More stuff for new TLS ciphersuites.

apps/s_server.c

@@ -75,7 +75,7 @@
 #include "s_apps.h"
 
 #ifndef NOPROTO
-static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export);
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export,int keylength);
 static int sv_body(char *hostname, int s);
 static int www_body(char *hostname, int s);
 static void close_accept_socket(void );
@@ -1211,9 +1211,10 @@ err:
 	return(ret);
 	}
 
-static RSA MS_CALLBACK *tmp_rsa_cb(s,export)
+static RSA MS_CALLBACK *tmp_rsa_cb(s,export,keylength)
 SSL *s;
 int export;
+int keylength;
 	{
 	static RSA *rsa_tmp=NULL;
 
@@ -1221,11 +1222,11 @@ int export;
 		{
 		if (!s_quiet)
 			{
-			BIO_printf(bio_err,"Generating temp (512 bit) RSA key...");
+			BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
 			BIO_flush(bio_err);
 			}
 #ifndef NO_RSA
-		rsa_tmp=RSA_generate_key(512,RSA_F4,NULL,NULL);
+		rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL);
 #endif
 		if (!s_quiet)
 			{

ssl/s3_lib.c

@@ -752,15 +752,16 @@ STACK *have,*pref;
 	else
 		cert=s->ctx->default_cert;
 
-	ssl_set_cert_masks(cert);
-	mask=cert->mask;
-	emask=cert->export_mask;
-			
 	sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
 
 	for (i=0; i<sk_num(have); i++)
 		{
 		c=(SSL_CIPHER *)sk_value(have,i);
+
+		ssl_set_cert_masks(cert,c);
+		mask=cert->mask;
+		emask=cert->export_mask;
+			
 		alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
 		if (SSL_IS_EXPORT(alg))
 			{

ssl/s3_srvr.c

@@ -945,7 +945,8 @@ SSL *s;
 			if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
 				{
 				rsa=s->ctx->default_cert->rsa_tmp_cb(s,
-					!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher));
+				      !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
 				CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
 				cert->rsa_tmp=rsa;
 				}
@@ -967,7 +968,8 @@ SSL *s;
 			dhp=cert->dh_tmp;
 			if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
 				dhp=cert->dh_tmp_cb(s,
-					!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher));
+				      !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
 			if (dhp == NULL)
 				{
 				al=SSL_AD_HANDSHAKE_FAILURE;

ssl/ssl.h

@@ -1022,13 +1022,12 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void );
 #define SSL_CTX_set_read_ahead(ctx,m) \
 	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL)
 
-/* For the next 2, the callbacks are 
- * RSA *tmp_rsa_cb(SSL *ssl,int export)
- * DH *tmp_dh_cb(SSL *ssl,int export)
- */
+     /* NB: the keylength is only applicable when export is true */
 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
-				  RSA *(*cb)(SSL *ssl,int export));
-void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export));
+				  RSA *(*cb)(SSL *ssl,int export,
+					     int keylength));
+void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
+				 DH *(*dh)(SSL *ssl,int export,int keylength));
 
 #ifdef HEADER_COMP_H
 int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);

ssl/ssl_lib.c

@@ -1131,46 +1131,49 @@ int (*cb)();
 	X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
 	}
 
-void ssl_set_cert_masks(c)
+void ssl_set_cert_masks(c,cipher)
 CERT *c;
+SSL_CIPHER *cipher;
 	{
 	CERT_PKEY *cpk;
 	int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
 	int rsa_enc_export,dh_rsa_export,dh_dsa_export;
-	int rsa_tmp_export,dh_tmp_export;
+	int rsa_tmp_export,dh_tmp_export,kl;
 	unsigned long mask,emask;
 
 	if ((c == NULL) || (c->valid)) return;
 
+	kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
+
 #ifndef NO_RSA
-	rsa_tmp=((c->rsa_tmp != NULL) || (c->rsa_tmp_cb != NULL))?1:0;
-	rsa_tmp_export=((c->rsa_tmp_cb != NULL) ||
-		(rsa_tmp && (RSA_size(c->rsa_tmp)*8 <= 512)))?1:0;
+	rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
+	rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
+		(rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
 #else
 	rsa_tmp=rsa_tmp_export=0;
 #endif
 #ifndef NO_DH
-	dh_tmp=((c->dh_tmp != NULL) || (c->dh_tmp_cb != NULL))?1:0;
-	dh_tmp_export=((c->dh_tmp_cb != NULL) ||
-		(dh_tmp && (DH_size(c->dh_tmp)*8 <= 512)))?1:0;
+	dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
+	dh_tmp_export=(c->dh_tmp_cb != NULL ||
+		(dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
 #else
 	dh_tmp=dh_tmp_export=0;
 #endif
 
 	cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]);
-	rsa_enc= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
-	rsa_enc_export=(rsa_enc && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
+	rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL);
+	rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
 	cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]);
-	rsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
+	rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
 	cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]);
-	dsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
+	dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL);
 	cpk= &(c->pkeys[SSL_PKEY_DH_RSA]);
-	dh_rsa=  ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
-	dh_rsa_export=(dh_rsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
+	dh_rsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+	dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
 	cpk= &(c->pkeys[SSL_PKEY_DH_DSA]);
 /* FIX THIS EAY EAY EAY */
-	dh_dsa=  ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0;
-	dh_dsa_export=(dh_dsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0;
+	dh_dsa=  (cpk->x509 != NULL && cpk->privatekey != NULL);
+	dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
 
 	mask=0;
 	emask=0;
@@ -1236,13 +1239,13 @@ SSL *s;
 	{
 	unsigned long alg,mask,kalg;
 	CERT *c;
-	int i,_export;
+	int i,export;
 
 	c=s->cert;
-	ssl_set_cert_masks(c);
+	ssl_set_cert_masks(c,s->s3->tmp.new_cipher);
 	alg=s->s3->tmp.new_cipher->algorithms;
-	_export=SSL_IS_EXPORT(alg);
-	mask=_export?c->export_mask:c->mask;
+	export=SSL_IS_EXPORT(alg);
+	mask=export?c->export_mask:c->mask;
 	kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
 
 	if 	(kalg & SSL_kDHr)
@@ -1888,10 +1891,12 @@ SSL *s;
 	return(s->rwstate);
 	}
 
-void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export))
+void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export,
+							  int keylength))
     { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); }
 
-void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export))
+void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export,
+							int keylength))
     { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh); }
 
 #if defined(_WINDLL) && defined(WIN16)

ssl/ssl_locl.h

@@ -275,8 +275,8 @@ typedef struct cert_st
 
 	RSA *rsa_tmp;
 	DH *dh_tmp;
-	RSA *(*rsa_tmp_cb)();
-	DH *(*dh_tmp_cb)();
+	RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize);
+	DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize);
 	CERT_PKEY pkeys[SSL_PKEY_NUM];
 
 	STACK *cert_chain;
@@ -366,7 +366,7 @@ int ssl_undefined_function(SSL *s);
 X509 *ssl_get_server_send_cert(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
-void ssl_set_cert_masks(CERT *c);
+void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher);
 STACK *ssl_get_ciphers_by_id(SSL *s);
 int ssl_verify_alarm_type(long type);
 

ssl/ssltest.c

@@ -75,7 +75,7 @@
 
 #ifndef NOPROTO
 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
-static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export);
+static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export,int keylength);
 #ifndef NO_DSA
 static DH *get_dh512(void);
 #endif
@@ -730,18 +730,19 @@ static DH *get_dh512()
 	}
 #endif
 
-static RSA MS_CALLBACK *tmp_rsa_cb(s,export)
+static RSA MS_CALLBACK *tmp_rsa_cb(s,export,keylength)
 SSL *s;
 int export;
+int keylength;
 	{
 	static RSA *rsa_tmp=NULL;
 
 	if (rsa_tmp == NULL)
 		{
-		BIO_printf(bio_err,"Generating temp (512 bit) RSA key...");
+		BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
 		BIO_flush(bio_err);
 #ifndef NO_RSA
-		rsa_tmp=RSA_generate_key(512,RSA_F4,NULL,NULL);
+		rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL);
 #endif
 		BIO_printf(bio_err,"\n");
 		BIO_flush(bio_err);