Add new "valid_flags" field to CERT_PKEY structure which determines what
[openssl.git] / ssl / ssl_lib.c
index 6091ea9..585411a 100644 (file)
@@ -1127,6 +1127,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                if (s->s3)
                        return s->s3->send_connection_binding;
                else return 0;
                if (s->s3)
                        return s->s3->send_connection_binding;
                else return 0;
+       case SSL_CTRL_CERT_FLAGS:
+               return(s->cert->cert_flags|=larg);
+       case SSL_CTRL_CLEAR_CERT_FLAGS:
+               return(s->cert->cert_flags &=~larg);
        default:
                return(s->method->ssl_ctrl(s,cmd,larg,parg));
                }
        default:
                return(s->method->ssl_ctrl(s,cmd,larg,parg));
                }
@@ -1224,6 +1228,10 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
                        return 0;
                ctx->max_send_fragment = larg;
                return 1;
                        return 0;
                ctx->max_send_fragment = larg;
                return 1;
+       case SSL_CTRL_CERT_FLAGS:
+               return(ctx->cert->cert_flags|=larg);
+       case SSL_CTRL_CLEAR_CERT_FLAGS:
+               return(ctx->cert->cert_flags &=~larg);
        default:
                return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
                }
        default:
                return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
                }
@@ -2077,21 +2085,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
 #endif
        cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
        have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
 #endif
        cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
-       rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
+       rsa_enc= cpk->valid_flags;
        rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
        rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
-       rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
+       rsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN);
        cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
        cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
-       dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
+       dsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN);
        cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
        cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
-       dh_rsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+       dh_rsa=  cpk->valid_flags;
        dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
 /* FIX THIS EAY EAY EAY */
        dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
 /* FIX THIS EAY EAY EAY */
-       dh_dsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+       dh_dsa=  cpk->valid_flags;
        dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_ECC]);
        dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_ECC]);
-       have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
+       have_ecc_cert= cpk->valid_flags;
        mask_k=0;
        mask_a=0;
        emask_k=0;
        mask_k=0;
        mask_a=0;
        emask_k=0;
@@ -2173,13 +2181,16 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
         */
        if (have_ecc_cert)
                {
         */
        if (have_ecc_cert)
                {
+               cpk = &c->pkeys[SSL_PKEY_ECC];
+               x = cpk->x509;
                /* This call populates extension flags (ex_flags) */
                /* This call populates extension flags (ex_flags) */
-               x = (c->pkeys[SSL_PKEY_ECC]).x509;
                X509_check_purpose(x, -1, 0);
                ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
                    (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
                ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
                    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
                X509_check_purpose(x, -1, 0);
                ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
                    (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
                ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
                    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
+               if (!(cpk->valid_flags & CERT_PKEY_SIGN))
+                       ecdsa_ok = 0;
                ecc_pkey = X509_get_pubkey(x);
                ecc_pkey_size = (ecc_pkey != NULL) ?
                    EVP_PKEY_bits(ecc_pkey) : 0;
                ecc_pkey = X509_get_pubkey(x);
                ecc_pkey_size = (ecc_pkey != NULL) ?
                    EVP_PKEY_bits(ecc_pkey) : 0;