/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
if (c == NULL)
return;
-
CRYPTO_DOWN_REF(&c->references, &i, c->lock);
REF_PRINT_COUNT("CERT", c);
if (i > 0)
return 1;
}
-int SSL_add1_CA_list(SSL *ssl, const X509 *x)
+int SSL_add1_to_CA_list(SSL *ssl, const X509 *x)
{
return add_ca_name(&ssl->ca_names, x);
}
-int SSL_CTX_add1_CA_list(SSL_CTX *ctx, const X509 *x)
+int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x)
{
return add_ca_name(&ctx->ca_names, x);
}
+/*
+ * The following two are older names are to be replaced with
+ * SSL(_CTX)_add1_to_CA_list
+ */
int SSL_add_client_CA(SSL *ssl, X509 *x)
{
return add_ca_name(&ssl->ca_names, x);
return add_ca_name(&ctx->ca_names, x);
}
-static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
+static int xname_cmp(const X509_NAME *a, const X509_NAME *b)
{
- return X509_NAME_cmp(*a, *b);
+ unsigned char *abuf = NULL, *bbuf = NULL;
+ int alen, blen, ret;
+
+ /* X509_NAME_cmp() itself casts away constness in this way, so
+ * assume it's safe:
+ */
+ alen = i2d_X509_NAME((X509_NAME *)a, &abuf);
+ blen = i2d_X509_NAME((X509_NAME *)b, &bbuf);
+
+ if (alen < 0 || blen < 0)
+ ret = -2;
+ else if (alen != blen)
+ ret = alen - blen;
+ else /* alen == blen */
+ ret = memcmp(abuf, bbuf, alen);
+
+ OPENSSL_free(abuf);
+ OPENSSL_free(bbuf);
+
+ return ret;
}
-static int xname_cmp(const X509_NAME *a, const X509_NAME *b)
+static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
{
- return X509_NAME_cmp(a, b);
+ return xname_cmp(*a, *b);
}
static unsigned long xname_hash(const X509_NAME *a)
if (level >= 2 && c->algorithm_enc == SSL_RC4)
return 0;
/* Level 3: forward secure ciphersuites only */
- if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+ if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
+ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
return 0;
break;
}
ctx->cert->sec_ex);
}
-const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx)
+int ssl_cert_lookup_by_nid(int nid, size_t *pidx)
{
- int nid = EVP_PKEY_id(pk);
size_t i;
- if (nid == NID_undef)
- return NULL;
-
for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) {
if (ssl_cert_info[i].nid == nid) {
- if (pidx != NULL)
- *pidx = i;
- return &ssl_cert_info[i];
+ *pidx = i;
+ return 1;
}
}
- return NULL;
+
+ return 0;
+}
+
+const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx)
+{
+ int nid = EVP_PKEY_id(pk);
+ size_t tmpidx;
+
+ if (nid == NID_undef)
+ return NULL;
+
+ if (!ssl_cert_lookup_by_nid(nid, &tmpidx))
+ return NULL;
+
+ if (pidx != NULL)
+ *pidx = tmpidx;
+
+ return &ssl_cert_info[tmpidx];
}
const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx)