Move peer_dh_tmp and peer_ecdh_tmp out of SESS_CERT.
Gets another field out of the SSL_SESSION.
Change-Id: I9a27255533f8e43e152808427466ec1306cfcc60
Reviewed-on: https://boringssl-review.googlesource.com/5756
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index e04412f..9c272a6 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -519,6 +519,12 @@
/* Client-only: in_false_start is one if there is a pending handshake in
* False Start. The client may write data at this point. */
char in_false_start;
+
+ /* peer_dh_tmp, on a client, is the server's DHE public key. */
+ DH *peer_dh_tmp;
+
+ /* peer_ecdh_tmp, on a client, is the server's ECDHE public key. */
+ EC_KEY *peer_ecdh_tmp;
} tmp;
/* Connection binding to prevent renegotiation attacks */
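Review bot: The new comments on `peer_dh_tmp` and `peer_ecdh_tmp` say what the pointers hold but not who owns them or how long they live, which matters now that they sit in per-connection state rather than in the session. Judging by the other hunks in this commit, the value is replaced when a ServerKeyExchange is parsed and released in the s3 cleanup path in `ssl/s3_lib.c`. The comment could record that, e.g. `/* peer_dh_tmp, on a client, is the server's DHE public key from the most recent ServerKeyExchange. It is owned by this struct. */`, with the same wording for `peer_ecdh_tmp`. The enclosing struct starts and ends outside this hunk.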
diff --git a/ssl/internal.h b/ssl/internal.h
index 8dc3068..fdcb31c 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -786,9 +786,6 @@
/* peer_cert, on a client, is the leaf certificate of the peer. */
X509 *peer_cert;
-
- DH *peer_dh_tmp;
- EC_KEY *peer_ecdh_tmp;
} SESS_CERT;
/* SSL_METHOD is a compatibility structure to support the legacy version-locked
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 1ed1507..b81b914 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1109,12 +1109,7 @@
CBS_init(&server_key_exchange, s->init_msg, n);
server_key_exchange_orig = server_key_exchange;
- if (s->session->sess_cert != NULL) {
- DH_free(s->session->sess_cert->peer_dh_tmp);
- s->session->sess_cert->peer_dh_tmp = NULL;
- EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
- s->session->sess_cert->peer_ecdh_tmp = NULL;
- } else {
+ if (s->session->sess_cert == NULL) {
s->session->sess_cert = ssl_sess_cert_new();
if (s->session->sess_cert == NULL) {
return -1;
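Review bot: With the first arm of the old `if` removed, nothing at the top of ServerKeyExchange processing clears `s->s3->tmp.peer_dh_tmp` or `s->s3->tmp.peer_ecdh_tmp` any more; each is only replaced inside its own key-exchange branch later in the function. Because `s3->tmp` belongs to the connection rather than the session, a key parsed in an earlier handshake on the same connection can presumably still be set during a later one. The `== NULL` checks in the ClientKeyExchange hunks would then not distinguish a fresh key from a stale one. Keeping the unconditional reset here, retargeted at the new fields, preserves the old invariant: `DH_free(s->s3->tmp.peer_dh_tmp); s->s3->tmp.peer_dh_tmp = NULL;` and the same pair for `peer_ecdh_tmp` with `EC_KEY_free`. The function body starts and ends outside this hunk, so whether another path already clears these fields is not visible here.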
@@ -1191,7 +1186,8 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_DH_P_LENGTH);
goto err;
}
- s->session->sess_cert->peer_dh_tmp = dh;
+ DH_free(s->s3->tmp.peer_dh_tmp);
+ s->s3->tmp.peer_dh_tmp = dh;
dh = NULL;
} else if (alg_k & SSL_kECDHE) {
uint16_t curve_id;
@@ -1244,7 +1240,8 @@
goto f_err;
}
EC_KEY_set_public_key(ecdh, srvr_ecpoint);
- s->session->sess_cert->peer_ecdh_tmp = ecdh;
+ EC_KEY_free(s->s3->tmp.peer_ecdh_tmp);
+ s->s3->tmp.peer_ecdh_tmp = ecdh;
ecdh = NULL;
BN_CTX_free(bn_ctx);
bn_ctx = NULL;
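Review bot: The return value of `EC_KEY_set_public_key(ecdh, srvr_ecpoint)` is ignored just before `ecdh` is stored in `s->s3->tmp.peer_ecdh_tmp`, so a failed copy could leave a key with no public point in connection state. Checking it keeps the stored key well-formed: `if (!EC_KEY_set_public_key(ecdh, srvr_ecpoint)) { goto err; }`. The call itself predates this commit, and the enclosing branch starts outside the hunk.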
@@ -1735,21 +1732,14 @@
}
} else if (alg_k & SSL_kDHE) {
DH *dh_srvr, *dh_clnt;
- SESS_CERT *scert = s->session->sess_cert;
int dh_len;
size_t pub_len;
- if (scert == NULL) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
- goto err;
- }
-
- if (scert->peer_dh_tmp == NULL) {
+ if (s->s3->tmp.peer_dh_tmp == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
- dh_srvr = scert->peer_dh_tmp;
+ dh_srvr = s->s3->tmp.peer_dh_tmp;
/* generate a new random key */
dh_clnt = DHparams_dup(dh_srvr);
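Review bot: The `s->s3->tmp.peer_dh_tmp == NULL` check here, and the matching `peer_ecdh_tmp == NULL` check in the ECDHE hunk that follows, is now the only guard before the server's key is used. It reports `ERR_R_INTERNAL_ERROR` without an alert, where the removed `sess_cert` check sent `SSL_AD_UNEXPECTED_MESSAGE`. That is correct only if the handshake state machine guarantees a ServerKeyExchange was processed for these ciphers, which is not visible in the hunk. A comment at both sites would record the assumption, e.g. `/* A DHE cipher requires a ServerKeyExchange, which sets peer_dh_tmp; NULL here means the handshake state is inconsistent. */`. The enclosing branch continues past the end of the hunk.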
@@ -1791,18 +1781,12 @@
EC_KEY *tkey;
int field_size = 0, ecdh_len;
- if (s->session->sess_cert == NULL) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
- goto err;
- }
-
- if (s->session->sess_cert->peer_ecdh_tmp == NULL) {
+ if (s->s3->tmp.peer_ecdh_tmp == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err;
}
- tkey = s->session->sess_cert->peer_ecdh_tmp;
+ tkey = s->s3->tmp.peer_ecdh_tmp;
srvr_group = EC_KEY_get0_group(tkey);
srvr_ecpoint = EC_KEY_get0_public_key(tkey);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 22e7990..64e31e5 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -233,6 +233,8 @@
OPENSSL_free(s->s3->tmp.certificate_types);
OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
+ DH_free(s->s3->tmp.peer_dh_tmp);
+ EC_KEY_free(s->s3->tmp.peer_ecdh_tmp);
ssl3_free_handshake_buffer(s);
ssl3_free_handshake_hash(s);
OPENSSL_free(s->s3->alpn_selected);
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index b9be723..68a6dbe 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -327,14 +327,6 @@
if (sess_cert->peer_cert != NULL) {
ret->peer_cert = X509_up_ref(sess_cert->peer_cert);
}
- if (sess_cert->peer_dh_tmp != NULL) {
- ret->peer_dh_tmp = sess_cert->peer_dh_tmp;
- DH_up_ref(ret->peer_dh_tmp);
- }
- if (sess_cert->peer_ecdh_tmp != NULL) {
- ret->peer_ecdh_tmp = sess_cert->peer_ecdh_tmp;
- EC_KEY_up_ref(ret->peer_ecdh_tmp);
- }
return ret;
}
@@ -345,8 +337,6 @@
sk_X509_pop_free(sess_cert->cert_chain, X509_free);
X509_free(sess_cert->peer_cert);
- DH_free(sess_cert->peer_dh_tmp);
- EC_KEY_free(sess_cert->peer_ecdh_tmp);
OPENSSL_free(sess_cert);
}