* Probably it would make more sense to store
* an index, not a pointer. */
- /* The following masks are for the key and auth
- * algorithms that are supported by the certs below */
+ /* For servers the following masks are for the key and auth
+ * algorithms that are supported by the certs below.
+ * For clients they are masks of *disabled* algorithms based
+ * on the current session.
+ */
int valid;
unsigned long mask_k;
unsigned long mask_a;
unsigned long export_mask_k;
unsigned long export_mask_a;
+ /* Client only */
+ unsigned long mask_ssl;
#ifndef OPENSSL_NO_RSA
RSA *rsa_tmp;
RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
unsigned int cert_flags;
CERT_PKEY pkeys[SSL_PKEY_NUM];
+ /* Certificate types (received or sent) in certificate request
+ * message. On receive this is only set if number of certificate
+ * types exceeds SSL3_CT_NUMBER.
+ */
+ unsigned char *ctypes;
+ size_t ctype_num;
+
/* signature algorithms peer reports: e.g. supported signature
* algorithms extension for server or as part of a certificate
* request for client.
unsigned char *peer_sigalgs;
/* Size of above array */
size_t peer_sigalgslen;
- /* configured signature algorithms (can be NULL for default).
- * sent in signature algorithms extension or certificate request.
+ /* suppported signature algorithms.
+ * When set on a client this is sent in the client hello as the
+ * supported signature algorithms extension. For servers
+ * it represents the signature algorithms we are willing to use.
*/
unsigned char *conf_sigalgs;
/* Size of above array */
size_t conf_sigalgslen;
+ /* Client authentication signature algorithms, if not set then
+ * uses conf_sigalgs. On servers these will be the signature
+ * algorithms sent to the client in a cerificate request for TLS 1.2.
+ * On a client this represents the signature algortithms we are
+ * willing to use for client authentication.
+ */
+ unsigned char *client_sigalgs;
+ /* Size of above array */
+ size_t client_sigalgslen;
/* Signature algorithms shared by client and server: cached
- * because these are used most often
+ * because these are used most often.
*/
TLS_SIGALGS *shared_sigalgs;
size_t shared_sigalgslen;
int tls12_get_sigid(const EVP_PKEY *pk);
const EVP_MD *tls12_get_hash(unsigned char hash_alg);
-int tls1_set_sigalgs_list(CERT *c, const char *str);
-int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen);
+int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
+int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, int client);
int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
int idx);
void tls1_set_cert_validity(SSL *s);
int *al);
long ssl_get_algorithm2(SSL *s);
int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
-size_t tls12_get_sig_algs(SSL *s, unsigned char *p);
+size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
+void ssl_set_client_disabled(SSL *s);
int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);