Add ctrl and macro so we can determine if peer support secure renegotiation.

[openssl.git] / ssl / ssl_lib.c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 7b911ae1eac610d591688c174f45e14651dc3c92..39bd9d7cf04bcaf304729df1812db1013f18b395 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -486,6 +486,16 @@ int SSL_set_trust(SSL *s, int trust)
        return X509_VERIFY_PARAM_set_trust(s->param, trust);
        }
 
+int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
+       {
+       return X509_VERIFY_PARAM_set1(ctx->param, vpm);
+       }
+
+int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
+       {
+       return X509_VERIFY_PARAM_set1(ssl->param, vpm);
+       }
+
 void SSL_free(SSL *s)
        {
        int i;
@@ -546,7 +556,6 @@ void SSL_free(SSL *s)
        if (s->cert != NULL) ssl_cert_free(s->cert);
        /* Free up if allocated */
 
-       if (s->ctx) SSL_CTX_free(s->ctx);
 #ifndef OPENSSL_NO_TLSEXT
        if (s->tlsext_hostname)
                OPENSSL_free(s->tlsext_hostname);
@@ -570,6 +579,8 @@ void SSL_free(SSL *s)
 
        if (s->method != NULL) s->method->ssl_free(s);
 
+       if (s->ctx) SSL_CTX_free(s->ctx);
+
 #ifndef        OPENSSL_NO_KRB5
        if (s->kssl_ctx != NULL)
                kssl_ctx_free(s->kssl_ctx);
@@ -1051,6 +1062,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                        return 0;
                s->max_send_fragment = larg;
                return 1;
+       case SSL_CTRL_GET_RI_SUPPORT:
+               if (s->s3)
+                       return s->s3->send_connection_binding;
+               else return 0;
        default:
                return(s->method->ssl_ctrl(s,cmd,larg,parg));
                }
@@ -1346,6 +1361,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
                j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
                p+=j;
                }
+       /* If p == q, no ciphers and caller indicates an error, otherwise
+        * add MCSV
+        */
+       if (p != q)
+               {
+               static SSL_CIPHER msvc =
+                       {
+                       0, NULL, SSL3_CK_MCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+                       };
+               j = put_cb ? put_cb(&msvc,p) : ssl_put_cipher_by_char(s,&msvc,p);
+               p+=j;
+#ifdef OPENSSL_RI_DEBUG
+               fprintf(stderr, "MCSV sent by client\n");
+#endif
+               }
+
        return(p-q);
        }
 
@@ -1356,6 +1387,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
        STACK_OF(SSL_CIPHER) *sk;
        int i,n;
 
+       s->s3->send_connection_binding = 0;
+
        n=ssl_put_cipher_by_char(s,NULL,NULL);
        if ((num%n) != 0)
                {
@@ -1372,6 +1405,19 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 
        for (i=0; i<num; i+=n)
                {
+               /* Check for MCSV */
+               if ((n != 3 || !p[0]) &&
+                       (p[n-2] == ((SSL3_CK_MCSV >> 8) & 0xff)) &&
+                       (p[n-1] == (SSL3_CK_MCSV & 0xff)))
+                       {
+                       s->s3->send_connection_binding = 1;
+                       p += n;
+#ifdef OPENSSL_RI_DEBUG
+                       fprintf(stderr, "MCSV received by server\n");
+#endif
+                       continue;
+                       }
+
                c=ssl_get_cipher_by_char(s,p);
                p+=n;
                if (c != NULL)
@@ -2369,8 +2415,10 @@ SSL_METHOD *ssl_bad_method(int ver)
 
 const char *SSL_get_version(const SSL *s)
        {
-       if (s->version == TLS1_VERSION)
-               return("TLSv1");
+       if (s->version == TLS1_1_VERSION)
+               return("TLSv1.1");
+       else if (s->version == SSL3_VERSION)
+               return("SSLv3");
        else if (s->version == SSL3_VERSION)
                return("SSLv3");
        else if (s->version == SSL2_VERSION)