Dual DTLS version methods.

[openssl.git] / ssl / ssl_lib.c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4289a745c9e45eca5037bdbb5cf270462773668e..c3b40323687cd0ddbd733044b83319150f00c9a8 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1112,8 +1112,7 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                        return 0;
 #endif
 
-               if (SSL_version(s) == DTLS1_VERSION ||
-                   SSL_version(s) == DTLS1_BAD_VER)
+               if (SSL_IS_DTLS(s))
                        {
                        s->d1->mtu = larg;
                        return larg;
@@ -1132,6 +1131,17 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                return(s->cert->cert_flags|=larg);
        case SSL_CTRL_CLEAR_CERT_FLAGS:
                return(s->cert->cert_flags &=~larg);
+
+       case SSL_CTRL_GET_RAW_CIPHERLIST:
+               if (parg)
+                       {
+                       if (s->cert->ciphers_raw == NULL)
+                               return 0;
+                       *(unsigned char **)parg = s->cert->ciphers_raw;
+                       return (int)s->cert->ciphers_rawlen;
+                       }
+               else
+                       return ssl_put_cipher_by_char(s,NULL,NULL);
        default:
                return(s->method->ssl_ctrl(s,cmd,larg,parg));
                }
@@ -1158,6 +1168,20 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
 long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
        {
        long l;
+       /* For some cases with ctx == NULL perform syntax checks */
+       if (ctx == NULL)
+               {
+               switch (cmd)
+                       {
+               case SSL_CTRL_SET_CURVES_LIST:
+                       return tls1_set_curves_list(NULL, NULL, parg);
+               case SSL_CTRL_SET_SIGALGS_LIST:
+               case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
+                       return tls1_set_sigalgs_list(NULL, parg, 0);
+               default:
+                       return 0;
+                       }
+               }
 
        switch (cmd)
                {
@@ -1412,6 +1436,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
        SSL_CIPHER *c;
        CERT *ct = s->cert;
        unsigned char *q;
+       int no_scsv = s->renegotiate;
        /* Set disabled masks for this session */
        ssl_set_client_disabled(s);
 
@@ -1426,13 +1451,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
                        c->algorithm_mkey & ct->mask_k ||
                        c->algorithm_auth & ct->mask_a)
                        continue;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+               if (c->id == SSL3_CK_SCSV)
+                       {
+                       if (no_scsv)
+                               continue;
+                       else
+                               no_scsv = 1;
+                       }
+#endif
                j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
                p+=j;
                }
        /* If p == q, no ciphers and caller indicates an error. Otherwise
         * add SCSV if not renegotiating.
         */
-       if (p != q && !s->renegotiate)
+       if (p != q && !no_scsv)
                {
                static SSL_CIPHER scsv =
                        {
@@ -1471,6 +1505,16 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
                sk_SSL_CIPHER_zero(sk);
                }
 
+       if (s->cert->ciphers_raw)
+               OPENSSL_free(s->cert->ciphers_raw);
+       s->cert->ciphers_raw = BUF_memdup(p, num);
+       if (s->cert->ciphers_raw == NULL)
+               {
+               SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+               goto err;
+               }
+       s->cert->ciphers_rawlen = (size_t)num;
+
        for (i=0; i<num; i+=n)
                {
                /* Check for SCSV */
@@ -1821,7 +1865,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
 
        ret->extra_certs=NULL;
-       ret->comp_methods=SSL_COMP_get_compression_methods();
+       /* No compression for DTLS */
+       if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
+               ret->comp_methods=SSL_COMP_get_compression_methods();
 
        ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 
@@ -2336,7 +2382,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 
 #endif
 
-static int ssl_get_server_cert_index(SSL *s)
+static int ssl_get_server_cert_index(const SSL *s)
        {
        int idx;
        idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
@@ -2347,7 +2393,7 @@ static int ssl_get_server_cert_index(SSL *s)
        return idx;
        }
 
-CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
        {
        CERT *c;
        int i;
@@ -2359,7 +2405,7 @@ CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
        /* Broken protocol test: return last used certificate: which may
         * mismatch the one expected.
         */
-       if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTCOL)
+       if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
                return c->key;
 #endif
 
@@ -2386,7 +2432,7 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
        /* Broken protocol test: use last key: which may
         * mismatch the one expected.
         */
-       if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTCOL)
+       if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
                idx = c->key - c->pkeys;
        else
 #endif