Remove ssl_cert_inst()

It created the cert structure in SSL_CTX or SSL if it was NULL, but they can never be NULL as the comments already said. Reviewed-by: N Dr. Stephen Henson <steve@openssl.org>

Remove ssl_cert_inst()
It created the cert structure in SSL_CTX or SSL if it was NULL, but they can never be NULL as the comments already said. Reviewed-by: N Dr. Stephen Henson <steve@openssl.org>
2c382349 · Kurt Roeckx · 9fbbdd73 · 2c382349 · 2c382349 · 2c382349
6 changed file
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3252,22 +3252,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 {
    int ret = 0;

-#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
-    if (
-# ifndef OPENSSL_NO_RSA
-           cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB ||
-# endif
-# ifndef OPENSSL_NO_DSA
-           cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB ||
-# endif
-           0) {
-        if (!ssl_cert_inst(&s->cert)) {
-            SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
-            return (0);
-        }
-    }
-#endif
-
    switch (cmd) {
    case SSL_CTRL_GET_SESSION_REUSED:
        ret = s->hit;
@@ -3705,22 +3689,6 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
 {
    int ret = 0;

-#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
-    if (
-# ifndef OPENSSL_NO_RSA
-           cmd == SSL_CTRL_SET_TMP_RSA_CB ||
-# endif
-# ifndef OPENSSL_NO_DSA
-           cmd == SSL_CTRL_SET_TMP_DH_CB ||
-# endif
-           0) {
-        if (!ssl_cert_inst(&s->cert)) {
-            SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
-            return (0);
-        }
-    }
-#endif
-
    switch (cmd) {
 #ifndef OPENSSL_NO_RSA
    case SSL_CTRL_SET_TMP_RSA_CB:

--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -484,31 +484,6 @@ void ssl_cert_free(CERT *c)
    OPENSSL_free(c);
 }

-int ssl_cert_inst(CERT **o)
-{
-    /*
-     * Create a CERT if there isn't already one (which cannot really happen,
-     * as it is initially created in SSL_CTX_new; but the earlier code
-     * usually allows for that one being non-existant, so we follow that
-     * behaviour, as it might turn out that there actually is a reason for it
-     * -- but I'm not sure that *all* of the existing code could cope with
-     * s->cert being NULL, otherwise we could do without the initialization
-     * in SSL_CTX_new).
-     */
-
-    if (o == NULL) {
-        SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
-        return (0);
-    }
-    if (*o == NULL) {
-        if ((*o = ssl_cert_new()) == NULL) {
-            SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
-            return (0);
-        }
-    }
-    return (1);
-}
-
 int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
 {
    int i, r;

--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -202,7 +202,6 @@ static ERR_STRING_DATA SSL_str_functs[] = {
    {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "ssl_bytes_to_cipher_list"},
    {ERR_FUNC(SSL_F_SSL_CERT_ADD0_CHAIN_CERT), "ssl_cert_add0_chain_cert"},
    {ERR_FUNC(SSL_F_SSL_CERT_DUP), "ssl_cert_dup"},
-    {ERR_FUNC(SSL_F_SSL_CERT_INST), "ssl_cert_inst"},
    {ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE), "SSL_CERT_INSTANTIATE"},
    {ERR_FUNC(SSL_F_SSL_CERT_NEW), "ssl_cert_new"},
    {ERR_FUNC(SSL_F_SSL_CERT_SET0_CHAIN), "ssl_cert_set0_chain"},

--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -288,22 +288,18 @@ SSL *SSL_new(SSL_CTX *ctx)
    s->mode = ctx->mode;
    s->max_cert_list = ctx->max_cert_list;

-    if (ctx->cert != NULL) {
-        /*
-         * Earlier library versions used to copy the pointer to the CERT, not
-         * its contents; only when setting new parameters for the per-SSL
-         * copy, ssl_cert_new would be called (and the direct reference to
-         * the per-SSL_CTX settings would be lost, but those still were
-         * indirectly accessed for various purposes, and for that reason they
-         * used to be known as s->ctx->default_cert). Now we don't look at the
-         * SSL_CTX's CERT after having duplicated it once.
-         */
-
-        s->cert = ssl_cert_dup(ctx->cert);
-        if (s->cert == NULL)
-            goto err;
-    } else
-        s->cert = NULL;         /* Cannot really happen (see SSL_CTX_new) */
+    /*
+     * Earlier library versions used to copy the pointer to the CERT, not
+     * its contents; only when setting new parameters for the per-SSL
+     * copy, ssl_cert_new would be called (and the direct reference to
+     * the per-SSL_CTX settings would be lost, but those still were
+     * indirectly accessed for various purposes, and for that reason they
+     * used to be known as s->ctx->default_cert). Now we don't look at the
+     * SSL_CTX's CERT after having duplicated it once.
+     */
+    s->cert = ssl_cert_dup(ctx->cert);
+    if (s->cert == NULL)
+        goto err;

    s->read_ahead = ctx->read_ahead;
    s->msg_callback = ctx->msg_callback;

--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2053,7 +2053,6 @@ int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
 CERT *ssl_cert_dup(CERT *cert);
 void ssl_cert_set_default_md(CERT *cert);
-int ssl_cert_inst(CERT **o);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
 SESS_CERT *ssl_sess_cert_new(void);

--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -79,10 +79,6 @@ int SSL_use_certificate(SSL *ssl, X509 *x)
        return 0;
    }

-    if (!ssl_cert_inst(&ssl->cert)) {
-        SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-        return (0);
-    }
    return (ssl_set_cert(ssl->cert, x));
 }

@@ -157,10 +153,6 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
        return (0);
    }
-    if (!ssl_cert_inst(&ssl->cert)) {
-        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
-        return (0);
-    }
    if ((pkey = EVP_PKEY_new()) == NULL) {
        SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
        return (0);
@@ -302,10 +294,6 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
        SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
        return (0);
    }
-    if (!ssl_cert_inst(&ssl->cert)) {
-        SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
-        return (0);
-    }
    ret = ssl_set_pkey(ssl->cert, pkey);
    return (ret);
 }
@@ -383,10 +371,6 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);
        return 0;
    }
-    if (!ssl_cert_inst(&ctx->cert)) {
-        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-        return (0);
-    }
    return (ssl_set_cert(ctx->cert, x));
 }

@@ -519,10 +503,6 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
        return (0);
    }
-    if (!ssl_cert_inst(&ctx->cert)) {
-        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
-        return (0);
-    }
    if ((pkey = EVP_PKEY_new()) == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
        return (0);
@@ -603,10 +583,6 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
        SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
        return (0);
    }
-    if (!ssl_cert_inst(&ctx->cert)) {
-        SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
-        return (0);
-    }
    return (ssl_set_pkey(ctx->cert, pkey));
 }

@@ -900,10 +876,6 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
        SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, SSL_R_INVALID_SERVERINFO_DATA);
        return 0;
    }
-    if (!ssl_cert_inst(&ctx->cert)) {
-        SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
    if (ctx->cert->key == NULL) {
        SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO, ERR_R_INTERNAL_ERROR);
        return 0;