if (s->srtp_profiles)
sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
+#ifndef OPENSSL_NO_DANE
+ if (s->tlsa_record && s->tlsa_record!=(void *)-1)
+ OPENSSL_free(s->tlsa_record);
+#endif
+
OPENSSL_free(s);
}
}
else
return ssl_put_cipher_by_char(s,NULL,NULL);
+#ifndef OPENSSL_NO_DANE
+ case SSL_CTRL_PULL_TLSA_RECORD:
+ parg = SSL_get_tlsa_record_byname (parg,larg,s->version<0xF000?1:0);
+ /* yes, fall through */
+ case SSL_CTRL_SET_TLSA_RECORD:
+ s->tlsa_record = parg;
+ return 1;
+#endif
default:
return(s->method->ssl_ctrl(s,cmd,larg,parg));
}
{
switch (cmd)
{
+#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_CURVES_LIST:
return tls1_set_curves_list(NULL, NULL, parg);
+#endif
case SSL_CTRL_SET_SIGALGS_LIST:
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
return tls1_set_sigalgs_list(NULL, parg, 0);
SSL_CIPHER *c;
CERT *ct = s->cert;
unsigned char *q;
+ int no_scsv = s->renegotiate;
/* Set disabled masks for this session */
ssl_set_client_disabled(s);
c->algorithm_mkey & ct->mask_k ||
c->algorithm_auth & ct->mask_a)
continue;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+ if (c->id == SSL3_CK_SCSV)
+ {
+ if (no_scsv)
+ continue;
+ else
+ no_scsv = 1;
+ }
+#endif
j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
p+=j;
}
/* If p == q, no ciphers and caller indicates an error. Otherwise
* add SCSV if not renegotiating.
*/
- if (p != q && !s->renegotiate)
+ if (p != q && !no_scsv)
{
static SSL_CIPHER scsv =
{
ctx->next_proto_select_cb_arg = arg;
}
# endif
+
+int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type,
+ custom_cli_ext_first_cb_fn fn1,
+ custom_cli_ext_second_cb_fn fn2, void* arg)
+ {
+ size_t i;
+ custom_cli_ext_record* record;
+
+ /* Check for duplicates */
+ for (i=0; i < ctx->custom_cli_ext_records_count; i++)
+ if (ext_type == ctx->custom_cli_ext_records[i].ext_type)
+ return 0;
+
+ ctx->custom_cli_ext_records = OPENSSL_realloc(ctx->custom_cli_ext_records,
+ (ctx->custom_cli_ext_records_count + 1) *
+ sizeof(custom_cli_ext_record));
+ if (!ctx->custom_cli_ext_records) {
+ ctx->custom_cli_ext_records_count = 0;
+ return 0;
+ }
+ ctx->custom_cli_ext_records_count++;
+ record = &ctx->custom_cli_ext_records[ctx->custom_cli_ext_records_count - 1];
+ record->ext_type = ext_type;
+ record->fn1 = fn1;
+ record->fn2 = fn2;
+ record->arg = arg;
+ return 1;
+ }
+
+int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
+ custom_srv_ext_first_cb_fn fn1,
+ custom_srv_ext_second_cb_fn fn2, void* arg)
+ {
+ size_t i;
+ custom_srv_ext_record* record;
+
+ /* Check for duplicates */
+ for (i=0; i < ctx->custom_srv_ext_records_count; i++)
+ if (ext_type == ctx->custom_srv_ext_records[i].ext_type)
+ return 0;
+
+ ctx->custom_srv_ext_records = OPENSSL_realloc(ctx->custom_srv_ext_records,
+ (ctx->custom_srv_ext_records_count + 1) *
+ sizeof(custom_srv_ext_record));
+ if (!ctx->custom_srv_ext_records) {
+ ctx->custom_srv_ext_records_count = 0;
+ return 0;
+ }
+ ctx->custom_srv_ext_records_count++;
+ record = &ctx->custom_srv_ext_records[ctx->custom_srv_ext_records_count - 1];
+ record->ext_type = ext_type;
+ record->fn1 = fn1;
+ record->fn2 = fn2;
+ record->arg = arg;
+ return 1;
+ }
+
#endif
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
ret->extra_certs=NULL;
- ret->comp_methods=SSL_COMP_get_compression_methods();
+ /* No compression for DTLS */
+ if (meth->version != DTLS1_VERSION)
+ ret->comp_methods=SSL_COMP_get_compression_methods();
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
#ifndef OPENSSL_NO_SRP
SSL_CTX_SRP_CTX_init(ret);
#endif
+ ret->custom_cli_ext_records = NULL;
+ ret->custom_cli_ext_records_count = 0;
+ ret->custom_srv_ext_records = NULL;
+ ret->custom_srv_ext_records_count = 0;
#ifndef OPENSSL_NO_BUF_FREELISTS
ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
#ifndef OPENSSL_NO_SRP
SSL_CTX_SRP_CTX_free(a);
#endif
+#ifndef OPENSSL_NO_TLSEXT
+ OPENSSL_free(a->custom_cli_ext_records);
+ OPENSSL_free(a->custom_srv_ext_records);
+#endif
#ifndef OPENSSL_NO_ENGINE
if (a->client_cert_engine)
ENGINE_finish(a->client_cert_engine);
int rsa_enc_export,dh_rsa_export,dh_dsa_export;
int rsa_tmp_export,dh_tmp_export,kl;
unsigned long mask_k,mask_a,emask_k,emask_a;
- int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
+#ifndef OPENSSL_NO_ECDSA
+ int have_ecc_cert, ecdsa_ok, ecc_pkey_size;
+#endif
#ifndef OPENSSL_NO_ECDH
- int have_ecdh_tmp;
+ int have_ecdh_tmp, ecdh_ok;
#endif
+#ifndef OPENSSL_NO_EC
X509 *x = NULL;
EVP_PKEY *ecc_pkey = NULL;
int signature_nid = 0, pk_nid = 0, md_nid = 0;
-
+#endif
if (c == NULL) return;
kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
dh_dsa= cpk->valid_flags & CERT_PKEY_VALID;
dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
cpk= &(c->pkeys[SSL_PKEY_ECC]);
+#ifndef OPENSSL_NO_EC
have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID;
+#endif
mask_k=0;
mask_a=0;
emask_k=0;
/* An ECC certificate may be usable for ECDH and/or
* ECDSA cipher suites depending on the key usage extension.
*/
+#ifndef OPENSSL_NO_EC
if (have_ecc_cert)
{
cpk = &c->pkeys[SSL_PKEY_ECC];
}
#endif
}
+#endif
#ifndef OPENSSL_NO_ECDH
if (have_ecdh_tmp)
c = s->cert;
ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+ /* Broken protocol test: return last used certificate: which may
+ * mismatch the one expected.
+ */
+ if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
+ return c->key;
+#endif
+
i = ssl_get_server_cert_index(s);
/* This may or may not be an error. */
alg_a = cipher->algorithm_auth;
c=s->cert;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+ /* Broken protocol test: use last key: which may
+ * mismatch the one expected.
+ */
+ if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
+ idx = c->key - c->pkeys;
+ else
+#endif
+
if ((alg_a & SSL_aDSS) &&
(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
idx = SSL_PKEY_DSA_SIGN;
return c->pkeys[i].authz;
}
+
+int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
+ size_t *serverinfo_length)
+ {
+ CERT *c = NULL;
+ int i = 0;
+ *serverinfo_length = 0;
+
+ c = s->cert;
+ i = ssl_get_server_cert_index(s);
+
+ if (i == -1)
+ return 0;
+ if (c->pkeys[i].serverinfo == NULL)
+ return 0;
+
+ *serverinfo = c->pkeys[i].serverinfo;
+ *serverinfo_length = c->pkeys[i].serverinfo_length;
+ return 1;
+ }
#endif
void ssl_update_cache(SSL *s,int mode)
projects / oweals / openssl.git / blobdiff