Remove compress/expand fields from SSL_CONNECTION

They are no longer needed. The new record layer handles this. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19586)
2025-03-13 19:47:47 +08:00 · 2022-10-31 16:22:05 +00:00 · 2022-10-31 16:22:05 +00:00 · 6d814fd607
commit 6d814fd607
parent f471f60a8a
2 changed files with 27 additions and 39 deletions
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -541,11 +541,29 @@ static int ssl_check_allowed_versions(int min_version, int max_version)
 void OPENSSL_VPROC_FUNC(void) {}
 #endif

-
-static void clear_ciphers(SSL_CONNECTION *s)
+static int clear_record_layer(SSL_CONNECTION *s)
 {
-    /* clear the current cipher */
-    ssl_clear_cipher_ctx(s);
+    int ret;
+
+    /* We try and reset both record layers even if one fails */
+
+    ret = ssl_set_new_record_layer(s,
+                                   SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION
+                                                             : TLS_ANY_VERSION,
+                                   OSSL_RECORD_DIRECTION_READ,
+                                   OSSL_RECORD_PROTECTION_LEVEL_NONE,
+                                   NULL, 0, NULL, 0, NULL,  0, NULL, 0,
+                                   NID_undef, NULL, NULL);
+
+    ret &= ssl_set_new_record_layer(s,
+                                    SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION
+                                                              : TLS_ANY_VERSION,
+                                    OSSL_RECORD_DIRECTION_WRITE,
+                                    OSSL_RECORD_PROTECTION_LEVEL_NONE,
+                                    NULL, 0, NULL, 0, NULL,  0, NULL, 0,
+                                    NID_undef, NULL, NULL);
+    /* SSLfatal already called in the event of failure */
+    return ret;
 }

 int SSL_clear(SSL *s)
@ -595,7 +613,6 @@ int ossl_ssl_connection_reset(SSL *s)

    BUF_MEM_free(sc->init_buf);
    sc->init_buf = NULL;
-    clear_ciphers(sc);
    sc->first_packet = 0;

    sc->key_update = SSL_KEY_UPDATE_NONE;
@ -639,24 +656,8 @@ int ossl_ssl_connection_reset(SSL *s)
    BIO_free(sc->rlayer.rrlnext);
    sc->rlayer.rrlnext = NULL;

-    if (!ssl_set_new_record_layer(sc,
-                                  SSL_CONNECTION_IS_DTLS(sc) ? DTLS_ANY_VERSION : TLS_ANY_VERSION,
-                                  OSSL_RECORD_DIRECTION_READ,
-                                  OSSL_RECORD_PROTECTION_LEVEL_NONE,
-                                  NULL, 0, NULL, 0, NULL,  0, NULL, 0,
-                                  NID_undef, NULL, NULL)) {
-        /* SSLfatal already called */
+    if (!clear_record_layer(sc))
        return 0;
-    }
-    if (!ssl_set_new_record_layer(sc,
-                                  SSL_CONNECTION_IS_DTLS(sc) ? DTLS_ANY_VERSION : TLS_ANY_VERSION,
-                                  OSSL_RECORD_DIRECTION_WRITE,
-                                  OSSL_RECORD_PROTECTION_LEVEL_NONE,
-                                  NULL, 0, NULL, 0, NULL,  0, NULL, 0,
-                                  NID_undef, NULL, NULL)) {
-        /* SSLfatal already called */
-        return 0;
-    }

    return 1;
 }
@ -1369,8 +1370,6 @@ void ossl_ssl_connection_free(SSL *ssl)
    SSL_SESSION_free(s->psksession);
    OPENSSL_free(s->psksession_id);

-    clear_ciphers(s);
-
    ssl_cert_free(s->cert);
    OPENSSL_free(s->shared_sigalgs);
    /* Free up if allocated */
@ -4485,7 +4484,8 @@ void SSL_set_accept_state(SSL *s)
    sc->shutdown = 0;
    ossl_statem_clear(sc);
    sc->handshake_func = s->method->ssl_accept;
-    clear_ciphers(sc);
+    /* Ignore return value. Its a void public API function */
+    clear_record_layer(sc);
 }

 void SSL_set_connect_state(SSL *s)
@ -4500,7 +4500,8 @@ void SSL_set_connect_state(SSL *s)
    sc->shutdown = 0;
    ossl_statem_clear(sc);
    sc->handshake_func = s->method->ssl_connect;
-    clear_ciphers(sc);
+    /* Ignore return value. Its a void public API function */
+    clear_record_layer(sc);
 }

 int ssl_undefined_function(SSL *s)
@ -4712,16 +4713,6 @@ SSL *SSL_dup(SSL *s)
    return NULL;
 }

-void ssl_clear_cipher_ctx(SSL_CONNECTION *s)
-{
-#ifndef OPENSSL_NO_COMP
-    COMP_CTX_free(s->expand);
-    s->expand = NULL;
-    COMP_CTX_free(s->compress);
-    s->compress = NULL;
-#endif
-}
-
 X509 *SSL_get_certificate(const SSL *s)
 {
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@ -1501,8 +1501,6 @@ struct ssl_connection_st {
    unsigned char early_exporter_master_secret[EVP_MAX_MD_SIZE];

    unsigned char read_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static read IV */
-    COMP_CTX *compress;         /* compression */
-    COMP_CTX *expand;           /* uncompress */
    unsigned char write_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static write IV */

    /* session info */
@ -2472,7 +2470,6 @@ __owur int ossl_ssl_connection_reset(SSL *ssl);

 __owur int ssl_read_internal(SSL *s, void *buf, size_t num, size_t *readbytes);
 __owur int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written);
-void ssl_clear_cipher_ctx(SSL_CONNECTION *s);
 int ssl_clear_bad_session(SSL_CONNECTION *s);
 __owur CERT *ssl_cert_new(void);
 __owur CERT *ssl_cert_dup(CERT *cert);