From: Emilia Kasper Date: Wed, 19 Nov 2014 15:28:11 +0000 (+0100) Subject: Remove ssl3_check_finished. X-Git-Tag: OpenSSL_1_0_1k~92 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=b8712b2b9a51d65127606fd25cb549d93406b7a0 Remove ssl3_check_finished. The client sends a session ID with the session ticket, and uses the returned ID to detect resumption, so we do not need to peek at handshake messages: s->hit tells us explicitly if we're resuming. An equivalent change was independently made in BoringSSL, see commit 407886f589cf2dbaed82db0a44173036c3bc3317. Reviewed-by: Matt Caswell (cherry picked from commit 980bc1ec6114f5511b20c2e6ca741e61a39b99d6) Conflicts: ssl/d1_clnt.c ssl/s3_clnt.c --- diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index fd6562c114..00e14b53c7 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -370,20 +370,6 @@ int dtls1_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: -#ifndef OPENSSL_NO_TLSEXT - ret=ssl3_check_finished(s); - if (ret <= 0) goto end; - if (ret == 2) - { - s->hit = 1; - if (s->tlsext_ticket_expected) - s->state=SSL3_ST_CR_SESSION_TICKET_A; - else - s->state=SSL3_ST_CR_FINISHED_A; - s->init_num=0; - break; - } -#endif /* Check if it is anon DH or PSK */ if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 3a3b2a3352..e3c9533ee6 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -313,20 +313,6 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: -#ifndef OPENSSL_NO_TLSEXT - ret=ssl3_check_finished(s); - if (ret <= 0) goto end; - if (ret == 2) - { - s->hit = 1; - if (s->tlsext_ticket_expected) - s->state=SSL3_ST_CR_SESSION_TICKET_A; - else - s->state=SSL3_ST_CR_FINISHED_A; - s->init_num=0; - break; - } -#endif /* Check if it is anon DH/ECDH, SRP auth */ /* or PSK */ if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) && @@ -670,11 +656,7 @@ int ssl3_client_hello(SSL *s) SSL_SESSION *sess = s->session; if ((sess == NULL) || (sess->ssl_version != s->version) || -#ifdef OPENSSL_NO_TLSEXT !sess->session_id_length || -#else - (!sess->session_id_length && !sess->tlsext_tick) || -#endif (sess->not_resumable)) { if (!ssl_get_new_session(s,0)) @@ -3482,40 +3464,9 @@ int ssl3_send_next_proto(SSL *s) } return ssl3_do_write(s, SSL3_RT_HANDSHAKE); -} + } #endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ -/* Check to see if handshake is full or resumed. Usually this is just a - * case of checking to see if a cache hit has occurred. In the case of - * session tickets we have to check the next message to be sure. - */ - -#ifndef OPENSSL_NO_TLSEXT -int ssl3_check_finished(SSL *s) - { - int ok; - long n; - /* If we have no ticket it cannot be a resumed session. */ - if (!s->session->tlsext_tick) - return 1; - /* this function is called when we really expect a Certificate - * message, so permit appropriate message length */ - n=s->method->ssl_get_message(s, - SSL3_ST_CR_CERT_A, - SSL3_ST_CR_CERT_B, - -1, - s->max_cert_list, - &ok); - if (!ok) return((int)n); - s->s3->tmp.reuse_message = 1; - if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) - || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) - return 2; - - return 1; - } -#endif - int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) { int i = 0; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 98888d2df3..90c82f5b20 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1014,7 +1014,6 @@ int ssl3_get_key_exchange(SSL *s); int ssl3_get_server_certificate(SSL *s); int ssl3_check_cert_and_algorithm(SSL *s); #ifndef OPENSSL_NO_TLSEXT -int ssl3_check_finished(SSL *s); # ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s); # endif