Remove 'upstream' association with connection, now unused.

2019-01-15 11:01:58 +00:00 · 2019-01-15 11:01:58 +00:00 · 24774fefd6
parent 9e4add2219
commit 24774fefd6
4 changed files with 0 additions and 71 deletions
--- a/src/gnutls/pubkey-pinning-internal.c
+++ b/src/gnutls/pubkey-pinning-internal.c
@ -42,13 +42,6 @@
 ** Interfaces from pubkey-pinning.h
 **/

-getdns_return_t
-_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
-					   getdns_upstream *upstream)
-{
-	return GETDNS_RETURN_GOOD;
-}
-
 getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size)
 {
 	struct base64_decode_ctx ctx;
--- a/src/openssl/pubkey-pinning-internal.c
+++ b/src/openssl/pubkey-pinning-internal.c
@ -58,10 +58,6 @@

 #include "pubkey-pinning-internal.h"

-#if OPENSSL_VERSION_NUMBER < 0x10100000 
-#define X509_STORE_CTX_get0_untrusted(store) store->untrusted
-#endif
-
 /* we only support sha256 at the moment.  adding support for another
   digest is more complex than just adding another entry here. in
   particular, you'll probably need a match for a particular cert
@ -91,56 +87,4 @@ getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_
 	return ret;
 }

-/* this should only happen once ever in the life of the library. it's
-   used to associate a getdns_context_t with an SSL_CTX, to be able to
-   do custom verification.
-   
-   see doc/HOWTO/proxy_certificates.txt as an example
-*/
-static int
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-_get_ssl_getdns_upstream_idx(void)
-#else
-_get_ssl_getdns_upstream_idx(X509_STORE *store)
-#endif
-{
-	static volatile int idx = -1;
-	if (idx < 0) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-		CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-#else
-		X509_STORE_lock(store);
-#endif
-		if (idx < 0)
-			idx = SSL_get_ex_new_index(0, "associated getdns upstream",
-						   NULL,NULL,NULL);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
-#else
-		X509_STORE_unlock(store);
-#endif
-	}
-	return idx;
-}
-
-getdns_return_t
-_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
-					   getdns_upstream *upstream)
-{
-	if (!conn || !conn->ssl)
-		return GETDNS_RETURN_INVALID_PARAMETER;
-	
-#if OPENSSL_VERSION_NUMBER < 0x10100000
-	int uidx = _get_ssl_getdns_upstream_idx();
-#else
-	int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(conn->ssl)));
-#endif
-	if (SSL_set_ex_data(conn->ssl, uidx, upstream))
-		return GETDNS_RETURN_GOOD;
-	else
-		return GETDNS_RETURN_GENERIC_ERROR;
-	/* TODO: if we want more details about errors somehow, we
-	 * might call ERR_get_error (see CRYPTO_set_ex_data(3ssl))*/
-}
-
 /* pubkey-pinning.c */
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@ -52,9 +52,5 @@ _getdns_get_pubkey_pinset_list(const getdns_context *ctx,
 			       const sha256_pin_t *pinset_in,
 			       getdns_list **pinset_list);

-getdns_return_t
-_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
-					   getdns_upstream *upstream);
-
 #endif
 /* pubkey-pinning.h */
--- a/src/stub.c
+++ b/src/stub.c
@ -843,10 +843,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			r = _getdns_tls_connection_set_cipher_list(tls, upstream->tls_cipher_list);
 	}
 	
-	/* make sure we'll be able to find the context again when we need it */
-	if (!r)
-		r = _getdns_associate_upstream_with_connection(tls, upstream);
-
 	if (r) {
 		_getdns_tls_connection_free(&upstream->upstreams->mf, tls);
 		upstream->tls_auth_state = r;