Rename X.509 members in |SSL_SESSION| and |CERT|.
This change renames |peer| to |x509_peer| and |cert_chain| to
|x509_chain| in |SSL_SESSION|. It also renames |x509| to |x509_leaf| and
|chain| to |x509_chain| in |CERT|. (All with an eye to maybe making
them lazily initialised in the future).
This a) catches anyone who might be accessing these members directly and
b) makes space for |CRYPTO_BUFFER|-based values to take the unprefixed
names.
Change-Id: I10573304fb7d6f1ea03f9e645f7fc0acdaf71ac2
Reviewed-on: https://boringssl-review.googlesource.com/12162
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 311e9fd..64d3941 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -1049,14 +1049,14 @@
goto err;
}
- /* NOTE: Unlike the server half, the client's copy of |cert_chain| includes
+ /* NOTE: Unlike the server half, the client's copy of |x509_chain| includes
* the leaf. */
- sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
- ssl->s3->new_session->cert_chain = chain;
+ sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free);
+ ssl->s3->new_session->x509_chain = chain;
- X509_free(ssl->s3->new_session->peer);
+ X509_free(ssl->s3->new_session->x509_peer);
X509_up_ref(leaf);
- ssl->s3->new_session->peer = leaf;
+ ssl->s3->new_session->x509_peer = leaf;
return 1;
@@ -1108,7 +1108,7 @@
static int ssl3_verify_server_cert(SSL *ssl) {
if (!ssl_verify_cert_chain(ssl, &ssl->s3->new_session->verify_result,
- ssl->s3->new_session->cert_chain)) {
+ ssl->s3->new_session->x509_chain)) {
return -1;
}
@@ -1282,7 +1282,7 @@
/* ServerKeyExchange should be signed by the server's public key. */
if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
- pkey = X509_get_pubkey(ssl->s3->new_session->peer);
+ pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer);
if (pkey == NULL) {
goto err;
}
@@ -1570,7 +1570,7 @@
goto err;
}
- EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->peer);
+ EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer);
if (pkey == NULL) {
goto err;
}
diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index 117be78..f0469d4 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c
@@ -482,10 +482,10 @@
* now. */
if (ssl->s3->new_session != NULL &&
ssl->ctx->retain_only_sha256_of_client_certs) {
- X509_free(ssl->s3->new_session->peer);
- ssl->s3->new_session->peer = NULL;
- sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
- ssl->s3->new_session->cert_chain = NULL;
+ X509_free(ssl->s3->new_session->x509_peer);
+ ssl->s3->new_session->x509_peer = NULL;
+ sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free);
+ ssl->s3->new_session->x509_chain = NULL;
}
SSL_SESSION_free(ssl->s3->established_session);
@@ -1380,12 +1380,12 @@
}
}
- X509_free(ssl->s3->new_session->peer);
- ssl->s3->new_session->peer = sk_X509_shift(chain);
+ X509_free(ssl->s3->new_session->x509_peer);
+ ssl->s3->new_session->x509_peer = sk_X509_shift(chain);
- sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
- ssl->s3->new_session->cert_chain = chain;
- /* Inconsistency alert: cert_chain does *not* include the peer's own
+ sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free);
+ ssl->s3->new_session->x509_chain = chain;
+ /* Inconsistency alert: x509_chain does *not* include the peer's own
* certificate, while we do include it in s3_clnt.c */
return 1;
@@ -1667,7 +1667,7 @@
static int ssl3_get_cert_verify(SSL *ssl) {
int al, ret = 0;
CBS certificate_verify, signature;
- X509 *peer = ssl->s3->new_session->peer;
+ X509 *peer = ssl->s3->new_session->x509_peer;
EVP_PKEY *pkey = NULL;
/* Only RSA and ECDSA client certificates are supported, so a
diff --git a/ssl/internal.h b/ssl/internal.h
index 7badc5b..6b57971 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1171,10 +1171,9 @@
};
typedef struct cert_st {
- X509 *x509;
EVP_PKEY *privatekey;
- /* Chain for this certificate */
- STACK_OF(X509) *chain;
+ X509 *x509_leaf;
+ STACK_OF(X509) *x509_chain;
/* key_method, if non-NULL, is a set of callbacks to call for private key
* operations. */
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 7fa63d9..c1d931f 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -220,12 +220,12 @@
/* The peer certificate is only serialized if the SHA-256 isn't
* serialized instead. */
- if (in->peer && !in->peer_sha256_valid) {
+ if (in->x509_peer && !in->peer_sha256_valid) {
if (!CBB_add_asn1(&session, &child, kPeerTag)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (!ssl_add_cert_to_cbb(&child, in->peer)) {
+ if (!ssl_add_cert_to_cbb(&child, in->x509_peer)) {
goto err;
}
}
@@ -340,13 +340,13 @@
/* The certificate chain is only serialized if the leaf's SHA-256 isn't
* serialized instead. */
- if (in->cert_chain != NULL && !in->peer_sha256_valid) {
+ if (in->x509_chain != NULL && !in->peer_sha256_valid) {
if (!CBB_add_asn1(&session, &child, kCertChainTag)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
- for (size_t i = 0; i < sk_X509_num(in->cert_chain); i++) {
- if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->cert_chain, i))) {
+ for (size_t i = 0; i < sk_X509_num(in->x509_chain); i++) {
+ if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->x509_chain, i))) {
goto err;
}
}
@@ -590,11 +590,11 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
- X509_free(ret->peer);
- ret->peer = NULL;
+ X509_free(ret->x509_peer);
+ ret->x509_peer = NULL;
if (has_peer) {
- ret->peer = parse_x509(&peer);
- if (ret->peer == NULL) {
+ ret->x509_peer = parse_x509(&peer);
+ if (ret->x509_peer == NULL) {
goto err;
}
if (CBS_len(&peer) != 0) {
@@ -670,11 +670,11 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
- sk_X509_pop_free(ret->cert_chain, X509_free);
- ret->cert_chain = NULL;
+ sk_X509_pop_free(ret->x509_chain, X509_free);
+ ret->x509_chain = NULL;
if (has_cert_chain) {
- ret->cert_chain = sk_X509_new_null();
- if (ret->cert_chain == NULL) {
+ ret->x509_chain = sk_X509_new_null();
+ if (ret->x509_chain == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -683,7 +683,7 @@
if (x509 == NULL) {
goto err;
}
- if (!sk_X509_push(ret->cert_chain, x509)) {
+ if (!sk_X509_push(ret->x509_chain, x509)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
X509_free(x509);
goto err;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 55b464f..c3809ef 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -158,9 +158,9 @@
}
memset(ret, 0, sizeof(CERT));
- if (cert->x509 != NULL) {
- X509_up_ref(cert->x509);
- ret->x509 = cert->x509;
+ if (cert->x509_leaf != NULL) {
+ X509_up_ref(cert->x509_leaf);
+ ret->x509_leaf = cert->x509_leaf;
}
if (cert->privatekey != NULL) {
@@ -168,9 +168,9 @@
ret->privatekey = cert->privatekey;
}
- if (cert->chain) {
- ret->chain = X509_chain_up_ref(cert->chain);
- if (!ret->chain) {
+ if (cert->x509_chain) {
+ ret->x509_chain = X509_chain_up_ref(cert->x509_chain);
+ if (!ret->x509_chain) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -220,12 +220,12 @@
return;
}
- X509_free(cert->x509);
- cert->x509 = NULL;
+ X509_free(cert->x509_leaf);
+ cert->x509_leaf = NULL;
EVP_PKEY_free(cert->privatekey);
cert->privatekey = NULL;
- sk_X509_pop_free(cert->chain, X509_free);
- cert->chain = NULL;
+ sk_X509_pop_free(cert->x509_chain, X509_free);
+ cert->x509_chain = NULL;
cert->key_method = NULL;
}
@@ -244,8 +244,8 @@
}
int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) {
- sk_X509_pop_free(cert->chain, X509_free);
- cert->chain = chain;
+ sk_X509_pop_free(cert->x509_chain, X509_free);
+ cert->x509_chain = chain;
return 1;
}
@@ -269,10 +269,10 @@
}
int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) {
- if (cert->chain == NULL) {
- cert->chain = sk_X509_new_null();
+ if (cert->x509_chain == NULL) {
+ cert->x509_chain = sk_X509_new_null();
}
- if (cert->chain == NULL || !sk_X509_push(cert->chain, x509)) {
+ if (cert->x509_chain == NULL || !sk_X509_push(cert->x509_chain, x509)) {
return 0;
}
@@ -443,7 +443,7 @@
}
int ssl_has_certificate(const SSL *ssl) {
- return ssl->cert->x509 != NULL && ssl_has_private_key(ssl);
+ return ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl);
}
STACK_OF(X509) *ssl_parse_cert_chain(SSL *ssl, uint8_t *out_alert,
@@ -528,7 +528,7 @@
}
CERT *cert = ssl->cert;
- X509 *x = cert->x509;
+ X509 *x = cert->x509_leaf;
CBB child;
if (!CBB_add_u24_length_prefixed(cbb, &child)) {
@@ -537,7 +537,7 @@
}
int no_chain = 0;
- STACK_OF(X509) *chain = cert->chain;
+ STACK_OF(X509) *chain = cert->x509_chain;
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) {
no_chain = 1;
}
@@ -763,7 +763,7 @@
}
int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {
- *out_chain = ctx->cert->chain;
+ *out_chain = ctx->cert->x509_chain;
return 1;
}
@@ -773,7 +773,7 @@
}
int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {
- *out_chain = ssl->cert->chain;
+ *out_chain = ssl->cert->x509_chain;
return 1;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 22baed0..d8270f3 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1048,11 +1048,11 @@
return NULL;
}
SSL_SESSION *session = SSL_get_session(ssl);
- if (session == NULL || session->peer == NULL) {
+ if (session == NULL || session->x509_peer == NULL) {
return NULL;
}
- X509_up_ref(session->peer);
- return session->peer;
+ X509_up_ref(session->x509_peer);
+ return session->x509_peer;
}
STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
@@ -1063,7 +1063,7 @@
if (session == NULL) {
return NULL;
}
- return session->cert_chain;
+ return session->x509_chain;
}
int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
@@ -1336,32 +1336,34 @@
/* Fix this so it checks all the valid key/cert options */
int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
- if (ctx->cert->x509 == NULL) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
- return 0;
- }
-
if (ctx->cert->privatekey == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
return 0;
}
- return X509_check_private_key(ctx->cert->x509, ctx->cert->privatekey);
-}
-
-/* Fix this function so that it takes an optional type parameter */
-int SSL_check_private_key(const SSL *ssl) {
- if (ssl->cert->x509 == NULL) {
+ X509 *x509 = ctx->cert->x509_leaf;
+ if (x509 == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
return 0;
}
+ return X509_check_private_key(x509, ctx->cert->privatekey);
+}
+
+/* Fix this function so that it takes an optional type parameter */
+int SSL_check_private_key(const SSL *ssl) {
if (ssl->cert->privatekey == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
return 0;
}
- return X509_check_private_key(ssl->cert->x509, ssl->cert->privatekey);
+ X509 *x509 = ssl->cert->x509_leaf;
+ if (x509 == NULL) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
+ return 0;
+ }
+
+ return X509_check_private_key(x509, ssl->cert->privatekey);
}
long SSL_get_default_timeout(const SSL *ssl) {
@@ -2030,7 +2032,7 @@
uint32_t mask_k = 0;
uint32_t mask_a = 0;
- if (ssl->cert->x509 != NULL && ssl_has_private_key(ssl)) {
+ if (ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl)) {
int type = ssl_private_key_type(ssl);
if (type == NID_rsaEncryption) {
mask_k |= SSL_kRSA;
@@ -2151,7 +2153,7 @@
X509 *SSL_get_certificate(const SSL *ssl) {
if (ssl->cert != NULL) {
- return ssl->cert->x509;
+ return ssl->cert->x509_leaf;
}
return NULL;
@@ -2167,7 +2169,7 @@
X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) {
if (ctx->cert != NULL) {
- return ctx->cert->x509;
+ return ctx->cert->x509_leaf;
}
return NULL;
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 29e5f19..e984012 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -134,13 +134,14 @@
return 0;
}
- if (c->x509 != NULL) {
+ X509 *x509_leaf = c->x509_leaf;
+ if (x509_leaf != NULL) {
/* Sanity-check that the private key and the certificate match, unless the
* key is opaque (in case of, say, a smartcard). */
if (!EVP_PKEY_is_opaque(pkey) &&
- !X509_check_private_key(c->x509, pkey)) {
- X509_free(c->x509);
- c->x509 = NULL;
+ !X509_check_private_key(x509_leaf, pkey)) {
+ X509_free(c->x509_leaf);
+ c->x509_leaf = NULL;
return 0;
}
}
@@ -248,9 +249,9 @@
EVP_PKEY_free(pkey);
- X509_free(c->x509);
+ X509_free(c->x509_leaf);
X509_up_ref(x);
- c->x509 = x;
+ c->x509_leaf = x;
return 1;
}
diff --git a/ssl/ssl_session.c b/ssl/ssl_session.c
index 2c074b7..585d051 100644
--- a/ssl/ssl_session.c
+++ b/ssl/ssl_session.c
@@ -199,13 +199,13 @@
goto err;
}
}
- if (session->peer != NULL) {
- X509_up_ref(session->peer);
- new_session->peer = session->peer;
+ if (session->x509_peer != NULL) {
+ X509_up_ref(session->x509_peer);
+ new_session->x509_peer = session->x509_peer;
}
- if (session->cert_chain != NULL) {
- new_session->cert_chain = X509_chain_up_ref(session->cert_chain);
- if (new_session->cert_chain == NULL) {
+ if (session->x509_chain != NULL) {
+ new_session->x509_chain = X509_chain_up_ref(session->x509_chain);
+ if (new_session->x509_chain == NULL) {
goto err;
}
}
@@ -325,8 +325,8 @@
OPENSSL_cleanse(session->master_key, sizeof(session->master_key));
OPENSSL_cleanse(session->session_id, sizeof(session->session_id));
- X509_free(session->peer);
- sk_X509_pop_free(session->cert_chain, X509_free);
+ X509_free(session->x509_peer);
+ sk_X509_pop_free(session->x509_chain, X509_free);
OPENSSL_free(session->tlsext_hostname);
OPENSSL_free(session->tlsext_tick);
OPENSSL_free(session->tlsext_signed_cert_timestamp_list);
@@ -357,7 +357,7 @@
}
X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) {
- return session->peer;
+ return session->x509_peer;
}
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,
diff --git a/ssl/tls13_both.c b/ssl/tls13_both.c
index c8681a7..75be849 100644
--- a/ssl/tls13_both.c
+++ b/ssl/tls13_both.c
@@ -214,13 +214,13 @@
goto err;
}
- X509_free(ssl->s3->new_session->peer);
+ X509_free(ssl->s3->new_session->x509_peer);
X509 *leaf = sk_X509_value(chain, 0);
X509_up_ref(leaf);
- ssl->s3->new_session->peer = leaf;
+ ssl->s3->new_session->x509_peer = leaf;
- sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
- ssl->s3->new_session->cert_chain = chain;
+ sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free);
+ ssl->s3->new_session->x509_chain = chain;
chain = NULL;
ret = 1;
@@ -232,7 +232,7 @@
int tls13_process_certificate_verify(SSL *ssl) {
int ret = 0;
- X509 *peer = ssl->s3->new_session->peer;
+ X509 *peer = ssl->s3->new_session->x509_peer;
EVP_PKEY *pkey = NULL;
uint8_t *msg = NULL;
size_t msg_len;
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c
index 2b82401..49f8c00 100644
--- a/ssl/tls13_server.c
+++ b/ssl/tls13_server.c
@@ -542,8 +542,8 @@
/* For historical reasons, the server's copy of the chain does not include the
* leaf while the client's does. */
- if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) {
- X509_free(sk_X509_shift(ssl->s3->new_session->cert_chain));
+ if (sk_X509_num(ssl->s3->new_session->x509_chain) > 0) {
+ X509_free(sk_X509_shift(ssl->s3->new_session->x509_chain));
}
hs->state = state_process_client_certificate_verify;
@@ -552,7 +552,7 @@
static enum ssl_hs_wait_t do_process_client_certificate_verify(
SSL *ssl, SSL_HANDSHAKE *hs) {
- if (ssl->s3->new_session->peer == NULL) {
+ if (ssl->s3->new_session->x509_peer == NULL) {
/* Skip this state. */
hs->state = state_process_channel_id;
return ssl_hs_ok;
