Move some fields from tmp to hs.
This releases memory associated with them after the handshake. Note this
changes the behavior of |SSL_get0_certificate_types| and
|SSL_get_client_CA_list| slightly. Both functions now return NULL
outside of the handshake. But they were already documented to return
something undefined when not called at the CertificateRequest.
A survey of callers finds none that would care. (Note
SSL_get_client_CA_list is used both as a getter for the corresponding
server config setter and to report client handshake properties. Only the
latter is affected.) It's also pretty difficult to imagine why a caller
would wish to query this stuff at any other time, and there are clear
benefits to dropping the CA list after the handshake (some servers send
ABSURDLY large lists).
Change-Id: I3ac3b601ff0cfa601881ce77ae33d99bb5327004
Reviewed-on: https://boringssl-review.googlesource.com/11521
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2aca268..3dbfb5e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -706,10 +706,6 @@
*
* https://tools.ietf.org/html/rfc6066#section-3. */
-static void ext_sni_init(SSL *ssl) {
- ssl->s3->tmp.should_ack_sni = 0;
-}
-
static int ext_sni_add_clienthello(SSL *ssl, CBB *out) {
if (ssl->tlsext_hostname == NULL) {
return 1;
@@ -797,7 +793,7 @@
return 0;
}
- ssl->s3->tmp.should_ack_sni = 1;
+ ssl->s3->hs->should_ack_sni = 1;
}
return 1;
@@ -805,7 +801,7 @@
static int ext_sni_add_serverhello(SSL *ssl, CBB *out) {
if (ssl->session != NULL ||
- !ssl->s3->tmp.should_ack_sni ||
+ !ssl->s3->hs->should_ack_sni ||
ssl->s3->new_session->tlsext_hostname == NULL) {
return 1;
}
@@ -1211,7 +1207,6 @@
* https://tools.ietf.org/html/rfc6066#section-8 */
static void ext_ocsp_init(SSL *ssl) {
- ssl->s3->tmp.certificate_status_expected = 0;
ssl->tlsext_status_type = -1;
}
@@ -1251,7 +1246,7 @@
* status_request here does not make sense, but OpenSSL does so and the
* specification does not say anything. Tolerate it but ignore it. */
- ssl->s3->tmp.certificate_status_expected = 1;
+ ssl->s3->hs->certificate_status_expected = 1;
return 1;
}
@@ -1292,13 +1287,13 @@
/* We cannot decide whether OCSP stapling will occur yet because the correct
* SSL_CTX might not have been selected. */
- ssl->s3->tmp.ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
+ ssl->s3->hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
return 1;
}
static int ext_ocsp_add_serverhello(SSL *ssl, CBB *out) {
- if (!ssl->s3->tmp.ocsp_stapling_requested ||
+ if (!ssl->s3->hs->ocsp_stapling_requested ||
ssl->ctx->ocsp_response_length == 0 ||
ssl->s3->session_reused ||
(ssl3_protocol_version(ssl) < TLS1_3_VERSION &&
@@ -1312,7 +1307,7 @@
return 1;
}
- ssl->s3->tmp.certificate_status_expected = 1;
+ ssl->s3->hs->certificate_status_expected = 1;
return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
CBB_add_u16(out, 0 /* length */);
@@ -2482,7 +2477,7 @@
},
{
TLSEXT_TYPE_server_name,
- ext_sni_init,
+ NULL,
ext_sni_add_clienthello,
ext_sni_parse_serverhello,
ext_sni_parse_clienthello,
@@ -2979,7 +2974,7 @@
return 1;
case SSL_TLSEXT_ERR_NOACK:
- ssl->s3->tmp.should_ack_sni = 0;
+ ssl->s3->hs->should_ack_sni = 0;
return 1;
default:
