Add SSL_get_client_certificate_types.

openssl/ssl/ssl_cert.c

Index: openssl/ssl/ssl_cert.c
diff --git a/openssl/ssl/ssl_cert.c b/openssl/ssl/ssl_cert.c
index 5123a89182e590267edcb5b382ab5a767128fb85..e32153167f94ecb22bf7f1eb7e1d60d70b29fbf7 100644
--- a/openssl/ssl/ssl_cert.c
+++ b/openssl/ssl/ssl_cert.c
@@ -660,6 +660,22 @@ static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
 	return(X509_NAME_cmp(*a,*b));
 	}
 
+void SSL_get_client_certificate_types(SSL *s, char **ctype, size_t *ctype_num)
+	{
+	/* Nothing to return for the server or SSL2. */
+	if (s->server ||
+		(s->version < SSL3_VERSION && s->version != DTLS1_BAD_VER) ||
+		s->s3 == NULL)

[wtc, 2014/04/25 17:59:59]

I would match the code in SSL_get_client_CA_list:

        if (s->type == SSL_ST_CONNECT)
                { /* we are in the client */
                if (((s->version>>8) == SSL3_VERSION_MAJOR) &&
                        (s->s3 != NULL))
                        {
                        *ctype = s->s3->tmp.ctype;
                        *ctype_num = s->s3->tmp.ctype_num;
                        }
                else
                        {
                        *ctype = NULL;
                        *ctype_num = 0;
                        }
                }
        else
                {
                /* TODO: implement this on the server side. */
                *ctype = NULL;
                *ctype_num = 0;
                }

[davidben, 2014/05/02 22:42:02]

There's not really anything to implement on the server's end. The server
implementation just outputs the types it knows about and are compatible with the
cipher suite chosen. The library user doesn't get to set it right now.

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/openss...

Otherwise, yeah, that's what the original version of the patch was. :-)

I've changed it to just check s->s3. I think that's much simpler and the
structure is initialized to 0 anyway, so ctype_num will be 0.

[wtc, 2014/05/06 17:10:08]

I see. The function prototype of SSL_get_client_certificate_types makes it hard
to implement on the server side because we can't return a pointer that points to
an array inside the |s| structure. We will need to change
SSL_get_client_certificate_types to copy the results to an output buffer.

[davidben, 2014/05/06 21:54:01]

Oh, yeah, we could do that and just call the function here. I'm not sure when
you'd need to do that as a server though. In the client CA case, the library
user configures it. In the certificate_types case, OpenSSL doesn't let the
library user change it anyway.

[wtc, 2014/05/06 23:49:45]

I agree SSL_get_client_certificate_types doesn't seem as useful as
SSL_get_client_CA_list on the server side because the library user can't
configure the certificate types.

+		{
+		*ctype = NULL;
+		*ctype_num = 0;
+		return;
+		}
+
+	*ctype = s->s3->tmp.ctype;
+	*ctype_num = s->s3->tmp.ctype_num;
+	}
+
 #ifndef OPENSSL_NO_STDIO
 /*!
  * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;