Add a SSL_get_pending_cipher API.
Conscrypt needs to, in the certificate verification callback, know the key
exchange + auth method of the current cipher suite to pass into
X509TrustManager.checkServerTrusted. Currently it reaches into the struct to
get it. Add an API for this.
Change-Id: Ib4e0a1fbf1d9ea24e0114f760b7524e1f7bafe33
Reviewed-on: https://boringssl-review.googlesource.com/6881
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index af1f7b8..f261219 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2880,6 +2880,10 @@
OPENSSL_EXPORT size_t SSL_get_server_random(const SSL *ssl, uint8_t *out,
size_t max_out);
+/* SSL_get_pending_cipher returns the cipher suite for the current handshake or
+ * NULL if one has not been negotiated yet or there is no pending handshake. */
+OPENSSL_EXPORT const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl);
+
/* Deprecated functions. */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 483e386..5946fc2 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2572,6 +2572,13 @@
return max_out;
}
+const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) {
+ if (!SSL_in_init(ssl)) {
+ return NULL;
+ }
+ return ssl->s3->tmp.new_cipher;
+}
+
int SSL_clear(SSL *ssl) {
if (ssl->method == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_METHOD_SPECIFIED);
