Move peer chain to SSL_SESSION structure.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 21 Jun 2015 18:34:33 +0000 (19:34 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 22 Jun 2015 12:52:24 +0000 (13:52 +0100)
Reviewed-by: Richard Levitte <levitte@openssl.org>
ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl_cert.c
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/ssl_sess.c

index c36627c..1302275 100644 (file)
@@ -1329,7 +1329,7 @@ int ssl3_get_server_certificate(SSL *s)
     ssl_sess_cert_free(s->session->sess_cert);
     s->session->sess_cert = sc;
 
-    sc->cert_chain = sk;
+    s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does include the peer's certificate,
      * which we don't include in s3_srvr.c
index 90a67d1..e6aa1d3 100644 (file)
@@ -3206,8 +3206,8 @@ int ssl3_get_client_certificate(SSL *s)
             goto done;
         }
     }
-    sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
-    s->session->sess_cert->cert_chain = sk;
+    sk_X509_pop_free(s->session->peer_chain, X509_free);
+    s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does *not* include the peer's own
      * certificate, while we do include it in s3_clnt.c
index 6cb9677..3bb2576 100644 (file)
@@ -556,7 +556,6 @@ void ssl_sess_cert_free(SESS_CERT *sc)
 #endif
 
     /* i == 0 */
-    sk_X509_pop_free(sc->cert_chain, X509_free);
     OPENSSL_free(sc);
 }
 
index 5c814fd..ceba30f 100644 (file)
@@ -834,11 +834,10 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
 {
     STACK_OF(X509) *r;
 
-    if ((s == NULL) || (s->session == NULL)
-        || (s->session->sess_cert == NULL))
+    if ((s == NULL) || (s->session == NULL))
         r = NULL;
     else
-        r = s->session->sess_cert->cert_chain;
+        r = s->session->peer_chain;
 
     /*
      * If we are a client, cert_chain includes the peer's own certificate; if
index 97c0732..f6668af 100644 (file)
@@ -629,6 +629,8 @@ struct ssl_session_st {
     /* This is the cert and type for the other end. */
     X509 *peer;
     int peer_type;
+    /* Certificate chain of peer */
+    STACK_OF(X509) *peer_chain;
     /*
      * when app_verify_callback accepts a session where the peer's
      * certificate is not ok, we must remember the error for session reuse:
@@ -1587,7 +1589,6 @@ typedef struct cert_st {
 } CERT;
 
 typedef struct sess_cert_st {
-    STACK_OF(X509) *cert_chain; /* as received from peer */
     int references;             /* actually always 1 at the moment */
 } SESS_CERT;
 /* Structure containing decoded values of signature algorithms extension */
index c639e53..7ba86b6 100644 (file)
@@ -845,6 +845,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
     OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
     ssl_sess_cert_free(ss->sess_cert);
     X509_free(ss->peer);
+    sk_X509_pop_free(ss->peer_chain, X509_free);
     sk_SSL_CIPHER_free(ss->ciphers);
     OPENSSL_free(ss->tlsext_hostname);
     OPENSSL_free(ss->tlsext_tick);