SSL/TLS record tracing code (backport from HEAD).

[oweals/openssl.git] / ssl / ssl_lib.c
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c

index 71128f512410f4998cb90f8ef0b6d216139a797c..6e1b27c5fae8a2904b7db63a40745883f37e4449 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1131,6 +1131,17 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                 return(s->cert->cert_flags|=larg);
         case SSL_CTRL_CLEAR_CERT_FLAGS:
                 return(s->cert->cert_flags &=~larg);
+
+       case SSL_CTRL_GET_RAW_CIPHERLIST:
+               if (parg)
+                       {
+                       if (s->cert->ciphers_raw == NULL)
+                               return 0;
+                       *(unsigned char **)parg = s->cert->ciphers_raw;
+                       return (int)s->cert->ciphers_rawlen;
+                       }
+               else
+                       return ssl_put_cipher_by_char(s,NULL,NULL);
         default:
                 return(s->method->ssl_ctrl(s,cmd,larg,parg));
                 }
@@ -1470,6 +1481,16 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
                 sk_SSL_CIPHER_zero(sk);
                 }
  
+       if (s->cert->ciphers_raw)
+               OPENSSL_free(s->cert->ciphers_raw);
+       s->cert->ciphers_raw = BUF_memdup(p, num);
+       if (s->cert->ciphers_raw == NULL)
+               {
+               SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+               goto err;
+               }
+       s->cert->ciphers_rawlen = (size_t)num;
+
         for (i=0; i<num; i+=n)
                 {
                 /* Check for SCSV */
@@ -2335,56 +2356,15 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
  
  #endif
  
-/* THIS NEEDS CLEANING UP */
  static int ssl_get_server_cert_index(const SSL *s)
         {
-       unsigned long alg_k, alg_a;
-
-       alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-       alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-
-       if (alg_k & (SSL_kECDHr|SSL_kECDHe))
-               {
-               /* we don't need to look at SSL_kEECDH
-                * since no certificate is needed for
-                * anon ECDH and for authenticated
-                * EECDH, the check for the auth
-                * algorithm will set i correctly
-                * NOTE: For ECDH-RSA, we need an ECC
-                * not an RSA cert but for EECDH-RSA
-                * we need an RSA cert. Placing the
-                * checks for SSL_kECDH before RSA
-                * checks ensures the correct cert is chosen.
-                */
-               return SSL_PKEY_ECC;
-               }
-       else if (alg_a & SSL_aECDSA)
-               return SSL_PKEY_ECC;
-       else if (alg_k & SSL_kDHr)
-               return SSL_PKEY_DH_RSA;
-       else if (alg_k & SSL_kDHd)
-               return SSL_PKEY_DH_DSA;
-       else if (alg_a & SSL_aDSS)
-               return SSL_PKEY_DSA_SIGN;
-       else if (alg_a & SSL_aRSA)
-               {
-               if (s->cert->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
-                       return SSL_PKEY_RSA_SIGN;
-               else
-                       return SSL_PKEY_RSA_ENC;
-               }
-       else if (alg_a & SSL_aKRB5)
-               /* VRS something else here? */
-               return -1;
-       else if (alg_a & SSL_aGOST94) 
-               return SSL_PKEY_GOST94;
-       else if (alg_a & SSL_aGOST01)
-               return SSL_PKEY_GOST01;
-       else /* if (alg_a & SSL_aNULL) */
-               {
+       int idx;
+       idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
+       if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509)
+               idx = SSL_PKEY_RSA_SIGN;
+       if (idx == -1)
                 SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX,ERR_R_INTERNAL_ERROR);
-               return -1;
-               }
+       return idx;
         }
  
  CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)