X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=555a630b1ba8da6e316c2e2ed5b6111c37135e8b;hb=da8512aaffe3580e3701198ef9eba2471c5edbc2;hp=dd7012b00f1ed278f3aff18225d6246b986e962d;hpb=6b870763ac55ce1c748e68293e8169aa61cb4eb2;p=oweals%2Fopenssl.git diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index dd7012b00f..555a630b1b 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2069,7 +2069,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #endif #ifndef OPENSSL_NO_ECDH - have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL); + have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto); #endif cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); @@ -2320,15 +2320,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) #endif /* THIS NEEDS CLEANING UP */ -CERT_PKEY *ssl_get_server_send_pkey(SSL *s) +static int ssl_get_server_cert_index(const SSL *s) { - unsigned long alg_k,alg_a; - CERT *c; - int i; + unsigned long alg_k, alg_a; - c=s->cert; - ssl_set_cert_masks(c, s->s3->tmp.new_cipher); - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_a = s->s3->tmp.new_cipher->algorithm_auth; @@ -2345,42 +2340,53 @@ CERT_PKEY *ssl_get_server_send_pkey(SSL *s) * checks for SSL_kECDH before RSA * checks ensures the correct cert is chosen. */ - i=SSL_PKEY_ECC; + return SSL_PKEY_ECC; } else if (alg_a & SSL_aECDSA) - { - i=SSL_PKEY_ECC; - } + return SSL_PKEY_ECC; else if (alg_k & SSL_kDHr) - i=SSL_PKEY_DH_RSA; + return SSL_PKEY_DH_RSA; else if (alg_k & SSL_kDHd) - i=SSL_PKEY_DH_DSA; + return SSL_PKEY_DH_DSA; else if (alg_a & SSL_aDSS) - i=SSL_PKEY_DSA_SIGN; + return SSL_PKEY_DSA_SIGN; else if (alg_a & SSL_aRSA) { - if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) - i=SSL_PKEY_RSA_SIGN; + if (s->cert->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) + return SSL_PKEY_RSA_SIGN; else - i=SSL_PKEY_RSA_ENC; + return SSL_PKEY_RSA_ENC; } else if (alg_a & SSL_aKRB5) - { /* VRS something else here? */ - return(NULL); - } + return -1; else if (alg_a & SSL_aGOST94) - i=SSL_PKEY_GOST94; + return SSL_PKEY_GOST94; else if (alg_a & SSL_aGOST01) - i=SSL_PKEY_GOST01; + return SSL_PKEY_GOST01; else /* if (alg_a & SSL_aNULL) */ { - SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); - return(NULL); + SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX,ERR_R_INTERNAL_ERROR); + return -1; } - if (c->pkeys[i].x509 == NULL) return(NULL); + } + +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) + { + CERT *c; + int i; + + c = s->cert; + ssl_set_cert_masks(c, s->s3->tmp.new_cipher); - return(&c->pkeys[i]); + i = ssl_get_server_cert_index(s); + + /* This may or may not be an error. */ + if (i < 0) + return NULL; + + /* May be NULL. */ + return &c->pkeys[i]; } EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) @@ -2415,6 +2421,27 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) return c->pkeys[idx].privatekey; } +#ifndef OPENSSL_NO_TLSEXT +unsigned char *ssl_get_authz_data(SSL *s, size_t *authz_length) + { + CERT *c; + int i; + + c = s->cert; + i = ssl_get_server_cert_index(s); + + if (i == -1) + return NULL; + + *authz_length = 0; + if (c->pkeys[i].authz == NULL) + return(NULL); + *authz_length = c->pkeys[i].authz_length; + + return c->pkeys[i].authz; + } +#endif + void ssl_update_cache(SSL *s,int mode) { int i; @@ -2641,7 +2668,7 @@ const char *SSL_get_version(const SSL *s) return("TLSv1.2"); else if (s->version == TLS1_1_VERSION) return("TLSv1.1"); - if (s->version == TLS1_VERSION) + else if (s->version == TLS1_VERSION) return("TLSv1"); else if (s->version == SSL3_VERSION) return("SSLv3"); @@ -2813,6 +2840,14 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { + if (s->server) + { + CERT_PKEY *certpkey; + certpkey = ssl_get_server_send_pkey(s); + if (certpkey && certpkey->x509) + return certpkey->x509; + } + if (s->cert != NULL) return(s->cert->key->x509); else