generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

No actual change, but the cert_st member of struct ssl_session_st is now

Browse Source 
called sess_cert instead of just cert.  This is in preparation of further
changes: Probably often when s->session->sess_cert is used, we should
use s->cert instead; s->session->sess_cert should be a new structure
containing only the stuff that is for just one connection (e.g.
the peer's certificate, which the SSL client implementations currently
store in s->session->[sess_]cert, which is a very confusing thing to do).
Submitted by:
Reviewed by:
PR:
This commit is contained in:
Bodo Möller 1999-05-09 21:22:45 +00:00
parent ca8e5b9b8a
commit 9d5cceac6f
7 changed files with 55 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ssl/s2_clnt.c
View File

@ -437,7 +437,7 @@ static int get_server_hello(SSL *s)
/* hmmm, can we have the problem of the other session with this /* hmmm, can we have the problem of the other session with this
* cert, Free's it before we increment the reference count. */ * cert, Free's it before we increment the reference count. */
CRYPTO_w_lock(CRYPTO_LOCK_X509); CRYPTO_w_lock(CRYPTO_LOCK_X509);
s->session->peer=s->session->cert->key->x509; s->session->peer=s->session->sess_cert->key->x509;
/* Shouldn't do this: already locked */ /* Shouldn't do this: already locked */
/*CRYPTO_add(&s->session->peer->references,1,CRYPTO_LOCK_X509);*/ /*CRYPTO_add(&s->session->peer->references,1,CRYPTO_LOCK_X509);*/
s->session->peer->references++; s->session->peer->references++;
@ -570,7 +570,7 @@ static int client_master_key(SSL *s)
memcpy(d,sess->master_key,(unsigned int)clear); memcpy(d,sess->master_key,(unsigned int)clear);
d+=clear; d+=clear;
enc=ssl_rsa_public_encrypt(sess->cert,enc, enc=ssl_rsa_public_encrypt(sess->sess_cert,enc,
&(sess->master_key[clear]),d, &(sess->master_key[clear]),d,
(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
if (enc <= 0) if (enc <= 0)
@ -733,7 +733,7 @@ static int client_certificate(SSL *s)
EVP_SignUpdate(&ctx,s->s2->key_material, EVP_SignUpdate(&ctx,s->s2->key_material,
(unsigned int)s->s2->key_material_length); (unsigned int)s->s2->key_material_length);
EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len); EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len);
n=i2d_X509(s->session->cert->key->x509,&p); n=i2d_X509(s->session->sess_cert->key->x509,&p);
EVP_SignUpdate(&ctx,buf,(unsigned int)n); EVP_SignUpdate(&ctx,buf,(unsigned int)n);
p=buf; p=buf;
@ -909,8 +909,8 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data)
} }
/* cert for session */ /* cert for session */
if (s->session->cert) ssl_cert_free(s->session->cert); if (s->session->sess_cert) ssl_cert_free(s->session->sess_cert);
s->session->cert=c; s->session->sess_cert=c;
/* c->cert_type=type; */ /* c->cert_type=type; */

20
ssl/s2_srvr.c
View File

@ -122,7 +122,7 @@ int ssl2_accept(SSL *s)
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
s->in_handshake++; s->in_handshake++;
if (((s->session == NULL) || (s->session->cert == NULL)) && if (((s->session == NULL) || (s->session->sess_cert == NULL)) &&
(s->cert == NULL)) (s->cert == NULL))
{ {
SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET); SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
@ -376,7 +376,7 @@ static int get_client_master_key(SSL *s)
memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]), memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
(unsigned int)keya); (unsigned int)keya);
if (s->session->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) if (s->session->sess_cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)
{ {
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
@ -603,24 +603,24 @@ static int server_hello(SSL *s)
if (!hit) if (!hit)
{ /* else add cert to session */ { /* else add cert to session */
CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT); CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
if (s->session->cert != NULL) if (s->session->sess_cert != NULL)
ssl_cert_free(s->session->cert); ssl_cert_free(s->session->sess_cert);
s->session->cert=s->cert; s->session->sess_cert=s->cert;
} }
else /* We have a session id-cache hit, if the else /* We have a session id-cache hit, if the
* session-id has no certificate listed against * session-id has no certificate listed against
* the 'cert' structure, grab the 'old' one * the 'cert' structure, grab the 'old' one
* listed against the SSL connection */ * listed against the SSL connection */
{ {
if (s->session->cert == NULL) if (s->session->sess_cert == NULL)
{ {
CRYPTO_add(&s->cert->references,1, CRYPTO_add(&s->cert->references,1,
CRYPTO_LOCK_SSL_CERT); CRYPTO_LOCK_SSL_CERT);
s->session->cert=s->cert; s->session->sess_cert=s->cert;
} }
} }
if (s->session->cert == NULL) if (s->session->sess_cert == NULL)
{ {
ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE); ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED); SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED);
@ -873,7 +873,7 @@ static int request_certificate(SSL *s)
(unsigned int)s->s2->key_material_length); (unsigned int)s->s2->key_material_length);
EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
i=i2d_X509(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); i=i2d_X509(s->session->sess_cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
buf2=(unsigned char *)Malloc((unsigned int)i); buf2=(unsigned char *)Malloc((unsigned int)i);
if (buf2 == NULL) if (buf2 == NULL)
{ {
@ -881,7 +881,7 @@ static int request_certificate(SSL *s)
goto msg_end; goto msg_end;
} }
p2=buf2; p2=buf2;
i=i2d_X509(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2); i=i2d_X509(s->session->sess_cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i); EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
Free(buf2); Free(buf2);

47
ssl/s3_clnt.c
View File

@ -767,8 +767,8 @@ static int ssl3_get_server_certificate(SSL *s)
c=ssl_cert_new(); c=ssl_cert_new();
if (c == NULL) goto err; if (c == NULL) goto err;
if (s->session->cert) ssl_cert_free(s->session->cert); if (s->session->sess_cert) ssl_cert_free(s->session->sess_cert);
s->session->cert=c; s->session->sess_cert=c;
c->cert_chain=sk; c->cert_chain=sk;
x=sk_X509_value(sk,0); x=sk_X509_value(sk,0);
@ -854,26 +854,26 @@ static int ssl3_get_key_exchange(SSL *s)
param=p=(unsigned char *)s->init_buf->data; param=p=(unsigned char *)s->init_buf->data;
if (s->session->cert != NULL) if (s->session->sess_cert != NULL)
{ {
#ifndef NO_RSA #ifndef NO_RSA
if (s->session->cert->rsa_tmp != NULL) if (s->session->sess_cert->rsa_tmp != NULL)
{ {
RSA_free(s->session->cert->rsa_tmp); RSA_free(s->session->sess_cert->rsa_tmp);
s->session->cert->rsa_tmp=NULL; s->session->sess_cert->rsa_tmp=NULL;
} }
#endif #endif
#ifndef NO_DH #ifndef NO_DH
if (s->session->cert->dh_tmp) if (s->session->sess_cert->dh_tmp)
{ {
DH_free(s->session->cert->dh_tmp); DH_free(s->session->sess_cert->dh_tmp);
s->session->cert->dh_tmp=NULL; s->session->sess_cert->dh_tmp=NULL;
} }
#endif #endif
} }
else else
{ {
s->session->cert=ssl_cert_new(); s->session->sess_cert=ssl_cert_new();
} }
param_len=0; param_len=0;
@ -918,16 +918,15 @@ static int ssl3_get_key_exchange(SSL *s)
p+=i; p+=i;
n-=param_len; n-=param_len;
/* s->session->cert->rsa_tmp=rsa;*/
/* this should be because we are using an export cipher */ /* this should be because we are using an export cipher */
if (alg & SSL_aRSA) if (alg & SSL_aRSA)
pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509); pkey=X509_get_pubkey(s->session->sess_cert->pkeys[SSL_PKEY_RSA_ENC].x509);
else else
{ {
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
goto err; goto err;
} }
s->session->cert->rsa_tmp=rsa; s->session->sess_cert->rsa_tmp=rsa;
} }
else else
#endif #endif
@ -987,16 +986,16 @@ static int ssl3_get_key_exchange(SSL *s)
#ifndef NO_RSA #ifndef NO_RSA
if (alg & SSL_aRSA) if (alg & SSL_aRSA)
pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509); pkey=X509_get_pubkey(s->session->sess_cert->pkeys[SSL_PKEY_RSA_ENC].x509);
else else
#endif #endif
#ifndef NO_DSA #ifndef NO_DSA
if (alg & SSL_aDSS) if (alg & SSL_aDSS)
pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_DSA_SIGN].x509); pkey=X509_get_pubkey(s->session->sess_cert->pkeys[SSL_PKEY_DSA_SIGN].x509);
#endif #endif
/* else anonymous DH, so no certificate or pkey. */ /* else anonymous DH, so no certificate or pkey. */
s->session->cert->dh_tmp=dh; s->session->sess_cert->dh_tmp=dh;
dh=NULL; dh=NULL;
} }
else if ((alg & SSL_kDHr) || (alg & SSL_kDHd)) else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
@ -1312,11 +1311,11 @@ static int ssl3_send_client_key_exchange(SSL *s)
RSA *rsa; RSA *rsa;
unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
if (s->session->cert->rsa_tmp != NULL) if (s->session->sess_cert->rsa_tmp != NULL)
rsa=s->session->cert->rsa_tmp; rsa=s->session->sess_cert->rsa_tmp;
else else
{ {
pkey=X509_get_pubkey(s->session->cert->pkeys[SSL_PKEY_RSA_ENC].x509); pkey=X509_get_pubkey(s->session->sess_cert->pkeys[SSL_PKEY_RSA_ENC].x509);
if ((pkey == NULL) || if ((pkey == NULL) ||
(pkey->type != EVP_PKEY_RSA) || (pkey->type != EVP_PKEY_RSA) ||
(pkey->pkey.rsa == NULL)) (pkey->pkey.rsa == NULL))
@ -1369,8 +1368,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
{ {
DH *dh_srvr,*dh_clnt; DH *dh_srvr,*dh_clnt;
if (s->session->cert->dh_tmp != NULL) if (s->session->sess_cert->dh_tmp != NULL)
dh_srvr=s->session->cert->dh_tmp; dh_srvr=s->session->sess_cert->dh_tmp;
else else
{ {
/* we get them from the cert */ /* we get them from the cert */
@ -1606,7 +1605,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
DH *dh; DH *dh;
#endif #endif
c=s->session->cert; c=s->session->sess_cert;
if (c == NULL) if (c == NULL)
{ {
@ -1621,10 +1620,10 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
return(1); return(1);
#ifndef NO_RSA #ifndef NO_RSA
rsa=s->session->cert->rsa_tmp; rsa=s->session->sess_cert->rsa_tmp;
#endif #endif
#ifndef NO_DH #ifndef NO_DH
dh=s->session->cert->dh_tmp; dh=s->session->sess_cert->dh_tmp;
#endif #endif
/* This is the passed certificate */ /* This is the passed certificate */

18
ssl/s3_srvr.c
View File

@ -129,7 +129,7 @@ int ssl3_accept(SSL *s)
#ifdef undef #ifdef undef
/* FIX THIS EAY EAY EAY */ /* FIX THIS EAY EAY EAY */
/* we don't actually need a cert, we just need a cert or a DH_tmp */ /* we don't actually need a cert, we just need a cert or a DH_tmp */
if (((s->session == NULL) || (s->session->cert == NULL)) && if (((s->session == NULL) || (s->session->sess_cert == NULL)) &&
(s->cert == NULL)) (s->cert == NULL))
{ {
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET); SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
@ -261,15 +261,15 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SW_KEY_EXCH_A: case SSL3_ST_SW_KEY_EXCH_A:
case SSL3_ST_SW_KEY_EXCH_B: case SSL3_ST_SW_KEY_EXCH_B:
l=s->s3->tmp.new_cipher->algorithms; l=s->s3->tmp.new_cipher->algorithms;
if (s->session->cert == NULL) if (s->session->sess_cert == NULL)
{ {
if (s->cert != NULL) if (s->cert != NULL)
{ {
CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT); CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
s->session->cert=s->cert; s->session->sess_cert=s->cert;
} }
} }
ct=s->session->cert; ct=s->session->sess_cert;
/* clear this, it may get reset by /* clear this, it may get reset by
* send_server_key_exchange */ * send_server_key_exchange */
@ -898,7 +898,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
if (s->state == SSL3_ST_SW_KEY_EXCH_A) if (s->state == SSL3_ST_SW_KEY_EXCH_A)
{ {
type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
cert=s->session->cert; cert=s->session->sess_cert;
buf=s->init_buf; buf=s->init_buf;
@ -1207,9 +1207,9 @@ static int ssl3_get_client_key_exchange(SSL *s)
/* FIX THIS UP EAY EAY EAY EAY */ /* FIX THIS UP EAY EAY EAY EAY */
if (s->s3->tmp.use_rsa_tmp) if (s->s3->tmp.use_rsa_tmp)
{ {
if ((s->session->cert != NULL) && if ((s->session->sess_cert != NULL) &&
(s->session->cert->rsa_tmp != NULL)) (s->session->sess_cert->rsa_tmp != NULL))
rsa=s->session->cert->rsa_tmp; rsa=s->session->sess_cert->rsa_tmp;
else if ((s->cert != NULL) && else if ((s->cert != NULL) &&
(s->cert->rsa_tmp != NULL)) (s->cert->rsa_tmp != NULL))
rsa=s->cert->rsa_tmp; rsa=s->cert->rsa_tmp;
@ -1648,7 +1648,7 @@ static int ssl3_get_client_certificate(SSL *s)
X509_free(s->session->peer); X509_free(s->session->peer);
s->session->peer=sk_X509_shift(sk); s->session->peer=sk_X509_shift(sk);
s->session->cert->cert_chain=sk; s->session->sess_cert->cert_chain=sk;
sk=NULL; sk=NULL;

8
ssl/ssl.h
View File

@ -241,11 +241,13 @@ typedef struct ssl_session_st
int not_resumable; int not_resumable;
/* The cert is the certificate used to establish this connection */ /* The cert is the certificate used to establish this connection */
struct cert_st /* CERT */ *cert; struct cert_st /* CERT */ *sess_cert;
/* XXX should be struct sess_cert_st *sess_cert */ /* XXX should be struct sess_cert_st *sess_cert */
/* This is the cert for the other end. On servers, it will be /* This is the cert for the other end.
* the same as cert->x509 */ * On clients, it will be the same as sess_cert->key->x509
* (the latter is not enough as sess_cert is not retained
* in the external representation of sessions, see ssl_asn1.c). */
X509 *peer; X509 *peer;
int references; int references;

4
ssl/ssl_lib.c
View File

@ -510,10 +510,10 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
{ {
STACK_OF(X509) *r; STACK_OF(X509) *r;
if ((s == NULL) || (s->session == NULL) || (s->session->cert == NULL)) if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL))
r=NULL; r=NULL;
else else
r=s->session->cert->cert_chain; r=s->session->sess_cert->cert_chain;
return(r); return(r);
} }

2
ssl/ssl_sess.c
View File

@ -377,7 +377,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH); memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH); memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH); memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
if (ss->cert != NULL) ssl_cert_free(ss->cert); if (ss->sess_cert != NULL) ssl_cert_free(ss->sess_cert);
if (ss->peer != NULL) X509_free(ss->peer); if (ss->peer != NULL) X509_free(ss->peer);
if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
memset(ss,0,sizeof(*ss)); memset(ss,0,sizeof(*ss));