mirror of
https://github.com/openssl/openssl.git
synced 2024-12-13 12:03:48 +08:00
Remove SESS_CERT entirely.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
parent
c34b0f9930
commit
389ebcecae
@ -1243,7 +1243,6 @@ int ssl3_get_server_certificate(SSL *s)
|
||||
const unsigned char *q, *p;
|
||||
unsigned char *d;
|
||||
STACK_OF(X509) *sk = NULL;
|
||||
SESS_CERT *sc;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
|
||||
n = s->method->ssl_get_message(s,
|
||||
@ -1322,13 +1321,6 @@ int ssl3_get_server_certificate(SSL *s)
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
sc = ssl_sess_cert_new();
|
||||
if (sc == NULL)
|
||||
goto err;
|
||||
|
||||
ssl_sess_cert_free(s->session->sess_cert);
|
||||
s->session->sess_cert = sc;
|
||||
|
||||
s->session->peer_chain = sk;
|
||||
/*
|
||||
* Inconsistency alert: cert_chain does include the peer's certificate,
|
||||
@ -1446,7 +1438,6 @@ int ssl3_get_key_exchange(SSL *s)
|
||||
* problems later.
|
||||
*/
|
||||
if (alg_k & SSL_kPSK) {
|
||||
s->session->sess_cert = ssl_sess_cert_new();
|
||||
OPENSSL_free(s->ctx->psk_identity_hint);
|
||||
s->ctx->psk_identity_hint = NULL;
|
||||
}
|
||||
@ -1470,9 +1461,6 @@ int ssl3_get_key_exchange(SSL *s)
|
||||
s->s3->peer_ecdh_tmp = NULL;
|
||||
#endif
|
||||
|
||||
if (s->session->sess_cert == NULL)
|
||||
s->session->sess_cert = ssl_sess_cert_new();
|
||||
|
||||
/* Total length of the parameters including the length prefix */
|
||||
param_len = 0;
|
||||
|
||||
@ -2397,7 +2385,7 @@ int ssl3_send_client_key_exchange(SSL *s)
|
||||
if (!pms)
|
||||
goto memerr;
|
||||
|
||||
if (s->session->sess_cert == NULL) {
|
||||
if (s->session->peer == NULL) {
|
||||
/*
|
||||
* We should always have a server certificate with SSL_kRSA.
|
||||
*/
|
||||
@ -2452,15 +2440,6 @@ int ssl3_send_client_key_exchange(SSL *s)
|
||||
#ifndef OPENSSL_NO_DH
|
||||
else if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
|
||||
DH *dh_srvr, *dh_clnt;
|
||||
SESS_CERT *scert = s->session->sess_cert;
|
||||
|
||||
if (scert == NULL) {
|
||||
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
|
||||
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
|
||||
SSL_R_UNEXPECTED_MESSAGE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (s->s3->peer_dh_tmp != NULL)
|
||||
dh_srvr = s->s3->peer_dh_tmp;
|
||||
else {
|
||||
@ -2543,14 +2522,6 @@ int ssl3_send_client_key_exchange(SSL *s)
|
||||
EC_KEY *tkey;
|
||||
int ecdh_clnt_cert = 0;
|
||||
int field_size = 0;
|
||||
|
||||
if (s->session->sess_cert == NULL) {
|
||||
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
|
||||
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
|
||||
SSL_R_UNEXPECTED_MESSAGE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* Did we send out the client's ECDH share for use in premaster
|
||||
* computation as part of client certificate? If so, set
|
||||
@ -3280,7 +3251,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
|
||||
long alg_k, alg_a;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
int pkey_bits;
|
||||
SESS_CERT *sc;
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
RSA *rsa;
|
||||
#endif
|
||||
@ -3295,12 +3265,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
|
||||
/* we don't have a certificate */
|
||||
if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
|
||||
return (1);
|
||||
|
||||
sc = s->session->sess_cert;
|
||||
if (sc == NULL) {
|
||||
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
rsa = s->s3->peer_rsa_tmp;
|
||||
#endif
|
||||
@ -3437,7 +3401,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
|
||||
return (1);
|
||||
f_err:
|
||||
ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
||||
err:
|
||||
return (0);
|
||||
}
|
||||
|
||||
|
@ -3327,7 +3327,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||
|
||||
case SSL_CTRL_GET_PEER_SIGNATURE_NID:
|
||||
if (SSL_USE_SIGALGS(s)) {
|
||||
if (s->session && s->session->sess_cert) {
|
||||
if (s->session) {
|
||||
const EVP_MD *sig;
|
||||
sig = s->s3->tmp.peer_md;
|
||||
if (sig) {
|
||||
@ -3342,7 +3342,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||
return 0;
|
||||
|
||||
case SSL_CTRL_GET_SERVER_TMP_KEY:
|
||||
if (s->server || !s->session || !s->session->sess_cert)
|
||||
if (s->server || !s->session)
|
||||
return 0;
|
||||
else {
|
||||
EVP_PKEY *ptmp;
|
||||
|
@ -3195,17 +3195,6 @@ int ssl3_get_client_certificate(SSL *s)
|
||||
s->session->peer = sk_X509_shift(sk);
|
||||
s->session->verify_result = s->verify_result;
|
||||
|
||||
/*
|
||||
* With the current implementation, sess_cert will always be NULL when we
|
||||
* arrive here.
|
||||
*/
|
||||
if (s->session->sess_cert == NULL) {
|
||||
s->session->sess_cert = ssl_sess_cert_new();
|
||||
if (s->session->sess_cert == NULL) {
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
sk_X509_pop_free(s->session->peer_chain, X509_free);
|
||||
s->session->peer_chain = sk;
|
||||
/*
|
||||
|
@ -519,46 +519,6 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
|
||||
c->cert_cb_arg = arg;
|
||||
}
|
||||
|
||||
SESS_CERT *ssl_sess_cert_new(void)
|
||||
{
|
||||
SESS_CERT *ret;
|
||||
|
||||
ret = OPENSSL_malloc(sizeof(*ret));
|
||||
if (ret == NULL) {
|
||||
SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
memset(ret, 0, sizeof(*ret));
|
||||
ret->references = 1;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
void ssl_sess_cert_free(SESS_CERT *sc)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (sc == NULL)
|
||||
return;
|
||||
|
||||
i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
|
||||
#ifdef REF_PRINT
|
||||
REF_PRINT("SESS_CERT", sc);
|
||||
#endif
|
||||
if (i > 0)
|
||||
return;
|
||||
#ifdef REF_CHECK
|
||||
if (i < 0) {
|
||||
fprintf(stderr, "ssl_sess_cert_free, bad reference count\n");
|
||||
abort(); /* ok */
|
||||
}
|
||||
#endif
|
||||
|
||||
/* i == 0 */
|
||||
OPENSSL_free(sc);
|
||||
}
|
||||
|
||||
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
|
||||
{
|
||||
X509 *x;
|
||||
|
@ -624,8 +624,6 @@ struct ssl_session_st {
|
||||
* to disable session caching and tickets.
|
||||
*/
|
||||
int not_resumable;
|
||||
/* The cert is the certificate used to establish this connection */
|
||||
struct sess_cert_st /* SESS_CERT */ *sess_cert;
|
||||
/* This is the cert and type for the other end. */
|
||||
X509 *peer;
|
||||
int peer_type;
|
||||
@ -1588,9 +1586,6 @@ typedef struct cert_st {
|
||||
int references; /* >1 only if SSL_copy_session_id is used */
|
||||
} CERT;
|
||||
|
||||
typedef struct sess_cert_st {
|
||||
int references; /* actually always 1 at the moment */
|
||||
} SESS_CERT;
|
||||
/* Structure containing decoded values of signature algorithms extension */
|
||||
struct tls_sigalgs_st {
|
||||
/* NID of hash algorithm */
|
||||
@ -1845,8 +1840,6 @@ __owur CERT *ssl_cert_new(void);
|
||||
__owur CERT *ssl_cert_dup(CERT *cert);
|
||||
void ssl_cert_clear_certs(CERT *c);
|
||||
void ssl_cert_free(CERT *c);
|
||||
__owur SESS_CERT *ssl_sess_cert_new(void);
|
||||
void ssl_sess_cert_free(SESS_CERT *sc);
|
||||
__owur int ssl_get_new_session(SSL *s, int session);
|
||||
__owur int ssl_get_prev_session(SSL *s, unsigned char *session, int len,
|
||||
const unsigned char *limit);
|
||||
|
@ -265,9 +265,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
||||
|
||||
dest->references = 1;
|
||||
|
||||
if (src->sess_cert != NULL)
|
||||
CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
|
||||
|
||||
if (src->peer != NULL)
|
||||
CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
|
||||
|
||||
@ -843,7 +840,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)
|
||||
|
||||
OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
|
||||
OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
|
||||
ssl_sess_cert_free(ss->sess_cert);
|
||||
X509_free(ss->peer);
|
||||
sk_X509_pop_free(ss->peer_chain, X509_free);
|
||||
sk_SSL_CIPHER_free(ss->ciphers);
|
||||
|
Loading…
Reference in New Issue
Block a user