Remove SESS_CERT entirely.

Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2015-06-21 19:42:04 +01:00
parent c34b0f9930
commit 389ebcecae
6 changed files with 3 additions and 102 deletions

View File

@ -1243,7 +1243,6 @@ int ssl3_get_server_certificate(SSL *s)
const unsigned char *q, *p;
unsigned char *d;
STACK_OF(X509) *sk = NULL;
SESS_CERT *sc;
EVP_PKEY *pkey = NULL;
n = s->method->ssl_get_message(s,
@ -1322,13 +1321,6 @@ int ssl3_get_server_certificate(SSL *s)
goto f_err;
}
sc = ssl_sess_cert_new();
if (sc == NULL)
goto err;
ssl_sess_cert_free(s->session->sess_cert);
s->session->sess_cert = sc;
s->session->peer_chain = sk;
/*
* Inconsistency alert: cert_chain does include the peer's certificate,
@ -1446,7 +1438,6 @@ int ssl3_get_key_exchange(SSL *s)
* problems later.
*/
if (alg_k & SSL_kPSK) {
s->session->sess_cert = ssl_sess_cert_new();
OPENSSL_free(s->ctx->psk_identity_hint);
s->ctx->psk_identity_hint = NULL;
}
@ -1470,9 +1461,6 @@ int ssl3_get_key_exchange(SSL *s)
s->s3->peer_ecdh_tmp = NULL;
#endif
if (s->session->sess_cert == NULL)
s->session->sess_cert = ssl_sess_cert_new();
/* Total length of the parameters including the length prefix */
param_len = 0;
@ -2397,7 +2385,7 @@ int ssl3_send_client_key_exchange(SSL *s)
if (!pms)
goto memerr;
if (s->session->sess_cert == NULL) {
if (s->session->peer == NULL) {
/*
* We should always have a server certificate with SSL_kRSA.
*/
@ -2452,15 +2440,6 @@ int ssl3_send_client_key_exchange(SSL *s)
#ifndef OPENSSL_NO_DH
else if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
DH *dh_srvr, *dh_clnt;
SESS_CERT *scert = s->session->sess_cert;
if (scert == NULL) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
SSL_R_UNEXPECTED_MESSAGE);
goto err;
}
if (s->s3->peer_dh_tmp != NULL)
dh_srvr = s->s3->peer_dh_tmp;
else {
@ -2543,14 +2522,6 @@ int ssl3_send_client_key_exchange(SSL *s)
EC_KEY *tkey;
int ecdh_clnt_cert = 0;
int field_size = 0;
if (s->session->sess_cert == NULL) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
SSL_R_UNEXPECTED_MESSAGE);
goto err;
}
/*
* Did we send out the client's ECDH share for use in premaster
* computation as part of client certificate? If so, set
@ -3280,7 +3251,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
int pkey_bits;
SESS_CERT *sc;
#ifndef OPENSSL_NO_RSA
RSA *rsa;
#endif
@ -3295,12 +3265,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
/* we don't have a certificate */
if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
return (1);
sc = s->session->sess_cert;
if (sc == NULL) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
goto err;
}
#ifndef OPENSSL_NO_RSA
rsa = s->s3->peer_rsa_tmp;
#endif
@ -3437,7 +3401,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
return (1);
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
return (0);
}

View File

@ -3327,7 +3327,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_PEER_SIGNATURE_NID:
if (SSL_USE_SIGALGS(s)) {
if (s->session && s->session->sess_cert) {
if (s->session) {
const EVP_MD *sig;
sig = s->s3->tmp.peer_md;
if (sig) {
@ -3342,7 +3342,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
return 0;
case SSL_CTRL_GET_SERVER_TMP_KEY:
if (s->server || !s->session || !s->session->sess_cert)
if (s->server || !s->session)
return 0;
else {
EVP_PKEY *ptmp;

View File

@ -3195,17 +3195,6 @@ int ssl3_get_client_certificate(SSL *s)
s->session->peer = sk_X509_shift(sk);
s->session->verify_result = s->verify_result;
/*
* With the current implementation, sess_cert will always be NULL when we
* arrive here.
*/
if (s->session->sess_cert == NULL) {
s->session->sess_cert = ssl_sess_cert_new();
if (s->session->sess_cert == NULL) {
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
goto done;
}
}
sk_X509_pop_free(s->session->peer_chain, X509_free);
s->session->peer_chain = sk;
/*

View File

@ -519,46 +519,6 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
c->cert_cb_arg = arg;
}
SESS_CERT *ssl_sess_cert_new(void)
{
SESS_CERT *ret;
ret = OPENSSL_malloc(sizeof(*ret));
if (ret == NULL) {
SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
memset(ret, 0, sizeof(*ret));
ret->references = 1;
return ret;
}
void ssl_sess_cert_free(SESS_CERT *sc)
{
int i;
if (sc == NULL)
return;
i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
#ifdef REF_PRINT
REF_PRINT("SESS_CERT", sc);
#endif
if (i > 0)
return;
#ifdef REF_CHECK
if (i < 0) {
fprintf(stderr, "ssl_sess_cert_free, bad reference count\n");
abort(); /* ok */
}
#endif
/* i == 0 */
OPENSSL_free(sc);
}
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
{
X509 *x;

View File

@ -624,8 +624,6 @@ struct ssl_session_st {
* to disable session caching and tickets.
*/
int not_resumable;
/* The cert is the certificate used to establish this connection */
struct sess_cert_st /* SESS_CERT */ *sess_cert;
/* This is the cert and type for the other end. */
X509 *peer;
int peer_type;
@ -1588,9 +1586,6 @@ typedef struct cert_st {
int references; /* >1 only if SSL_copy_session_id is used */
} CERT;
typedef struct sess_cert_st {
int references; /* actually always 1 at the moment */
} SESS_CERT;
/* Structure containing decoded values of signature algorithms extension */
struct tls_sigalgs_st {
/* NID of hash algorithm */
@ -1845,8 +1840,6 @@ __owur CERT *ssl_cert_new(void);
__owur CERT *ssl_cert_dup(CERT *cert);
void ssl_cert_clear_certs(CERT *c);
void ssl_cert_free(CERT *c);
__owur SESS_CERT *ssl_sess_cert_new(void);
void ssl_sess_cert_free(SESS_CERT *sc);
__owur int ssl_get_new_session(SSL *s, int session);
__owur int ssl_get_prev_session(SSL *s, unsigned char *session, int len,
const unsigned char *limit);

View File

@ -265,9 +265,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
dest->references = 1;
if (src->sess_cert != NULL)
CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
if (src->peer != NULL)
CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
@ -843,7 +840,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)
OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
ssl_sess_cert_free(ss->sess_cert);
X509_free(ss->peer);
sk_X509_pop_free(ss->peer_chain, X509_free);
sk_SSL_CIPHER_free(ss->ciphers);