sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
- meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
+ meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST, ctx->cert);
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
{
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return(s->cert->cert_flags|=larg);
case SSL_CTRL_CLEAR_CERT_FLAGS:
return(s->cert->cert_flags &=~larg);
+
+ case SSL_CTRL_GET_RAW_CIPHERLIST:
+ if (parg)
+ {
+ if (s->cert->ciphers_raw == NULL)
+ return 0;
+ *(unsigned char **)parg = s->cert->ciphers_raw;
+ return (int)s->cert->ciphers_rawlen;
+ }
+ else
+ return ssl_put_cipher_by_char(s,NULL,NULL);
default:
return(s->method->ssl_ctrl(s,cmd,larg,parg));
}
STACK_OF(SSL_CIPHER) *sk;
sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list,
- &ctx->cipher_list_by_id,str);
+ &ctx->cipher_list_by_id,str, ctx->cert);
/* ssl_create_cipher_list may return an empty stack if it
* was unable to find a cipher matching the given rule string
* (for example if the rule string specifies a cipher which
STACK_OF(SSL_CIPHER) *sk;
sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list,
- &s->cipher_list_by_id,str);
+ &s->cipher_list_by_id,str, s->cert);
/* see comment in SSL_CTX_set_cipher_list */
if (sk == NULL)
return 0;
sk_SSL_CIPHER_zero(sk);
}
+ if (s->cert->ciphers_raw)
+ OPENSSL_free(s->cert->ciphers_raw);
+ s->cert->ciphers_raw = BUF_memdup(p, num);
+ if (s->cert->ciphers_raw == NULL)
+ {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ s->cert->ciphers_rawlen = (size_t)num;
+
for (i=0; i<num; i+=n)
{
/* Check for SCSV */
ssl_create_cipher_list(ret->method,
&ret->cipher_list,&ret->cipher_list_by_id,
- meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
+ meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST, ret->cert);
if (ret->cipher_list == NULL
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
{
have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
#endif
cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
- rsa_enc= cpk->valid_flags;
+ rsa_enc= cpk->valid_flags & CERT_PKEY_VALID;
rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
- rsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN);
+ rsa_sign= cpk->valid_flags & CERT_PKEY_SIGN;
cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
- dsa_sign= (cpk->valid_flags & CERT_PKEY_SIGN);
+ dsa_sign= cpk->valid_flags & CERT_PKEY_SIGN;
cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
- dh_rsa= cpk->valid_flags;
+ dh_rsa= cpk->valid_flags & CERT_PKEY_VALID;
dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
/* FIX THIS EAY EAY EAY */
- dh_dsa= cpk->valid_flags;
+ dh_dsa= cpk->valid_flags & CERT_PKEY_VALID;
dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_ECC]);
- have_ecc_cert= cpk->valid_flags;
+ have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID;
mask_k=0;
mask_a=0;
emask_k=0;
#endif
-/* THIS NEEDS CLEANING UP */
static int ssl_get_server_cert_index(const SSL *s)
{
- unsigned long alg_k, alg_a;
-
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
- alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-
- if (alg_k & (SSL_kECDHr|SSL_kECDHe))
- {
- /* we don't need to look at SSL_kEECDH
- * since no certificate is needed for
- * anon ECDH and for authenticated
- * EECDH, the check for the auth
- * algorithm will set i correctly
- * NOTE: For ECDH-RSA, we need an ECC
- * not an RSA cert but for EECDH-RSA
- * we need an RSA cert. Placing the
- * checks for SSL_kECDH before RSA
- * checks ensures the correct cert is chosen.
- */
- return SSL_PKEY_ECC;
- }
- else if (alg_a & SSL_aECDSA)
- return SSL_PKEY_ECC;
- else if (alg_k & SSL_kDHr)
- return SSL_PKEY_DH_RSA;
- else if (alg_k & SSL_kDHd)
- return SSL_PKEY_DH_DSA;
- else if (alg_a & SSL_aDSS)
- return SSL_PKEY_DSA_SIGN;
- else if (alg_a & SSL_aRSA)
- {
- if (s->cert->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
- return SSL_PKEY_RSA_SIGN;
- else
- return SSL_PKEY_RSA_ENC;
- }
- else if (alg_a & SSL_aKRB5)
- /* VRS something else here? */
- return -1;
- else if (alg_a & SSL_aGOST94)
- return SSL_PKEY_GOST94;
- else if (alg_a & SSL_aGOST01)
- return SSL_PKEY_GOST01;
- else /* if (alg_a & SSL_aNULL) */
- {
+ int idx;
+ idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
+ if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509)
+ idx = SSL_PKEY_RSA_SIGN;
+ if (idx == -1)
SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX,ERR_R_INTERNAL_ERROR);
- return -1;
- }
+ return idx;
}
CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)