This change renames |peer| to |x509_peer| and |cert_chain| to |x509_chain| in |SSL_SESSION|. It also renames |x509| to |x509_leaf| and |chain| to |x509_chain| in |CERT|. (All with an eye to maybe making them lazily initialised in the future). This a) catches anyone who might be accessing these members directly and b) makes space for |CRYPTO_BUFFER|-based values to take the unprefixed names. Change-Id: I10573304fb7d6f1ea03f9e645f7fc0acdaf71ac2 Reviewed-on: https://boringssl-review.googlesource.com/12162 Reviewed-by: David Benjamin <davidben@google.com>kris/onging/CECPQ3_patch15
@@ -3675,13 +3675,13 @@ struct ssl_session_st { | |||
uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; | |||
char *psk_identity; | |||
/* peer is the peer's certificate. */ | |||
X509 *peer; | |||
/* x509_peer is the peer's certificate. */ | |||
X509 *x509_peer; | |||
/* cert_chain is the certificate chain sent by the peer. NOTE: for historical | |||
/* x509_chain is the certificate chain sent by the peer. NOTE: for historical | |||
* reasons, when a client (so the peer is a server), the chain includes | |||
* |peer|, but when a server it does not. */ | |||
STACK_OF(X509) *cert_chain; | |||
STACK_OF(X509) *x509_chain; | |||
/* verify_result is the result of certificate verification in the case of | |||
* non-fatal certificate errors. */ | |||
@@ -1049,14 +1049,14 @@ static int ssl3_get_server_certificate(SSL *ssl) { | |||
goto err; | |||
} | |||
/* NOTE: Unlike the server half, the client's copy of |cert_chain| includes | |||
/* NOTE: Unlike the server half, the client's copy of |x509_chain| includes | |||
* the leaf. */ | |||
sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); | |||
ssl->s3->new_session->cert_chain = chain; | |||
sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); | |||
ssl->s3->new_session->x509_chain = chain; | |||
X509_free(ssl->s3->new_session->peer); | |||
X509_free(ssl->s3->new_session->x509_peer); | |||
X509_up_ref(leaf); | |||
ssl->s3->new_session->peer = leaf; | |||
ssl->s3->new_session->x509_peer = leaf; | |||
return 1; | |||
@@ -1108,7 +1108,7 @@ f_err: | |||
static int ssl3_verify_server_cert(SSL *ssl) { | |||
if (!ssl_verify_cert_chain(ssl, &ssl->s3->new_session->verify_result, | |||
ssl->s3->new_session->cert_chain)) { | |||
ssl->s3->new_session->x509_chain)) { | |||
return -1; | |||
} | |||
@@ -1282,7 +1282,7 @@ static int ssl3_get_server_key_exchange(SSL *ssl) { | |||
/* ServerKeyExchange should be signed by the server's public key. */ | |||
if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) { | |||
pkey = X509_get_pubkey(ssl->s3->new_session->peer); | |||
pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer); | |||
if (pkey == NULL) { | |||
goto err; | |||
} | |||
@@ -1570,7 +1570,7 @@ static int ssl3_send_client_key_exchange(SSL *ssl) { | |||
goto err; | |||
} | |||
EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->peer); | |||
EVP_PKEY *pkey = X509_get_pubkey(ssl->s3->new_session->x509_peer); | |||
if (pkey == NULL) { | |||
goto err; | |||
} | |||
@@ -482,10 +482,10 @@ int ssl3_accept(SSL *ssl) { | |||
* now. */ | |||
if (ssl->s3->new_session != NULL && | |||
ssl->ctx->retain_only_sha256_of_client_certs) { | |||
X509_free(ssl->s3->new_session->peer); | |||
ssl->s3->new_session->peer = NULL; | |||
sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); | |||
ssl->s3->new_session->cert_chain = NULL; | |||
X509_free(ssl->s3->new_session->x509_peer); | |||
ssl->s3->new_session->x509_peer = NULL; | |||
sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); | |||
ssl->s3->new_session->x509_chain = NULL; | |||
} | |||
SSL_SESSION_free(ssl->s3->established_session); | |||
@@ -1380,12 +1380,12 @@ static int ssl3_get_client_certificate(SSL *ssl) { | |||
} | |||
} | |||
X509_free(ssl->s3->new_session->peer); | |||
ssl->s3->new_session->peer = sk_X509_shift(chain); | |||
X509_free(ssl->s3->new_session->x509_peer); | |||
ssl->s3->new_session->x509_peer = sk_X509_shift(chain); | |||
sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); | |||
ssl->s3->new_session->cert_chain = chain; | |||
/* Inconsistency alert: cert_chain does *not* include the peer's own | |||
sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); | |||
ssl->s3->new_session->x509_chain = chain; | |||
/* Inconsistency alert: x509_chain does *not* include the peer's own | |||
* certificate, while we do include it in s3_clnt.c */ | |||
return 1; | |||
@@ -1667,7 +1667,7 @@ err: | |||
static int ssl3_get_cert_verify(SSL *ssl) { | |||
int al, ret = 0; | |||
CBS certificate_verify, signature; | |||
X509 *peer = ssl->s3->new_session->peer; | |||
X509 *peer = ssl->s3->new_session->x509_peer; | |||
EVP_PKEY *pkey = NULL; | |||
/* Only RSA and ECDSA client certificates are supported, so a | |||
@@ -1171,10 +1171,9 @@ enum ssl_hash_message_t { | |||
}; | |||
typedef struct cert_st { | |||
X509 *x509; | |||
EVP_PKEY *privatekey; | |||
/* Chain for this certificate */ | |||
STACK_OF(X509) *chain; | |||
X509 *x509_leaf; | |||
STACK_OF(X509) *x509_chain; | |||
/* key_method, if non-NULL, is a set of callbacks to call for private key | |||
* operations. */ | |||
@@ -220,12 +220,12 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, | |||
/* The peer certificate is only serialized if the SHA-256 isn't | |||
* serialized instead. */ | |||
if (in->peer && !in->peer_sha256_valid) { | |||
if (in->x509_peer && !in->peer_sha256_valid) { | |||
if (!CBB_add_asn1(&session, &child, kPeerTag)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
goto err; | |||
} | |||
if (!ssl_add_cert_to_cbb(&child, in->peer)) { | |||
if (!ssl_add_cert_to_cbb(&child, in->x509_peer)) { | |||
goto err; | |||
} | |||
} | |||
@@ -340,13 +340,13 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, | |||
/* The certificate chain is only serialized if the leaf's SHA-256 isn't | |||
* serialized instead. */ | |||
if (in->cert_chain != NULL && !in->peer_sha256_valid) { | |||
if (in->x509_chain != NULL && !in->peer_sha256_valid) { | |||
if (!CBB_add_asn1(&session, &child, kCertChainTag)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
goto err; | |||
} | |||
for (size_t i = 0; i < sk_X509_num(in->cert_chain); i++) { | |||
if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->cert_chain, i))) { | |||
for (size_t i = 0; i < sk_X509_num(in->x509_chain); i++) { | |||
if (!ssl_add_cert_to_cbb(&child, sk_X509_value(in->x509_chain, i))) { | |||
goto err; | |||
} | |||
} | |||
@@ -590,11 +590,11 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); | |||
goto err; | |||
} | |||
X509_free(ret->peer); | |||
ret->peer = NULL; | |||
X509_free(ret->x509_peer); | |||
ret->x509_peer = NULL; | |||
if (has_peer) { | |||
ret->peer = parse_x509(&peer); | |||
if (ret->peer == NULL) { | |||
ret->x509_peer = parse_x509(&peer); | |||
if (ret->x509_peer == NULL) { | |||
goto err; | |||
} | |||
if (CBS_len(&peer) != 0) { | |||
@@ -670,11 +670,11 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); | |||
goto err; | |||
} | |||
sk_X509_pop_free(ret->cert_chain, X509_free); | |||
ret->cert_chain = NULL; | |||
sk_X509_pop_free(ret->x509_chain, X509_free); | |||
ret->x509_chain = NULL; | |||
if (has_cert_chain) { | |||
ret->cert_chain = sk_X509_new_null(); | |||
if (ret->cert_chain == NULL) { | |||
ret->x509_chain = sk_X509_new_null(); | |||
if (ret->x509_chain == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
goto err; | |||
} | |||
@@ -683,7 +683,7 @@ static SSL_SESSION *SSL_SESSION_parse(CBS *cbs) { | |||
if (x509 == NULL) { | |||
goto err; | |||
} | |||
if (!sk_X509_push(ret->cert_chain, x509)) { | |||
if (!sk_X509_push(ret->x509_chain, x509)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
X509_free(x509); | |||
goto err; | |||
@@ -158,9 +158,9 @@ CERT *ssl_cert_dup(CERT *cert) { | |||
} | |||
memset(ret, 0, sizeof(CERT)); | |||
if (cert->x509 != NULL) { | |||
X509_up_ref(cert->x509); | |||
ret->x509 = cert->x509; | |||
if (cert->x509_leaf != NULL) { | |||
X509_up_ref(cert->x509_leaf); | |||
ret->x509_leaf = cert->x509_leaf; | |||
} | |||
if (cert->privatekey != NULL) { | |||
@@ -168,9 +168,9 @@ CERT *ssl_cert_dup(CERT *cert) { | |||
ret->privatekey = cert->privatekey; | |||
} | |||
if (cert->chain) { | |||
ret->chain = X509_chain_up_ref(cert->chain); | |||
if (!ret->chain) { | |||
if (cert->x509_chain) { | |||
ret->x509_chain = X509_chain_up_ref(cert->x509_chain); | |||
if (!ret->x509_chain) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
goto err; | |||
} | |||
@@ -220,12 +220,12 @@ void ssl_cert_clear_certs(CERT *cert) { | |||
return; | |||
} | |||
X509_free(cert->x509); | |||
cert->x509 = NULL; | |||
X509_free(cert->x509_leaf); | |||
cert->x509_leaf = NULL; | |||
EVP_PKEY_free(cert->privatekey); | |||
cert->privatekey = NULL; | |||
sk_X509_pop_free(cert->chain, X509_free); | |||
cert->chain = NULL; | |||
sk_X509_pop_free(cert->x509_chain, X509_free); | |||
cert->x509_chain = NULL; | |||
cert->key_method = NULL; | |||
} | |||
@@ -244,8 +244,8 @@ void ssl_cert_free(CERT *c) { | |||
} | |||
int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) { | |||
sk_X509_pop_free(cert->chain, X509_free); | |||
cert->chain = chain; | |||
sk_X509_pop_free(cert->x509_chain, X509_free); | |||
cert->x509_chain = chain; | |||
return 1; | |||
} | |||
@@ -269,10 +269,10 @@ int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) { | |||
} | |||
int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) { | |||
if (cert->chain == NULL) { | |||
cert->chain = sk_X509_new_null(); | |||
if (cert->x509_chain == NULL) { | |||
cert->x509_chain = sk_X509_new_null(); | |||
} | |||
if (cert->chain == NULL || !sk_X509_push(cert->chain, x509)) { | |||
if (cert->x509_chain == NULL || !sk_X509_push(cert->x509_chain, x509)) { | |||
return 0; | |||
} | |||
@@ -443,7 +443,7 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) { | |||
} | |||
int ssl_has_certificate(const SSL *ssl) { | |||
return ssl->cert->x509 != NULL && ssl_has_private_key(ssl); | |||
return ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl); | |||
} | |||
STACK_OF(X509) *ssl_parse_cert_chain(SSL *ssl, uint8_t *out_alert, | |||
@@ -528,7 +528,7 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) { | |||
} | |||
CERT *cert = ssl->cert; | |||
X509 *x = cert->x509; | |||
X509 *x = cert->x509_leaf; | |||
CBB child; | |||
if (!CBB_add_u24_length_prefixed(cbb, &child)) { | |||
@@ -537,7 +537,7 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) { | |||
} | |||
int no_chain = 0; | |||
STACK_OF(X509) *chain = cert->chain; | |||
STACK_OF(X509) *chain = cert->x509_chain; | |||
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || chain != NULL) { | |||
no_chain = 1; | |||
} | |||
@@ -763,7 +763,7 @@ int SSL_clear_chain_certs(SSL *ssl) { | |||
} | |||
int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) { | |||
*out_chain = ctx->cert->chain; | |||
*out_chain = ctx->cert->x509_chain; | |||
return 1; | |||
} | |||
@@ -773,7 +773,7 @@ int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx, | |||
} | |||
int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) { | |||
*out_chain = ssl->cert->chain; | |||
*out_chain = ssl->cert->x509_chain; | |||
return 1; | |||
} | |||
@@ -1048,11 +1048,11 @@ X509 *SSL_get_peer_certificate(const SSL *ssl) { | |||
return NULL; | |||
} | |||
SSL_SESSION *session = SSL_get_session(ssl); | |||
if (session == NULL || session->peer == NULL) { | |||
if (session == NULL || session->x509_peer == NULL) { | |||
return NULL; | |||
} | |||
X509_up_ref(session->peer); | |||
return session->peer; | |||
X509_up_ref(session->x509_peer); | |||
return session->x509_peer; | |||
} | |||
STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) { | |||
@@ -1063,7 +1063,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) { | |||
if (session == NULL) { | |||
return NULL; | |||
} | |||
return session->cert_chain; | |||
return session->x509_chain; | |||
} | |||
int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, | |||
@@ -1336,32 +1336,34 @@ int SSL_pending(const SSL *ssl) { | |||
/* Fix this so it checks all the valid key/cert options */ | |||
int SSL_CTX_check_private_key(const SSL_CTX *ctx) { | |||
if (ctx->cert->x509 == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); | |||
if (ctx->cert->privatekey == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); | |||
return 0; | |||
} | |||
if (ctx->cert->privatekey == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); | |||
X509 *x509 = ctx->cert->x509_leaf; | |||
if (x509 == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); | |||
return 0; | |||
} | |||
return X509_check_private_key(ctx->cert->x509, ctx->cert->privatekey); | |||
return X509_check_private_key(x509, ctx->cert->privatekey); | |||
} | |||
/* Fix this function so that it takes an optional type parameter */ | |||
int SSL_check_private_key(const SSL *ssl) { | |||
if (ssl->cert->x509 == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); | |||
if (ssl->cert->privatekey == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); | |||
return 0; | |||
} | |||
if (ssl->cert->privatekey == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); | |||
X509 *x509 = ssl->cert->x509_leaf; | |||
if (x509 == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); | |||
return 0; | |||
} | |||
return X509_check_private_key(ssl->cert->x509, ssl->cert->privatekey); | |||
return X509_check_private_key(x509, ssl->cert->privatekey); | |||
} | |||
long SSL_get_default_timeout(const SSL *ssl) { | |||
@@ -2030,7 +2032,7 @@ void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k, | |||
uint32_t mask_k = 0; | |||
uint32_t mask_a = 0; | |||
if (ssl->cert->x509 != NULL && ssl_has_private_key(ssl)) { | |||
if (ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl)) { | |||
int type = ssl_private_key_type(ssl); | |||
if (type == NID_rsaEncryption) { | |||
mask_k |= SSL_kRSA; | |||
@@ -2151,7 +2153,7 @@ const char *SSL_SESSION_get_version(const SSL_SESSION *session) { | |||
X509 *SSL_get_certificate(const SSL *ssl) { | |||
if (ssl->cert != NULL) { | |||
return ssl->cert->x509; | |||
return ssl->cert->x509_leaf; | |||
} | |||
return NULL; | |||
@@ -2167,7 +2169,7 @@ EVP_PKEY *SSL_get_privatekey(const SSL *ssl) { | |||
X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) { | |||
if (ctx->cert != NULL) { | |||
return ctx->cert->x509; | |||
return ctx->cert->x509_leaf; | |||
} | |||
return NULL; | |||
@@ -134,13 +134,14 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) { | |||
return 0; | |||
} | |||
if (c->x509 != NULL) { | |||
X509 *x509_leaf = c->x509_leaf; | |||
if (x509_leaf != NULL) { | |||
/* Sanity-check that the private key and the certificate match, unless the | |||
* key is opaque (in case of, say, a smartcard). */ | |||
if (!EVP_PKEY_is_opaque(pkey) && | |||
!X509_check_private_key(c->x509, pkey)) { | |||
X509_free(c->x509); | |||
c->x509 = NULL; | |||
!X509_check_private_key(x509_leaf, pkey)) { | |||
X509_free(c->x509_leaf); | |||
c->x509_leaf = NULL; | |||
return 0; | |||
} | |||
} | |||
@@ -248,9 +249,9 @@ static int ssl_set_cert(CERT *c, X509 *x) { | |||
EVP_PKEY_free(pkey); | |||
X509_free(c->x509); | |||
X509_free(c->x509_leaf); | |||
X509_up_ref(x); | |||
c->x509 = x; | |||
c->x509_leaf = x; | |||
return 1; | |||
} | |||
@@ -199,13 +199,13 @@ SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { | |||
goto err; | |||
} | |||
} | |||
if (session->peer != NULL) { | |||
X509_up_ref(session->peer); | |||
new_session->peer = session->peer; | |||
if (session->x509_peer != NULL) { | |||
X509_up_ref(session->x509_peer); | |||
new_session->x509_peer = session->x509_peer; | |||
} | |||
if (session->cert_chain != NULL) { | |||
new_session->cert_chain = X509_chain_up_ref(session->cert_chain); | |||
if (new_session->cert_chain == NULL) { | |||
if (session->x509_chain != NULL) { | |||
new_session->x509_chain = X509_chain_up_ref(session->x509_chain); | |||
if (new_session->x509_chain == NULL) { | |||
goto err; | |||
} | |||
} | |||
@@ -325,8 +325,8 @@ void SSL_SESSION_free(SSL_SESSION *session) { | |||
OPENSSL_cleanse(session->master_key, sizeof(session->master_key)); | |||
OPENSSL_cleanse(session->session_id, sizeof(session->session_id)); | |||
X509_free(session->peer); | |||
sk_X509_pop_free(session->cert_chain, X509_free); | |||
X509_free(session->x509_peer); | |||
sk_X509_pop_free(session->x509_chain, X509_free); | |||
OPENSSL_free(session->tlsext_hostname); | |||
OPENSSL_free(session->tlsext_tick); | |||
OPENSSL_free(session->tlsext_signed_cert_timestamp_list); | |||
@@ -357,7 +357,7 @@ long SSL_SESSION_get_time(const SSL_SESSION *session) { | |||
} | |||
X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) { | |||
return session->peer; | |||
return session->x509_peer; | |||
} | |||
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out, | |||
@@ -214,13 +214,13 @@ int tls13_process_certificate(SSL *ssl, int allow_anonymous) { | |||
goto err; | |||
} | |||
X509_free(ssl->s3->new_session->peer); | |||
X509_free(ssl->s3->new_session->x509_peer); | |||
X509 *leaf = sk_X509_value(chain, 0); | |||
X509_up_ref(leaf); | |||
ssl->s3->new_session->peer = leaf; | |||
ssl->s3->new_session->x509_peer = leaf; | |||
sk_X509_pop_free(ssl->s3->new_session->cert_chain, X509_free); | |||
ssl->s3->new_session->cert_chain = chain; | |||
sk_X509_pop_free(ssl->s3->new_session->x509_chain, X509_free); | |||
ssl->s3->new_session->x509_chain = chain; | |||
chain = NULL; | |||
ret = 1; | |||
@@ -232,7 +232,7 @@ err: | |||
int tls13_process_certificate_verify(SSL *ssl) { | |||
int ret = 0; | |||
X509 *peer = ssl->s3->new_session->peer; | |||
X509 *peer = ssl->s3->new_session->x509_peer; | |||
EVP_PKEY *pkey = NULL; | |||
uint8_t *msg = NULL; | |||
size_t msg_len; | |||
@@ -542,8 +542,8 @@ static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl, | |||
/* For historical reasons, the server's copy of the chain does not include the | |||
* leaf while the client's does. */ | |||
if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) { | |||
X509_free(sk_X509_shift(ssl->s3->new_session->cert_chain)); | |||
if (sk_X509_num(ssl->s3->new_session->x509_chain) > 0) { | |||
X509_free(sk_X509_shift(ssl->s3->new_session->x509_chain)); | |||
} | |||
hs->state = state_process_client_certificate_verify; | |||
@@ -552,7 +552,7 @@ static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl, | |||
static enum ssl_hs_wait_t do_process_client_certificate_verify( | |||
SSL *ssl, SSL_HANDSHAKE *hs) { | |||
if (ssl->s3->new_session->peer == NULL) { | |||
if (ssl->s3->new_session->x509_peer == NULL) { | |||
/* Skip this state. */ | |||
hs->state = state_process_channel_id; | |||
return ssl_hs_ok; | |||