Rename default credential to legacy credential Default reads as if it is somehow treated special, as a default when fancier heuristics do not match, such as trust anchors. Such a concept does not make sense because servers will have *multiple* fallbacks for trust anchor matching, e.g. an ECDSA one and an RSA one. Nonetheless, this was a bit confusing, so call it the "legacy credential" to make it clearer this is just about whether you use a different API. Change-Id: Ieb8cf454d1b2e0bf08a2c78cbea644d4f2f12202 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/71727 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index a5c5ab0..6503de5 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -864,8 +864,9 @@ // |SSL_CTX| and |SSL| objects maintain lists of credentials in preference // order. During the handshake, BoringSSL will select the first usable // credential from the list. Non-credential APIs, such as -// |SSL_CTX_use_certificate|, configure a "default credential", which is -// appended to this list if configured. +// |SSL_CTX_use_certificate|, configure a "legacy credential", which is +// appended to this list if configured. Using the legacy credential is the same +// as configuring an equivalent credential with the |SSL_CREDENTIAL| API. // // When selecting credentials, BoringSSL considers the credential's type, its // cryptographic capabilities, and capabilities advertised by the peer. This @@ -969,7 +970,7 @@ OPENSSL_EXPORT int SSL_add1_credential(SSL *ssl, SSL_CREDENTIAL *cred); // SSL_certs_clear removes all credentials configured on |ssl|. It also removes -// the certificate chain and private key on the default credential. +// the certificate chain and private key on the legacy credential. OPENSSL_EXPORT void SSL_certs_clear(SSL *ssl); // SSL_get0_selected_credential returns the credential in use in the current @@ -1000,8 +1001,9 @@ // than return an error. Additionally, overwriting a previously-configured // certificate and key pair only works if the certificate is configured first. // -// Each of these functions configures the default credential. To select between -// multiple certificates, see |SSL_CREDENTIAL_new_x509| and related APIs. +// Each of these functions configures the single "legacy credential" on the +// |SSL_CTX| or |SSL|. To select between multiple certificates, use +// |SSL_CREDENTIAL_new_x509| and other APIs to configure a list of credentials. // SSL_CTX_use_certificate sets |ctx|'s leaf certificate to |x509|. It returns // one on success and zero on failure. If |ctx| has a private key which is
diff --git a/ssl/internal.h b/ssl/internal.h index f956418..718908b 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -1659,7 +1659,7 @@ ssl_credential_st &operator=(const ssl_credential_st &) = delete; // Dup returns a copy of the credential, or nullptr on error. The |ex_data| - // values are not copied. This is only used on the default credential, whose + // values are not copied. This is only used on the legacy credential, whose // |ex_data| is inaccessible. bssl::UniquePtr<SSL_CREDENTIAL> Dup() const; @@ -2529,32 +2529,32 @@ explicit CERT(const SSL_X509_METHOD *x509_method); ~CERT(); - bool is_valid() const { return default_credential != nullptr; } + bool is_valid() const { return legacy_credential != nullptr; } // credentials is the list of credentials to select between. Elements of this // array immutable. GrowableArray<UniquePtr<SSL_CREDENTIAL>> credentials; - // default_credential is the credential configured by the legacy, + // legacy_credential is the credential configured by the legacy // non-credential-based APIs. If IsComplete() returns true, it is appended to // the list of credentials. - UniquePtr<SSL_CREDENTIAL> default_credential; + UniquePtr<SSL_CREDENTIAL> legacy_credential; // x509_method contains pointers to functions that might deal with |X509| // compatibility, or might be a no-op, depending on the application. const SSL_X509_METHOD *x509_method = nullptr; - // x509_chain may contain a parsed copy of |chain[1..]| from the default + // x509_chain may contain a parsed copy of |chain[1..]| from the legacy // credential. This is only used as a cache in order to implement “get0” // functions that return a non-owning pointer to the certificate chain. STACK_OF(X509) *x509_chain = nullptr; // x509_leaf may contain a parsed copy of the first element of |chain| from - // the default credential. This is only used as a cache in order to implement + // the legacy credential. This is only used as a cache in order to implement // “get0” functions that return a non-owning pointer to the certificate chain. X509 *x509_leaf = nullptr; - // x509_stash contains the last |X509| object append to the default + // x509_stash contains the last |X509| object append to the legacy // credential's chain. This is a workaround for some third-party code that // continue to use an |X509| object even after passing ownership with an // “add0” function.
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc index e30ec73..e30e27d 100644 --- a/ssl/ssl_cert.cc +++ b/ssl/ssl_cert.cc
@@ -135,7 +135,7 @@ BSSL_NAMESPACE_BEGIN CERT::CERT(const SSL_X509_METHOD *x509_method_arg) - : default_credential(MakeUnique<SSL_CREDENTIAL>(SSLCredentialType::kX509)), + : legacy_credential(MakeUnique<SSL_CREDENTIAL>(SSLCredentialType::kX509)), x509_method(x509_method_arg) {} CERT::~CERT() { x509_method->cert_free(this); } @@ -153,10 +153,10 @@ } } - // |default_credential| is mutable, so it must be copied. We cannot simply + // |legacy_credential| is mutable, so it must be copied. We cannot simply // bump the reference count. - ret->default_credential = cert->default_credential->Dup(); - if (ret->default_credential == nullptr) { + ret->legacy_credential = cert->legacy_credential->Dup(); + if (ret->legacy_credential == nullptr) { return nullptr; } @@ -191,8 +191,8 @@ return 0; } - cert->default_credential->ClearCertAndKey(); - if (!SSL_CREDENTIAL_set1_cert_chain(cert->default_credential.get(), certs, + cert->legacy_credential->ClearCertAndKey(); + if (!SSL_CREDENTIAL_set1_cert_chain(cert->legacy_credential.get(), certs, num_certs)) { return 0; } @@ -201,18 +201,18 @@ cert->x509_method->cert_flush_cached_chain(cert); return privkey != nullptr - ? SSL_CREDENTIAL_set1_private_key(cert->default_credential.get(), + ? SSL_CREDENTIAL_set1_private_key(cert->legacy_credential.get(), privkey) : SSL_CREDENTIAL_set_private_key_method( - cert->default_credential.get(), privkey_method); + cert->legacy_credential.get(), privkey_method); } bool ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) { // Don't fail for a cert/key mismatch, just free the current private key. // (When switching to a different keypair, the caller should switch the // certificate, then the key.) - if (!cert->default_credential->SetLeafCert( - std::move(buffer), /*discard_key_on_mismatch=*/true)) { + if (!cert->legacy_credential->SetLeafCert(std::move(buffer), + /*discard_key_on_mismatch=*/true)) { return false; } @@ -578,18 +578,18 @@ CERT *cert = ssl->config->cert.get(); cert->x509_method->cert_clear(cert); cert->credentials.clear(); - cert->default_credential->ClearCertAndKey(); + cert->legacy_credential->ClearCertAndKey(); } const STACK_OF(CRYPTO_BUFFER) *SSL_CTX_get0_chain(const SSL_CTX *ctx) { - return ctx->cert->default_credential->chain.get(); + return ctx->cert->legacy_credential->chain.get(); } const STACK_OF(CRYPTO_BUFFER) *SSL_get0_chain(const SSL *ssl) { if (!ssl->config) { return nullptr; } - return ssl->config->cert->default_credential->chain.get(); + return ssl->config->cert->legacy_credential->chain.get(); } int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len, @@ -643,7 +643,7 @@ size_t list_len) { UniquePtr<CRYPTO_BUFFER> buf(CRYPTO_BUFFER_new(list, list_len, nullptr)); return buf != nullptr && SSL_CREDENTIAL_set1_signed_cert_timestamp_list( - ctx->cert->default_credential.get(), buf.get()); + ctx->cert->legacy_credential.get(), buf.get()); } int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list, @@ -654,7 +654,7 @@ UniquePtr<CRYPTO_BUFFER> buf(CRYPTO_BUFFER_new(list, list_len, nullptr)); return buf != nullptr && SSL_CREDENTIAL_set1_signed_cert_timestamp_list( - ssl->config->cert->default_credential.get(), buf.get()); + ssl->config->cert->legacy_credential.get(), buf.get()); } int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response, @@ -662,7 +662,7 @@ UniquePtr<CRYPTO_BUFFER> buf( CRYPTO_BUFFER_new(response, response_len, nullptr)); return buf != nullptr && SSL_CREDENTIAL_set1_ocsp_response( - ctx->cert->default_credential.get(), buf.get()); + ctx->cert->legacy_credential.get(), buf.get()); } int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response, @@ -674,7 +674,7 @@ CRYPTO_BUFFER_new(response, response_len, nullptr)); return buf != nullptr && SSL_CREDENTIAL_set1_ocsp_response( - ssl->config->cert->default_credential.get(), buf.get()); + ssl->config->cert->legacy_credential.get(), buf.get()); } void SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) {
diff --git a/ssl/ssl_credential.cc b/ssl/ssl_credential.cc index f4bb55e..39c14de 100644 --- a/ssl/ssl_credential.cc +++ b/ssl/ssl_credential.cc
@@ -37,14 +37,14 @@ bool ssl_get_credential_list(SSL_HANDSHAKE *hs, Array<SSL_CREDENTIAL *> *out) { CERT *cert = hs->config->cert.get(); - // Finish filling in the default credential if needed. + // Finish filling in the legacy credential if needed. if (!cert->x509_method->ssl_auto_chain_if_needed(hs)) { return false; } size_t num_creds = cert->credentials.size(); - bool include_default = cert->default_credential->IsComplete(); - if (include_default) { + bool include_legacy = cert->legacy_credential->IsComplete(); + if (include_legacy) { num_creds++; } @@ -55,8 +55,8 @@ for (size_t i = 0; i < cert->credentials.size(); i++) { (*out)[i] = cert->credentials[i].get(); } - if (include_default) { - (*out)[num_creds - 1] = cert->default_credential.get(); + if (include_legacy) { + (*out)[num_creds - 1] = cert->legacy_credential.get(); } return true; }
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc index 071709f..1458b45 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc
@@ -1755,7 +1755,7 @@ int SSL_CTX_check_private_key(const SSL_CTX *ctx) { // There is no need to actually check consistency because inconsistent values // can never be configured. - return has_cert_and_key(ctx->cert->default_credential.get()); + return has_cert_and_key(ctx->cert->legacy_credential.get()); } int SSL_check_private_key(const SSL *ssl) { @@ -1765,7 +1765,7 @@ // There is no need to actually check consistency because inconsistent values // can never be configured. - return has_cert_and_key(ssl->config->cert->default_credential.get()); + return has_cert_and_key(ssl->config->cert->legacy_credential.get()); } long SSL_get_default_timeout(const SSL *ssl) { @@ -2557,11 +2557,11 @@ assert(ssl->config); return nullptr; } - return ssl->config->cert->default_credential->privkey.get(); + return ssl->config->cert->legacy_credential->privkey.get(); } EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) { - return ctx->cert->default_credential->privkey.get(); + return ctx->cert->legacy_credential->privkey.get(); } const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc index 471be76..76ba084 100644 --- a/ssl/ssl_privkey.cc +++ b/ssl/ssl_privkey.cc
@@ -397,7 +397,7 @@ } return SSL_CREDENTIAL_set1_private_key( - ssl->config->cert->default_credential.get(), pkey); + ssl->config->cert->legacy_credential.get(), pkey); } int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der, @@ -450,7 +450,7 @@ return 0; } - return SSL_CREDENTIAL_set1_private_key(ctx->cert->default_credential.get(), + return SSL_CREDENTIAL_set1_private_key(ctx->cert->legacy_credential.get(), pkey); } @@ -477,13 +477,13 @@ return; } BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method( - ssl->config->cert->default_credential.get(), key_method)); + ssl->config->cert->legacy_credential.get(), key_method)); } void SSL_CTX_set_private_key_method(SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method) { BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method( - ctx->cert->default_credential.get(), key_method)); + ctx->cert->legacy_credential.get(), key_method)); } static constexpr size_t kMaxSignatureAlgorithmNameLen = 24; @@ -657,7 +657,7 @@ int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs, size_t num_prefs) { return SSL_CREDENTIAL_set1_signing_algorithm_prefs( - ctx->cert->default_credential.get(), prefs, num_prefs); + ctx->cert->legacy_credential.get(), prefs, num_prefs); } int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs, @@ -666,7 +666,7 @@ return 0; } return SSL_CREDENTIAL_set1_signing_algorithm_prefs( - ssl->config->cert->default_credential.get(), prefs, num_prefs); + ssl->config->cert->legacy_credential.get(), prefs, num_prefs); } static constexpr struct {
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index 34dd5ed..17fe5c6 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc
@@ -6068,7 +6068,7 @@ continue; } - ExpectSigAlgsEqual(test.expected, ctx->cert->default_credential->sigalgs); + ExpectSigAlgsEqual(test.expected, ctx->cert->legacy_credential->sigalgs); } } @@ -6126,7 +6126,7 @@ continue; } - ExpectSigAlgsEqual(test.expected, ctx->cert->default_credential->sigalgs); + ExpectSigAlgsEqual(test.expected, ctx->cert->legacy_credential->sigalgs); } }
diff --git a/ssl/ssl_x509.cc b/ssl/ssl_x509.cc index 66c3210..e121ff8 100644 --- a/ssl/ssl_x509.cc +++ b/ssl/ssl_x509.cc
@@ -198,11 +198,11 @@ // which case no change to |cert->chain| is made. It preverses the existing // leaf from |cert->chain|, if any. static bool ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) { - cert->default_credential->ClearIntermediateCerts(); + cert->legacy_credential->ClearIntermediateCerts(); for (X509 *x509 : chain) { UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509); if (!buffer || - !cert->default_credential->AppendIntermediateCert(std::move(buffer))) { + !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) { return false; } } @@ -412,10 +412,10 @@ } static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) { - // Only build a chain if the feature isn't disabled, the default credential + // Only build a chain if the feature isn't disabled, the legacy credential // exists but has no intermediates configured. SSL *ssl = hs->ssl; - SSL_CREDENTIAL *cred = hs->config->cert->default_credential.get(); + SSL_CREDENTIAL *cred = hs->config->cert->legacy_credential.get(); if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || !cred->IsComplete() || sk_CRYPTO_BUFFER_num(cred->chain.get()) != 1) { return true; @@ -720,9 +720,8 @@ static int ssl_cert_cache_leaf_cert(CERT *cert) { assert(cert->x509_method); - const SSL_CREDENTIAL *cred = cert->default_credential.get(); - if (cert->x509_leaf != NULL || - cred->chain == NULL) { + const SSL_CREDENTIAL *cred = cert->legacy_credential.get(); + if (cert->x509_leaf != NULL || cred->chain == NULL) { return 1; } @@ -764,7 +763,7 @@ UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509); if (!buffer || - !cert->default_credential->AppendIntermediateCert(std::move(buffer))) { + !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) { return 0; } @@ -867,9 +866,8 @@ static int ssl_cert_cache_chain_certs(CERT *cert) { assert(cert->x509_method); - const SSL_CREDENTIAL *cred = cert->default_credential.get(); - if (cert->x509_chain != nullptr || - cred->chain == nullptr || + const SSL_CREDENTIAL *cred = cert->legacy_credential.get(); + if (cert->x509_chain != nullptr || cred->chain == nullptr || sk_CRYPTO_BUFFER_num(cred->chain.get()) < 2) { return 1; } @@ -1155,7 +1153,7 @@ // Should only be called during handshake, but check to be sure. BSSL_CHECK(ssl->config); - if (ssl->config->cert->default_credential->IsComplete() || + if (ssl->config->cert->legacy_credential->IsComplete() || ssl->ctx->client_cert_cb == nullptr) { return 1; }
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc index 2db2a89..abd66ed 100644 --- a/ssl/test/test_config.cc +++ b/ssl/test/test_config.cc
@@ -486,7 +486,7 @@ &TestConfig::expect_selected_credential), // Credential flags are stateful. First, use one of the // -new-*-credential flags to introduce a new credential. Then the flags - // below switch from acting on the default credential to the newly-added + // below switch from acting on the legacy credential to the newly-added // one. Repeat this process to continue adding them. NewCredentialFlag("-new-x509-credential", CredentialConfigType::kX509), NewCredentialFlag("-new-delegated-credential",