Rename X.509 members in |SSL_SESSION| and |CERT|. This change renames |peer| to |x509_peer| and |cert_chain| to |x509_chain| in |SSL_SESSION|. It also renames |x509| to |x509_leaf| and |chain| to |x509_chain| in |CERT|. (All with an eye to maybe making them lazily initialised in the future). This a) catches anyone who might be accessing these members directly and b) makes space for |CRYPTO_BUFFER|-based values to take the unprefixed names. Change-Id: I10573304fb7d6f1ea03f9e645f7fc0acdaf71ac2 Reviewed-on: https://boringssl-review.googlesource.com/12162 Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 1b0633e..cc63d6f 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -3675,13 +3675,13 @@ uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; char *psk_identity; - /* peer is the peer's certificate. */ - X509 *peer; + /* x509_peer is the peer's certificate. */ + X509 *x509_peer; - /* cert_chain is the certificate chain sent by the peer. NOTE: for historical + /* x509_chain is the certificate chain sent by the peer. NOTE: for historical * reasons, when a client (so the peer is a server), the chain includes * |peer|, but when a server it does not. */ - STACK_OF(X509) *cert_chain; + STACK_OF(X509) *x509_chain; /* verify_result is the result of certificate verification in the case of * non-fatal certificate errors. */
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c index 311e9fd..64d3941 100644 --- a/ssl/handshake_client.c +++ b/ssl/handshake_client.c
@@ -1049,14 +1049,14 @@ goto err; } - /* NOTE: Unlike the server half, the client's copy of |cert_chain| includes + /* NOTE: Unlike the server half, the client's copy of |x509_chain| includes * the leaf. */ - sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); - ssl->s3->new_session->cert_chain = chain; + sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); + ssl->s3->new_session->x509_chain = chain; - X509_free(ssl->s3->new_session->peer); + X509_free(ssl->s3->new_session->x509_peer); X509_up_ref(leaf); - ssl->s3->new_session->peer = leaf; + ssl->s3->new_session->x509_peer = leaf; return 1; @@ -1108,7 +1108,7 @@ static int ssl3_verify_server_cert(SSL *ssl) { if (!ssl_verify_cert_chain(ssl, &ssl->s3->new_session->verify_result, - ssl->s3->new_session->cert_chain)) { + ssl->s3->new_session->x509_chain)) { return -1; } @@ -1282,7 +1282,7 @@ /* ServerKeyExchange should be signed by the server's public key. */ if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { - pkey = X509_get_pubkey(ssl->s3->new_session->peer); + pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer); if (pkey == NULL) { goto err; } @@ -1570,7 +1570,7 @@ goto err; } - EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->peer); + EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer); if (pkey == NULL) { goto err; }
diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c index 117be78..f0469d4 100644 --- a/ssl/handshake_server.c +++ b/ssl/handshake_server.c
@@ -482,10 +482,10 @@ * now. */ if (ssl->s3->new_session != NULL && ssl->ctx->retain_only_sha256_of_client_certs) { - X509_free(ssl->s3->new_session->peer); - ssl->s3->new_session->peer = NULL; - sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); - ssl->s3->new_session->cert_chain = NULL; + X509_free(ssl->s3->new_session->x509_peer); + ssl->s3->new_session->x509_peer = NULL; + sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); + ssl->s3->new_session->x509_chain = NULL; } SSL_SESSION_free(ssl->s3->established_session); @@ -1380,12 +1380,12 @@ } } - X509_free(ssl->s3->new_session->peer); - ssl->s3->new_session->peer = sk_X509_shift(chain); + X509_free(ssl->s3->new_session->x509_peer); + ssl->s3->new_session->x509_peer = sk_X509_shift(chain); - sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); - ssl->s3->new_session->cert_chain = chain; - /* Inconsistency alert: cert_chain does *not* include the peer's own + sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); + ssl->s3->new_session->x509_chain = chain; + /* Inconsistency alert: x509_chain does *not* include the peer's own * certificate, while we do include it in s3_clnt.c */ return 1; @@ -1667,7 +1667,7 @@ static int ssl3_get_cert_verify(SSL *ssl) { int al, ret = 0; CBS certificate_verify, signature; - X509 *peer = ssl->s3->new_session->peer; + X509 *peer = ssl->s3->new_session->x509_peer; EVP_PKEY *pkey = NULL; /* Only RSA and ECDSA client certificates are supported, so a
diff --git a/ssl/internal.h b/ssl/internal.h index 7badc5b..6b57971 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -1171,10 +1171,9 @@ }; typedef struct cert_st { - X509 *x509; EVP_PKEY *privatekey; - /* Chain for this certificate */ - STACK_OF(X509) *chain; + X509 *x509_leaf; + STACK_OF(X509) *x509_chain; /* key_method, if non-NULL, is a set of callbacks to call for private key * operations. */
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 7fa63d9..c1d931f 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c
@@ -220,12 +220,12 @@ /* The peer certificate is only serialized if the SHA-256 isn't * serialized instead. */ - if (in->peer && !in->peer_sha256_valid) { + if (in->x509_peer && !in->peer_sha256_valid) { if (!CBB_add_asn1(&session, &child, kPeerTag)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } - if (!ssl_add_cert_to_cbb(&child, in->peer)) { + if (!ssl_add_cert_to_cbb(&child, in->x509_peer)) { goto err; } } @@ -340,13 +340,13 @@ /* The certificate chain is only serialized if the leaf's SHA-256 isn't * serialized instead. */ - if (in->cert_chain != NULL && !in->peer_sha256_valid) { + if (in->x509_chain != NULL && !in->peer_sha256_valid) { if (!CBB_add_asn1(&session, &child, kCertChainTag)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } - for (size_t i = 0; i < sk_X509_num(in->cert_chain); i++) { - if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->cert_chain, i))) { + for (size_t i = 0; i < sk_X509_num(in->x509_chain); i++) { + if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->x509_chain, i))) { goto err; } } @@ -590,11 +590,11 @@ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } - X509_free(ret->peer); - ret->peer = NULL; + X509_free(ret->x509_peer); + ret->x509_peer = NULL; if (has_peer) { - ret->peer = parse_x509(&peer); - if (ret->peer == NULL) { + ret->x509_peer = parse_x509(&peer); + if (ret->x509_peer == NULL) { goto err; } if (CBS_len(&peer) != 0) { @@ -670,11 +670,11 @@ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } - sk_X509_pop_free(ret->cert_chain, X509_free); - ret->cert_chain = NULL; + sk_X509_pop_free(ret->x509_chain, X509_free); + ret->x509_chain = NULL; if (has_cert_chain) { - ret->cert_chain = sk_X509_new_null(); - if (ret->cert_chain == NULL) { + ret->x509_chain = sk_X509_new_null(); + if (ret->x509_chain == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } @@ -683,7 +683,7 @@ if (x509 == NULL) { goto err; } - if (!sk_X509_push(ret->cert_chain, x509)) { + if (!sk_X509_push(ret->x509_chain, x509)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); X509_free(x509); goto err;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 55b464f..c3809ef 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c
@@ -158,9 +158,9 @@ } memset(ret, 0, sizeof(CERT)); - if (cert->x509 != NULL) { - X509_up_ref(cert->x509); - ret->x509 = cert->x509; + if (cert->x509_leaf != NULL) { + X509_up_ref(cert->x509_leaf); + ret->x509_leaf = cert->x509_leaf; } if (cert->privatekey != NULL) { @@ -168,9 +168,9 @@ ret->privatekey = cert->privatekey; } - if (cert->chain) { - ret->chain = X509_chain_up_ref(cert->chain); - if (!ret->chain) { + if (cert->x509_chain) { + ret->x509_chain = X509_chain_up_ref(cert->x509_chain); + if (!ret->x509_chain) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } @@ -220,12 +220,12 @@ return; } - X509_free(cert->x509); - cert->x509 = NULL; + X509_free(cert->x509_leaf); + cert->x509_leaf = NULL; EVP_PKEY_free(cert->privatekey); cert->privatekey = NULL; - sk_X509_pop_free(cert->chain, X509_free); - cert->chain = NULL; + sk_X509_pop_free(cert->x509_chain, X509_free); + cert->x509_chain = NULL; cert->key_method = NULL; } @@ -244,8 +244,8 @@ } int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) { - sk_X509_pop_free(cert->chain, X509_free); - cert->chain = chain; + sk_X509_pop_free(cert->x509_chain, X509_free); + cert->x509_chain = chain; return 1; } @@ -269,10 +269,10 @@ } int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) { - if (cert->chain == NULL) { - cert->chain = sk_X509_new_null(); + if (cert->x509_chain == NULL) { + cert->x509_chain = sk_X509_new_null(); } - if (cert->chain == NULL || !sk_X509_push(cert->chain, x509)) { + if (cert->x509_chain == NULL || !sk_X509_push(cert->x509_chain, x509)) { return 0; } @@ -443,7 +443,7 @@ } int ssl_has_certificate(const SSL *ssl) { - return ssl->cert->x509 != NULL && ssl_has_private_key(ssl); + return ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl); } STACK_OF(X509) *ssl_parse_cert_chain(SSL *ssl, uint8_t *out_alert, @@ -528,7 +528,7 @@ } CERT *cert = ssl->cert; - X509 *x = cert->x509; + X509 *x = cert->x509_leaf; CBB child; if (!CBB_add_u24_length_prefixed(cbb, &child)) { @@ -537,7 +537,7 @@ } int no_chain = 0; - STACK_OF(X509) *chain = cert->chain; + STACK_OF(X509) *chain = cert->x509_chain; if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) { no_chain = 1; } @@ -763,7 +763,7 @@ } int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) { - *out_chain = ctx->cert->chain; + *out_chain = ctx->cert->x509_chain; return 1; } @@ -773,7 +773,7 @@ } int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) { - *out_chain = ssl->cert->chain; + *out_chain = ssl->cert->x509_chain; return 1; }
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 22baed0..d8270f3 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c
@@ -1048,11 +1048,11 @@ return NULL; } SSL_SESSION *session = SSL_get_session(ssl); - if (session == NULL || session->peer == NULL) { + if (session == NULL || session->x509_peer == NULL) { return NULL; } - X509_up_ref(session->peer); - return session->peer; + X509_up_ref(session->x509_peer); + return session->x509_peer; } STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) { @@ -1063,7 +1063,7 @@ if (session == NULL) { return NULL; } - return session->cert_chain; + return session->x509_chain; } int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, @@ -1336,32 +1336,34 @@ /* Fix this so it checks all the valid key/cert options */ int SSL_CTX_check_private_key(const SSL_CTX *ctx) { - if (ctx->cert->x509 == NULL) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); - return 0; - } - if (ctx->cert->privatekey == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); return 0; } - return X509_check_private_key(ctx->cert->x509, ctx->cert->privatekey); -} - -/* Fix this function so that it takes an optional type parameter */ -int SSL_check_private_key(const SSL *ssl) { - if (ssl->cert->x509 == NULL) { + X509 *x509 = ctx->cert->x509_leaf; + if (x509 == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); return 0; } + return X509_check_private_key(x509, ctx->cert->privatekey); +} + +/* Fix this function so that it takes an optional type parameter */ +int SSL_check_private_key(const SSL *ssl) { if (ssl->cert->privatekey == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); return 0; } - return X509_check_private_key(ssl->cert->x509, ssl->cert->privatekey); + X509 *x509 = ssl->cert->x509_leaf; + if (x509 == NULL) { + OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); + return 0; + } + + return X509_check_private_key(x509, ssl->cert->privatekey); } long SSL_get_default_timeout(const SSL *ssl) { @@ -2030,7 +2032,7 @@ uint32_t mask_k = 0; uint32_t mask_a = 0; - if (ssl->cert->x509 != NULL && ssl_has_private_key(ssl)) { + if (ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl)) { int type = ssl_private_key_type(ssl); if (type == NID_rsaEncryption) { mask_k |= SSL_kRSA; @@ -2151,7 +2153,7 @@ X509 *SSL_get_certificate(const SSL *ssl) { if (ssl->cert != NULL) { - return ssl->cert->x509; + return ssl->cert->x509_leaf; } return NULL; @@ -2167,7 +2169,7 @@ X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) { if (ctx->cert != NULL) { - return ctx->cert->x509; + return ctx->cert->x509_leaf; } return NULL;
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 29e5f19..e984012 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c
@@ -134,13 +134,14 @@ return 0; } - if (c->x509 != NULL) { + X509 *x509_leaf = c->x509_leaf; + if (x509_leaf != NULL) { /* Sanity-check that the private key and the certificate match, unless the * key is opaque (in case of, say, a smartcard). */ if (!EVP_PKEY_is_opaque(pkey) && - !X509_check_private_key(c->x509, pkey)) { - X509_free(c->x509); - c->x509 = NULL; + !X509_check_private_key(x509_leaf, pkey)) { + X509_free(c->x509_leaf); + c->x509_leaf = NULL; return 0; } } @@ -248,9 +249,9 @@ EVP_PKEY_free(pkey); - X509_free(c->x509); + X509_free(c->x509_leaf); X509_up_ref(x); - c->x509 = x; + c->x509_leaf = x; return 1; }
diff --git a/ssl/ssl_session.c b/ssl/ssl_session.c index 2c074b7..585d051 100644 --- a/ssl/ssl_session.c +++ b/ssl/ssl_session.c
@@ -199,13 +199,13 @@ goto err; } } - if (session->peer != NULL) { - X509_up_ref(session->peer); - new_session->peer = session->peer; + if (session->x509_peer != NULL) { + X509_up_ref(session->x509_peer); + new_session->x509_peer = session->x509_peer; } - if (session->cert_chain != NULL) { - new_session->cert_chain = X509_chain_up_ref(session->cert_chain); - if (new_session->cert_chain == NULL) { + if (session->x509_chain != NULL) { + new_session->x509_chain = X509_chain_up_ref(session->x509_chain); + if (new_session->x509_chain == NULL) { goto err; } } @@ -325,8 +325,8 @@ OPENSSL_cleanse(session->master_key, sizeof(session->master_key)); OPENSSL_cleanse(session->session_id, sizeof(session->session_id)); - X509_free(session->peer); - sk_X509_pop_free(session->cert_chain, X509_free); + X509_free(session->x509_peer); + sk_X509_pop_free(session->x509_chain, X509_free); OPENSSL_free(session->tlsext_hostname); OPENSSL_free(session->tlsext_tick); OPENSSL_free(session->tlsext_signed_cert_timestamp_list); @@ -357,7 +357,7 @@ } X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) { - return session->peer; + return session->x509_peer; } size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,
diff --git a/ssl/tls13_both.c b/ssl/tls13_both.c index c8681a7..75be849 100644 --- a/ssl/tls13_both.c +++ b/ssl/tls13_both.c
@@ -214,13 +214,13 @@ goto err; } - X509_free(ssl->s3->new_session->peer); + X509_free(ssl->s3->new_session->x509_peer); X509 *leaf = sk_X509_value(chain, 0); X509_up_ref(leaf); - ssl->s3->new_session->peer = leaf; + ssl->s3->new_session->x509_peer = leaf; - sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); - ssl->s3->new_session->cert_chain = chain; + sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); + ssl->s3->new_session->x509_chain = chain; chain = NULL; ret = 1; @@ -232,7 +232,7 @@ int tls13_process_certificate_verify(SSL *ssl) { int ret = 0; - X509 *peer = ssl->s3->new_session->peer; + X509 *peer = ssl->s3->new_session->x509_peer; EVP_PKEY *pkey = NULL; uint8_t *msg = NULL; size_t msg_len;
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c index 2b82401..49f8c00 100644 --- a/ssl/tls13_server.c +++ b/ssl/tls13_server.c
@@ -542,8 +542,8 @@ /* For historical reasons, the server's copy of the chain does not include the * leaf while the client's does. */ - if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) { - X509_free(sk_X509_shift(ssl->s3->new_session->cert_chain)); + if (sk_X509_num(ssl->s3->new_session->x509_chain) > 0) { + X509_free(sk_X509_shift(ssl->s3->new_session->x509_chain)); } hs->state = state_process_client_certificate_verify; @@ -552,7 +552,7 @@ static enum ssl_hs_wait_t do_process_client_certificate_verify( SSL *ssl, SSL_HANDSHAKE *hs) { - if (ssl->s3->new_session->peer == NULL) { + if (ssl->s3->new_session->x509_peer == NULL) { /* Skip this state. */ hs->state = state_process_channel_id; return ssl_hs_ok;