New function ssl_set_client_disabled to set masks for any ciphersuites

 Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]

 Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]

  *) New function ssl_set_client_disabled to set a ciphersuite disabled

     mask based on the current session, check mask when sending client

     hello and checking the requested ciphersuite.

     [Steve Henson]

  *) New ctrls to retrieve and set certificate types in a certificate

  *) New ctrls to retrieve and set certificate types in a certificate

     request message. Print out received values in s_client. If certificate

     request message. Print out received values in s_client. If certificate

     types is not set with custom values set sensible values based on

     types is not set with custom values set sensible values based on

	{

	{

	STACK_OF(SSL_CIPHER) *sk;

	STACK_OF(SSL_CIPHER) *sk;

	const SSL_CIPHER *c;

	const SSL_CIPHER *c;

	CERT *ct = s->cert;

	unsigned char *p,*d;

	unsigned char *p,*d;

	int i,al=SSL_AD_INTERNAL_ERROR,ok;

	int i,al=SSL_AD_INTERNAL_ERROR,ok;

	unsigned int j;

	unsigned int j;

		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);

		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);

		goto f_err;

		goto f_err;

		}

		}

	/* TLS v1.2 only ciphersuites require v1.2 or later */

	/* If it is a disabled cipher we didn't send it in client hello,

	if ((c->algorithm_ssl & SSL_TLSV1_2) && 

	 * so return an error.

		(TLS1_get_version(s) < TLS1_2_VERSION))

	 */

	if (c->algorithm_ssl & ct->mask_ssl ||

		c->algorithm_mkey & ct->mask_k ||

		c->algorithm_auth & ct->mask_a)

		{

		{

		al=SSL_AD_ILLEGAL_PARAMETER;

		al=SSL_AD_ILLEGAL_PARAMETER;

		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);

		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);

		if (TLS1_get_version(s) >= TLS1_2_VERSION)

		if (TLS1_get_version(s) >= TLS1_2_VERSION)

			{

			{

			nl = tls12_get_sig_algs(s, p + 2);

			const unsigned char *psigs;

			nl = tls12_get_psigalgs(s, &psigs);

			s2n(nl, p);

			s2n(nl, p);

			p += nl + 2;

			memcpy(p, psigs, nl);

			p += nl;

			n += nl + 2;

			n += nl + 2;

			}

			}

	{

	{

	int i,j=0;

	int i,j=0;

	SSL_CIPHER *c;

	SSL_CIPHER *c;

	CERT *ct = s->cert;

	unsigned char *q;

	unsigned char *q;

#ifndef OPENSSL_NO_KRB5

	/* Set disabled masks for this session */

	int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);

	ssl_set_client_disabled(s);

#endif /* OPENSSL_NO_KRB5 */

	if (sk == NULL) return(0);

	if (sk == NULL) return(0);

	q=p;

	q=p;

	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)

	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)

		{

		{

		c=sk_SSL_CIPHER_value(sk,i);

		c=sk_SSL_CIPHER_value(sk,i);

		/* Skip TLS v1.2 only ciphersuites if lower than v1.2 */

		/* Skip disabled ciphers */

		if ((c->algorithm_ssl & SSL_TLSV1_2) && 

		if (c->algorithm_ssl & ct->mask_ssl ||

			(TLS1_get_client_version(s) < TLS1_2_VERSION))

			c->algorithm_mkey & ct->mask_k ||

			continue;

			c->algorithm_auth & ct->mask_a)

#ifndef OPENSSL_NO_KRB5

		if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&

		    nokrb5)

		    continue;

#endif /* OPENSSL_NO_KRB5 */

#ifndef OPENSSL_NO_PSK

		/* with PSK there must be client callback set */

		if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) &&

		    s->psk_client_callback == NULL)

			continue;

			continue;

#endif /* OPENSSL_NO_PSK */

		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);

		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);

		p+=j;

		p+=j;

		}

		}

			 * Probably it would make more sense to store

			 * Probably it would make more sense to store

			 * an index, not a pointer. */

			 * an index, not a pointer. */

	/* The following masks are for the key and auth

	/* For servers the following masks are for the key and auth

	 * algorithms that are supported by the certs below */

	 * algorithms that are supported by the certs below.

	 * For clients they are masks of *disabled* algorithms based

	 * on the current session.

	 */

	int valid;

	int valid;

	unsigned long mask_k;

	unsigned long mask_k;

	unsigned long mask_a;

	unsigned long mask_a;

	unsigned long export_mask_k;

	unsigned long export_mask_k;

	unsigned long export_mask_a;

	unsigned long export_mask_a;

	/* Client only */

	unsigned long mask_ssl;

#ifndef OPENSSL_NO_RSA

#ifndef OPENSSL_NO_RSA

	RSA *rsa_tmp;

	RSA *rsa_tmp;

	RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);

	RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);

					  int *al);

					  int *al);

long ssl_get_algorithm2(SSL *s);

long ssl_get_algorithm2(SSL *s);

int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);

int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);

size_t tls12_get_sig_algs(SSL *s, unsigned char *p);

size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);

void ssl_set_client_disabled(SSL *s);

int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);

int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);

int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);

int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);