From 389ebcecae2575188a4ff9566389ce694352be43 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 21 Jun 2015 19:42:04 +0100 Subject: [PATCH] Remove SESS_CERT entirely. Reviewed-by: Richard Levitte --- ssl/s3_clnt.c | 39 +-------------------------------------- ssl/s3_lib.c | 4 ++-- ssl/s3_srvr.c | 11 ----------- ssl/ssl_cert.c | 40 ---------------------------------------- ssl/ssl_locl.h | 7 ------- ssl/ssl_sess.c | 4 ---- 6 files changed, 3 insertions(+), 102 deletions(-) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 13022757c4..6b4c860350 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1243,7 +1243,6 @@ int ssl3_get_server_certificate(SSL *s) const unsigned char *q, *p; unsigned char *d; STACK_OF(X509) *sk = NULL; - SESS_CERT *sc; EVP_PKEY *pkey = NULL; n = s->method->ssl_get_message(s, @@ -1322,13 +1321,6 @@ int ssl3_get_server_certificate(SSL *s) goto f_err; } - sc = ssl_sess_cert_new(); - if (sc == NULL) - goto err; - - ssl_sess_cert_free(s->session->sess_cert); - s->session->sess_cert = sc; - s->session->peer_chain = sk; /* * Inconsistency alert: cert_chain does include the peer's certificate, @@ -1446,7 +1438,6 @@ int ssl3_get_key_exchange(SSL *s) * problems later. */ if (alg_k & SSL_kPSK) { - s->session->sess_cert = ssl_sess_cert_new(); OPENSSL_free(s->ctx->psk_identity_hint); s->ctx->psk_identity_hint = NULL; } @@ -1470,9 +1461,6 @@ int ssl3_get_key_exchange(SSL *s) s->s3->peer_ecdh_tmp = NULL; #endif - if (s->session->sess_cert == NULL) - s->session->sess_cert = ssl_sess_cert_new(); - /* Total length of the parameters including the length prefix */ param_len = 0; @@ -2397,7 +2385,7 @@ int ssl3_send_client_key_exchange(SSL *s) if (!pms) goto memerr; - if (s->session->sess_cert == NULL) { + if (s->session->peer == NULL) { /* * We should always have a server certificate with SSL_kRSA. */ @@ -2452,15 +2440,6 @@ int ssl3_send_client_key_exchange(SSL *s) #ifndef OPENSSL_NO_DH else if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) { DH *dh_srvr, *dh_clnt; - SESS_CERT *scert = s->session->sess_cert; - - if (scert == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_UNEXPECTED_MESSAGE); - goto err; - } - if (s->s3->peer_dh_tmp != NULL) dh_srvr = s->s3->peer_dh_tmp; else { @@ -2543,14 +2522,6 @@ int ssl3_send_client_key_exchange(SSL *s) EC_KEY *tkey; int ecdh_clnt_cert = 0; int field_size = 0; - - if (s->session->sess_cert == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_UNEXPECTED_MESSAGE); - goto err; - } - /* * Did we send out the client's ECDH share for use in premaster * computation as part of client certificate? If so, set @@ -3280,7 +3251,6 @@ int ssl3_check_cert_and_algorithm(SSL *s) long alg_k, alg_a; EVP_PKEY *pkey = NULL; int pkey_bits; - SESS_CERT *sc; #ifndef OPENSSL_NO_RSA RSA *rsa; #endif @@ -3295,12 +3265,6 @@ int ssl3_check_cert_and_algorithm(SSL *s) /* we don't have a certificate */ if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK)) return (1); - - sc = s->session->sess_cert; - if (sc == NULL) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR); - goto err; - } #ifndef OPENSSL_NO_RSA rsa = s->s3->peer_rsa_tmp; #endif @@ -3437,7 +3401,6 @@ int ssl3_check_cert_and_algorithm(SSL *s) return (1); f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); - err: return (0); } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index ad413aa702..6febd4e316 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3327,7 +3327,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_PEER_SIGNATURE_NID: if (SSL_USE_SIGALGS(s)) { - if (s->session && s->session->sess_cert) { + if (s->session) { const EVP_MD *sig; sig = s->s3->tmp.peer_md; if (sig) { @@ -3342,7 +3342,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 0; case SSL_CTRL_GET_SERVER_TMP_KEY: - if (s->server || !s->session || !s->session->sess_cert) + if (s->server || !s->session) return 0; else { EVP_PKEY *ptmp; diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index e6aa1d3892..b98beacf48 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -3195,17 +3195,6 @@ int ssl3_get_client_certificate(SSL *s) s->session->peer = sk_X509_shift(sk); s->session->verify_result = s->verify_result; - /* - * With the current implementation, sess_cert will always be NULL when we - * arrive here. - */ - if (s->session->sess_cert == NULL) { - s->session->sess_cert = ssl_sess_cert_new(); - if (s->session->sess_cert == NULL) { - SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); - goto done; - } - } sk_X509_pop_free(s->session->peer_chain, X509_free); s->session->peer_chain = sk; /* diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 3bb2576f8a..5e9b8ffe7a 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -519,46 +519,6 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg) c->cert_cb_arg = arg; } -SESS_CERT *ssl_sess_cert_new(void) -{ - SESS_CERT *ret; - - ret = OPENSSL_malloc(sizeof(*ret)); - if (ret == NULL) { - SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE); - return NULL; - } - - memset(ret, 0, sizeof(*ret)); - ret->references = 1; - - return ret; -} - -void ssl_sess_cert_free(SESS_CERT *sc) -{ - int i; - - if (sc == NULL) - return; - - i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT); -#ifdef REF_PRINT - REF_PRINT("SESS_CERT", sc); -#endif - if (i > 0) - return; -#ifdef REF_CHECK - if (i < 0) { - fprintf(stderr, "ssl_sess_cert_free, bad reference count\n"); - abort(); /* ok */ - } -#endif - - /* i == 0 */ - OPENSSL_free(sc); -} - int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) { X509 *x; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index f6668afb33..f1046c5ffe 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -624,8 +624,6 @@ struct ssl_session_st { * to disable session caching and tickets. */ int not_resumable; - /* The cert is the certificate used to establish this connection */ - struct sess_cert_st /* SESS_CERT */ *sess_cert; /* This is the cert and type for the other end. */ X509 *peer; int peer_type; @@ -1588,9 +1586,6 @@ typedef struct cert_st { int references; /* >1 only if SSL_copy_session_id is used */ } CERT; -typedef struct sess_cert_st { - int references; /* actually always 1 at the moment */ -} SESS_CERT; /* Structure containing decoded values of signature algorithms extension */ struct tls_sigalgs_st { /* NID of hash algorithm */ @@ -1845,8 +1840,6 @@ __owur CERT *ssl_cert_new(void); __owur CERT *ssl_cert_dup(CERT *cert); void ssl_cert_clear_certs(CERT *c); void ssl_cert_free(CERT *c); -__owur SESS_CERT *ssl_sess_cert_new(void); -void ssl_sess_cert_free(SESS_CERT *sc); __owur int ssl_get_new_session(SSL *s, int session); __owur int ssl_get_prev_session(SSL *s, unsigned char *session, int len, const unsigned char *limit); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 7ba86b6911..03c6ac087d 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -265,9 +265,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->references = 1; - if (src->sess_cert != NULL) - CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT); - if (src->peer != NULL) CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509); @@ -843,7 +840,6 @@ void SSL_SESSION_free(SSL_SESSION *ss) OPENSSL_cleanse(ss->master_key, sizeof ss->master_key); OPENSSL_cleanse(ss->session_id, sizeof ss->session_id); - ssl_sess_cert_free(ss->sess_cert); X509_free(ss->peer); sk_X509_pop_free(ss->peer_chain, X509_free); sk_SSL_CIPHER_free(ss->ciphers); -- 2.40.0