Update copyright year

[openssl.git] / ssl / ssl_cert.c

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 82028ec5b76d0e6c2794475c51fe3f2c86d03454..e8c11eabc36394659b287d27f2132cb2bedbe404 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -212,7 +212,7 @@ void ssl_cert_clear_certs(CERT *c)
         cpk->x509 = NULL;
         EVP_PKEY_free(cpk->privatekey);
         cpk->privatekey = NULL;
-        sk_X509_pop_free(cpk->chain, X509_free);
+        OSSL_STACK_OF_X509_free(cpk->chain);
         cpk->chain = NULL;
         OPENSSL_free(cpk->serverinfo);
         cpk->serverinfo = NULL;
@@ -264,7 +264,7 @@ int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
             return 0;
         }
     }
-    sk_X509_pop_free(cpk->chain, X509_free);
+    OSSL_STACK_OF_X509_free(cpk->chain);
     cpk->chain = chain;
     return 1;
 }
@@ -278,7 +278,7 @@ int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
     if (!dchain)
         return 0;
     if (!ssl_cert_set0_chain(s, ctx, dchain)) {
-        sk_X509_pop_free(dchain, X509_free);
+        OSSL_STACK_OF_X509_free(dchain);
         return 0;
     }
     return 1;
@@ -440,7 +440,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
     }
 
     s->verify_result = X509_STORE_CTX_get_error(ctx);
-    sk_X509_pop_free(s->verified_chain, X509_free);
+    OSSL_STACK_OF_X509_free(s->verified_chain);
     s->verified_chain = NULL;
     if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
         s->verified_chain = X509_STORE_CTX_get1_chain(ctx);
@@ -940,12 +940,12 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
         rv = ssl_security_cert(s, ctx, x, 0, 0);
         if (rv != 1) {
             ERR_raise(ERR_LIB_SSL, rv);
-            sk_X509_pop_free(chain, X509_free);
+            OSSL_STACK_OF_X509_free(chain);
             rv = 0;
             goto err;
         }
     }
-    sk_X509_pop_free(cpk->chain, X509_free);
+    OSSL_STACK_OF_X509_free(cpk->chain);
     cpk->chain = chain;
     if (rv == 0)
         rv = 1;
@@ -971,6 +971,12 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
     return 1;
 }
 
+int ssl_cert_get_cert_store(CERT *c, X509_STORE **pstore, int chain)
+{
+    *pstore = (chain ? c->chain_store : c->verify_store);
+    return 1;
+}
+
 int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
 {
     int level;
@@ -1001,7 +1007,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
                                          int op, int bits, int nid, void *other,
                                          void *ex)
 {
-    int level, minbits;
+    int level, minbits, pfs_mask;
 
     minbits = ssl_get_security_level_bits(s, ctx, &level);
 
@@ -1033,8 +1039,9 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
             if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
                 return 0;
             /* Level 3: forward secure ciphersuites only */
+            pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;
             if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
-                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+                               !(c->algorithm_mkey & pfs_mask))
                 return 0;
             break;
         }