Remove SSL_get_shared_ciphers.

This removes the need to track the client cipher list in the SSL_SESSION. It
also eliminates a field in SSL_SESSION that wasn't serialized by
i2d_SSL_SESSION. It's only used to implement SSL_get_shared_ciphers which is
only used by debug code.

Moreover, it doesn't work anyway. The SSLv2 logic pruned that field to the
common ciphers, but the SSLv3+ logic just stores the client list as-is. I found
no internal callers that were actually compiled (if need be we can stub in
something that always returns the empty string or so).

Change-Id: I55ad45964fb4037fd623f7591bc574b2983c0698
Reviewed-on: https://boringssl-review.googlesource.com/1866
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index de75b92..a689921 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -434,8 +434,6 @@
 					 * needs to be used to load
 					 * the 'cipher' structure */
 
-	STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
-
 	CRYPTO_EX_DATA ex_data; /* application specific data */
 
 	/* These are used to make removal of session-ids more
@@ -545,10 +543,7 @@
 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
 /* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
  * TLS only.)  "Released" buffers are put onto a free-list in the context or
- * just freed (depending on the context's setting for freelist_max_len). Also
- * frees up RAM by releasing the list of client ciphersuites as soon as
- * possible (SSL3 and TLS only). This stops SSL_get_shared_ciphers from
- * working. */
+ * just freed (depending on the context's setting for freelist_max_len). */
 #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
 
 /* Send the current time in the Random fields of the ClientHello and
@@ -1924,7 +1919,6 @@
 OPENSSL_EXPORT int	SSL_get_rfd(const SSL *s);
 OPENSSL_EXPORT int	SSL_get_wfd(const SSL *s);
 OPENSSL_EXPORT const char  * SSL_get_cipher_list(const SSL *s,int n);
-OPENSSL_EXPORT char *	SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
 OPENSSL_EXPORT int	SSL_get_read_ahead(const SSL * s);
 OPENSSL_EXPORT int	SSL_pending(const SSL *s);
 #ifndef OPENSSL_NO_SOCK
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 4b814f3..149d9e7 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1074,13 +1074,10 @@
 			ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
 			{
 			s->hit=1;
-			s->session->ciphers=ciphers;
 			s->session->verify_result=X509_V_OK;
 
-			ciphers=NULL;
-
 			/* check if some cipher was preferred by call back */
-			pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, ssl_get_cipher_preferences(s));
+			pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
 			if (pref_cipher == NULL)
 				{
 				al=SSL_AD_HANDSHAKE_FAILURE;
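Review bot: Dropping the `s->session->ciphers=ciphers; ciphers=NULL;` handoff in the session-secret callback branch means the parsed list stays owned by the local `ciphers` for the rest of ssl3_get_client_hello, so every exit after this point must reach the cleanup that frees it. A later hunk converts one `return -1` into `goto err`, which suggests the free happens at that label. Any other direct return in the parts of the function not shown would now leak the stack and should be audited. A short ownership comment at the first use would help the next reader, for example `/* ciphers remains owned by this function and is released on the common exit path */`. The function body starts and ends outside this hunk.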
@@ -1096,26 +1093,21 @@
 			if (s->cipher_list_by_id)
 				sk_SSL_CIPHER_free(s->cipher_list_by_id);
 
-			s->cipher_list = ssl_cipher_preference_list_from_ciphers(s->session->ciphers);
-			s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
+			s->cipher_list = ssl_cipher_preference_list_from_ciphers(ciphers);
+			s->cipher_list_by_id = sk_SSL_CIPHER_dup(ciphers);
 			}
 		}
 
-	/* Given s->session->ciphers and SSL_get_ciphers, we must
-	 * pick a cipher */
+	/* Given ciphers and SSL_get_ciphers, we must pick a cipher */
 
 	if (!s->hit)
 		{
-		if (s->session->ciphers != NULL)
-			sk_SSL_CIPHER_free(s->session->ciphers);
-		s->session->ciphers=ciphers;
 		if (ciphers == NULL)
 			{
 			al=SSL_AD_ILLEGAL_PARAMETER;
 			OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_NO_CIPHERS_PASSED);
 			goto f_err;
 			}
-		ciphers=NULL;
 		/* Let cert callback update server certificates if required */
 		if (s->cert->cert_cb)
 			{
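Review bot: The results of `ssl_cipher_preference_list_from_ciphers(ciphers)` and `sk_SSL_CIPHER_dup(ciphers)` are stored and the block closes with no NULL check, although the old `s->cipher_list_by_id` has just been freed above. If either allocation fails, the handshake continues with a NULL list in `s->cipher_list` or `s->cipher_list_by_id`, and whatever later reads them (not visible here) may select from a different preference list than the callback intended. Failing the handshake instead is safer, for example `if (s->cipher_list == NULL || s->cipher_list_by_id == NULL) { al=SSL_AD_INTERNAL_ERROR; goto f_err; }`. This predates the commit, but the lines are rewritten here, so this is a convenient place to close it.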
@@ -1129,12 +1121,11 @@
 			if (rv < 0)
 				{
 				s->rwstate=SSL_X509_LOOKUP;
-				return -1;
+				goto err;
 				}
 			s->rwstate = SSL_NOTHING;
 			}
-		c=ssl3_choose_cipher(s,s->session->ciphers,
-				     ssl_get_cipher_preferences(s));
+		c=ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
 
 		if (c == NULL)
 			{
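Review bot: In the `rv < 0` branch the literal `return -1` becomes `goto err`, so the value reported for the `SSL_X509_LOOKUP` retry now depends on the function's result variable and on what the `err` path does, neither of which is visible in this hunk. The caller only retries correctly if that path returns a negative value and leaves `s->rwstate` alone. If the result variable can have been assigned a non-negative value before this point, set it to -1 explicitly just before the jump. A one-line comment that the jump exists only to free `ciphers` would also make the intent clear.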
@@ -1203,15 +1194,6 @@
 		    s->session->original_handshake_hash_len == 0)
 			s->s3->tlsext_channel_id_valid = 0;
 
-		if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-			{
-			/* Free s->session->ciphers in order to release memory. This
-			 * breaks SSL_get_shared_ciphers(), but many servers will
-			 * prefer the memory savings. */
-			sk_SSL_CIPHER_free(s->session->ciphers);
-			s->session->ciphers = NULL;
-			}
-
 		buf=(unsigned char *)s->init_buf->data;
 		/* Do the message type and length last */
 		d=p= ssl_handshake_start(s);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 952fd78..f7818ed 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1454,46 +1454,6 @@
 	return 1;
 	}
 
-/* works well for SSLv2, not so good for SSLv3 */
-char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
-	{
-	char *p;
-	STACK_OF(SSL_CIPHER) *sk;
-	const SSL_CIPHER *c;
-	size_t i;
-
-	if ((s->session == NULL) || (s->session->ciphers == NULL) ||
-		(len < 2))
-		return(NULL);
-
-	p=buf;
-	sk=s->session->ciphers;
-
-	if (sk_SSL_CIPHER_num(sk) == 0)
-		return NULL;
-
-	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
-		{
-		int n;
-
-		c=sk_SSL_CIPHER_value(sk,i);
-		n=strlen(c->name);
-		if (n+1 > len)
-			{
-			if (p != buf)
-				--p;
-			*p='\0';
-			return buf;
-			}
-		strcpy(p,c->name);
-		p+=n;
-		*(p++)=':';
-		len-=n+1;
-		}
-	p[-1]='\0';
-	return(buf);
-	}
-
 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, uint8_t *p)
 	{
 	size_t i;
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 7fd1724..c8de778 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -707,7 +707,6 @@
 	OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
 	if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
 	if (ss->peer != NULL) X509_free(ss->peer);
-	if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
 	if (ss->tlsext_hostname != NULL) OPENSSL_free(ss->tlsext_hostname);
 	if (ss->tlsext_tick != NULL) OPENSSL_free(ss->tlsext_tick);
 	ss->tlsext_ecpointformatlist_length = 0;