commit 680ca961f993ac0c7f191dcf289c442cf96c4d2c
author David Benjamin <davidben@chromium.org> Thu Jun 18 12:37:23 2015 -0400
committer Adam Langley <agl@google.com> Thu Jun 18 17:53:57 2015 +0000
tree 5f2017c8941c67f2d3daba1c1a83894267232a72
parent d65bb78c6c350066cbd2f8d3f860848a6cd14895

Preserve session->sess_cert on ticket renewal.

Turns out the safer/simpler method still wasn't quite right. :-)
session->sess_cert isn't serialized and deserialized, which is poor. Duplicate
it manually for now. Leave a TODO to get rid of that field altogether as it's
not especially helpful. The certificate-related fields should be in the
session. The others probably have no reason to be preserved on resumptions at
all.

Test by making bssl_shim.cc assert the peer cert chain is there or not as
expected.

BUG=501220

Change-Id: I44034167629720d6e2b7b0b938d58bcab3ab0abe
Reviewed-on: https://boringssl-review.googlesource.com/5170
Reviewed-by: Adam Langley <agl@google.com>

ssl/ssl_cert.c

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index f27685d..85aa079 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -119,11 +119,13 @@
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/buf.h>
+#include <openssl/ec_key.h>
 #include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/pem.h>
+#include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "../crypto/dh/internal.h"
@@ -413,17 +415,44 @@
   return ret;
 }
 
-void ssl_sess_cert_free(SESS_CERT *sc) {
-  if (sc == NULL) {
+SESS_CERT *ssl_sess_cert_dup(const SESS_CERT *sess_cert) {
+  SESS_CERT *ret = ssl_sess_cert_new();
+  if (ret == NULL) {
+    return NULL;
+  }
+
+  if (sess_cert->cert_chain != NULL) {
+    ret->cert_chain = X509_chain_up_ref(sess_cert->cert_chain);
+    if (ret->cert_chain == NULL) {
+      ssl_sess_cert_free(ret);
+      return NULL;
+    }
+  }
+  if (sess_cert->peer_cert != NULL) {
+    ret->peer_cert = X509_up_ref(sess_cert->peer_cert);
+  }
+  if (sess_cert->peer_dh_tmp != NULL) {
+    ret->peer_dh_tmp = sess_cert->peer_dh_tmp;
+    DH_up_ref(ret->peer_dh_tmp);
+  }
+  if (sess_cert->peer_ecdh_tmp != NULL) {
+    ret->peer_ecdh_tmp = sess_cert->peer_ecdh_tmp;
+    EC_KEY_up_ref(ret->peer_ecdh_tmp);
+  }
+  return ret;
+}
+
+void ssl_sess_cert_free(SESS_CERT *sess_cert) {
+  if (sess_cert == NULL) {
     return;
   }
 
-  sk_X509_pop_free(sc->cert_chain, X509_free);
-  X509_free(sc->peer_cert);
-  DH_free(sc->peer_dh_tmp);
-  EC_KEY_free(sc->peer_ecdh_tmp);
+  sk_X509_pop_free(sess_cert->cert_chain, X509_free);
+  X509_free(sess_cert->peer_cert);
+  DH_free(sess_cert->peer_dh_tmp);
+  EC_KEY_free(sess_cert->peer_ecdh_tmp);
 
-  OPENSSL_free(sc);
+  OPENSSL_free(sess_cert);
 }
 
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) {