Move peer chain to SSL_SESSION structure.

Reviewed-by: Richard Levitte <[email protected]>
bnedu · Jun 22, 2015 · c34b0f9 · c34b0f9
1 parent 8df53b7
commit c34b0f9
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 8 deletions.
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
@@ -1329,7 +1329,7 @@ int ssl3_get_server_certificate(SSL *s)
     ssl_sess_cert_free(s->session->sess_cert);
     s->session->sess_cert = sc;
 
-    sc->cert_chain = sk;
+    s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does include the peer's certificate,
      * which we don't include in s3_srvr.c

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
@@ -3206,8 +3206,8 @@ int ssl3_get_client_certificate(SSL *s)
             goto done;
         }
     }
-    sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
-    s->session->sess_cert->cert_chain = sk;
+    sk_X509_pop_free(s->session->peer_chain, X509_free);
+    s->session->peer_chain = sk;
     /*
      * Inconsistency alert: cert_chain does *not* include the peer's own
      * certificate, while we do include it in s3_clnt.c

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
@@ -556,7 +556,6 @@ void ssl_sess_cert_free(SESS_CERT *sc)
 #endif
 
     /* i == 0 */
-    sk_X509_pop_free(sc->cert_chain, X509_free);
     OPENSSL_free(sc);
 }
 

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
@@ -834,11 +834,10 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
 {
     STACK_OF(X509) *r;
 
-    if ((s == NULL) || (s->session == NULL)
-        || (s->session->sess_cert == NULL))
+    if ((s == NULL) || (s->session == NULL))
         r = NULL;
     else
-        r = s->session->sess_cert->cert_chain;
+        r = s->session->peer_chain;
 
     /*
      * If we are a client, cert_chain includes the peer's own certificate; if

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
@@ -629,6 +629,8 @@ struct ssl_session_st {
     /* This is the cert and type for the other end. */
     X509 *peer;
     int peer_type;
+    /* Certificate chain of peer */
+    STACK_OF(X509) *peer_chain;
     /*
      * when app_verify_callback accepts a session where the peer's
      * certificate is not ok, we must remember the error for session reuse:
@@ -1587,7 +1589,6 @@ typedef struct cert_st {
 } CERT;
 
 typedef struct sess_cert_st {
-    STACK_OF(X509) *cert_chain; /* as received from peer */
     int references;             /* actually always 1 at the moment */
 } SESS_CERT;
 /* Structure containing decoded values of signature algorithms extension */

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
@@ -845,6 +845,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
     OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
     ssl_sess_cert_free(ss->sess_cert);
     X509_free(ss->peer);
+    sk_X509_pop_free(ss->peer_chain, X509_free);
     sk_SSL_CIPHER_free(ss->ciphers);
     OPENSSL_free(ss->tlsext_hostname);
     OPENSSL_free(ss->tlsext_tick);
-Original file line number
+Diff line change
@@ Expand Up / @@ -556,7 +556,6 @@ void ssl_sess_cert_free(SESS_CERT *sc) @@
     #endif
         /* i == 0 */
-        sk_X509_pop_free(sc->cert_chain, X509_free);
         OPENSSL_free(sc);
     }
@@ Expand Down @@