Simplify server-side ECDH curve selection.

There are multiple sets of APIs for selecting the curve. Fold away SSL_OP_SINGLE_ECDH_USE as failing to set it is either a no-op or a bug. With that gone, the consumer only needs to control the selection of a curve, with key generation from then on being uniform. Also clean up the interaction between the three API modes in s3_srvr.c; they were already mutually exclusive due to tls1_check_ec_tmp_key.

This also removes all callers of EC_KEY_dup (and thus CRYPTO_dup_ex_data) within the library.

Change-Id: I477b13bd9e77eb03d944ef631dd521639968dc8c
Reviewed-on: https://boringssl-review.googlesource.com/4200
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index fbe38ec..185c12b 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c
@@ -212,13 +212,7 @@ } ret->dh_tmp_cb = cert->dh_tmp_cb; - if (cert->ecdh_tmp) { - ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); - if (ret->ecdh_tmp == NULL) { - OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_EC_LIB); - goto err; - } - } + ret->ecdh_nid = cert->ecdh_nid; ret->ecdh_tmp_cb = cert->ecdh_tmp_cb; ret->ecdh_tmp_auto = cert->ecdh_tmp_auto; @@ -324,9 +318,6 @@ if (c->dh_tmp) { DH_free(c->dh_tmp); } - if (c->ecdh_tmp) { - EC_KEY_free(c->ecdh_tmp); - } ssl_cert_clear_certs(c); if (c->peer_sigalgs) {
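
Review bot: in the ssl/ssl_cert.c hunk at @@ -212,13 +212,7 @@, the new `ret->ecdh_nid = cert->ecdh_nid;` sits next to the copies of `ecdh_tmp_cb` and `ecdh_tmp_auto` with nothing stating which of the three takes effect when more than one is configured. The commit message says the modes were already mutually exclusive through tls1_check_ec_tmp_key, so a short comment here or on the `ecdh_nid` field giving the precedence, and which value means no curve was configured, would save the next reader from tracing it through s3_srvr.c.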
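
Review bot: the ssl/ssl_cert.c hunk at @@ -324,9 +318,6 @@ drops the `EC_KEY_free(c->ecdh_tmp)` call, which is only safe if the `ecdh_tmp` member is deleted from the struct in the same change, and the struct definition is not part of this file's diff. If the member stays and any remaining code still assigns it, the key is leaked when the cert structure is freed. Please confirm the member is gone, so that any leftover reference to `ecdh_tmp` fails to compile instead of leaking silently.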