Remove peer_cert from SESS_CERT.

It's completely redundant with the copy in the SSL_SESSION except it
isn't serialized.

Change-Id: I1d95a14cae064c599e4bab576df1dd156da4b81c
Reviewed-on: https://boringssl-review.googlesource.com/5757
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 50fe9bd..65fa4a5 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1045,10 +1045,9 @@
    * probably not be retained across resumptions. */
   struct sess_cert_st /* SESS_CERT */ *sess_cert;
 
-  /* This is the cert for the other end. On clients, it will be the same as
-   * sess_cert->peer_key->x509 (the latter is not enough as sess_cert is not
-   * retained in the external representation of sessions, see ssl_asn1.c). */
+  /* peer is the peer's certificate. */
   X509 *peer;
+
   /* when app_verify_callback accepts a session where the peer's certificate is
    * not ok, we must remember the error for session reuse: */
   long verify_result; /* only for servers */
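Review bot: The new comment on `peer` drops the one fact the old text recorded, namely that this field, unlike `sess_cert`, is kept in the external representation of a session. After this commit the client also takes the key for checking ServerKeyExchange and for the RSA ClientKeyExchange from this field, so I would say so here, e.g. `/* peer is the peer's leaf certificate. Unlike sess_cert, it is retained when the session is serialized. It may be NULL if the peer sent no certificate. */`. The NULL case is inferred from the `pkey == NULL` checks in s3_clnt.c rather than stated in this header, so confirm it before adopting that sentence. The enclosing struct starts and ends outside the hunk.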
diff --git a/ssl/internal.h b/ssl/internal.h
index fdcb31c..7d9edd0 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -783,9 +783,6 @@
    * this does includes the server's leaf certificate, but, for a server, this
    * does NOT include the client's leaf. */
   STACK_OF(X509) *cert_chain;
-
-  /* peer_cert, on a client, is the leaf certificate of the peer. */
-  X509 *peer_cert;
 } SESS_CERT;
 
 /* SSL_METHOD is a compatibility structure to support the legacy version-locked
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index b81b914..576a861 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1032,9 +1032,6 @@
   sc->cert_chain = sk;
   sk = NULL;
 
-  X509_free(sc->peer_cert);
-  sc->peer_cert = X509_up_ref(leaf);
-
   X509_free(s->session->peer);
   s->session->peer = X509_up_ref(leaf);
 
@@ -1261,7 +1258,7 @@
 
   /* ServerKeyExchange should be signed by the server's public key. */
   if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
-    pkey = X509_get_pubkey(s->session->sess_cert->peer_cert);
+    pkey = X509_get_pubkey(s->session->peer);
     if (pkey == NULL) {
       goto err;
     }
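Review bot: `s->session->peer` is now the only source of the key that authenticates the ServerKeyExchange signature here, and of the RSA key used for ClientKeyExchange in the hunk at -1686, yet unlike the removed `sess_cert->peer_cert` it is also serialized with the session. Both sites therefore rely on `s->session` being the session created for this handshake, with `peer` set from the Certificate message as in the first s3_clnt.c hunk, and never one restored from a cache or from its serialized form. That appears to hold because these messages only occur in a full handshake, but nothing visible in either hunk states it, so I would add a comment at both call sites such as `/* s->session->peer was set from this handshake's Certificate message; key exchange messages are never processed on resumption. */`. It is also worth confirming that the `goto err` taken when `pkey == NULL` queues an error and sends an alert; the label and the rest of the function are outside the hunk.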
@@ -1686,7 +1683,7 @@
         goto err;
       }
 
-      pkey = X509_get_pubkey(s->session->sess_cert->peer_cert);
+      pkey = X509_get_pubkey(s->session->peer);
       if (pkey == NULL ||
           pkey->type != EVP_PKEY_RSA ||
           pkey->pkey.rsa == NULL) {
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 68a6dbe..66ef342 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -324,9 +324,6 @@
       return NULL;
     }
   }
-  if (sess_cert->peer_cert != NULL) {
-    ret->peer_cert = X509_up_ref(sess_cert->peer_cert);
-  }
   return ret;
 }
 
@@ -336,8 +333,6 @@
   }
 
   sk_X509_pop_free(sess_cert->cert_chain, X509_free);
-  X509_free(sess_cert->peer_cert);
-
   OPENSSL_free(sess_cert);
 }