Move peer chain to SSL_SESSION structure.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 21 Jun 2015 18:34:33 +0000 (19:34 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 22 Jun 2015 12:52:24 +0000 (13:52 +0100)
Reviewed-by: Richard Levitte <levitte@openssl.org>
ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl_cert.c
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/ssl_sess.c

index c36627c955f9565e369fe8dc0905070b43061931..13022757c45412638450f3e7b86ce69fc7e92e2e 100644 (file)
@@ -1329,7 +1329,7 @@ int ssl3_get_server_certificate(SSL *s)
     ssl_sess_cert_free(s->session->sess_cert);
     s->session->sess_cert = sc;
 
-    sc->cert_chain = sk;
+    s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does include the peer's certificate,
      * which we don't include in s3_srvr.c
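Review bot: The new store `s->session->peer_chain = sk;` overwrites whatever chain the session already holds without releasing it; the line above still frees the old `sess_cert`, but the chain no longer lives there after this commit, so a previous `peer_chain` on the same session would leak if ssl3_get_server_certificate runs more than once for it (I can't tell from the hunk whether the session is always freshly allocated at this point). The server-side counterpart in s3_srvr.c in this same commit does `sk_X509_pop_free(s->session->peer_chain, X509_free);` immediately before its assignment, and the same two-line pattern (`sk_X509_pop_free(s->session->peer_chain, X509_free);` then `s->session->peer_chain = sk;`) belongs here for symmetry. The "Inconsistency alert" comment that follows still names `cert_chain`, a field this commit deletes; it should read `peer_chain does include the peer's certificate,`. ssl3_get_server_certificate starts and ends outside the hunk.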
index 90a67d11057455c5c43916b51ce14795a54bfb87..e6aa1d3892de32c2db569dacc31b8a06da38b071 100644 (file)
@@ -3206,8 +3206,8 @@ int ssl3_get_client_certificate(SSL *s)
             goto done;
         }
     }
-    sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
-    s->session->sess_cert->cert_chain = sk;
+    sk_X509_pop_free(s->session->peer_chain, X509_free);
+    s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does *not* include the peer's own
      * certificate, while we do include it in s3_clnt.c
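Review bot: The comment right after the new free-and-store pair still warns about `cert_chain`, which this commit removes from SESS_CERT, so the client/server asymmetry it documents is now attached to a name that no longer exists. It should read `peer_chain does *not* include the peer's own` on the first line, keeping the rest of the wording. The free-then-assign order on the new side is correct, and nothing else in the hunk needs to change. ssl3_get_client_certificate begins and continues outside the hunk.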
index 6cb967772a4908fb71981073dfa982ff3bd77b8b..3bb2576f8a648ed5c5a89517d45192c3d442bb23 100644 (file)
@@ -556,7 +556,6 @@ void ssl_sess_cert_free(SESS_CERT *sc)
 #endif
 
     /* i == 0 */
-    sk_X509_pop_free(sc->cert_chain, X509_free);
     OPENSSL_free(sc);
 }
 
index 5c814fde73c23516ed8f4e2eaf88473f14baf65f..ceba30f83c1e7b893f1cb119b78a51b6427f1c27 100644 (file)
@@ -834,11 +834,10 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
 {
     STACK_OF(X509) *r;
 
-    if ((s == NULL) || (s->session == NULL)
-        || (s->session->sess_cert == NULL))
+    if ((s == NULL) || (s->session == NULL))
         r = NULL;
     else
-        r = s->session->sess_cert->cert_chain;
+        r = s->session->peer_chain;
 
     /*
      * If we are a client, cert_chain includes the peer's own certificate; if
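Review bot: The returned stack is now `s->session->peer_chain`, which SSL_SESSION_free releases elsewhere in this commit, so this public accessor hands out a session-owned pointer; the function carries no comment saying so, and the block comment below still describes `cert_chain`. I would add above the function `/* Returns the chain received from the peer (session->peer_chain). Owned by the SSL_SESSION: do not free or modify; NULL if no session or no chain was received. */` and change the comment line to `* If we are a client, peer_chain includes the peer's own certificate; if`. Dropping the `sess_cert == NULL` test is fine since the chain no longer depends on that struct. The function ends outside the hunk.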
index 97c0732ca379170533e896337b36ea9ee7ce7b1d..f6668afb33b59b5a3e211b27e794235abfb54bdd 100644 (file)
@@ -629,6 +629,8 @@ struct ssl_session_st {
     /* This is the cert and type for the other end. */
     X509 *peer;
     int peer_type;
+    /* Certificate chain of peer */
+    STACK_OF(X509) *peer_chain;
     /*
      * when app_verify_callback accepts a session where the peer's
      * certificate is not ok, we must remember the error for session reuse:
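Review bot: The comment on the new `peer_chain` member says only `Certificate chain of peer`, while the rest of this commit shows two facts a reader of the struct needs: the stack is owned by the session and released in SSL_SESSION_free, and its contents differ by role (s3_clnt.c stores the chain including the peer's own certificate, s3_srvr.c stores it without). Suggest `/* Chain received from the peer; owned by the session and freed in SSL_SESSION_free. Includes the peer's own certificate on the client but not on the server (see s3_clnt.c / s3_srvr.c). */`. I can't see from here whether the session allocator zero-initialises the struct; if it does not, `peer_chain` must be set to NULL on creation or the free in SSL_SESSION_free operates on garbage. Likewise any routine outside this diff that copies an SSL_SESSION member by member would now need to handle `peer_chain`, or the copy would share or silently lose the stack.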
@@ -1587,7 +1589,6 @@ typedef struct cert_st {
 } CERT;
 
 typedef struct sess_cert_st {
-    STACK_OF(X509) *cert_chain; /* as received from peer */
     int references;             /* actually always 1 at the moment */
 } SESS_CERT;
 /* Structure containing decoded values of signature algorithms extension */
index c639e53894edecf74661aa63f1b8747b48743753..7ba86b691177dc8d8065fd18b69f0640f17fb470 100644 (file)
@@ -845,6 +845,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
     OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
     ssl_sess_cert_free(ss->sess_cert);
     X509_free(ss->peer);
+    sk_X509_pop_free(ss->peer_chain, X509_free);
     sk_SSL_CIPHER_free(ss->ciphers);
     OPENSSL_free(ss->tlsext_hostname);
     OPENSSL_free(ss->tlsext_tick);