X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=4720680769f4736da7a62ecb1e3c2744cfb92a3f;hp=54f02a67c49978b9a240d819298db18ceca7abf0;hb=0930251df814f3993bf2c598761e0c7c6d0d62a2;hpb=5eda213ebe382009c2f37a8eade5cbcdae6017ed
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 54f02a67c4..4720680769 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -536,6 +536,16 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
 return X509_VERIFY_PARAM_set1(ssl->param, vpm);
 }
+X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
+ {
+ return ctx->param;
+ }
+
+X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
+ {
+ return ssl->param;
+ }
+
 void SSL_certs_clear(SSL *s)
 {
 ssl_cert_clear_certs(s->cert);
@@ -1332,6 +1342,33 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
 return(NULL);
 }
+STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
+ {
+ STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers;
+ int i;
+ ciphers = SSL_get_ciphers(s);
+ if (!ciphers)
+ return NULL;
+ ssl_set_client_disabled(s);
+ for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
+ {
+ const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
+ if (!ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
+ {
+ if (!sk)
+ sk = sk_SSL_CIPHER_new_null();
+ if (!sk)
+ return NULL;
+ if (!sk_SSL_CIPHER_push(sk, c))
+ {
+ sk_SSL_CIPHER_free(sk);
+ return NULL;
+ }
+ }
+ }
+ return sk;
+ }
+
 /** return a STACK of the ciphers available for the SSL and in order of
 * algorithm id */
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
@@ -1422,6 +1459,10 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
 p=buf;
 sk=s->session->ciphers;
+
+ if (sk_SSL_CIPHER_num(sk) == 0)
+ return NULL;
+
 for (i=0; icert; unsigned char *q; int no_scsv = s->renegotiate; /* Set disabled masks for this session */
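Review bot: SSL_CTX_get0_param and SSL_get0_param hand out a pointer that the SSL_CTX or SSL continues to own, and nothing in the hunk says so; a caller who frees it, or keeps it past the parent's lifetime, gets a double free or a dangling pointer. A one-line comment above each accessor would settle the contract, e.g. `/* Returns the verify parameters owned by ctx; the caller must not free them or use them after ctx is freed */`. Neither accessor checks its handle for NULL, which matches SSL_certs_clear just below, so presumably a NULL handle is treated as a caller bug rather than an input to validate.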
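Review bot: SSL_get1_supported_ciphers returns NULL both when every cipher is rejected (sk is never allocated) and when sk_SSL_CIPHER_new_null or sk_SSL_CIPHER_push fails, so a caller cannot tell "nothing is usable under the current policy" from an allocation failure; allocating the stack once before the loop and returning an empty stack for the first case would keep the two apart. The `get1` name says the stack is owned by the caller, but its elements are borrowed from SSL_get_ciphers, so the function comment should state that the result is released with `sk_SSL_CIPHER_free` and never `sk_SSL_CIPHER_pop_free`. The call to ssl_set_client_disabled(s) also means this getter rewrites the disabled-cipher state on s as a side effect, which deserves a comment because the name reads as a read-only query.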
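Review bot: The new guard in SSL_get_shared_ciphers tests `sk_SSL_CIPHER_num(sk) == 0`, but sk_SSL_CIPHER_num returns -1 for a NULL stack, so a session whose cipher list is NULL skips the guard, runs an empty loop and returns an empty string instead of NULL; `if (sk_SSL_CIPHER_num(sk) <= 0) return NULL;` covers both cases if NULL is the intended "no shared ciphers" result. The rendering of this hunk is garbled after the `for` line (the text up to the next hunk's removal of `CERT *ct = s->cert;` has been eaten), so the rest of the function and that adjacent hunk need to be read in the repository; the function body continues past the hunk.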
@@ -1462,9 +1502,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 {
 c=sk_SSL_CIPHER_value(sk,i);
 /* Skip disabled ciphers */
- if (c->algorithm_ssl & ct->mask_ssl ||
- c->algorithm_mkey & ct->mask_k ||
- c->algorithm_auth & ct->mask_a)
+ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
 continue;
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
 if (c->id == SSL3_CK_SCSV)
@@ -1596,7 +1634,6 @@ int SSL_get_servername_type(const SSL *s)
 return -1;
 }
-# ifndef OPENSSL_NO_NEXTPROTONEG
 /* SSL_select_next_proto implements the standard protocol selection. It is
 * expected that this function is called from the callback set by
 * SSL_CTX_set_next_proto_select_cb.
@@ -1663,6 +1700,7 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsi
 return status;
 }
+# ifndef OPENSSL_NO_NEXTPROTONEG
 /* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
 * requested protocol for this connection and returns 0. If the client didn't
 * request any protocol, then *data is set to NULL.
@@ -2343,8 +2381,8 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 rsa_tmp=rsa_tmp_export=0;
 #endif
 #ifndef OPENSSL_NO_DH
- dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
- dh_tmp_export=(c->dh_tmp_cb != NULL ||
+ dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto);
+ dh_tmp_export= !c->dh_tmp_auto && (c->dh_tmp_cb != NULL ||
 (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
 #else
 dh_tmp=dh_tmp_export=0;
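Review bot: The `/* Skip disabled ciphers */` comment kept above the new ssl_cipher_disabled call still reads as if only the protocol and key-exchange masks are consulted, whereas the replacement line routes the decision through SSL_SECOP_CIPHER_SUPPORTED, which presumably also applies the security-level policy introduced later in this diff; `/* Skip ciphers disabled by the protocol masks or rejected by the security policy */` would tell the reader why a cipher can now disappear from the list without any mask change. SSL_get1_supported_ciphers earlier in the diff uses the same op, so the advertised list and the queryable list should stay in agreement, which looks intentional. The enclosing loop and function begin and end outside the hunk.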
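Review bot: With `# ifndef OPENSSL_NO_NEXTPROTONEG` moved from above SSL_select_next_proto (this hunk at @@ -1596) to below it (@@ -1663), the function is now compiled even when NPN is disabled, yet its leading comment still says it is expected to be called from the SSL_CTX_set_next_proto_select_cb callback, which no longer explains why it sits outside the guard. A sentence in that comment such as `It is built regardless of OPENSSL_NO_NEXTPROTONEG because the selection logic is also usable from other protocol-selection callbacks` would keep the comment and the preprocessor structure in step. The matching `# endif` and the declaration in the public header are outside this diff and presumably were adjusted as well.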
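Review bot: The new `!c->dh_tmp_auto &&` prefix on dh_tmp_export does two jobs at once and deserves a comment: it keeps auto-selected DH parameters out of the export-strength mask, and it is also what guarantees that `DH_size(c->dh_tmp)` on the continuation line is only reached when c->dh_tmp is non-NULL, since with dh_tmp_auto excluded and dh_tmp_cb NULL the only way dh_tmp can be true is `c->dh_tmp != NULL`. Something like `/* Auto DH parameters are never export strength; this also ensures c->dh_tmp is set when DH_size() is evaluated below */` above the assignment would make the operand order load-bearing on purpose rather than by accident. The continuation line `(dh_tmp && DH_size(c->dh_tmp)*8 <= kl));` is unchanged context, so any future edit there needs to keep that short-circuit ordering.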
@@ -2401,20 +2439,20 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 emask_k|=SSL_kRSA;
 #if 0
- /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
+ /* The match needs to be both kDHE and aRSA or aDSA, so don't worry */
 if ( (dh_tmp || dh_rsa || dh_dsa) && (rsa_enc || rsa_sign || dsa_sign))
- mask_k|=SSL_kEDH;
+ mask_k|=SSL_kDHE;
 if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && (rsa_enc || rsa_sign || dsa_sign))
- emask_k|=SSL_kEDH;
+ emask_k|=SSL_kDHE;
 #endif
 if (dh_tmp_export)
- emask_k|=SSL_kEDH;
+ emask_k|=SSL_kDHE;
 if (dh_tmp)
- mask_k|=SSL_kEDH;
+ mask_k|=SSL_kDHE;
 if (dh_rsa) mask_k|=SSL_kDHr;
 if (dh_rsa_export) emask_k|=SSL_kDHr;
@@ -2512,8 +2550,8 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 #ifndef OPENSSL_NO_ECDH
 if (have_ecdh_tmp)
 {
- mask_k|=SSL_kEECDH;
- emask_k|=SSL_kEECDH;
+ mask_k|=SSL_kECDHE;
+ emask_k|=SSL_kECDHE;
 }
 #endif
@@ -2625,6 +2663,8 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
 int i;
 c = s->cert;
+ if (!s->s3 || !s->s3->tmp.new_cipher)
+ return NULL;
 ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
@@ -2740,6 +2780,11 @@ void ssl_update_cache(SSL *s,int mode)
 }
 }
+const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx)
+ {
+ return ctx->method;
+ }
+
 const SSL_METHOD *SSL_get_ssl_method(SSL *s)
 {
 return(s->method);
@@ -3103,7 +3148,6 @@ void ssl_clear_cipher_ctx(SSL *s)
 #endif
 }
-/* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
 {
 if (s->cert != NULL)
@@ -3112,8 +3156,7 @@ X509 *SSL_get_certificate(const SSL *s)
 return(NULL);
 }
-/* Fix this function so that it takes an optional type parameter */
-EVP_PKEY *SSL_get_privatekey(SSL *s)
+EVP_PKEY *SSL_get_privatekey(const SSL *s)
 {
 if (s->cert != NULL)
 return(s->cert->key->privatekey);
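Review bot: The new early return in ssl_get_server_send_pkey when `s->s3` or `s->s3->tmp.new_cipher` is unset is the right guard before ssl_set_cert_masks dereferences the cipher, but it changes the function's contract and nothing tells callers they must now handle NULL; a comment on the function such as `/* Returns NULL when s->s3 is not set up or no cipher has been negotiated yet */` would make that explicit. Placing the check above `c = s->cert;` would also avoid the dead assignment on the early-return path. The function continues past the hunk, so any later unconditional use of the result inside it is not visible here.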
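Review bot: SSL_get_privatekey now takes `const SSL *s` (hunk @@ -3112), which is correct because the body only reads through s->cert, but the matching prototype lives in the public header outside this diff; if it was not changed in the same commit the two declarations conflict and the build breaks, so that is worth confirming. The `/* Fix this function so that it takes an optional type parameter */` notes removed here and at @@ -3103 leave no trace of the intent; if per-type lookup is still wanted, a short comment naming where that now lives would stop the next reader re-adding the TODO.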
@@ -3121,6 +3164,22 @@ EVP_PKEY *SSL_get_privatekey(SSL *s)
 return(NULL);
 }
+X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx)
+ {
+ if (ctx->cert != NULL)
+ return ctx->cert->key->x509;
+ else
+ return NULL;
+ }
+
+EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
+ {
+ if (ctx->cert != NULL)
+ return ctx->cert->key->privatekey;
+ else
+ return NULL ;
+ }
+
 const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
 {
 if ((s->session != NULL) && (s->session->cipher != NULL))
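Review bot: `return NULL ;` in SSL_CTX_get0_privatekey has a stray space before the semicolon, and the `else` after a `return` is redundant in both new functions; `if (ctx->cert == NULL) return NULL; return ctx->cert->key->privatekey;` reads cleaner and matches the guard-first style used in ssl_get_server_send_pkey earlier in this diff. Both accessors are `get0`, so the returned X509 and EVP_PKEY remain owned by ctx and must not be freed by the caller or used after SSL_CTX_free; that belongs in a comment above each function, since the neighbouring SSL_get_certificate and SSL_get_privatekey do not say it either. Like those neighbours, `ctx->cert->key` is dereferenced without a check, which presumably relies on a CERT always carrying a current key slot.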
@@ -3585,6 +3644,67 @@ int SSL_is_server(SSL *s)
 return s->server;
 }
+void SSL_set_security_level(SSL *s, int level)
+ {
+ s->cert->sec_level = level;
+ }
+
+int SSL_get_security_level(const SSL *s)
+ {
+ return s->cert->sec_level;
+ }
+
+void SSL_set_security_callback(SSL *s, int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex))
+ {
+ s->cert->sec_cb = cb;
+ }
+
+int (*SSL_get_security_callback(const SSL *s))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex)
+ {
+ return s->cert->sec_cb;
+ }
+
+void SSL_set0_security_ex_data(SSL *s, void *ex)
+ {
+ s->cert->sec_ex = ex;
+ }
+
+void *SSL_get0_security_ex_data(const SSL *s)
+ {
+ return s->cert->sec_ex;
+ }
+
+void SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
+ {
+ ctx->cert->sec_level = level;
+ }
+
+int SSL_CTX_get_security_level(const SSL_CTX *ctx)
+ {
+ return ctx->cert->sec_level;
+ }
+
+void SSL_CTX_set_security_callback(SSL_CTX *ctx, int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex))
+ {
+ ctx->cert->sec_cb = cb;
+ }
+
+int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex)
+ {
+ return ctx->cert->sec_cb;
+ }
+
+void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex)
+ {
+ ctx->cert->sec_ex = ex;
+ }
+
+void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
+ {
+ return ctx->cert->sec_ex;
+ }
+
+
 #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
 #include "../crypto/bio/bss_file.c"
 #endif
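Review bot: SSL_set_security_level and the eleven siblings below it dereference `s->cert` / `ctx->cert` unconditionally, whereas SSL_get_certificate and the new SSL_CTX_get0_certificate in this same diff guard `cert != NULL` first; if cert can ever be NULL for an SSL or SSL_CTX the setters write through a null pointer, so either add the same guard or document above the group that cert is always allocated. `level` is stored without any range check and without a comment on which values are defined, so a negative or out-of-range level is accepted silently and its effect depends on policy code not shown here; at minimum the setter should state the valid range, and rejecting or clamping values outside it would be safer. The seven-argument callback prototype is spelled out four times, twice in the declarator-returning-function form of the getters; a single typedef for the callback (name to be chosen) would remove the repetition and the `s`/`ctx` parameter names that shadow the outer parameters inside the nested declarators.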