Remove SESS_CERT entirely.

Reviewed-by: N Richard Levitte <levitte@openssl.org>

Remove SESS_CERT entirely.
Reviewed-by: N Richard Levitte <levitte@openssl.org>
389ebcec · Dr. Stephen Henson · c34b0f99 · 389ebcec · 389ebcec · 389ebcec
6 changed file
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1243,7 +1243,6 @@ int ssl3_get_server_certificate(SSL *s)
    const unsigned char *q, *p;
    unsigned char *d;
    STACK_OF(X509) *sk = NULL;
-    SESS_CERT *sc;
    EVP_PKEY *pkey = NULL;

    n = s->method->ssl_get_message(s,
@@ -1322,13 +1321,6 @@ int ssl3_get_server_certificate(SSL *s)
        goto f_err;
    }

-    sc = ssl_sess_cert_new();
-    if (sc == NULL)
-        goto err;
-
-    ssl_sess_cert_free(s->session->sess_cert);
-    s->session->sess_cert = sc;
-
    s->session->peer_chain = sk;
    /*
     * Inconsistency alert: cert_chain does include the peer's certificate,
@@ -1446,7 +1438,6 @@ int ssl3_get_key_exchange(SSL *s)
         * problems later.
         */
        if (alg_k & SSL_kPSK) {
-            s->session->sess_cert = ssl_sess_cert_new();
            OPENSSL_free(s->ctx->psk_identity_hint);
            s->ctx->psk_identity_hint = NULL;
        }
@@ -1470,9 +1461,6 @@ int ssl3_get_key_exchange(SSL *s)
    s->s3->peer_ecdh_tmp = NULL;
 #endif

-    if (s->session->sess_cert == NULL)
-        s->session->sess_cert = ssl_sess_cert_new();
-
    /* Total length of the parameters including the length prefix */
    param_len = 0;

@@ -2397,7 +2385,7 @@ int ssl3_send_client_key_exchange(SSL *s)
            if (!pms)
                goto memerr;

-            if (s->session->sess_cert == NULL) {
+            if (s->session->peer == NULL) {
                /*
                 * We should always have a server certificate with SSL_kRSA.
                 */
@@ -2452,15 +2440,6 @@ int ssl3_send_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_DH
        else if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
            DH *dh_srvr, *dh_clnt;
-            SESS_CERT *scert = s->session->sess_cert;
-
-            if (scert == NULL) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                       SSL_R_UNEXPECTED_MESSAGE);
-                goto err;
-            }
-
            if (s->s3->peer_dh_tmp != NULL)
                dh_srvr = s->s3->peer_dh_tmp;
            else {
@@ -2543,14 +2522,6 @@ int ssl3_send_client_key_exchange(SSL *s)
            EC_KEY *tkey;
            int ecdh_clnt_cert = 0;
            int field_size = 0;
-
-            if (s->session->sess_cert == NULL) {
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                       SSL_R_UNEXPECTED_MESSAGE);
-                goto err;
-            }
-
            /*
             * Did we send out the client's ECDH share for use in premaster
             * computation as part of client certificate? If so, set
@@ -3280,7 +3251,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
    long alg_k, alg_a;
    EVP_PKEY *pkey = NULL;
    int pkey_bits;
-    SESS_CERT *sc;
 #ifndef OPENSSL_NO_RSA
    RSA *rsa;
 #endif
@@ -3295,12 +3265,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
    /* we don't have a certificate */
    if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
        return (1);
-
-    sc = s->session->sess_cert;
-    if (sc == NULL) {
-        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
 #ifndef OPENSSL_NO_RSA
    rsa = s->s3->peer_rsa_tmp;
 #endif
@@ -3437,7 +3401,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
    return (1);
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
- err:
    return (0);
 }


--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3327,7 +3327,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)

    case SSL_CTRL_GET_PEER_SIGNATURE_NID:
        if (SSL_USE_SIGALGS(s)) {
-            if (s->session && s->session->sess_cert) {
+            if (s->session) {
                const EVP_MD *sig;
                sig = s->s3->tmp.peer_md;
                if (sig) {
@@ -3342,7 +3342,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
            return 0;

    case SSL_CTRL_GET_SERVER_TMP_KEY:
-        if (s->server || !s->session || !s->session->sess_cert)
+        if (s->server || !s->session)
            return 0;
        else {
            EVP_PKEY *ptmp;

--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3195,17 +3195,6 @@ int ssl3_get_client_certificate(SSL *s)
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

-    /*
-     * With the current implementation, sess_cert will always be NULL when we
-     * arrive here.
-     */
-    if (s->session->sess_cert == NULL) {
-        s->session->sess_cert = ssl_sess_cert_new();
-        if (s->session->sess_cert == NULL) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-            goto done;
-        }
-    }
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
    /*

--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -519,46 +519,6 @@ void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
    c->cert_cb_arg = arg;
 }

-SESS_CERT *ssl_sess_cert_new(void)
-{
-    SESS_CERT *ret;
-
-    ret = OPENSSL_malloc(sizeof(*ret));
-    if (ret == NULL) {
-        SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    memset(ret, 0, sizeof(*ret));
-    ret->references = 1;
-
-    return ret;
-}
-
-void ssl_sess_cert_free(SESS_CERT *sc)
-{
-    int i;
-
-    if (sc == NULL)
-        return;
-
-    i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
-#ifdef REF_PRINT
-    REF_PRINT("SESS_CERT", sc);
-#endif
-    if (i > 0)
-        return;
-#ifdef REF_CHECK
-    if (i < 0) {
-        fprintf(stderr, "ssl_sess_cert_free, bad reference count\n");
-        abort();                /* ok */
-    }
-#endif
-
-    /* i == 0 */
-    OPENSSL_free(sc);
-}
-
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
 {
    X509 *x;

--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -624,8 +624,6 @@ struct ssl_session_st {
     * to disable session caching and tickets.
     */
    int not_resumable;
-    /* The cert is the certificate used to establish this connection */
-    struct sess_cert_st /* SESS_CERT */ *sess_cert;
    /* This is the cert and type for the other end. */
    X509 *peer;
    int peer_type;
@@ -1588,9 +1586,6 @@ typedef struct cert_st {
    int references;             /* >1 only if SSL_copy_session_id is used */
 } CERT;

-typedef struct sess_cert_st {
-    int references;             /* actually always 1 at the moment */
-} SESS_CERT;
 /* Structure containing decoded values of signature algorithms extension */
 struct tls_sigalgs_st {
    /* NID of hash algorithm */
@@ -1845,8 +1840,6 @@ __owur CERT *ssl_cert_new(void);
 __owur CERT *ssl_cert_dup(CERT *cert);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
-__owur SESS_CERT *ssl_sess_cert_new(void);
-void ssl_sess_cert_free(SESS_CERT *sc);
 __owur int ssl_get_new_session(SSL *s, int session);
 __owur int ssl_get_prev_session(SSL *s, unsigned char *session, int len,
                         const unsigned char *limit);

--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -265,9 +265,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)

    dest->references = 1;

-    if (src->sess_cert != NULL)
-        CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
-
    if (src->peer != NULL)
        CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);

@@ -843,7 +840,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)

    OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
    OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
-    ssl_sess_cert_free(ss->sess_cert);
    X509_free(ss->peer);
    sk_X509_pop_free(ss->peer_chain, X509_free);
    sk_SSL_CIPHER_free(ss->ciphers);