Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@

10 files changed, 101 insertions, 101 deletions

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 1ede113cbb..39a4682d10 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.223 2022/01/07 16:45:06 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.224 2022/01/08 12:43:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2486,7 +2486,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
         SSL_CIPHER *c, *ret = NULL;
         int can_use_ecc;
         int i, ii, ok;
-        CERT *cert;
+        SSL_CERT *cert;
 
         /* Let's see which ciphers we can support */
         cert = s->cert;
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 62652f8406..9894648db8 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.39 2021/11/26 16:41:42 tb Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.40 2022/01/08 12:43:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -334,7 +334,7 @@ ssl3_add_cert(CBB *cbb, X509 *x)
 }
 
 int
-ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk)
+ssl3_output_cert_chain(SSL *s, CBB *cbb, SSL_CERT_PKEY *cpk)
 {
         X509_STORE_CTX *xs_ctx = NULL;
         STACK_OF(X509) *chain;
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 173e217c8f..c735547393 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.91 2022/01/07 16:45:06 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.92 2022/01/08 12:43:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -158,12 +158,12 @@ SSL_get_ex_data_X509_STORE_CTX_idx(void)
         return ssl_x509_store_ctx_idx;
 }
 
-CERT *
+SSL_CERT *
 ssl_cert_new(void)
 {
-        CERT *ret;
+        SSL_CERT *ret;
 
-        ret = calloc(1, sizeof(CERT));
+        ret = calloc(1, sizeof(SSL_CERT));
         if (ret == NULL) {
                 SSLerrorx(ERR_R_MALLOC_FAILURE);
                 return (NULL);
@@ -173,13 +173,13 @@ ssl_cert_new(void)
         return (ret);
 }
 
-CERT *
-ssl_cert_dup(CERT *cert)
+SSL_CERT *
+ssl_cert_dup(SSL_CERT *cert)
 {
-        CERT *ret;
+        SSL_CERT *ret;
         int i;
 
-        ret = calloc(1, sizeof(CERT));
+        ret = calloc(1, sizeof(SSL_CERT));
         if (ret == NULL) {
                 SSLerrorx(ERR_R_MALLOC_FAILURE);
                 return (NULL);
@@ -269,7 +269,7 @@ ssl_cert_dup(CERT *cert)
 
 
 void
-ssl_cert_free(CERT *c)
+ssl_cert_free(SSL_CERT *c)
 {
         int i;
 
@@ -292,7 +292,7 @@ ssl_cert_free(CERT *c)
 }
 
 int
-ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain)
+ssl_cert_set0_chain(SSL_CERT *c, STACK_OF(X509) *chain)
 {
         if (c->key == NULL)
                 return 0;
@@ -304,7 +304,7 @@ ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain)
 }
 
 int
-ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain)
+ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain)
 {
         STACK_OF(X509) *new_chain = NULL;
 
@@ -321,7 +321,7 @@ ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain)
 }
 
 int
-ssl_cert_add0_chain_cert(CERT *c, X509 *cert)
+ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert)
 {
         if (c->key == NULL)
                 return 0;
@@ -337,7 +337,7 @@ ssl_cert_add0_chain_cert(CERT *c, X509 *cert)
 }
 
 int
-ssl_cert_add1_chain_cert(CERT *c, X509 *cert)
+ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert)
 {
         if (!ssl_cert_add0_chain_cert(c, cert))
                 return 0;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 4fe7fb58dc..64b1806238 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.281 2022/01/07 16:45:06 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.282 2022/01/08 12:43:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -912,7 +912,7 @@ SSL_get0_verified_chain(const SSL *s)
 int
 SSL_copy_session_id(SSL *t, const SSL *f)
 {
-        CERT    *tmp;
+        SSL_CERT *tmp;
 
         /* Do we need to do SSL locking? */
         if (!SSL_set_session(t, SSL_get_session(f)))
@@ -2187,10 +2187,10 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
 }
 
 void
-ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
+ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher)
 {
         unsigned long mask_a, mask_k;
-        CERT_PKEY *cpk;
+        SSL_CERT_PKEY *cpk;
 
         if (c == NULL)
                 return;
@@ -2259,12 +2259,12 @@ ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
         return (1);
 }
 
-CERT_PKEY *
+SSL_CERT_PKEY *
 ssl_get_server_send_pkey(const SSL *s)
 {
-        unsigned long    alg_a;
-        CERT            *c;
-        int              i;
+        unsigned long alg_a;
+        SSL_CERT *c;
+        int i;
 
         c = s->cert;
         ssl_set_cert_masks(c, S3I(s)->hs.cipher);
@@ -2291,9 +2291,9 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd,
 {
         const struct ssl_sigalg *sigalg = NULL;
         EVP_PKEY *pkey = NULL;
-        unsigned long    alg_a;
-        CERT            *c;
-        int              idx = -1;
+        unsigned long alg_a;
+        SSL_CERT *c;
+        int idx = -1;
 
         alg_a = cipher->algorithm_auth;
         c = s->cert;
@@ -2322,7 +2322,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd,
 size_t
 ssl_dhe_params_auto_key_bits(SSL *s)
 {
-        CERT_PKEY *cpk;
+        SSL_CERT_PKEY *cpk;
         int key_bits;
 
         if (s->cert->dhe_params_auto == 2) {
@@ -2974,7 +2974,7 @@ SSL_get_SSL_CTX(const SSL *ssl)
 SSL_CTX *
 SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 {
-        CERT *new_cert;
+        SSL_CERT *new_cert;
 
         if (ctx == NULL)
                 ctx = ssl->initial_ctx;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 5361704d70..e8c277ec60 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.376 2022/01/07 16:45:06 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.377 2022/01/08 12:43:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -361,6 +361,34 @@ __BEGIN_HIDDEN_DECLS
 #define EXPLICIT_CHAR2_CURVE_TYPE  2
 #define NAMED_CURVE_TYPE           3
 
+typedef struct ssl_cert_pkey_st {
+        X509 *x509;
+        EVP_PKEY *privatekey;
+        STACK_OF(X509) *chain;
+} SSL_CERT_PKEY;
+
+typedef struct ssl_cert_st {
+        /* Current active set */
+        /* ALWAYS points to an element of the pkeys array
+         * Probably it would make more sense to store
+         * an index, not a pointer. */
+        SSL_CERT_PKEY *key;
+
+        SSL_CERT_PKEY pkeys[SSL_PKEY_NUM];
+
+        /* The following masks are for the key and auth
+         * algorithms that are supported by the certs below */
+        int valid;
+        unsigned long mask_k;
+        unsigned long mask_a;
+
+        DH *dhe_params;
+        DH *(*dhe_params_cb)(SSL *ssl, int is_export, int keysize);
+        int dhe_params_auto;
+
+        int references; /* >1 only if SSL_copy_session_id is used */
+} SSL_CERT;
+
 struct ssl_comp_st {
         int id;
         const char *name;
@@ -498,12 +526,6 @@ struct ssl_session_st {
         uint16_t *tlsext_supportedgroups; /* peer's list */
 };
 
-typedef struct cert_pkey_st {
-        X509 *x509;
-        EVP_PKEY *privatekey;
-        STACK_OF(X509) *chain;
-} CERT_PKEY;
-
 struct ssl_sigalg;
 
 typedef struct ssl_handshake_tls12_st {
@@ -533,7 +555,7 @@ typedef struct ssl_handshake_tls13_st {
         int hrr;
 
         /* Certificate selected for use (static pointer). */
-        const CERT_PKEY *cpk;
+        const SSL_CERT_PKEY *cpk;
 
         /* Version proposed by peer server. */
         uint16_t server_version;
@@ -785,7 +807,7 @@ typedef struct ssl_ctx_internal_st {
 
         STACK_OF(SSL_CIPHER) *cipher_list_tls13;
 
-        struct cert_st /* CERT */ *cert;
+        SSL_CERT *cert;
 
         /* Default values used when no per-SSL value is defined follow */
 
@@ -1058,7 +1080,7 @@ struct ssl_st {
         STACK_OF(SSL_CIPHER) *cipher_list;
 
         /* This is used to hold the server certificate used */
-        struct cert_st /* CERT */ *cert;
+        SSL_CERT *cert;
 
         /* the session_id_context is used to ensure sessions are only reused
          * in the appropriate context */
@@ -1200,38 +1222,16 @@ typedef struct ssl3_state_st {
         struct ssl3_state_internal_st *internal;
 } SSL3_STATE;
 
-typedef struct cert_st {
-        /* Current active set */
-        CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
-                         * Probably it would make more sense to store
-                         * an index, not a pointer. */
-
-        /* The following masks are for the key and auth
-         * algorithms that are supported by the certs below */
-        int valid;
-        unsigned long mask_k;
-        unsigned long mask_a;
-
-        DH *dhe_params;
-        DH *(*dhe_params_cb)(SSL *ssl, int is_export, int keysize);
-        int dhe_params_auto;
-
-        CERT_PKEY pkeys[SSL_PKEY_NUM];
-
-        int references; /* >1 only if SSL_copy_session_id is used */
-} CERT;
-
-
 typedef struct sess_cert_st {
         STACK_OF(X509) *cert_chain; /* as received from peer */
 
         /* The 'peer_...' members are used only by clients. */
         int peer_cert_type;
 
-        CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
-        CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
+        SSL_CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
+        SSL_CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
         /* Obviously we don't have the private keys of these,
-         * so maybe we shouldn't even use the CERT_PKEY type here. */
+         * so maybe we shouldn't even use the SSL_CERT_PKEY type here. */
 
         int references; /* actually always 1 at the moment */
 } SESS_CERT;
@@ -1293,13 +1293,13 @@ void ssl_info_callback(const SSL *s, int type, int value);
 void ssl_msg_callback(SSL *s, int is_write, int content_type,
     const void *msg_buf, size_t msg_len);
 
-CERT *ssl_cert_new(void);
-CERT *ssl_cert_dup(CERT *cert);
-void ssl_cert_free(CERT *c);
-int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain);
-int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
-int ssl_cert_add0_chain_cert(CERT *c, X509 *cert);
-int ssl_cert_add1_chain_cert(CERT *c, X509 *cert);
+SSL_CERT *ssl_cert_new(void);
+SSL_CERT *ssl_cert_dup(SSL_CERT *cert);
+void ssl_cert_free(SSL_CERT *c);
+int ssl_cert_set0_chain(SSL_CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert);
+int ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert);
 
 SESS_CERT *ssl_sess_cert_new(void);
 void ssl_sess_cert_free(SESS_CERT *sc);
@@ -1328,12 +1328,12 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
-CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
+SSL_CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd,
     const struct ssl_sigalg **sap);
 size_t ssl_dhe_params_auto_key_bits(SSL *s);
 int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
-void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
+void ssl_set_cert_masks(SSL_CERT *c, const SSL_CIPHER *cipher);
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_has_ecc_ciphers(SSL *s);
 int ssl_verify_alarm_type(long type);
@@ -1365,7 +1365,7 @@ void ssl_force_want_read(SSL *s);
 int ssl3_dispatch_alert(SSL *s);
 int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
 int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
-int ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk);
+int ssl3_output_cert_chain(SSL *s, CBB *cbb, SSL_CERT_PKEY *cpk);
 SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt,
     STACK_OF(SSL_CIPHER) *srvr);
 int     ssl3_setup_buffers(SSL *s);
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index e25b9387d7..6b1010e413 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.37 2021/11/29 18:36:27 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.38 2022/01/08 12:43:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -66,11 +66,11 @@
 
 #include "ssl_locl.h"
 
-static int ssl_set_cert(CERT *c, X509 *x509);
-static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
-static int use_certificate_chain_bio(BIO *in, CERT *cert,
+static int ssl_set_cert(SSL_CERT *c, X509 *x509);
+static int ssl_set_pkey(SSL_CERT *c, EVP_PKEY *pkey);
+static int use_certificate_chain_bio(BIO *in, SSL_CERT *cert,
     pem_password_cb *passwd_cb, void *passwd_arg);
-static int use_certificate_chain_file(const char *file, CERT *cert,
+static int use_certificate_chain_file(const char *file, SSL_CERT *cert,
     pem_password_cb *passwd_cb, void *passwd_arg);
 
 int
@@ -167,7 +167,7 @@ SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
 }
 
 static int
-ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
+ssl_set_pkey(SSL_CERT *c, EVP_PKEY *pkey)
 {
         int i;
 
@@ -343,7 +343,7 @@ SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
 }
 
 static int
-ssl_set_cert(CERT *c, X509 *x)
+ssl_set_cert(SSL_CERT *c, X509 *x)
 {
         EVP_PKEY *pkey;
         int i;
@@ -610,7 +610,7 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
  * sent to the peer in the Certificate message.
  */
 static int
-use_certificate_chain_bio(BIO *in, CERT *cert, pem_password_cb *passwd_cb,
+use_certificate_chain_bio(BIO *in, SSL_CERT *cert, pem_password_cb *passwd_cb,
     void *passwd_arg)
 {
         X509 *ca, *x = NULL;
@@ -653,7 +653,7 @@ use_certificate_chain_bio(BIO *in, CERT *cert, pem_password_cb *passwd_cb,
 }
 
 int
-use_certificate_chain_file(const char *file, CERT *cert,
+use_certificate_chain_file(const char *file, SSL_CERT *cert,
     pem_password_cb *passwd_cb, void *passwd_arg)
 {
         BIO *in;
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 9fad66b91a..6e74943803 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.132 2022/01/07 16:45:06 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.133 2022/01/08 12:43:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2277,7 +2277,7 @@ int
 ssl3_send_server_certificate(SSL *s)
 {
         CBB cbb, server_cert;
-        CERT_PKEY *cpk;
+        SSL_CERT_PKEY *cpk;
 
         /*
          * Server Certificate - RFC 5246, section 7.4.2.
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 78532054a0..be4bb3026c 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.184 2021/11/26 16:41:42 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.185 2022/01/08 12:43:44 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -569,7 +569,7 @@ tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
 int
 tls1_check_ec_server_key(SSL *s)
 {
-        CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
+        SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
         uint16_t curve_id;
         uint8_t comp_id;
         EC_KEY *eckey;
@@ -635,7 +635,7 @@ ssl_check_clienthello_tlsext_late(SSL *s)
         if ((s->tlsext_status_type != -1) &&
             s->ctx && s->ctx->internal->tlsext_status_cb) {
                 int r;
-                CERT_PKEY *certpkey;
+                SSL_CERT_PKEY *certpkey;
                 certpkey = ssl_get_server_send_pkey(s);
                 /* If no certificate can't return certificate status */
                 if (certpkey == NULL) {
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 8ba78cd02b..882bce8c1f 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.89 2022/01/05 17:10:02 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.90 2022/01/08 12:43:44 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -828,7 +828,7 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
 }
 
 static int
-tls13_client_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
+tls13_client_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk,
     int *ok, const struct ssl_sigalg **out_sigalg)
 {
         const struct ssl_sigalg *sigalg;
@@ -851,12 +851,12 @@ tls13_client_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
 }
 
 static int
-tls13_client_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk,
+tls13_client_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk,
     const struct ssl_sigalg **out_sigalg)
 {
         SSL *s = ctx->ssl;
         const struct ssl_sigalg *sigalg;
-        CERT_PKEY *cpk;
+        SSL_CERT_PKEY *cpk;
         int cert_ok;
 
         *out_cpk = NULL;
@@ -897,7 +897,7 @@ tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
         CBB cert_request_context, cert_list;
         const struct ssl_sigalg *sigalg;
         STACK_OF(X509) *chain;
-        CERT_PKEY *cpk;
+        SSL_CERT_PKEY *cpk;
         X509 *cert;
         int i, ret = 0;
 
@@ -948,7 +948,7 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
         EVP_MD_CTX *mdctx = NULL;
         EVP_PKEY_CTX *pctx;
         EVP_PKEY *pkey;
-        const CERT_PKEY *cpk;
+        const SSL_CERT_PKEY *cpk;
         CBB sig_cbb;
         int ret = 0;
 
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index c32ae22779..4edf3881c2 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.91 2022/01/07 15:46:30 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.92 2022/01/08 12:43:45 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -545,7 +545,7 @@ tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
 }
 
 static int
-tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
+tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk,
     int *ok, const struct ssl_sigalg **out_sigalg)
 {
         const struct ssl_sigalg *sigalg;
@@ -575,12 +575,12 @@ tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
 }
 
 static int
-tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk,
+tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk,
     const struct ssl_sigalg **out_sigalg)
 {
         SSL *s = ctx->ssl;
         const struct ssl_sigalg *sigalg;
-        CERT_PKEY *cpk;
+        SSL_CERT_PKEY *cpk;
         int cert_ok;
 
         *out_cpk = NULL;
@@ -616,7 +616,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
         const struct ssl_sigalg *sigalg;
         X509_STORE_CTX *xsc = NULL;
         STACK_OF(X509) *chain;
-        CERT_PKEY *cpk;
+        SSL_CERT_PKEY *cpk;
         X509 *cert;
         int i, ret = 0;
 
@@ -697,7 +697,7 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
         EVP_MD_CTX *mdctx = NULL;
         EVP_PKEY_CTX *pctx;
         EVP_PKEY *pkey;
-        const CERT_PKEY *cpk;
+        const SSL_CERT_PKEY *cpk;
         CBB sig_cbb;
         int ret = 0;