kris
/
boringssl
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
Bladeren bron

Rename X.509 members in |SSL_SESSION| and |CERT|. 

This change renames |peer| to |x509_peer| and |cert_chain| to
|x509_chain| in |SSL_SESSION|. It also renames |x509| to |x509_leaf| and
|chain| to |x509_chain| in |CERT|. (All with an eye to maybe making
them lazily initialised in the future).

This a) catches anyone who might be accessing these members directly and
b) makes space for |CRYPTO_BUFFER|-based values to take the unprefixed
names.

Change-Id: I10573304fb7d6f1ea03f9e645f7fc0acdaf71ac2
Reviewed-on: https://boringssl-review.googlesource.com/12162
Reviewed-by: David Benjamin <davidben@google.com>
kris/onging/CECPQ3_patch15
Adam Langley 8 jaren geleden
committed by David Benjamin
bovenliggende
a983b4c248
commit
c5ac2b6c78
11 gewijzigde bestanden met toevoegingen van 101 en 99 verwijderingen
Zij-aan-zij weergave
Diff opties
Statistieken weergeven Download Patch-bestand Download Diff-bestand
  1. +4
    -4
      include/openssl/ssl.h
  2. +8
    -8
      ssl/handshake_client.c
  3. +10
    -10
      ssl/handshake_server.c
  4. +2
    -3
      ssl/internal.h
  5. +14
    -14
      ssl/ssl_asn1.c
  6. +20
    -20
      ssl/ssl_cert.c
  7. +19
    -17
      ssl/ssl_lib.c
  8. +7
    -6
      ssl/ssl_rsa.c
  9. +9
    -9
      ssl/ssl_session.c
  10. +5
    -5
      ssl/tls13_both.c
  11. +3
    -3
      ssl/tls13_server.c

+ 4
- 4
include/openssl/ssl.h Bestand weergeven

@@ -3675,13 +3675,13 @@ struct ssl_session_st {
uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];

char *psk_identity;
/* peer is the peer's certificate. */
X509 *peer;
/* x509_peer is the peer's certificate. */
X509 *x509_peer;

/* cert_chain is the certificate chain sent by the peer. NOTE: for historical
/* x509_chain is the certificate chain sent by the peer. NOTE: for historical
* reasons, when a client (so the peer is a server), the chain includes
* |peer|, but when a server it does not. */
STACK_OF(X509) *cert_chain;
STACK_OF(X509) *x509_chain;

/* verify_result is the result of certificate verification in the case of
* non-fatal certificate errors. */


+ 8
- 8
ssl/handshake_client.c Bestand weergeven

@@ -1049,14 +1049,14 @@ static int ssl3_get_server_certificate(SSL *ssl) {
goto err;
}

/* NOTE: Unlike the server half, the client's copy of |cert_chain| includes
/* NOTE: Unlike the server half, the client's copy of |x509_chain| includes
* the leaf. */
sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
ssl->s3->new_session->cert_chain = chain;
sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free);
ssl->s3->new_session->x509_chain = chain;

X509_free(ssl->s3->new_session->peer);
X509_free(ssl->s3->new_session->x509_peer);
X509_up_ref(leaf);
ssl->s3->new_session->peer = leaf;
ssl->s3->new_session->x509_peer = leaf;

return 1;

@@ -1108,7 +1108,7 @@ f_err:

static int ssl3_verify_server_cert(SSL *ssl) {
if (!ssl_verify_cert_chain(ssl, &ssl->s3->new_session->verify_result,
ssl->s3->new_session->cert_chain)) {
ssl->s3->new_session->x509_chain)) {
return -1;
}

@@ -1282,7 +1282,7 @@ static int ssl3_get_server_key_exchange(SSL *ssl) {

/* ServerKeyExchange should be signed by the server's public key. */
if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
pkey = X509_get_pubkey(ssl->s3->new_session->peer);
pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer);
if (pkey == NULL) {
goto err;
}
@@ -1570,7 +1570,7 @@ static int ssl3_send_client_key_exchange(SSL *ssl) {
goto err;
}

EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->peer);
EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer);
if (pkey == NULL) {
goto err;
}


+ 10
- 10
ssl/handshake_server.c Bestand weergeven

@@ -482,10 +482,10 @@ int ssl3_accept(SSL *ssl) {
* now. */
if (ssl->s3->new_session != NULL &&
ssl->ctx->retain_only_sha256_of_client_certs) {
X509_free(ssl->s3->new_session->peer);
ssl->s3->new_session->peer = NULL;
sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
ssl->s3->new_session->cert_chain = NULL;
X509_free(ssl->s3->new_session->x509_peer);
ssl->s3->new_session->x509_peer = NULL;
sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free);
ssl->s3->new_session->x509_chain = NULL;
}

SSL_SESSION_free(ssl->s3->established_session);
@@ -1380,12 +1380,12 @@ static int ssl3_get_client_certificate(SSL *ssl) {
}
}

X509_free(ssl->s3->new_session->peer);
ssl->s3->new_session->peer = sk_X509_shift(chain);
X509_free(ssl->s3->new_session->x509_peer);
ssl->s3->new_session->x509_peer = sk_X509_shift(chain);

sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
ssl->s3->new_session->cert_chain = chain;
/* Inconsistency alert: cert_chain does *not* include the peer's own
sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free);
ssl->s3->new_session->x509_chain = chain;
/* Inconsistency alert: x509_chain does *not* include the peer's own
* certificate, while we do include it in s3_clnt.c */

return 1;
@@ -1667,7 +1667,7 @@ err:
static int ssl3_get_cert_verify(SSL *ssl) {
int al, ret = 0;
CBS certificate_verify, signature;
X509 *peer = ssl->s3->new_session->peer;
X509 *peer = ssl->s3->new_session->x509_peer;
EVP_PKEY *pkey = NULL;

/* Only RSA and ECDSA client certificates are supported, so a


+ 2
- 3
ssl/internal.h Bestand weergeven

@@ -1171,10 +1171,9 @@ enum ssl_hash_message_t {
};

typedef struct cert_st {
X509 *x509;
EVP_PKEY *privatekey;
/* Chain for this certificate */
STACK_OF(X509) *chain;
X509 *x509_leaf;
STACK_OF(X509) *x509_chain;

/* key_method, if non-NULL, is a set of callbacks to call for private key
* operations. */


+ 14
- 14
ssl/ssl_asn1.c Bestand weergeven

@@ -220,12 +220,12 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data,

/* The peer certificate is only serialized if the SHA-256 isn't
* serialized instead. */
if (in->peer && !in->peer_sha256_valid) {
if (in->x509_peer && !in->peer_sha256_valid) {
if (!CBB_add_asn1(&session, &child, kPeerTag)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!ssl_add_cert_to_cbb(&child, in->peer)) {
if (!ssl_add_cert_to_cbb(&child, in->x509_peer)) {
goto err;
}
}
@@ -340,13 +340,13 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data,

/* The certificate chain is only serialized if the leaf's SHA-256 isn't
* serialized instead. */
if (in->cert_chain != NULL && !in->peer_sha256_valid) {
if (in->x509_chain != NULL && !in->peer_sha256_valid) {
if (!CBB_add_asn1(&session, &child, kCertChainTag)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
for (size_t i = 0; i < sk_X509_num(in->cert_chain); i++) {
if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->cert_chain, i))) {
for (size_t i = 0; i < sk_X509_num(in->x509_chain); i++) {
if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->x509_chain, i))) {
goto err;
}
}
@@ -590,11 +590,11 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
X509_free(ret->peer);
ret->peer = NULL;
X509_free(ret->x509_peer);
ret->x509_peer = NULL;
if (has_peer) {
ret->peer = parse_x509(&peer);
if (ret->peer == NULL) {
ret->x509_peer = parse_x509(&peer);
if (ret->x509_peer == NULL) {
goto err;
}
if (CBS_len(&peer) != 0) {
@@ -670,11 +670,11 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
goto err;
}
sk_X509_pop_free(ret->cert_chain, X509_free);
ret->cert_chain = NULL;
sk_X509_pop_free(ret->x509_chain, X509_free);
ret->x509_chain = NULL;
if (has_cert_chain) {
ret->cert_chain = sk_X509_new_null();
if (ret->cert_chain == NULL) {
ret->x509_chain = sk_X509_new_null();
if (ret->x509_chain == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -683,7 +683,7 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) {
if (x509 == NULL) {
goto err;
}
if (!sk_X509_push(ret->cert_chain, x509)) {
if (!sk_X509_push(ret->x509_chain, x509)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
X509_free(x509);
goto err;


+ 20
- 20
ssl/ssl_cert.c Bestand weergeven

@@ -158,9 +158,9 @@ CERT *ssl_cert_dup(CERT *cert) {
}
memset(ret, 0, sizeof(CERT));

if (cert->x509 != NULL) {
X509_up_ref(cert->x509);
ret->x509 = cert->x509;
if (cert->x509_leaf != NULL) {
X509_up_ref(cert->x509_leaf);
ret->x509_leaf = cert->x509_leaf;
}

if (cert->privatekey != NULL) {
@@ -168,9 +168,9 @@ CERT *ssl_cert_dup(CERT *cert) {
ret->privatekey = cert->privatekey;
}

if (cert->chain) {
ret->chain = X509_chain_up_ref(cert->chain);
if (!ret->chain) {
if (cert->x509_chain) {
ret->x509_chain = X509_chain_up_ref(cert->x509_chain);
if (!ret->x509_chain) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -220,12 +220,12 @@ void ssl_cert_clear_certs(CERT *cert) {
return;
}

X509_free(cert->x509);
cert->x509 = NULL;
X509_free(cert->x509_leaf);
cert->x509_leaf = NULL;
EVP_PKEY_free(cert->privatekey);
cert->privatekey = NULL;
sk_X509_pop_free(cert->chain, X509_free);
cert->chain = NULL;
sk_X509_pop_free(cert->x509_chain, X509_free);
cert->x509_chain = NULL;
cert->key_method = NULL;
}

@@ -244,8 +244,8 @@ void ssl_cert_free(CERT *c) {
}

int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) {
sk_X509_pop_free(cert->chain, X509_free);
cert->chain = chain;
sk_X509_pop_free(cert->x509_chain, X509_free);
cert->x509_chain = chain;
return 1;
}

@@ -269,10 +269,10 @@ int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) {
}

int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) {
if (cert->chain == NULL) {
cert->chain = sk_X509_new_null();
if (cert->x509_chain == NULL) {
cert->x509_chain = sk_X509_new_null();
}
if (cert->chain == NULL || !sk_X509_push(cert->chain, x509)) {
if (cert->x509_chain == NULL || !sk_X509_push(cert->x509_chain, x509)) {
return 0;
}

@@ -443,7 +443,7 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) {
}

int ssl_has_certificate(const SSL *ssl) {
return ssl->cert->x509 != NULL && ssl_has_private_key(ssl);
return ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl);
}

STACK_OF(X509) *ssl_parse_cert_chain(SSL *ssl, uint8_t *out_alert,
@@ -528,7 +528,7 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {
}

CERT *cert = ssl->cert;
X509 *x = cert->x509;
X509 *x = cert->x509_leaf;

CBB child;
if (!CBB_add_u24_length_prefixed(cbb, &child)) {
@@ -537,7 +537,7 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {
}

int no_chain = 0;
STACK_OF(X509) *chain = cert->chain;
STACK_OF(X509) *chain = cert->x509_chain;
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) {
no_chain = 1;
}
@@ -763,7 +763,7 @@ int SSL_clear_chain_certs(SSL *ssl) {
}

int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {
*out_chain = ctx->cert->chain;
*out_chain = ctx->cert->x509_chain;
return 1;
}

@@ -773,7 +773,7 @@ int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,
}

int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {
*out_chain = ssl->cert->chain;
*out_chain = ssl->cert->x509_chain;
return 1;
}



+ 19
- 17
ssl/ssl_lib.c Bestand weergeven

@@ -1048,11 +1048,11 @@ X509 *SSL_get_peer_certificate(const SSL *ssl) {
return NULL;
}
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL || session->peer == NULL) {
if (session == NULL || session->x509_peer == NULL) {
return NULL;
}
X509_up_ref(session->peer);
return session->peer;
X509_up_ref(session->x509_peer);
return session->x509_peer;
}

STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
@@ -1063,7 +1063,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
if (session == NULL) {
return NULL;
}
return session->cert_chain;
return session->x509_chain;
}

int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
@@ -1336,32 +1336,34 @@ int SSL_pending(const SSL *ssl) {

/* Fix this so it checks all the valid key/cert options */
int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
if (ctx->cert->x509 == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
if (ctx->cert->privatekey == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
return 0;
}

if (ctx->cert->privatekey == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
X509 *x509 = ctx->cert->x509_leaf;
if (x509 == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
return 0;
}

return X509_check_private_key(ctx->cert->x509, ctx->cert->privatekey);
return X509_check_private_key(x509, ctx->cert->privatekey);
}

/* Fix this function so that it takes an optional type parameter */
int SSL_check_private_key(const SSL *ssl) {
if (ssl->cert->x509 == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
if (ssl->cert->privatekey == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
return 0;
}

if (ssl->cert->privatekey == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
X509 *x509 = ssl->cert->x509_leaf;
if (x509 == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
return 0;
}

return X509_check_private_key(ssl->cert->x509, ssl->cert->privatekey);
return X509_check_private_key(x509, ssl->cert->privatekey);
}

long SSL_get_default_timeout(const SSL *ssl) {
@@ -2030,7 +2032,7 @@ void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k,
uint32_t mask_k = 0;
uint32_t mask_a = 0;

if (ssl->cert->x509 != NULL && ssl_has_private_key(ssl)) {
if (ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl)) {
int type = ssl_private_key_type(ssl);
if (type == NID_rsaEncryption) {
mask_k |= SSL_kRSA;
@@ -2151,7 +2153,7 @@ const char *SSL_SESSION_get_version(const SSL_SESSION *session) {

X509 *SSL_get_certificate(const SSL *ssl) {
if (ssl->cert != NULL) {
return ssl->cert->x509;
return ssl->cert->x509_leaf;
}

return NULL;
@@ -2167,7 +2169,7 @@ EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {

X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) {
if (ctx->cert != NULL) {
return ctx->cert->x509;
return ctx->cert->x509_leaf;
}

return NULL;


+ 7
- 6
ssl/ssl_rsa.c Bestand weergeven

@@ -134,13 +134,14 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) {
return 0;
}

if (c->x509 != NULL) {
X509 *x509_leaf = c->x509_leaf;
if (x509_leaf != NULL) {
/* Sanity-check that the private key and the certificate match, unless the
* key is opaque (in case of, say, a smartcard). */
if (!EVP_PKEY_is_opaque(pkey) &&
!X509_check_private_key(c->x509, pkey)) {
X509_free(c->x509);
c->x509 = NULL;
!X509_check_private_key(x509_leaf, pkey)) {
X509_free(c->x509_leaf);
c->x509_leaf = NULL;
return 0;
}
}
@@ -248,9 +249,9 @@ static int ssl_set_cert(CERT *c, X509 *x) {

EVP_PKEY_free(pkey);

X509_free(c->x509);
X509_free(c->x509_leaf);
X509_up_ref(x);
c->x509 = x;
c->x509_leaf = x;

return 1;
}


+ 9
- 9
ssl/ssl_session.c Bestand weergeven

@@ -199,13 +199,13 @@ SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
goto err;
}
}
if (session->peer != NULL) {
X509_up_ref(session->peer);
new_session->peer = session->peer;
if (session->x509_peer != NULL) {
X509_up_ref(session->x509_peer);
new_session->x509_peer = session->x509_peer;
}
if (session->cert_chain != NULL) {
new_session->cert_chain = X509_chain_up_ref(session->cert_chain);
if (new_session->cert_chain == NULL) {
if (session->x509_chain != NULL) {
new_session->x509_chain = X509_chain_up_ref(session->x509_chain);
if (new_session->x509_chain == NULL) {
goto err;
}
}
@@ -325,8 +325,8 @@ void SSL_SESSION_free(SSL_SESSION *session) {

OPENSSL_cleanse(session->master_key, sizeof(session->master_key));
OPENSSL_cleanse(session->session_id, sizeof(session->session_id));
X509_free(session->peer);
sk_X509_pop_free(session->cert_chain, X509_free);
X509_free(session->x509_peer);
sk_X509_pop_free(session->x509_chain, X509_free);
OPENSSL_free(session->tlsext_hostname);
OPENSSL_free(session->tlsext_tick);
OPENSSL_free(session->tlsext_signed_cert_timestamp_list);
@@ -357,7 +357,7 @@ long SSL_SESSION_get_time(const SSL_SESSION *session) {
}

X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) {
return session->peer;
return session->x509_peer;
}

size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,


+ 5
- 5
ssl/tls13_both.c Bestand weergeven

@@ -214,13 +214,13 @@ int tls13_process_certificate(SSL *ssl, int allow_anonymous) {
goto err;
}

X509_free(ssl->s3->new_session->peer);
X509_free(ssl->s3->new_session->x509_peer);
X509 *leaf = sk_X509_value(chain, 0);
X509_up_ref(leaf);
ssl->s3->new_session->peer = leaf;
ssl->s3->new_session->x509_peer = leaf;

sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free);
ssl->s3->new_session->cert_chain = chain;
sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free);
ssl->s3->new_session->x509_chain = chain;
chain = NULL;

ret = 1;
@@ -232,7 +232,7 @@ err:

int tls13_process_certificate_verify(SSL *ssl) {
int ret = 0;
X509 *peer = ssl->s3->new_session->peer;
X509 *peer = ssl->s3->new_session->x509_peer;
EVP_PKEY *pkey = NULL;
uint8_t *msg = NULL;
size_t msg_len;


+ 3
- 3
ssl/tls13_server.c Bestand weergeven

@@ -542,8 +542,8 @@ static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,

/* For historical reasons, the server's copy of the chain does not include the
* leaf while the client's does. */
if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) {
X509_free(sk_X509_shift(ssl->s3->new_session->cert_chain));
if (sk_X509_num(ssl->s3->new_session->x509_chain) > 0) {
X509_free(sk_X509_shift(ssl->s3->new_session->x509_chain));
}

hs->state = state_process_client_certificate_verify;
@@ -552,7 +552,7 @@ static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,

static enum ssl_hs_wait_t do_process_client_certificate_verify(
SSL *ssl, SSL_HANDSHAKE *hs) {
if (ssl->s3->new_session->peer == NULL) {
if (ssl->s3->new_session->x509_peer == NULL) {
/* Skip this state. */
hs->state = state_process_channel_id;
return ssl_hs_ok;


Schrijf Voorbeeld
Laden…
Annuleren
Opslaan