# include <assert.h>
#endif
#include <stdio.h>
-#include <openssl/crypto.h>
#include "ssl_locl.h"
#include "kssl_lcl.h"
#include <openssl/objects.h>
return X509_VERIFY_PARAM_set1(ssl->param, vpm);
}
+void SSL_certs_clear(SSL *s)
+ {
+ ssl_cert_clear_certs(s->cert);
+ }
+
void SSL_free(SSL *s)
{
int i;
if (s->s3)
return s->s3->send_connection_binding;
else return 0;
+ case SSL_CTRL_CERT_FLAGS:
+ return(s->cert->cert_flags|=larg);
+ case SSL_CTRL_CLEAR_CERT_FLAGS:
+ return(s->cert->cert_flags &=~larg);
default:
return(s->method->ssl_ctrl(s,cmd,larg,parg));
}
return 0;
ctx->max_send_fragment = larg;
return 1;
+ case SSL_CTRL_CERT_FLAGS:
+ return(ctx->cert->cert_flags|=larg);
+ case SSL_CTRL_CLEAR_CERT_FLAGS:
+ return(ctx->cert->cert_flags &=~larg);
default:
return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg));
}
{
int i,j=0;
SSL_CIPHER *c;
+ CERT *ct = s->cert;
unsigned char *q;
-#ifndef OPENSSL_NO_KRB5
- int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
-#endif /* OPENSSL_NO_KRB5 */
+ /* Set disabled masks for this session */
+ ssl_set_client_disabled(s);
if (sk == NULL) return(0);
q=p;
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
c=sk_SSL_CIPHER_value(sk,i);
- /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
- if ((c->algorithm_ssl & SSL_TLSV1_2) &&
- (TLS1_get_client_version(s) < TLS1_2_VERSION))
- continue;
-#ifndef OPENSSL_NO_KRB5
- if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
- nokrb5)
- continue;
-#endif /* OPENSSL_NO_KRB5 */
-#ifndef OPENSSL_NO_PSK
- /* with PSK there must be client callback set */
- if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) &&
- s->psk_client_callback == NULL)
+ /* Skip disabled ciphers */
+ if (c->algorithm_ssl & ct->mask_ssl ||
+ c->algorithm_mkey & ct->mask_k ||
+ c->algorithm_auth & ct->mask_a)
continue;
-#endif /* OPENSSL_NO_PSK */
j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
p+=j;
}
ctx->next_proto_select_cb = cb;
ctx->next_proto_select_cb_arg = arg;
}
-
# endif
#endif
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
}
+void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb)(SSL *ssl, void *arg), void *arg)
+ {
+ ssl_cert_set_cert_cb(c->cert, cb, arg);
+ }
+
+void SSL_set_cert_cb(SSL *s, int (*cb)(SSL *ssl, void *arg), void *arg)
+ {
+ ssl_cert_set_cert_cb(s->cert, cb, arg);
+ }
+
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
{
CERT_PKEY *cpk;
have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
#endif
cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
- rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
+ rsa_enc= cpk->valid_flags & CERT_PKEY_VALID;
rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
- rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
+ rsa_sign= cpk->valid_flags & CERT_PKEY_SIGN;
cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
- dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
+ dsa_sign= cpk->valid_flags & CERT_PKEY_SIGN;
cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
- dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
+ dh_rsa= cpk->valid_flags & CERT_PKEY_VALID;
dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
/* FIX THIS EAY EAY EAY */
- dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL);
+ dh_dsa= cpk->valid_flags & CERT_PKEY_VALID;
dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_ECC]);
- have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
+ have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID;
mask_k=0;
mask_a=0;
emask_k=0;
*/
if (have_ecc_cert)
{
+ cpk = &c->pkeys[SSL_PKEY_ECC];
+ x = cpk->x509;
/* This call populates extension flags (ex_flags) */
- x = (c->pkeys[SSL_PKEY_ECC]).x509;
X509_check_purpose(x, -1, 0);
ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
(x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
(x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
+ if (!(cpk->valid_flags & CERT_PKEY_SIGN))
+ ecdsa_ok = 0;
ecc_pkey = X509_get_pubkey(x);
ecc_pkey_size = (ecc_pkey != NULL) ?
EVP_PKEY_bits(ecc_pkey) : 0;
#endif
/* THIS NEEDS CLEANING UP */
-CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
+static int ssl_get_server_cert_index(SSL *s)
{
- unsigned long alg_k,alg_a;
- CERT *c;
- int i;
+ unsigned long alg_k, alg_a;
- c=s->cert;
- ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
-
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
* checks for SSL_kECDH before RSA
* checks ensures the correct cert is chosen.
*/
- i=SSL_PKEY_ECC;
+ return SSL_PKEY_ECC;
}
else if (alg_a & SSL_aECDSA)
- {
- i=SSL_PKEY_ECC;
- }
+ return SSL_PKEY_ECC;
else if (alg_k & SSL_kDHr)
- i=SSL_PKEY_DH_RSA;
+ return SSL_PKEY_DH_RSA;
else if (alg_k & SSL_kDHd)
- i=SSL_PKEY_DH_DSA;
+ return SSL_PKEY_DH_DSA;
else if (alg_a & SSL_aDSS)
- i=SSL_PKEY_DSA_SIGN;
+ return SSL_PKEY_DSA_SIGN;
else if (alg_a & SSL_aRSA)
{
- if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
- i=SSL_PKEY_RSA_SIGN;
+ if (s->cert->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
+ return SSL_PKEY_RSA_SIGN;
else
- i=SSL_PKEY_RSA_ENC;
+ return SSL_PKEY_RSA_ENC;
}
else if (alg_a & SSL_aKRB5)
- {
/* VRS something else here? */
- return(NULL);
- }
+ return -1;
else if (alg_a & SSL_aGOST94)
- i=SSL_PKEY_GOST94;
+ return SSL_PKEY_GOST94;
else if (alg_a & SSL_aGOST01)
- i=SSL_PKEY_GOST01;
+ return SSL_PKEY_GOST01;
else /* if (alg_a & SSL_aNULL) */
{
- SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR);
- return(NULL);
+ SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX,ERR_R_INTERNAL_ERROR);
+ return -1;
}
- if (c->pkeys[i].x509 == NULL) return(NULL);
+ }
+
+CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
+ {
+ CERT *c;
+ int i;
+
+ c = s->cert;
+ ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
+
+ i = ssl_get_server_cert_index(s);
- return(&c->pkeys[i]);
+ /* This may or may not be an error. */
+ if (i < 0)
+ return NULL;
+
+ /* May be NULL. */
+ return &c->pkeys[i];
}
EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
return c->pkeys[idx].privatekey;
}
+#ifndef OPENSSL_NO_TLSEXT
+unsigned char *ssl_get_authz_data(SSL *s, size_t *authz_length)
+ {
+ CERT *c;
+ int i;
+
+ c = s->cert;
+ i = ssl_get_server_cert_index(s);
+
+ if (i == -1)
+ return NULL;
+
+ *authz_length = 0;
+ if (c->pkeys[i].authz == NULL)
+ return(NULL);
+ *authz_length = c->pkeys[i].authz_length;
+
+ return c->pkeys[i].authz;
+ }
+#endif
+
void ssl_update_cache(SSL *s,int mode)
{
int i;
return s->hit;
}
+int SSL_is_server(SSL *s)
+ {
+ return s->server;
+ }
+
#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
#include "../crypto/bio/bss_file.c"
#endif
projects / openssl.git / blobdiff