-rw-r--r--src/lib/libssl/ssl_asn1.c12
-rw-r--r--src/lib/libssl/ssl_clnt.c6
-rw-r--r--src/lib/libssl/ssl_lib.c4
-rw-r--r--src/lib/libssl/ssl_locl.h4
-rw-r--r--src/lib/libssl/ssl_sess.c6
-rw-r--r--src/lib/libssl/ssl_srvr.c26
-rw-r--r--src/lib/libssl/tls13_client.c8
-rw-r--r--src/lib/libssl/tls13_server.c8
8 files changed, 37 insertions, 37 deletions
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index 2af6834d88..70a50acc5c 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_asn1.c,v 1.60 2021/10/23 08:13:02 jsing Exp $ */ 1/* $OpenBSD: ssl_asn1.c,v 1.61 2022/01/11 18:39:28 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -113,8 +113,8 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len,
113 } 113 }
114 114
115 /* Peer certificate [3]. */ 115 /* Peer certificate [3]. */
116 if (s->peer != NULL) { 116 if (s->peer_cert != NULL) {
117 if ((len = i2d_X509(s->peer, &peer_cert_bytes)) <= 0) 117 if ((len = i2d_X509(s->peer_cert, &peer_cert_bytes)) <= 0)
118 goto err; 118 goto err;
119 if (!CBB_add_asn1(&session, &peer_cert, SSLASN1_PEER_CERT_TAG)) 119 if (!CBB_add_asn1(&session, &peer_cert, SSLASN1_PEER_CERT_TAG))
120 goto err; 120 goto err;
@@ -332,8 +332,8 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
332 s->timeout = (long)timeout; 332 s->timeout = (long)timeout;
333 333
334 /* Peer certificate [3]. */ 334 /* Peer certificate [3]. */
335 X509_free(s->peer); 335 X509_free(s->peer_cert);
336 s->peer = NULL; 336 s->peer_cert = NULL;
337 if (!CBS_get_optional_asn1(&session, &peer_cert, &present, 337 if (!CBS_get_optional_asn1(&session, &peer_cert, &present,
338 SSLASN1_PEER_CERT_TAG)) 338 SSLASN1_PEER_CERT_TAG))
339 goto err; 339 goto err;
@@ -342,7 +342,7 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
342 if (data_len > LONG_MAX) 342 if (data_len > LONG_MAX)
343 goto err; 343 goto err;
344 peer_cert_bytes = CBS_data(&peer_cert); 344 peer_cert_bytes = CBS_data(&peer_cert);
345 if (d2i_X509(&s->peer, &peer_cert_bytes, 345 if (d2i_X509(&s->peer_cert, &peer_cert_bytes,
346 (long)data_len) == NULL) 346 (long)data_len) == NULL)
347 goto err; 347 goto err;
348 } 348 }
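Review bot: The certificate decoded at lines 345-347 is accepted even when d2i_X509 consumes fewer than data_len bytes, so trailing bytes inside the [3] element are silently ignored rather than rejected; a strict decoder would follow the call with `if (peer_cert_bytes != CBS_data(&peer_cert) + data_len) goto err;`. The input normally comes from the session cache or a ticket the server itself protected, so exposure is low, but the surrounding CBS-based parsing rejects malformed input and the certificate element should be held to the same standard. d2i_SSL_SESSION continues outside the hunk, so the err path itself is not visible here.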
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 981161290f..8b5ccd480a 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_clnt.c,v 1.135 2022/01/11 18:28:41 jsing Exp $ */ 1/* $OpenBSD: ssl_clnt.c,v 1.136 2022/01/11 18:39:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1187,8 +1187,8 @@ ssl3_get_server_certificate(SSL *s)
1187 s->session->peer_key = &s->session->peer_pkeys[i]; 1187 s->session->peer_key = &s->session->peer_pkeys[i];
1188 1188
1189 X509_up_ref(x); 1189 X509_up_ref(x);
1190 X509_free(s->session->peer); 1190 X509_free(s->session->peer_cert);
1191 s->session->peer = x; 1191 s->session->peer_cert = x;
1192 1192
1193 s->session->verify_result = s->verify_result; 1193 s->session->verify_result = s->verify_result;
1194 1194
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index bfa312207d..a90490ff55 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.284 2022/01/09 15:53:52 jsing Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.285 2022/01/11 18:39:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -870,7 +870,7 @@ SSL_get_peer_certificate(const SSL *s)
870 if ((s == NULL) || (s->session == NULL)) 870 if ((s == NULL) || (s->session == NULL))
871 r = NULL; 871 r = NULL;
872 else 872 else
873 r = s->session->peer; 873 r = s->session->peer_cert;
874 874
875 if (r == NULL) 875 if (r == NULL)
876 return (r); 876 return (r);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 0eca4e673d..36823d6462 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.381 2022/01/11 18:28:41 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.382 2022/01/11 18:39:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -476,7 +476,7 @@ struct ssl_session_st {
476 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; 476 unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
477 477
478 /* This is the cert for the other end. */ 478 /* This is the cert for the other end. */
479 X509 *peer; 479 X509 *peer_cert;
480 480
481 /* when app_verify_callback accepts a session where the peer's certificate 481 /* when app_verify_callback accepts a session where the peer's certificate
482 * is not ok, we must remember the error for session reuse: */ 482 * is not ok, we must remember the error for session reuse: */
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 8d0f0b928c..a49076be74 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_sess.c,v 1.107 2022/01/08 12:59:59 jsing Exp $ */ 1/* $OpenBSD: ssl_sess.c,v 1.108 2022/01/11 18:39:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -766,7 +766,7 @@ SSL_SESSION_free(SSL_SESSION *ss)
766 for (i = 0; i < SSL_PKEY_NUM; i++) 766 for (i = 0; i < SSL_PKEY_NUM; i++)
767 X509_free(ss->peer_pkeys[i].x509); 767 X509_free(ss->peer_pkeys[i].x509);
768 768
769 X509_free(ss->peer); 769 X509_free(ss->peer_cert);
770 770
771 sk_SSL_CIPHER_free(ss->ciphers); 771 sk_SSL_CIPHER_free(ss->ciphers);
772 772
@@ -881,7 +881,7 @@ SSL_SESSION_get0_cipher(const SSL_SESSION *s)
881X509 * 881X509 *
882SSL_SESSION_get0_peer(SSL_SESSION *s) 882SSL_SESSION_get0_peer(SSL_SESSION *s)
883{ 883{
884 return s->peer; 884 return s->peer_cert;
885} 885}
886 886
887int 887int
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index dd622c2831..786362ea02 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.138 2022/01/11 18:28:41 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.139 2022/01/11 18:39:28 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -453,7 +453,7 @@ ssl3_accept(SSL *s)
453 * s3_clnt.c accepts this for SSL 3). 453 * s3_clnt.c accepts this for SSL 3).
454 */ 454 */
455 if (!(s->verify_mode & SSL_VERIFY_PEER) || 455 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
456 ((s->session->peer != NULL) && 456 ((s->session->peer_cert != NULL) &&
457 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 457 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
458 ((S3I(s)->hs.cipher->algorithm_auth & 458 ((S3I(s)->hs.cipher->algorithm_auth &
459 SSL_aNULL) && !(s->verify_mode & 459 SSL_aNULL) && !(s->verify_mode &
@@ -550,7 +550,7 @@ ssl3_accept(SSL *s)
550 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) { 550 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
551 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 551 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
552 s->internal->init_num = 0; 552 s->internal->init_num = 0;
553 if (!s->session->peer) 553 if (!s->session->peer_cert)
554 break; 554 break;
555 /* 555 /*
556 * Freeze the transcript for use during client 556 * Freeze the transcript for use during client
@@ -1807,7 +1807,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
1807 * it is completely valid to use a client certificate for 1807 * it is completely valid to use a client certificate for
1808 * authorization only. 1808 * authorization only.
1809 */ 1809 */
1810 if ((client_pubkey = X509_get0_pubkey(s->session->peer)) != NULL) { 1810 if ((client_pubkey = X509_get0_pubkey(s->session->peer_cert)) != NULL) {
1811 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0) 1811 if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pubkey) <= 0)
1812 ERR_clear_error(); 1812 ERR_clear_error();
1813 } 1813 }
@@ -1906,7 +1906,7 @@ ssl3_get_cert_verify(SSL *s)
1906 const struct ssl_sigalg *sigalg = NULL; 1906 const struct ssl_sigalg *sigalg = NULL;
1907 uint16_t sigalg_value = SIGALG_NONE; 1907 uint16_t sigalg_value = SIGALG_NONE;
1908 EVP_PKEY *pkey = NULL; 1908 EVP_PKEY *pkey = NULL;
1909 X509 *peer = NULL; 1909 X509 *peer_cert = NULL;
1910 EVP_MD_CTX *mctx = NULL; 1910 EVP_MD_CTX *mctx = NULL;
1911 int al, verify; 1911 int al, verify;
1912 const unsigned char *hdata; 1912 const unsigned char *hdata;
@@ -1928,15 +1928,15 @@ ssl3_get_cert_verify(SSL *s)
1928 1928
1929 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 1929 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
1930 1930
1931 if (s->session->peer != NULL) { 1931 if (s->session->peer_cert != NULL) {
1932 peer = s->session->peer; 1932 peer_cert = s->session->peer_cert;
1933 pkey = X509_get_pubkey(peer); 1933 pkey = X509_get_pubkey(peer_cert);
1934 type = X509_certificate_type(peer, pkey); 1934 type = X509_certificate_type(peer_cert, pkey);
1935 } 1935 }
1936 1936
1937 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) { 1937 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
1938 S3I(s)->hs.tls12.reuse_message = 1; 1938 S3I(s)->hs.tls12.reuse_message = 1;
1939 if (peer != NULL) { 1939 if (peer_cert != NULL) {
1940 al = SSL_AD_UNEXPECTED_MESSAGE; 1940 al = SSL_AD_UNEXPECTED_MESSAGE;
1941 SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE); 1941 SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE);
1942 goto fatal_err; 1942 goto fatal_err;
@@ -1945,7 +1945,7 @@ ssl3_get_cert_verify(SSL *s)
1945 goto end; 1945 goto end;
1946 } 1946 }
1947 1947
1948 if (peer == NULL) { 1948 if (peer_cert == NULL) {
1949 SSLerror(s, SSL_R_NO_CLIENT_CERT_RECEIVED); 1949 SSLerror(s, SSL_R_NO_CLIENT_CERT_RECEIVED);
1950 al = SSL_AD_UNEXPECTED_MESSAGE; 1950 al = SSL_AD_UNEXPECTED_MESSAGE;
1951 goto fatal_err; 1951 goto fatal_err;
@@ -2240,8 +2240,8 @@ ssl3_get_client_certificate(SSL *s)
2240 } 2240 }
2241 } 2241 }
2242 2242
2243 X509_free(s->session->peer); 2243 X509_free(s->session->peer_cert);
2244 s->session->peer = sk_X509_shift(sk); 2244 s->session->peer_cert = sk_X509_shift(sk);
2245 2245
2246 /* 2246 /*
2247 * Inconsistency alert: cert_chain does *not* include the 2247 * Inconsistency alert: cert_chain does *not* include the
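Review bot: In ssl3_get_cert_verify (line 1933) the public key is fetched with X509_get_pubkey, which hands back a reference the caller must free, while the same operation in this commit uses the borrowed X509_get0_pubkey in ssl3_get_client_kex_gost (line 1810) and in the TLS 1.3 certificate-verify paths; peer_cert is owned by the session for the whole handshake, so `pkey = X509_get0_pubkey(peer_cert);` would drop the obligation to EVP_PKEY_free on every exit. If the cleanup at the end label (outside the hunk) already frees pkey, that call would have to go as well, and I have not verified that path here. Short of changing it, a one-line comment noting that pkey is an owned reference would stop the next reader from assuming get0 semantics.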
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index d961f98bef..3e168a0b54 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_client.c,v 1.91 2022/01/08 12:59:59 jsing Exp $ */ 1/* $OpenBSD: tls13_client.c,v 1.92 2022/01/11 18:39:28 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -638,8 +638,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
638 s->session->peer_key = &s->session->peer_pkeys[cert_idx]; 638 s->session->peer_key = &s->session->peer_pkeys[cert_idx];
639 639
640 X509_up_ref(cert); 640 X509_up_ref(cert);
641 X509_free(s->session->peer); 641 X509_free(s->session->peer_cert);
642 s->session->peer = cert; 642 s->session->peer_cert = cert;
643 643
644 s->session->verify_result = s->verify_result; 644 s->session->verify_result = s->verify_result;
645 645
@@ -694,7 +694,7 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
694 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 694 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
695 goto err; 695 goto err;
696 696
697 if ((cert = ctx->ssl->session->peer) == NULL) 697 if ((cert = ctx->ssl->session->peer_cert) == NULL)
698 goto err; 698 goto err;
699 if ((pkey = X509_get0_pubkey(cert)) == NULL) 699 if ((pkey = X509_get0_pubkey(cert)) == NULL)
700 goto err; 700 goto err;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index e31ae38076..3330023430 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_server.c,v 1.93 2022/01/08 12:59:59 jsing Exp $ */ 1/* $OpenBSD: tls13_server.c,v 1.94 2022/01/11 18:39:28 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -931,8 +931,8 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
931 s->session->peer_key = &s->session->peer_pkeys[cert_idx]; 931 s->session->peer_key = &s->session->peer_pkeys[cert_idx];
932 932
933 X509_up_ref(cert); 933 X509_up_ref(cert);
934 X509_free(s->session->peer); 934 X509_free(s->session->peer_cert);
935 s->session->peer = cert; 935 s->session->peer_cert = cert;
936 936
937 s->session->verify_result = s->verify_result; 937 s->session->verify_result = s->verify_result;
938 938
@@ -984,7 +984,7 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
984 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 984 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
985 goto err; 985 goto err;
986 986
987 if ((cert = ctx->ssl->session->peer) == NULL) 987 if ((cert = ctx->ssl->session->peer_cert) == NULL)
988 goto err; 988 goto err;
989 if ((pkey = X509_get0_pubkey(cert)) == NULL) 989 if ((pkey = X509_get0_pubkey(cert)) == NULL)
990 goto err; 990 goto err;