Remove SESS_CERT entirely.

Reviewed-by: Richard Levitte <levitte@openssl.org>

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 13022757c45412638450f3e7b86ce69fc7e92e2e..6b4c860350ff2573ce5a28d98c62c91734eaada3 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1243,7 +1243,6 @@ int ssl3_get_server_certificate(SSL *s)
     const unsigned char *q, *p;
     unsigned char *d;
     STACK_OF(X509) *sk = NULL;
     const unsigned char *q, *p;
     unsigned char *d;
     STACK_OF(X509) *sk = NULL;

-    SESS_CERT *sc;

     EVP_PKEY *pkey = NULL;
 
     n = s->method->ssl_get_message(s,
     EVP_PKEY *pkey = NULL;
 
     n = s->method->ssl_get_message(s,


@@ -1322,13 +1321,6 @@ int ssl3_get_server_certificate(SSL *s)
         goto f_err;
     }
 
         goto f_err;
     }
 

-    sc = ssl_sess_cert_new();
-    if (sc == NULL)
-        goto err;
-
-    ssl_sess_cert_free(s->session->sess_cert);
-    s->session->sess_cert = sc;
-

     s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does include the peer's certificate,
     s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does include the peer's certificate,


@@ -1446,7 +1438,6 @@ int ssl3_get_key_exchange(SSL *s)
          * problems later.
          */
         if (alg_k & SSL_kPSK) {
          * problems later.
          */
         if (alg_k & SSL_kPSK) {

-            s->session->sess_cert = ssl_sess_cert_new();

             OPENSSL_free(s->ctx->psk_identity_hint);
             s->ctx->psk_identity_hint = NULL;
         }
             OPENSSL_free(s->ctx->psk_identity_hint);
             s->ctx->psk_identity_hint = NULL;
         }


@@ -1470,9 +1461,6 @@ int ssl3_get_key_exchange(SSL *s)
     s->s3->peer_ecdh_tmp = NULL;
 #endif
 
     s->s3->peer_ecdh_tmp = NULL;
 #endif
 

-    if (s->session->sess_cert == NULL)
-        s->session->sess_cert = ssl_sess_cert_new();
-

     /* Total length of the parameters including the length prefix */
     param_len = 0;
 
     /* Total length of the parameters including the length prefix */
     param_len = 0;
 


@@ -2397,7 +2385,7 @@ int ssl3_send_client_key_exchange(SSL *s)
             if (!pms)
                 goto memerr;
 
             if (!pms)
                 goto memerr;
 

-            if (s->session->sess_cert == NULL) {
+            if (s->session->peer == NULL) {

                 /*
                  * We should always have a server certificate with SSL_kRSA.
                  */
                 /*
                  * We should always have a server certificate with SSL_kRSA.
                  */


@@ -2452,15 +2440,6 @@ int ssl3_send_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_DH
         else if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
             DH *dh_srvr, *dh_clnt;
 #ifndef OPENSSL_NO_DH
         else if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
             DH *dh_srvr, *dh_clnt;

-            SESS_CERT *scert = s->session->sess_cert;
-
-            if (scert == NULL) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                       SSL_R_UNEXPECTED_MESSAGE);
-                goto err;
-            }
-

             if (s->s3->peer_dh_tmp != NULL)
                 dh_srvr = s->s3->peer_dh_tmp;
             else {
             if (s->s3->peer_dh_tmp != NULL)
                 dh_srvr = s->s3->peer_dh_tmp;
             else {


@@ -2543,14 +2522,6 @@ int ssl3_send_client_key_exchange(SSL *s)
             EC_KEY *tkey;
             int ecdh_clnt_cert = 0;
             int field_size = 0;
             EC_KEY *tkey;
             int ecdh_clnt_cert = 0;
             int field_size = 0;

-
-            if (s->session->sess_cert == NULL) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                       SSL_R_UNEXPECTED_MESSAGE);
-                goto err;
-            }
-

             /*
              * Did we send out the client's ECDH share for use in premaster
              * computation as part of client certificate? If so, set
             /*
              * Did we send out the client's ECDH share for use in premaster
              * computation as part of client certificate? If so, set


@@ -3280,7 +3251,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
     long alg_k, alg_a;
     EVP_PKEY *pkey = NULL;
     int pkey_bits;
     long alg_k, alg_a;
     EVP_PKEY *pkey = NULL;
     int pkey_bits;

-    SESS_CERT *sc;

 #ifndef OPENSSL_NO_RSA
     RSA *rsa;
 #endif
 #ifndef OPENSSL_NO_RSA
     RSA *rsa;
 #endif


@@ -3295,12 +3265,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
     /* we don't have a certificate */
     if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
         return (1);
     /* we don't have a certificate */
     if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
         return (1);

-
-    sc = s->session->sess_cert;
-    if (sc == NULL) {
-        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }

 #ifndef OPENSSL_NO_RSA
     rsa = s->s3->peer_rsa_tmp;
 #endif
 #ifndef OPENSSL_NO_RSA
     rsa = s->s3->peer_rsa_tmp;
 #endif


@@ -3437,7 +3401,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
     return (1);
  f_err:
     ssl3_send_alert(s, SSL3_AL_FATAL, al);
     return (1);
  f_err:
     ssl3_send_alert(s, SSL3_AL_FATAL, al);

- err:

     return (0);
 }
 
     return (0);
 }
 

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ad413aa702145327c2050e79818aaa7b4f3f72ea..6febd4e3169ee3dbb1534539a738a00d1d4d077e 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3327,7 +3327,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 
     case SSL_CTRL_GET_PEER_SIGNATURE_NID:
         if (SSL_USE_SIGALGS(s)) {
 
     case SSL_CTRL_GET_PEER_SIGNATURE_NID:
         if (SSL_USE_SIGALGS(s)) {

-            if (s->session && s->session->sess_cert) {
+            if (s->session) {

                 const EVP_MD *sig;
                 sig = s->s3->tmp.peer_md;
                 if (sig) {
                 const EVP_MD *sig;
                 sig = s->s3->tmp.peer_md;
                 if (sig) {


@@ -3342,7 +3342,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
             return 0;
 
     case SSL_CTRL_GET_SERVER_TMP_KEY:
             return 0;
 
     case SSL_CTRL_GET_SERVER_TMP_KEY:

-        if (s->server || !s->session || !s->session->sess_cert)
+        if (s->server || !s->session)

             return 0;
         else {
             EVP_PKEY *ptmp;
             return 0;
         else {
             EVP_PKEY *ptmp;

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index e6aa1d3892de32c2db569dacc31b8a06da38b071..b98beacf483086e2d3e1a70949e71b84e42f54db 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3195,17 +3195,6 @@ int ssl3_get_client_certificate(SSL *s)
     s->session->peer = sk_X509_shift(sk);
     s->session->verify_result = s->verify_result;
 
     s->session->peer = sk_X509_shift(sk);
     s->session->verify_result = s->verify_result;
 

-    /*
-     * With the current implementation, sess_cert will always be NULL when we
-     * arrive here.
-     */
-    if (s->session->sess_cert == NULL) {
-        s->session->sess_cert = ssl_sess_cert_new();
-        if (s->session->sess_cert == NULL) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-            goto done;
-        }
-    }

     sk_X509_pop_free(s->session->peer_chain, X509_free);
     s->session->peer_chain = sk;
     /*
     sk_X509_pop_free(s->session->peer_chain, X509_free);
     s->session->peer_chain = sk;
     /*

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 3bb2576f8a648ed5c5a89517d45192c3d442bb23..5e9b8ffe7aaaad7d618b8b8d0d5a49eb4e0259bf 100644 (file)
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -519,46 +519,6 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
     c->cert_cb_arg = arg;
 }
 
     c->cert_cb_arg = arg;
 }
 

-SESS_CERT *ssl_sess_cert_new(void)
-{
-    SESS_CERT *ret;
-
-    ret = OPENSSL_malloc(sizeof(*ret));
-    if (ret == NULL) {
-        SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    memset(ret, 0, sizeof(*ret));
-    ret->references = 1;
-
-    return ret;
-}
-
-void ssl_sess_cert_free(SESS_CERT *sc)
-{
-    int i;
-
-    if (sc == NULL)
-        return;
-
-    i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
-#ifdef REF_PRINT
-    REF_PRINT("SESS_CERT", sc);
-#endif
-    if (i > 0)
-        return;
-#ifdef REF_CHECK
-    if (i < 0) {
-        fprintf(stderr, "ssl_sess_cert_free, bad reference count\n");
-        abort();                /* ok */
-    }
-#endif
-
-    /* i == 0 */
-    OPENSSL_free(sc);
-}
-

 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 {
     X509 *x;
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 {
     X509 *x;

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f6668afb33b59b5a3e211b27e794235abfb54bdd..f1046c5ffe93e3d75fcdc288efa0585909569c32 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -624,8 +624,6 @@ struct ssl_session_st {
      * to disable session caching and tickets.
      */
     int not_resumable;
      * to disable session caching and tickets.
      */
     int not_resumable;

-    /* The cert is the certificate used to establish this connection */
-    struct sess_cert_st /* SESS_CERT */ *sess_cert;

     /* This is the cert and type for the other end. */
     X509 *peer;
     int peer_type;
     /* This is the cert and type for the other end. */
     X509 *peer;
     int peer_type;


@@ -1588,9 +1586,6 @@ typedef struct cert_st {
     int references;             /* >1 only if SSL_copy_session_id is used */
 } CERT;
 
     int references;             /* >1 only if SSL_copy_session_id is used */
 } CERT;
 

-typedef struct sess_cert_st {
-    int references;             /* actually always 1 at the moment */
-} SESS_CERT;

 /* Structure containing decoded values of signature algorithms extension */
 struct tls_sigalgs_st {
     /* NID of hash algorithm */
 /* Structure containing decoded values of signature algorithms extension */
 struct tls_sigalgs_st {
     /* NID of hash algorithm */


@@ -1845,8 +1840,6 @@ __owur CERT *ssl_cert_new(void);
 __owur CERT *ssl_cert_dup(CERT *cert);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
 __owur CERT *ssl_cert_dup(CERT *cert);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);

-__owur SESS_CERT *ssl_sess_cert_new(void);
-void ssl_sess_cert_free(SESS_CERT *sc);

 __owur int ssl_get_new_session(SSL *s, int session);
 __owur int ssl_get_prev_session(SSL *s, unsigned char *session, int len,
                          const unsigned char *limit);
 __owur int ssl_get_new_session(SSL *s, int session);
 __owur int ssl_get_prev_session(SSL *s, unsigned char *session, int len,
                          const unsigned char *limit);

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 7ba86b691177dc8d8065fd18b69f0640f17fb470..03c6ac087d394a6e0ab93e8bd2e58a822c3d4939 100644 (file)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -265,9 +265,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
 
     dest->references = 1;
 
 
     dest->references = 1;
 

-    if (src->sess_cert != NULL)
-        CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
-

     if (src->peer != NULL)
         CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
 
     if (src->peer != NULL)
         CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
 


@@ -843,7 +840,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)
 
     OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
     OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
 
     OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
     OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);

-    ssl_sess_cert_free(ss->sess_cert);

     X509_free(ss->peer);
     sk_X509_pop_free(ss->peer_chain, X509_free);
     sk_SSL_CIPHER_free(ss->ciphers);
     X509_free(ss->peer);
     sk_X509_pop_free(ss->peer_chain, X509_free);
     sk_SSL_CIPHER_free(ss->ciphers);