From 666c9986a0401a9cfad9c8f09ab8c89d04595e3e Mon Sep 17 00:00:00 2001
From: jsing
Date: Tue, 11 Jan 2022 18:39:28 +0000
Subject: [PATCH] Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@
---
 lib/libssl/ssl_asn1.c | 12 ++++++------
 lib/libssl/ssl_clnt.c | 6 +++---
 lib/libssl/ssl_lib.c | 4 ++--
 lib/libssl/ssl_locl.h | 4 ++--
 lib/libssl/ssl_sess.c | 6 +++---
 lib/libssl/ssl_srvr.c | 26 +++++++++++++-------------
 lib/libssl/tls13_client.c | 8 ++++----
 lib/libssl/tls13_server.c | 8 ++++----
 8 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c
index 2af6834d88f..70a50acc5c7 100644
--- a/lib/libssl/ssl_asn1.c
+++ b/lib/libssl/ssl_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_asn1.c,v 1.60 2021/10/23 08:13:02 jsing Exp $ */
+/* $OpenBSD: ssl_asn1.c,v 1.61 2022/01/11 18:39:28 jsing Exp $ */
  /*
  * Copyright (c) 2016 Joel Sing
  *
@@ -113,8 +113,8 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len,
  }
 
  /* Peer certificate [3]. */
- if (s->peer != NULL) {
- if ((len = i2d_X509(s->peer, &peer_cert_bytes)) <= 0)
+ if (s->peer_cert != NULL) {
+ if ((len = i2d_X509(s->peer_cert, &peer_cert_bytes)) <= 0)
  goto err;
  if (!CBB_add_asn1(&session, &peer_cert, SSLASN1_PEER_CERT_TAG))
  goto err;
@@ -332,8 +332,8 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
  s->timeout = (long)timeout;
 
  /* Peer certificate [3]. */
- X509_free(s->peer);
- s->peer = NULL;
+ X509_free(s->peer_cert);
+ s->peer_cert = NULL;
  if (!CBS_get_optional_asn1(&session, &peer_cert, &present,
  SSLASN1_PEER_CERT_TAG))
  goto err;
@@ -342,7 +342,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
  if (data_len > LONG_MAX)
  goto err;
  peer_cert_bytes = CBS_data(&peer_cert);
- if (d2i_X509(&s->peer, &peer_cert_bytes,
+ if (d2i_X509(&s->peer_cert, &peer_cert_bytes,
  (long)data_len) == NULL)
  goto err;
  }
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 981161290f6..8b5ccd480ab 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.135 2022/01/11 18:28:41 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.136 2022/01/11 18:39:28 jsing Exp $ */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1187,8 +1187,8 @@ ssl3_get_server_certificate(SSL *s)
  s->session->peer_key = &s->session->peer_pkeys[i];
 
  X509_up_ref(x);
- X509_free(s->session->peer);
- s->session->peer = x;
+ X509_free(s->session->peer_cert);
+ s->session->peer_cert = x;
 
  s->session->verify_result = s->verify_result;
 
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index bfa312207db..a90490ff55b 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.284 2022/01/09 15:53:52 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.285 2022/01/11 18:39:28 jsing Exp $ */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -870,7 +870,7 @@ SSL_get_peer_certificate(const SSL *s)
  if ((s == NULL) || (s->session == NULL))
  r = NULL;
  else
- r = s->session->peer;
+ r = s->session->peer_cert;
 
  if (r == NULL)
  return (r);
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 0eca4e673d3..36823d64620 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.381 2022/01/11 18:28:41 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.382 2022/01/11 18:39:28 jsing Exp $ */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -476,7 +476,7 @@ struct ssl_session_st {
  unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 
  /* This is the cert for the other end. */
- X509 *peer;
+ X509 *peer_cert;
 
  /* when app_verify_callback accepts a session where the peer's certificate
  * is not ok, we must remember the error for session reuse: */
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index 8d0f0b928cb..a49076be745 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.107 2022/01/08 12:59:59 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.108 2022/01/11 18:39:28 jsing Exp $ */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -766,7 +766,7 @@ SSL_SESSION_free(SSL_SESSION *ss)
  for (i = 0; i < SSL_PKEY_NUM; i++)
  X509_free(ss->peer_pkeys[i].x509);
 
- X509_free(ss->peer);
+ X509_free(ss->peer_cert);
 
  sk_SSL_CIPHER_free(ss->ciphers);
 
@@ -881,7 +881,7 @@ SSL_SESSION_get0_cipher(const SSL_SESSION *s)
  X509 *
  SSL_SESSION_get0_peer(SSL_SESSION *s)
  {
- return s->peer;
+ return s->peer_cert;
  }
 
  int
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index dd622c28319..786362ea021 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.138 2022/01/11 18:28:41 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.139 2022/01/11 18:39:28 jsing Exp $ */
  /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -453,7 +453,7 @@ ssl3_accept(SSL *s)
  * s3_clnt.c accepts this for SSL 3).
  */
  if (!(s->verify_mode & SSL_VERIFY_PEER) ||
- ((s->session->peer != NULL) &&
+ ((s->session->peer_cert != NULL) &&
  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
  ((S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL) &&
  !(s->verify_mode &
@@ -550,7 +550,7 @@ ssl3_accept(SSL *s)
  } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
  S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
  s->internal->init_num = 0;
- if (!s->session->peer)
+ if (!s->session->peer_cert)
  break;
  /*
  * Freeze the transcript for use during client
@@ -1807,7 +1807,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
  * it is completely valid to use a client certificate for
  * authorization only.
  */
- if ((client_pubkey = X509_get0_pubkey(s->session->peer)) != NULL) {
+ if ((client_pubkey = X509_get0_pubkey(s->session->peer_cert)) != NULL) {
  if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
  ERR_clear_error();
  }
@@ -1906,7 +1906,7 @@ ssl3_get_cert_verify(SSL *s)
  const struct ssl_sigalg *sigalg = NULL;
  uint16_t sigalg_value = SIGALG_NONE;
  EVP_PKEY *pkey = NULL;
- X509 *peer = NULL;
+ X509 *peer_cert = NULL;
  EVP_MD_CTX *mctx = NULL;
  int al, verify;
  const unsigned char *hdata;
@@ -1928,15 +1928,15 @@ ssl3_get_cert_verify(SSL *s)
 
  CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
 
- if (s->session->peer != NULL) {
- peer = s->session->peer;
- pkey = X509_get_pubkey(peer);
- type = X509_certificate_type(peer, pkey);
+ if (s->session->peer_cert != NULL) {
+ peer_cert = s->session->peer_cert;
+ pkey = X509_get_pubkey(peer_cert);
+ type = X509_certificate_type(peer_cert, pkey);
  }
 
  if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
  S3I(s)->hs.tls12.reuse_message = 1;
- if (peer != NULL) {
+ if (peer_cert != NULL) {
  al = SSL_AD_UNEXPECTED_MESSAGE;
  SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE);
  goto fatal_err;
@@ -1945,7 +1945,7 @@ ssl3_get_cert_verify(SSL *s)
  goto end;
  }
 
- if (peer == NULL) {
+ if (peer_cert == NULL) {
  SSLerror(s, SSL_R_NO_CLIENT_CERT_RECEIVED);
  al = SSL_AD_UNEXPECTED_MESSAGE;
  goto fatal_err;
@@ -2240,8 +2240,8 @@ ssl3_get_client_certificate(SSL *s)
  }
  }
 
- X509_free(s->session->peer);
- s->session->peer = sk_X509_shift(sk);
+ X509_free(s->session->peer_cert);
+ s->session->peer_cert = sk_X509_shift(sk);
 
  /*
  * Inconsistency alert: cert_chain does *not* include the
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index d961f98bef4..3e168a0b548 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.91 2022/01/08 12:59:59 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.92 2022/01/11 18:39:28 jsing Exp $ */
  /*
  * Copyright (c) 2018, 2019 Joel Sing
  *
@@ -638,8 +638,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
  s->session->peer_key = &s->session->peer_pkeys[cert_idx];
 
  X509_up_ref(cert);
- X509_free(s->session->peer);
- s->session->peer = cert;
+ X509_free(s->session->peer_cert);
+ s->session->peer_cert = cert;
 
  s->session->verify_result = s->verify_result;
 
@@ -694,7 +694,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
  if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
  goto err;
 
- if ((cert = ctx->ssl->session->peer) == NULL)
+ if ((cert = ctx->ssl->session->peer_cert) == NULL)
  goto err;
  if ((pkey = X509_get0_pubkey(cert)) == NULL)
  goto err;
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index e31ae380767..33300234303 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.93 2022/01/08 12:59:59 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.94 2022/01/11 18:39:28 jsing Exp $ */
  /*
  * Copyright (c) 2019, 2020 Joel Sing
  * Copyright (c) 2020 Bob Beck
@@ -931,8 +931,8 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
  s->session->peer_key = &s->session->peer_pkeys[cert_idx];
 
  X509_up_ref(cert);
- X509_free(s->session->peer);
- s->session->peer = cert;
+ X509_free(s->session->peer_cert);
+ s->session->peer_cert = cert;
 
  s->session->verify_result = s->verify_result;
 
@@ -984,7 +984,7 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
  if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
  goto err;
 
- if ((cert = ctx->ssl->session->peer) == NULL)
+ if ((cert = ctx->ssl->session->peer_cert) == NULL)
  goto err;
  if ((pkey = X509_get0_pubkey(cert)) == NULL)
  goto err;
--
2.20.1