From c5ac2b6c78ecde42bcbb9cbe0fd9c2b5b66677bf Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Mon, 7 Nov 2016 12:02:35 -0800 Subject: [PATCH] Rename X.509 members in |SSL_SESSION| and |CERT|. This change renames |peer| to |x509_peer| and |cert_chain| to |x509_chain| in |SSL_SESSION|. It also renames |x509| to |x509_leaf| and |chain| to |x509_chain| in |CERT|. (All with an eye to maybe making them lazily initialised in the future). This a) catches anyone who might be accessing these members directly and b) makes space for |CRYPTO_BUFFER|-based values to take the unprefixed names. Change-Id: I10573304fb7d6f1ea03f9e645f7fc0acdaf71ac2 Reviewed-on: https://boringssl-review.googlesource.com/12162 Reviewed-by: David Benjamin --- include/openssl/ssl.h | 8 ++++---- ssl/handshake_client.c | 16 ++++++++-------- ssl/handshake_server.c | 20 ++++++++++---------- ssl/internal.h | 5 ++--- ssl/ssl_asn1.c | 28 ++++++++++++++-------------- ssl/ssl_cert.c | 40 ++++++++++++++++++++-------------------- ssl/ssl_lib.c | 36 +++++++++++++++++++----------------- ssl/ssl_rsa.c | 13 +++++++------ ssl/ssl_session.c | 18 +++++++++--------- ssl/tls13_both.c | 10 +++++----- ssl/tls13_server.c | 6 +++--- 11 files changed, 101 insertions(+), 99 deletions(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 1b0633e3..cc63d6f4 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -3675,13 +3675,13 @@ struct ssl_session_st { uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; char *psk_identity; - /* peer is the peer's certificate. */ - X509 *peer; + /* x509_peer is the peer's certificate. */ + X509 *x509_peer; - /* cert_chain is the certificate chain sent by the peer. NOTE: for historical + /* x509_chain is the certificate chain sent by the peer. NOTE: for historical * reasons, when a client (so the peer is a server), the chain includes * |peer|, but when a server it does not. */ - STACK_OF(X509) *cert_chain; + STACK_OF(X509) *x509_chain; /* verify_result is the result of certificate verification in the case of * non-fatal certificate errors. */ diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c index 311e9fd1..64d39415 100644 --- a/ssl/handshake_client.c +++ b/ssl/handshake_client.c @@ -1049,14 +1049,14 @@ static int ssl3_get_server_certificate(SSL *ssl) { goto err; } - /* NOTE: Unlike the server half, the client's copy of |cert_chain| includes + /* NOTE: Unlike the server half, the client's copy of |x509_chain| includes * the leaf. */ - sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); - ssl->s3->new_session->cert_chain = chain; + sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); + ssl->s3->new_session->x509_chain = chain; - X509_free(ssl->s3->new_session->peer); + X509_free(ssl->s3->new_session->x509_peer); X509_up_ref(leaf); - ssl->s3->new_session->peer = leaf; + ssl->s3->new_session->x509_peer = leaf; return 1; @@ -1108,7 +1108,7 @@ f_err: static int ssl3_verify_server_cert(SSL *ssl) { if (!ssl_verify_cert_chain(ssl, &ssl->s3->new_session->verify_result, - ssl->s3->new_session->cert_chain)) { + ssl->s3->new_session->x509_chain)) { return -1; } @@ -1282,7 +1282,7 @@ static int ssl3_get_server_key_exchange(SSL *ssl) { /* ServerKeyExchange should be signed by the server's public key. */ if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { - pkey = X509_get_pubkey(ssl->s3->new_session->peer); + pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer); if (pkey == NULL) { goto err; } @@ -1570,7 +1570,7 @@ static int ssl3_send_client_key_exchange(SSL *ssl) { goto err; } - EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->peer); + EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer); if (pkey == NULL) { goto err; } diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c index 117be780..f0469d42 100644 --- a/ssl/handshake_server.c +++ b/ssl/handshake_server.c @@ -482,10 +482,10 @@ int ssl3_accept(SSL *ssl) { * now. */ if (ssl->s3->new_session != NULL && ssl->ctx->retain_only_sha256_of_client_certs) { - X509_free(ssl->s3->new_session->peer); - ssl->s3->new_session->peer = NULL; - sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); - ssl->s3->new_session->cert_chain = NULL; + X509_free(ssl->s3->new_session->x509_peer); + ssl->s3->new_session->x509_peer = NULL; + sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); + ssl->s3->new_session->x509_chain = NULL; } SSL_SESSION_free(ssl->s3->established_session); @@ -1380,12 +1380,12 @@ static int ssl3_get_client_certificate(SSL *ssl) { } } - X509_free(ssl->s3->new_session->peer); - ssl->s3->new_session->peer = sk_X509_shift(chain); + X509_free(ssl->s3->new_session->x509_peer); + ssl->s3->new_session->x509_peer = sk_X509_shift(chain); - sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); - ssl->s3->new_session->cert_chain = chain; - /* Inconsistency alert: cert_chain does *not* include the peer's own + sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); + ssl->s3->new_session->x509_chain = chain; + /* Inconsistency alert: x509_chain does *not* include the peer's own * certificate, while we do include it in s3_clnt.c */ return 1; @@ -1667,7 +1667,7 @@ err: static int ssl3_get_cert_verify(SSL *ssl) { int al, ret = 0; CBS certificate_verify, signature; - X509 *peer = ssl->s3->new_session->peer; + X509 *peer = ssl->s3->new_session->x509_peer; EVP_PKEY *pkey = NULL; /* Only RSA and ECDSA client certificates are supported, so a diff --git a/ssl/internal.h b/ssl/internal.h index 7badc5b0..6b579719 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -1171,10 +1171,9 @@ enum ssl_hash_message_t { }; typedef struct cert_st { - X509 *x509; EVP_PKEY *privatekey; - /* Chain for this certificate */ - STACK_OF(X509) *chain; + X509 *x509_leaf; + STACK_OF(X509) *x509_chain; /* key_method, if non-NULL, is a set of callbacks to call for private key * operations. */ diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 7fa63d98..c1d931fa 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -220,12 +220,12 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, /* The peer certificate is only serialized if the SHA-256 isn't * serialized instead. */ - if (in->peer && !in->peer_sha256_valid) { + if (in->x509_peer && !in->peer_sha256_valid) { if (!CBB_add_asn1(&session, &child, kPeerTag)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } - if (!ssl_add_cert_to_cbb(&child, in->peer)) { + if (!ssl_add_cert_to_cbb(&child, in->x509_peer)) { goto err; } } @@ -340,13 +340,13 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, /* The certificate chain is only serialized if the leaf's SHA-256 isn't * serialized instead. */ - if (in->cert_chain != NULL && !in->peer_sha256_valid) { + if (in->x509_chain != NULL && !in->peer_sha256_valid) { if (!CBB_add_asn1(&session, &child, kCertChainTag)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } - for (size_t i = 0; i < sk_X509_num(in->cert_chain); i++) { - if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->cert_chain, i))) { + for (size_t i = 0; i < sk_X509_num(in->x509_chain); i++) { + if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->x509_chain, i))) { goto err; } } @@ -590,11 +590,11 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } - X509_free(ret->peer); - ret->peer = NULL; + X509_free(ret->x509_peer); + ret->x509_peer = NULL; if (has_peer) { - ret->peer = parse_x509(&peer); - if (ret->peer == NULL) { + ret->x509_peer = parse_x509(&peer); + if (ret->x509_peer == NULL) { goto err; } if (CBS_len(&peer) != 0) { @@ -670,11 +670,11 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); goto err; } - sk_X509_pop_free(ret->cert_chain, X509_free); - ret->cert_chain = NULL; + sk_X509_pop_free(ret->x509_chain, X509_free); + ret->x509_chain = NULL; if (has_cert_chain) { - ret->cert_chain = sk_X509_new_null(); - if (ret->cert_chain == NULL) { + ret->x509_chain = sk_X509_new_null(); + if (ret->x509_chain == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } @@ -683,7 +683,7 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) { if (x509 == NULL) { goto err; } - if (!sk_X509_push(ret->cert_chain, x509)) { + if (!sk_X509_push(ret->x509_chain, x509)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); X509_free(x509); goto err; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 55b464fe..c3809efd 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -158,9 +158,9 @@ CERT *ssl_cert_dup(CERT *cert) { } memset(ret, 0, sizeof(CERT)); - if (cert->x509 != NULL) { - X509_up_ref(cert->x509); - ret->x509 = cert->x509; + if (cert->x509_leaf != NULL) { + X509_up_ref(cert->x509_leaf); + ret->x509_leaf = cert->x509_leaf; } if (cert->privatekey != NULL) { @@ -168,9 +168,9 @@ CERT *ssl_cert_dup(CERT *cert) { ret->privatekey = cert->privatekey; } - if (cert->chain) { - ret->chain = X509_chain_up_ref(cert->chain); - if (!ret->chain) { + if (cert->x509_chain) { + ret->x509_chain = X509_chain_up_ref(cert->x509_chain); + if (!ret->x509_chain) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto err; } @@ -220,12 +220,12 @@ void ssl_cert_clear_certs(CERT *cert) { return; } - X509_free(cert->x509); - cert->x509 = NULL; + X509_free(cert->x509_leaf); + cert->x509_leaf = NULL; EVP_PKEY_free(cert->privatekey); cert->privatekey = NULL; - sk_X509_pop_free(cert->chain, X509_free); - cert->chain = NULL; + sk_X509_pop_free(cert->x509_chain, X509_free); + cert->x509_chain = NULL; cert->key_method = NULL; } @@ -244,8 +244,8 @@ void ssl_cert_free(CERT *c) { } int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) { - sk_X509_pop_free(cert->chain, X509_free); - cert->chain = chain; + sk_X509_pop_free(cert->x509_chain, X509_free); + cert->x509_chain = chain; return 1; } @@ -269,10 +269,10 @@ int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) { } int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) { - if (cert->chain == NULL) { - cert->chain = sk_X509_new_null(); + if (cert->x509_chain == NULL) { + cert->x509_chain = sk_X509_new_null(); } - if (cert->chain == NULL || !sk_X509_push(cert->chain, x509)) { + if (cert->x509_chain == NULL || !sk_X509_push(cert->x509_chain, x509)) { return 0; } @@ -443,7 +443,7 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) { } int ssl_has_certificate(const SSL *ssl) { - return ssl->cert->x509 != NULL && ssl_has_private_key(ssl); + return ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl); } STACK_OF(X509) *ssl_parse_cert_chain(SSL *ssl, uint8_t *out_alert, @@ -528,7 +528,7 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) { } CERT *cert = ssl->cert; - X509 *x = cert->x509; + X509 *x = cert->x509_leaf; CBB child; if (!CBB_add_u24_length_prefixed(cbb, &child)) { @@ -537,7 +537,7 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) { } int no_chain = 0; - STACK_OF(X509) *chain = cert->chain; + STACK_OF(X509) *chain = cert->x509_chain; if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) { no_chain = 1; } @@ -763,7 +763,7 @@ int SSL_clear_chain_certs(SSL *ssl) { } int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) { - *out_chain = ctx->cert->chain; + *out_chain = ctx->cert->x509_chain; return 1; } @@ -773,7 +773,7 @@ int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx, } int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) { - *out_chain = ssl->cert->chain; + *out_chain = ssl->cert->x509_chain; return 1; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 22baed02..d8270f33 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1048,11 +1048,11 @@ X509 *SSL_get_peer_certificate(const SSL *ssl) { return NULL; } SSL_SESSION *session = SSL_get_session(ssl); - if (session == NULL || session->peer == NULL) { + if (session == NULL || session->x509_peer == NULL) { return NULL; } - X509_up_ref(session->peer); - return session->peer; + X509_up_ref(session->x509_peer); + return session->x509_peer; } STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) { @@ -1063,7 +1063,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) { if (session == NULL) { return NULL; } - return session->cert_chain; + return session->x509_chain; } int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, @@ -1336,32 +1336,34 @@ int SSL_pending(const SSL *ssl) { /* Fix this so it checks all the valid key/cert options */ int SSL_CTX_check_private_key(const SSL_CTX *ctx) { - if (ctx->cert->x509 == NULL) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); + if (ctx->cert->privatekey == NULL) { + OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); return 0; } - if (ctx->cert->privatekey == NULL) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); + X509 *x509 = ctx->cert->x509_leaf; + if (x509 == NULL) { + OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); return 0; } - return X509_check_private_key(ctx->cert->x509, ctx->cert->privatekey); + return X509_check_private_key(x509, ctx->cert->privatekey); } /* Fix this function so that it takes an optional type parameter */ int SSL_check_private_key(const SSL *ssl) { - if (ssl->cert->x509 == NULL) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); + if (ssl->cert->privatekey == NULL) { + OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); return 0; } - if (ssl->cert->privatekey == NULL) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); + X509 *x509 = ssl->cert->x509_leaf; + if (x509 == NULL) { + OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); return 0; } - return X509_check_private_key(ssl->cert->x509, ssl->cert->privatekey); + return X509_check_private_key(x509, ssl->cert->privatekey); } long SSL_get_default_timeout(const SSL *ssl) { @@ -2030,7 +2032,7 @@ void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k, uint32_t mask_k = 0; uint32_t mask_a = 0; - if (ssl->cert->x509 != NULL && ssl_has_private_key(ssl)) { + if (ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl)) { int type = ssl_private_key_type(ssl); if (type == NID_rsaEncryption) { mask_k |= SSL_kRSA; @@ -2151,7 +2153,7 @@ const char *SSL_SESSION_get_version(const SSL_SESSION *session) { X509 *SSL_get_certificate(const SSL *ssl) { if (ssl->cert != NULL) { - return ssl->cert->x509; + return ssl->cert->x509_leaf; } return NULL; @@ -2167,7 +2169,7 @@ EVP_PKEY *SSL_get_privatekey(const SSL *ssl) { X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) { if (ctx->cert != NULL) { - return ctx->cert->x509; + return ctx->cert->x509_leaf; } return NULL; diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 29e5f194..e9840127 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -134,13 +134,14 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { return 0; } - if (c->x509 != NULL) { + X509 *x509_leaf = c->x509_leaf; + if (x509_leaf != NULL) { /* Sanity-check that the private key and the certificate match, unless the * key is opaque (in case of, say, a smartcard). */ if (!EVP_PKEY_is_opaque(pkey) && - !X509_check_private_key(c->x509, pkey)) { - X509_free(c->x509); - c->x509 = NULL; + !X509_check_private_key(x509_leaf, pkey)) { + X509_free(c->x509_leaf); + c->x509_leaf = NULL; return 0; } } @@ -248,9 +249,9 @@ static int ssl_set_cert(CERT *c, X509 *x) { EVP_PKEY_free(pkey); - X509_free(c->x509); + X509_free(c->x509_leaf); X509_up_ref(x); - c->x509 = x; + c->x509_leaf = x; return 1; } diff --git a/ssl/ssl_session.c b/ssl/ssl_session.c index 2c074b73..585d0517 100644 --- a/ssl/ssl_session.c +++ b/ssl/ssl_session.c @@ -199,13 +199,13 @@ SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { goto err; } } - if (session->peer != NULL) { - X509_up_ref(session->peer); - new_session->peer = session->peer; + if (session->x509_peer != NULL) { + X509_up_ref(session->x509_peer); + new_session->x509_peer = session->x509_peer; } - if (session->cert_chain != NULL) { - new_session->cert_chain = X509_chain_up_ref(session->cert_chain); - if (new_session->cert_chain == NULL) { + if (session->x509_chain != NULL) { + new_session->x509_chain = X509_chain_up_ref(session->x509_chain); + if (new_session->x509_chain == NULL) { goto err; } } @@ -325,8 +325,8 @@ void SSL_SESSION_free(SSL_SESSION *session) { OPENSSL_cleanse(session->master_key, sizeof(session->master_key)); OPENSSL_cleanse(session->session_id, sizeof(session->session_id)); - X509_free(session->peer); - sk_X509_pop_free(session->cert_chain, X509_free); + X509_free(session->x509_peer); + sk_X509_pop_free(session->x509_chain, X509_free); OPENSSL_free(session->tlsext_hostname); OPENSSL_free(session->tlsext_tick); OPENSSL_free(session->tlsext_signed_cert_timestamp_list); @@ -357,7 +357,7 @@ long SSL_SESSION_get_time(const SSL_SESSION *session) { } X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) { - return session->peer; + return session->x509_peer; } size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out, diff --git a/ssl/tls13_both.c b/ssl/tls13_both.c index c8681a71..75be8497 100644 --- a/ssl/tls13_both.c +++ b/ssl/tls13_both.c @@ -214,13 +214,13 @@ int tls13_process_certificate(SSL *ssl, int allow_anonymous) { goto err; } - X509_free(ssl->s3->new_session->peer); + X509_free(ssl->s3->new_session->x509_peer); X509 *leaf = sk_X509_value(chain, 0); X509_up_ref(leaf); - ssl->s3->new_session->peer = leaf; + ssl->s3->new_session->x509_peer = leaf; - sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); - ssl->s3->new_session->cert_chain = chain; + sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); + ssl->s3->new_session->x509_chain = chain; chain = NULL; ret = 1; @@ -232,7 +232,7 @@ err: int tls13_process_certificate_verify(SSL *ssl) { int ret = 0; - X509 *peer = ssl->s3->new_session->peer; + X509 *peer = ssl->s3->new_session->x509_peer; EVP_PKEY *pkey = NULL; uint8_t *msg = NULL; size_t msg_len; diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c index 2b824012..49f8c00f 100644 --- a/ssl/tls13_server.c +++ b/ssl/tls13_server.c @@ -542,8 +542,8 @@ static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl, /* For historical reasons, the server's copy of the chain does not include the * leaf while the client's does. */ - if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) { - X509_free(sk_X509_shift(ssl->s3->new_session->cert_chain)); + if (sk_X509_num(ssl->s3->new_session->x509_chain) > 0) { + X509_free(sk_X509_shift(ssl->s3->new_session->x509_chain)); } hs->state = state_process_client_certificate_verify; @@ -552,7 +552,7 @@ static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl, static enum ssl_hs_wait_t do_process_client_certificate_verify( SSL *ssl, SSL_HANDSHAKE *hs) { - if (ssl->s3->new_session->peer == NULL) { + if (ssl->s3->new_session->x509_peer == NULL) { /* Skip this state. */ hs->state = state_process_channel_id; return ssl_hs_ok;