Add new "valid_flags" field to CERT_PKEY structure which determines what

[openssl.git] / ssl / ssl_lib.c
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c

index cb098b300275611e0e5d192ec7890127a1be16b6..b3836b7e685e8ade9ed32091f63a62c38ff62031 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -146,7 +146,6 @@
  #  include <assert.h>
  #endif
  #include <stdio.h>
-#include <openssl/crypto.h>
  #include "ssl_locl.h"
  #include "kssl_lcl.h"
  #include <openssl/objects.h>
@@ -526,6 +525,11 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
         return X509_VERIFY_PARAM_set1(ssl->param, vpm);
         }
  
+void SSL_certs_clear(SSL *s)
+       {
+       ssl_cert_clear_certs(s->cert);
+       }
+
  void SSL_free(SSL *s)
         {
         int i;
@@ -1124,6 +1128,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                 if (s->s3)
                         return s->s3->send_connection_binding;
                 else return 0;
+       case SSL_CTRL_CERT_FLAGS:
+               return(s->cert->cert_flags|=larg);
+       case SSL_CTRL_CLEAR_CERT_FLAGS:
+               return(s->cert->cert_flags &=~larg);
         default:
                 return(s->method->ssl_ctrl(s,cmd,larg,parg));
                 }
@@ -1221,6 +1229,10 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
                         return 0;
                 ctx->max_send_fragment = larg;
                 return 1;
+       case SSL_CTRL_CERT_FLAGS:
+               return(ctx->cert->cert_flags|=larg);
+       case SSL_CTRL_CLEAR_CERT_FLAGS:
+               return(ctx->cert->cert_flags &=~larg);
         default:
                 return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
                 }
@@ -1650,7 +1662,6 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned
         ctx->next_proto_select_cb = cb;
         ctx->next_proto_select_cb_arg = arg;
         }
-
  # endif
  #endif
  
@@ -2075,21 +2086,21 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
         have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
  #endif
         cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
-       rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
+       rsa_enc= cpk->valid_flags;
         rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
         cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
-       rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
+       rsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN);
         cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
-       dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
+       dsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN);
         cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
-       dh_rsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+       dh_rsa=  cpk->valid_flags;
         dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
         cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
  /* FIX THIS EAY EAY EAY */
-       dh_dsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+       dh_dsa=  cpk->valid_flags;
         dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
         cpk= &(c->pkeys[SSL_PKEY_ECC]);
-       have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
+       have_ecc_cert= cpk->valid_flags;
         mask_k=0;
         mask_a=0;
         emask_k=0;
@@ -2171,13 +2182,16 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
          */
         if (have_ecc_cert)
                 {
+               cpk = &c->pkeys[SSL_PKEY_ECC];
+               x = cpk->x509;
                 /* This call populates extension flags (ex_flags) */
-               x = (c->pkeys[SSL_PKEY_ECC]).x509;
                 X509_check_purpose(x, -1, 0);
                 ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
                     (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
                 ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
                     (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
+               if (!(cpk->valid_flags & CERT_PKEY_SIGN))
+                       ecdsa_ok = 0;
                 ecc_pkey = X509_get_pubkey(x);
                 ecc_pkey_size = (ecc_pkey != NULL) ?
                     EVP_PKEY_bits(ecc_pkey) : 0;