From: Dr. Stephen Henson
Date: Sun, 21 Jun 2015 18:34:33 +0000 (+0100)
Subject: Move peer chain to SSL_SESSION structure.
X-Git-Tag: OpenSSL_1_1_0-pre1~969
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=c34b0f9930563f905412a00b6d8a7280c83eb811

Move peer chain to SSL_SESSION structure.

Reviewed-by: Richard Levitte
---
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index c36627c955..13022757c4 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1329,7 +1329,7 @@ int ssl3_get_server_certificate(SSL *s)
     ssl_sess_cert_free(s->session->sess_cert);
     s->session->sess_cert = sc;
-    sc->cert_chain = sk;
+    s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does include the peer's certificate,
      * which we don't include in s3_srvr.c
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 90a67d1105..e6aa1d3892 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3206,8 +3206,8 @@ int ssl3_get_client_certificate(SSL *s)
             goto done;
         }
     }
-    sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
-    s->session->sess_cert->cert_chain = sk;
+    sk_X509_pop_free(s->session->peer_chain, X509_free);
+    s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does *not* include the peer's own
      * certificate, while we do include it in s3_clnt.c
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 6cb967772a..3bb2576f8a 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -556,7 +556,6 @@ void ssl_sess_cert_free(SESS_CERT *sc)
 #endif
 
     /* i == 0 */
-    sk_X509_pop_free(sc->cert_chain, X509_free);
     OPENSSL_free(sc);
 }
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5c814fde73..ceba30f83c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
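Review bot: The added `s->session->peer_chain = sk;` overwrites whatever chain the session already holds without releasing it, whereas the server-side hunk in s3_srvr.c frees the old stack first; before this commit the old chain was released by the `ssl_sess_cert_free()` call on the line above, and that function no longer frees it (see the ssl_cert.c hunk). If a session object can reach this point with a chain already attached — presumably a renegotiation that keeps the same SSL_SESSION — the previous STACK_OF(X509) and its certificates leak on every such handshake. Mirror s3_srvr.c by inserting `sk_X509_pop_free(s->session->peer_chain, X509_free);` immediately before the assignment. The trailing comment still refers to `cert_chain`; the same stale name appears in the comments kept by the s3_srvr.c and ssl_lib.c hunks and should read `peer_chain` in all three. ssl3_get_server_certificate begins and ends outside the hunk.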
@@ -834,11 +834,10 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
 {
     STACK_OF(X509) *r;
 
-    if ((s == NULL) || (s->session == NULL)
-        || (s->session->sess_cert == NULL))
+    if ((s == NULL) || (s->session == NULL))
         r = NULL;
     else
-        r = s->session->sess_cert->cert_chain;
+        r = s->session->peer_chain;
 
     /*
      * If we are a client, cert_chain includes the peer's own certificate; if
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 97c0732ca3..f6668afb33 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -629,6 +629,8 @@ struct ssl_session_st {
     /* This is the cert and type for the other end. */
     X509 *peer;
     int peer_type;
+    /* Certificate chain of peer */
+    STACK_OF(X509) *peer_chain;
     /*
      * when app_verify_callback accepts a session where the peer's
      * certificate is not ok, we must remember the error for session reuse:
@@ -1587,7 +1589,6 @@ typedef struct cert_st {
 } CERT;
 
 typedef struct sess_cert_st {
-    STACK_OF(X509) *cert_chain; /* as received from peer */
     int references;             /* actually always 1 at the moment */
 } SESS_CERT;
 /* Structure containing decoded values of signature algorithms extension */
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index c639e53894..7ba86b6911 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -845,6 +845,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
     OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
     ssl_sess_cert_free(ss->sess_cert);
     X509_free(ss->peer);
+    sk_X509_pop_free(ss->peer_chain, X509_free);
     sk_SSL_CIPHER_free(ss->ciphers);
     OPENSSL_free(ss->tlsext_hostname);
     OPENSSL_free(ss->tlsext_tick);
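Review bot: The new member's comment `/* Certificate chain of peer */` omits the two facts a reader of this struct needs: who owns the stack, and whether it contains the peer's own certificate, which the s3_clnt.c and s3_srvr.c hunks show differs between client and server. Suggested wording: `/* Peer certificate chain, owned by the session and released in SSL_SESSION_free(). Contains the peer's own certificate on the client side only. */`. Whether the session allocator zero-initialises this new member is not visible in the diff; if the allocation is not zeroed, `peer_chain` must be set to NULL at construction or the new free in SSL_SESSION_free operates on an indeterminate pointer.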
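Review bot: With `cert_chain` removed, `sess_cert_st` holds nothing but `references`, so SESS_CERT no longer carries any data and ssl_sess_cert_free() (ssl_cert.c hunk) is reduced to a reference-count decrement around OPENSSL_free. If nothing else in the tree stores into it — not visible from this diff — the struct, its allocation in ssl3_get_server_certificate and the free in SSL_SESSION_free could be removed in a follow-up rather than kept as an empty refcounted shell. Until then a comment on the struct, such as `/* Empty apart from the refcount since the peer chain moved to SSL_SESSION; retained until remaining users are removed */`, would stop readers looking for the chain here.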
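Review bot: The added `sk_X509_pop_free(ss->peer_chain, X509_free);` makes SSL_SESSION the sole owner of the chain, so any code path that copies an SSL_SESSION by value (a session duplication helper, if the tree has one) now has to either deep-copy `peer_chain`, taking a reference on each certificate, or set the field to NULL in the copy; otherwise two sessions free the same stack. That is inferred from the ownership change rather than from a line in this diff, so it is worth a search for struct copies of ssl_session_st before merging. SSL_SESSION_free's body starts outside the hunk.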