Remove SESS_CERT entirely.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 21 Jun 2015 18:42:04 +0000 (19:42 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 22 Jun 2015 12:52:24 +0000 (13:52 +0100)
Reviewed-by: Richard Levitte <levitte@openssl.org>
ssl/s3_clnt.c
ssl/s3_lib.c
ssl/s3_srvr.c
ssl/ssl_cert.c
ssl/ssl_locl.h
ssl/ssl_sess.c

index 1302275..6b4c860 100644 (file)
@@ -1243,7 +1243,6 @@ int ssl3_get_server_certificate(SSL *s)
     const unsigned char *q, *p;
     unsigned char *d;
     STACK_OF(X509) *sk = NULL;
-    SESS_CERT *sc;
     EVP_PKEY *pkey = NULL;
 
     n = s->method->ssl_get_message(s,
@@ -1322,13 +1321,6 @@ int ssl3_get_server_certificate(SSL *s)
         goto f_err;
     }
 
-    sc = ssl_sess_cert_new();
-    if (sc == NULL)
-        goto err;
-
-    ssl_sess_cert_free(s->session->sess_cert);
-    s->session->sess_cert = sc;
-
     s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does include the peer's certificate,
@@ -1446,7 +1438,6 @@ int ssl3_get_key_exchange(SSL *s)
          * problems later.
          */
         if (alg_k & SSL_kPSK) {
-            s->session->sess_cert = ssl_sess_cert_new();
             OPENSSL_free(s->ctx->psk_identity_hint);
             s->ctx->psk_identity_hint = NULL;
         }
@@ -1470,9 +1461,6 @@ int ssl3_get_key_exchange(SSL *s)
     s->s3->peer_ecdh_tmp = NULL;
 #endif
 
-    if (s->session->sess_cert == NULL)
-        s->session->sess_cert = ssl_sess_cert_new();
-
     /* Total length of the parameters including the length prefix */
     param_len = 0;
 
@@ -2397,7 +2385,7 @@ int ssl3_send_client_key_exchange(SSL *s)
             if (!pms)
                 goto memerr;
 
-            if (s->session->sess_cert == NULL) {
+            if (s->session->peer == NULL) {
                 /*
                  * We should always have a server certificate with SSL_kRSA.
                  */
@@ -2452,15 +2440,6 @@ int ssl3_send_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_DH
         else if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
             DH *dh_srvr, *dh_clnt;
-            SESS_CERT *scert = s->session->sess_cert;
-
-            if (scert == NULL) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                       SSL_R_UNEXPECTED_MESSAGE);
-                goto err;
-            }
-
             if (s->s3->peer_dh_tmp != NULL)
                 dh_srvr = s->s3->peer_dh_tmp;
             else {
@@ -2543,14 +2522,6 @@ int ssl3_send_client_key_exchange(SSL *s)
             EC_KEY *tkey;
             int ecdh_clnt_cert = 0;
             int field_size = 0;
-
-            if (s->session->sess_cert == NULL) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                       SSL_R_UNEXPECTED_MESSAGE);
-                goto err;
-            }
-
             /*
              * Did we send out the client's ECDH share for use in premaster
              * computation as part of client certificate? If so, set
@@ -3280,7 +3251,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
     long alg_k, alg_a;
     EVP_PKEY *pkey = NULL;
     int pkey_bits;
-    SESS_CERT *sc;
 #ifndef OPENSSL_NO_RSA
     RSA *rsa;
 #endif
@@ -3295,12 +3265,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
     /* we don't have a certificate */
     if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
         return (1);
-
-    sc = s->session->sess_cert;
-    if (sc == NULL) {
-        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
 #ifndef OPENSSL_NO_RSA
     rsa = s->s3->peer_rsa_tmp;
 #endif
@@ -3437,7 +3401,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
     return (1);
  f_err:
     ssl3_send_alert(s, SSL3_AL_FATAL, al);
- err:
     return (0);
 }
 
index ad413aa..6febd4e 100644 (file)
@@ -3327,7 +3327,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 
     case SSL_CTRL_GET_PEER_SIGNATURE_NID:
         if (SSL_USE_SIGALGS(s)) {
-            if (s->session && s->session->sess_cert) {
+            if (s->session) {
                 const EVP_MD *sig;
                 sig = s->s3->tmp.peer_md;
                 if (sig) {
@@ -3342,7 +3342,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
             return 0;
 
     case SSL_CTRL_GET_SERVER_TMP_KEY:
-        if (s->server || !s->session || !s->session->sess_cert)
+        if (s->server || !s->session)
             return 0;
         else {
             EVP_PKEY *ptmp;
index e6aa1d3..b98beac 100644 (file)
@@ -3195,17 +3195,6 @@ int ssl3_get_client_certificate(SSL *s)
     s->session->peer = sk_X509_shift(sk);
     s->session->verify_result = s->verify_result;
 
-    /*
-     * With the current implementation, sess_cert will always be NULL when we
-     * arrive here.
-     */
-    if (s->session->sess_cert == NULL) {
-        s->session->sess_cert = ssl_sess_cert_new();
-        if (s->session->sess_cert == NULL) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-            goto done;
-        }
-    }
     sk_X509_pop_free(s->session->peer_chain, X509_free);
     s->session->peer_chain = sk;
     /*
index 3bb2576..5e9b8ff 100644 (file)
@@ -519,46 +519,6 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
     c->cert_cb_arg = arg;
 }
 
-SESS_CERT *ssl_sess_cert_new(void)
-{
-    SESS_CERT *ret;
-
-    ret = OPENSSL_malloc(sizeof(*ret));
-    if (ret == NULL) {
-        SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    memset(ret, 0, sizeof(*ret));
-    ret->references = 1;
-
-    return ret;
-}
-
-void ssl_sess_cert_free(SESS_CERT *sc)
-{
-    int i;
-
-    if (sc == NULL)
-        return;
-
-    i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
-#ifdef REF_PRINT
-    REF_PRINT("SESS_CERT", sc);
-#endif
-    if (i > 0)
-        return;
-#ifdef REF_CHECK
-    if (i < 0) {
-        fprintf(stderr, "ssl_sess_cert_free, bad reference count\n");
-        abort();                /* ok */
-    }
-#endif
-
-    /* i == 0 */
-    OPENSSL_free(sc);
-}
-
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 {
     X509 *x;
index f6668af..f1046c5 100644 (file)
@@ -624,8 +624,6 @@ struct ssl_session_st {
      * to disable session caching and tickets.
      */
     int not_resumable;
-    /* The cert is the certificate used to establish this connection */
-    struct sess_cert_st /* SESS_CERT */ *sess_cert;
     /* This is the cert and type for the other end. */
     X509 *peer;
     int peer_type;
@@ -1588,9 +1586,6 @@ typedef struct cert_st {
     int references;             /* >1 only if SSL_copy_session_id is used */
 } CERT;
 
-typedef struct sess_cert_st {
-    int references;             /* actually always 1 at the moment */
-} SESS_CERT;
 /* Structure containing decoded values of signature algorithms extension */
 struct tls_sigalgs_st {
     /* NID of hash algorithm */
@@ -1845,8 +1840,6 @@ __owur CERT *ssl_cert_new(void);
 __owur CERT *ssl_cert_dup(CERT *cert);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
-__owur SESS_CERT *ssl_sess_cert_new(void);
-void ssl_sess_cert_free(SESS_CERT *sc);
 __owur int ssl_get_new_session(SSL *s, int session);
 __owur int ssl_get_prev_session(SSL *s, unsigned char *session, int len,
                          const unsigned char *limit);
index 7ba86b6..03c6ac0 100644 (file)
@@ -265,9 +265,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
 
     dest->references = 1;
 
-    if (src->sess_cert != NULL)
-        CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
-
     if (src->peer != NULL)
         CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
 
@@ -843,7 +840,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 
     OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
     OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
-    ssl_sess_cert_free(ss->sess_cert);
     X509_free(ss->peer);
     sk_X509_pop_free(ss->peer_chain, X509_free);
     sk_SSL_CIPHER_free(ss->ciphers);