Rename default credential to legacy credential

Default reads as if it is somehow treated special, as a default when
fancier heuristics do not match, such as trust anchors. Such a concept
does not make sense because servers will have *multiple* fallbacks for
trust anchor matching, e.g. an ECDSA one and an RSA one. Nonetheless,
this was a bit confusing, so call it the "legacy credential" to make it
clearer this is just about whether you use a different API.

Change-Id: Ieb8cf454d1b2e0bf08a2c78cbea644d4f2f12202
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/71727
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index a5c5ab0..6503de5 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -864,8 +864,9 @@
 // |SSL_CTX| and |SSL| objects maintain lists of credentials in preference
 // order. During the handshake, BoringSSL will select the first usable
 // credential from the list. Non-credential APIs, such as
-// |SSL_CTX_use_certificate|, configure a "default credential", which is
-// appended to this list if configured.
+// |SSL_CTX_use_certificate|, configure a "legacy credential", which is
+// appended to this list if configured. Using the legacy credential is the same
+// as configuring an equivalent credential with the |SSL_CREDENTIAL| API.
 //
 // When selecting credentials, BoringSSL considers the credential's type, its
 // cryptographic capabilities, and capabilities advertised by the peer. This
@@ -969,7 +970,7 @@
 OPENSSL_EXPORT int SSL_add1_credential(SSL *ssl, SSL_CREDENTIAL *cred);
 
 // SSL_certs_clear removes all credentials configured on |ssl|. It also removes
-// the certificate chain and private key on the default credential.
+// the certificate chain and private key on the legacy credential.
 OPENSSL_EXPORT void SSL_certs_clear(SSL *ssl);
 
 // SSL_get0_selected_credential returns the credential in use in the current
@@ -1000,8 +1001,9 @@
 // than return an error. Additionally, overwriting a previously-configured
 // certificate and key pair only works if the certificate is configured first.
 //
-// Each of these functions configures the default credential. To select between
-// multiple certificates, see |SSL_CREDENTIAL_new_x509| and related APIs.
+// Each of these functions configures the single "legacy credential" on the
+// |SSL_CTX| or |SSL|. To select between multiple certificates, use
+// |SSL_CREDENTIAL_new_x509| and other APIs to configure a list of credentials.
 
 // SSL_CTX_use_certificate sets |ctx|'s leaf certificate to |x509|. It returns
 // one on success and zero on failure. If |ctx| has a private key which is
diff --git a/ssl/internal.h b/ssl/internal.h
index f956418..718908b 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1659,7 +1659,7 @@
   ssl_credential_st &operator=(const ssl_credential_st &) = delete;
 
   // Dup returns a copy of the credential, or nullptr on error. The |ex_data|
-  // values are not copied. This is only used on the default credential, whose
+  // values are not copied. This is only used on the legacy credential, whose
   // |ex_data| is inaccessible.
   bssl::UniquePtr<SSL_CREDENTIAL> Dup() const;
 
@@ -2529,32 +2529,32 @@
   explicit CERT(const SSL_X509_METHOD *x509_method);
   ~CERT();
 
-  bool is_valid() const { return default_credential != nullptr; }
+  bool is_valid() const { return legacy_credential != nullptr; }
 
   // credentials is the list of credentials to select between. Elements of this
   // array immutable.
   GrowableArray<UniquePtr<SSL_CREDENTIAL>> credentials;
 
-  // default_credential is the credential configured by the legacy,
+  // legacy_credential is the credential configured by the legacy
   // non-credential-based APIs. If IsComplete() returns true, it is appended to
   // the list of credentials.
-  UniquePtr<SSL_CREDENTIAL> default_credential;
+  UniquePtr<SSL_CREDENTIAL> legacy_credential;
 
   // x509_method contains pointers to functions that might deal with |X509|
   // compatibility, or might be a no-op, depending on the application.
   const SSL_X509_METHOD *x509_method = nullptr;
 
-  // x509_chain may contain a parsed copy of |chain[1..]| from the default
+  // x509_chain may contain a parsed copy of |chain[1..]| from the legacy
   // credential. This is only used as a cache in order to implement “get0”
   // functions that return a non-owning pointer to the certificate chain.
   STACK_OF(X509) *x509_chain = nullptr;
 
   // x509_leaf may contain a parsed copy of the first element of |chain| from
-  // the default credential. This is only used as a cache in order to implement
+  // the legacy credential. This is only used as a cache in order to implement
   // “get0” functions that return a non-owning pointer to the certificate chain.
   X509 *x509_leaf = nullptr;
 
-  // x509_stash contains the last |X509| object append to the default
+  // x509_stash contains the last |X509| object append to the legacy
   // credential's chain. This is a workaround for some third-party code that
   // continue to use an |X509| object even after passing ownership with an
   // “add0” function.
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index e30ec73..e30e27d 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc
@@ -135,7 +135,7 @@
 BSSL_NAMESPACE_BEGIN
 
 CERT::CERT(const SSL_X509_METHOD *x509_method_arg)
-    : default_credential(MakeUnique<SSL_CREDENTIAL>(SSLCredentialType::kX509)),
+    : legacy_credential(MakeUnique<SSL_CREDENTIAL>(SSLCredentialType::kX509)),
       x509_method(x509_method_arg) {}
 
 CERT::~CERT() { x509_method->cert_free(this); }
@@ -153,10 +153,10 @@
     }
   }
 
-  // |default_credential| is mutable, so it must be copied. We cannot simply
+  // |legacy_credential| is mutable, so it must be copied. We cannot simply
   // bump the reference count.
-  ret->default_credential = cert->default_credential->Dup();
-  if (ret->default_credential == nullptr) {
+  ret->legacy_credential = cert->legacy_credential->Dup();
+  if (ret->legacy_credential == nullptr) {
     return nullptr;
   }
 
@@ -191,8 +191,8 @@
     return 0;
   }
 
-  cert->default_credential->ClearCertAndKey();
-  if (!SSL_CREDENTIAL_set1_cert_chain(cert->default_credential.get(), certs,
+  cert->legacy_credential->ClearCertAndKey();
+  if (!SSL_CREDENTIAL_set1_cert_chain(cert->legacy_credential.get(), certs,
                                       num_certs)) {
     return 0;
   }
@@ -201,18 +201,18 @@
   cert->x509_method->cert_flush_cached_chain(cert);
 
   return privkey != nullptr
-             ? SSL_CREDENTIAL_set1_private_key(cert->default_credential.get(),
+             ? SSL_CREDENTIAL_set1_private_key(cert->legacy_credential.get(),
                                                privkey)
              : SSL_CREDENTIAL_set_private_key_method(
-                   cert->default_credential.get(), privkey_method);
+                   cert->legacy_credential.get(), privkey_method);
 }
 
 bool ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {
   // Don't fail for a cert/key mismatch, just free the current private key.
   // (When switching to a different keypair, the caller should switch the
   // certificate, then the key.)
-  if (!cert->default_credential->SetLeafCert(
-          std::move(buffer), /*discard_key_on_mismatch=*/true)) {
+  if (!cert->legacy_credential->SetLeafCert(std::move(buffer),
+                                            /*discard_key_on_mismatch=*/true)) {
     return false;
   }
 
@@ -578,18 +578,18 @@
   CERT *cert = ssl->config->cert.get();
   cert->x509_method->cert_clear(cert);
   cert->credentials.clear();
-  cert->default_credential->ClearCertAndKey();
+  cert->legacy_credential->ClearCertAndKey();
 }
 
 const STACK_OF(CRYPTO_BUFFER) *SSL_CTX_get0_chain(const SSL_CTX *ctx) {
-  return ctx->cert->default_credential->chain.get();
+  return ctx->cert->legacy_credential->chain.get();
 }
 
 const STACK_OF(CRYPTO_BUFFER) *SSL_get0_chain(const SSL *ssl) {
   if (!ssl->config) {
     return nullptr;
   }
-  return ssl->config->cert->default_credential->chain.get();
+  return ssl->config->cert->legacy_credential->chain.get();
 }
 
 int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,
@@ -643,7 +643,7 @@
                                            size_t list_len) {
   UniquePtr<CRYPTO_BUFFER> buf(CRYPTO_BUFFER_new(list, list_len, nullptr));
   return buf != nullptr && SSL_CREDENTIAL_set1_signed_cert_timestamp_list(
-                               ctx->cert->default_credential.get(), buf.get());
+                               ctx->cert->legacy_credential.get(), buf.get());
 }
 
 int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list,
@@ -654,7 +654,7 @@
   UniquePtr<CRYPTO_BUFFER> buf(CRYPTO_BUFFER_new(list, list_len, nullptr));
   return buf != nullptr &&
          SSL_CREDENTIAL_set1_signed_cert_timestamp_list(
-             ssl->config->cert->default_credential.get(), buf.get());
+             ssl->config->cert->legacy_credential.get(), buf.get());
 }
 
 int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response,
@@ -662,7 +662,7 @@
   UniquePtr<CRYPTO_BUFFER> buf(
       CRYPTO_BUFFER_new(response, response_len, nullptr));
   return buf != nullptr && SSL_CREDENTIAL_set1_ocsp_response(
-                               ctx->cert->default_credential.get(), buf.get());
+                               ctx->cert->legacy_credential.get(), buf.get());
 }
 
 int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response,
@@ -674,7 +674,7 @@
       CRYPTO_BUFFER_new(response, response_len, nullptr));
   return buf != nullptr &&
          SSL_CREDENTIAL_set1_ocsp_response(
-             ssl->config->cert->default_credential.get(), buf.get());
+             ssl->config->cert->legacy_credential.get(), buf.get());
 }
 
 void SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) {
diff --git a/ssl/ssl_credential.cc b/ssl/ssl_credential.cc
index f4bb55e..39c14de 100644
--- a/ssl/ssl_credential.cc
+++ b/ssl/ssl_credential.cc
@@ -37,14 +37,14 @@
 
 bool ssl_get_credential_list(SSL_HANDSHAKE *hs, Array<SSL_CREDENTIAL *> *out) {
   CERT *cert = hs->config->cert.get();
-  // Finish filling in the default credential if needed.
+  // Finish filling in the legacy credential if needed.
   if (!cert->x509_method->ssl_auto_chain_if_needed(hs)) {
     return false;
   }
 
   size_t num_creds = cert->credentials.size();
-  bool include_default = cert->default_credential->IsComplete();
-  if (include_default) {
+  bool include_legacy = cert->legacy_credential->IsComplete();
+  if (include_legacy) {
     num_creds++;
   }
 
@@ -55,8 +55,8 @@
   for (size_t i = 0; i < cert->credentials.size(); i++) {
     (*out)[i] = cert->credentials[i].get();
   }
-  if (include_default) {
-    (*out)[num_creds - 1] = cert->default_credential.get();
+  if (include_legacy) {
+    (*out)[num_creds - 1] = cert->legacy_credential.get();
   }
   return true;
 }
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 071709f..1458b45 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -1755,7 +1755,7 @@
 int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
   // There is no need to actually check consistency because inconsistent values
   // can never be configured.
-  return has_cert_and_key(ctx->cert->default_credential.get());
+  return has_cert_and_key(ctx->cert->legacy_credential.get());
 }
 
 int SSL_check_private_key(const SSL *ssl) {
@@ -1765,7 +1765,7 @@
 
   // There is no need to actually check consistency because inconsistent values
   // can never be configured.
-  return has_cert_and_key(ssl->config->cert->default_credential.get());
+  return has_cert_and_key(ssl->config->cert->legacy_credential.get());
 }
 
 long SSL_get_default_timeout(const SSL *ssl) {
@@ -2557,11 +2557,11 @@
     assert(ssl->config);
     return nullptr;
   }
-  return ssl->config->cert->default_credential->privkey.get();
+  return ssl->config->cert->legacy_credential->privkey.get();
 }
 
 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) {
-  return ctx->cert->default_credential->privkey.get();
+  return ctx->cert->legacy_credential->privkey.get();
 }
 
 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index 471be76..76ba084 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -397,7 +397,7 @@
   }
 
   return SSL_CREDENTIAL_set1_private_key(
-      ssl->config->cert->default_credential.get(), pkey);
+      ssl->config->cert->legacy_credential.get(), pkey);
 }
 
 int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der,
@@ -450,7 +450,7 @@
     return 0;
   }
 
-  return SSL_CREDENTIAL_set1_private_key(ctx->cert->default_credential.get(),
+  return SSL_CREDENTIAL_set1_private_key(ctx->cert->legacy_credential.get(),
                                          pkey);
 }
 
@@ -477,13 +477,13 @@
     return;
   }
   BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method(
-      ssl->config->cert->default_credential.get(), key_method));
+      ssl->config->cert->legacy_credential.get(), key_method));
 }
 
 void SSL_CTX_set_private_key_method(SSL_CTX *ctx,
                                     const SSL_PRIVATE_KEY_METHOD *key_method) {
   BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method(
-      ctx->cert->default_credential.get(), key_method));
+      ctx->cert->legacy_credential.get(), key_method));
 }
 
 static constexpr size_t kMaxSignatureAlgorithmNameLen = 24;
@@ -657,7 +657,7 @@
 int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,
                                         size_t num_prefs) {
   return SSL_CREDENTIAL_set1_signing_algorithm_prefs(
-      ctx->cert->default_credential.get(), prefs, num_prefs);
+      ctx->cert->legacy_credential.get(), prefs, num_prefs);
 }
 
 int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,
@@ -666,7 +666,7 @@
     return 0;
   }
   return SSL_CREDENTIAL_set1_signing_algorithm_prefs(
-      ssl->config->cert->default_credential.get(), prefs, num_prefs);
+      ssl->config->cert->legacy_credential.get(), prefs, num_prefs);
 }
 
 static constexpr struct {
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 34dd5ed..17fe5c6 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -6068,7 +6068,7 @@
       continue;
     }
 
-    ExpectSigAlgsEqual(test.expected, ctx->cert->default_credential->sigalgs);
+    ExpectSigAlgsEqual(test.expected, ctx->cert->legacy_credential->sigalgs);
   }
 }
 
@@ -6126,7 +6126,7 @@
       continue;
     }
 
-    ExpectSigAlgsEqual(test.expected, ctx->cert->default_credential->sigalgs);
+    ExpectSigAlgsEqual(test.expected, ctx->cert->legacy_credential->sigalgs);
   }
 }
 
diff --git a/ssl/ssl_x509.cc b/ssl/ssl_x509.cc
index 66c3210..e121ff8 100644
--- a/ssl/ssl_x509.cc
+++ b/ssl/ssl_x509.cc
@@ -198,11 +198,11 @@
 // which case no change to |cert->chain| is made. It preverses the existing
 // leaf from |cert->chain|, if any.
 static bool ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) {
-  cert->default_credential->ClearIntermediateCerts();
+  cert->legacy_credential->ClearIntermediateCerts();
   for (X509 *x509 : chain) {
     UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
     if (!buffer ||
-        !cert->default_credential->AppendIntermediateCert(std::move(buffer))) {
+        !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) {
       return false;
     }
   }
@@ -412,10 +412,10 @@
 }
 
 static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
-  // Only build a chain if the feature isn't disabled, the default credential
+  // Only build a chain if the feature isn't disabled, the legacy credential
   // exists but has no intermediates configured.
   SSL *ssl = hs->ssl;
-  SSL_CREDENTIAL *cred = hs->config->cert->default_credential.get();
+  SSL_CREDENTIAL *cred = hs->config->cert->legacy_credential.get();
   if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || !cred->IsComplete() ||
       sk_CRYPTO_BUFFER_num(cred->chain.get()) != 1) {
     return true;
@@ -720,9 +720,8 @@
 static int ssl_cert_cache_leaf_cert(CERT *cert) {
   assert(cert->x509_method);
 
-  const SSL_CREDENTIAL *cred = cert->default_credential.get();
-  if (cert->x509_leaf != NULL ||
-      cred->chain == NULL) {
+  const SSL_CREDENTIAL *cred = cert->legacy_credential.get();
+  if (cert->x509_leaf != NULL || cred->chain == NULL) {
     return 1;
   }
 
@@ -764,7 +763,7 @@
 
   UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
   if (!buffer ||
-      !cert->default_credential->AppendIntermediateCert(std::move(buffer))) {
+      !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) {
     return 0;
   }
 
@@ -867,9 +866,8 @@
 static int ssl_cert_cache_chain_certs(CERT *cert) {
   assert(cert->x509_method);
 
-  const SSL_CREDENTIAL *cred = cert->default_credential.get();
-  if (cert->x509_chain != nullptr ||
-      cred->chain == nullptr ||
+  const SSL_CREDENTIAL *cred = cert->legacy_credential.get();
+  if (cert->x509_chain != nullptr || cred->chain == nullptr ||
       sk_CRYPTO_BUFFER_num(cred->chain.get()) < 2) {
     return 1;
   }
@@ -1155,7 +1153,7 @@
   // Should only be called during handshake, but check to be sure.
   BSSL_CHECK(ssl->config);
 
-  if (ssl->config->cert->default_credential->IsComplete() ||
+  if (ssl->config->cert->legacy_credential->IsComplete() ||
       ssl->ctx->client_cert_cb == nullptr) {
     return 1;
   }
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 2db2a89..abd66ed 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -486,7 +486,7 @@
                 &TestConfig::expect_selected_credential),
         // Credential flags are stateful. First, use one of the
         // -new-*-credential flags to introduce a new credential. Then the flags
-        // below switch from acting on the default credential to the newly-added
+        // below switch from acting on the legacy credential to the newly-added
         // one. Repeat this process to continue adding them.
         NewCredentialFlag("-new-x509-credential", CredentialConfigType::kX509),
         NewCredentialFlag("-new-delegated-credential",