From 24774fefd674bb230c271ede1c825856bdd56d1f Mon Sep 17 00:00:00 2001 From: Jim Hague Date: Tue, 15 Jan 2019 11:01:58 +0000 Subject: [PATCH] Remove 'upstream' association with connection, now unused. --- src/gnutls/pubkey-pinning-internal.c | 7 ---- src/openssl/pubkey-pinning-internal.c | 56 --------------------------- src/pubkey-pinning.h | 4 -- src/stub.c | 4 -- 4 files changed, 71 deletions(-) diff --git a/src/gnutls/pubkey-pinning-internal.c b/src/gnutls/pubkey-pinning-internal.c index 61d94645..41033bf3 100644 --- a/src/gnutls/pubkey-pinning-internal.c +++ b/src/gnutls/pubkey-pinning-internal.c @@ -42,13 +42,6 @@ ** Interfaces from pubkey-pinning.h **/ -getdns_return_t -_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, - getdns_upstream *upstream) -{ - return GETDNS_RETURN_GOOD; -} - getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_size) { struct base64_decode_ctx ctx; diff --git a/src/openssl/pubkey-pinning-internal.c b/src/openssl/pubkey-pinning-internal.c index fd8ad6fe..d18103de 100644 --- a/src/openssl/pubkey-pinning-internal.c +++ b/src/openssl/pubkey-pinning-internal.c @@ -58,10 +58,6 @@ #include "pubkey-pinning-internal.h" -#if OPENSSL_VERSION_NUMBER < 0x10100000 -#define X509_STORE_CTX_get0_untrusted(store) store->untrusted -#endif - /* we only support sha256 at the moment. adding support for another digest is more complex than just adding another entry here. in particular, you'll probably need a match for a particular cert @@ -91,56 +87,4 @@ getdns_return_t _getdns_decode_base64(const char* str, uint8_t* res, size_t res_ return ret; } -/* this should only happen once ever in the life of the library. it's - used to associate a getdns_context_t with an SSL_CTX, to be able to - do custom verification. - - see doc/HOWTO/proxy_certificates.txt as an example -*/ -static int -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) -_get_ssl_getdns_upstream_idx(void) -#else -_get_ssl_getdns_upstream_idx(X509_STORE *store) -#endif -{ - static volatile int idx = -1; - if (idx < 0) { -#if OPENSSL_VERSION_NUMBER < 0x10100000 - CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); -#else - X509_STORE_lock(store); -#endif - if (idx < 0) - idx = SSL_get_ex_new_index(0, "associated getdns upstream", - NULL,NULL,NULL); -#if OPENSSL_VERSION_NUMBER < 0x10100000 - CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); -#else - X509_STORE_unlock(store); -#endif - } - return idx; -} - -getdns_return_t -_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, - getdns_upstream *upstream) -{ - if (!conn || !conn->ssl) - return GETDNS_RETURN_INVALID_PARAMETER; - -#if OPENSSL_VERSION_NUMBER < 0x10100000 - int uidx = _get_ssl_getdns_upstream_idx(); -#else - int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(conn->ssl))); -#endif - if (SSL_set_ex_data(conn->ssl, uidx, upstream)) - return GETDNS_RETURN_GOOD; - else - return GETDNS_RETURN_GENERIC_ERROR; - /* TODO: if we want more details about errors somehow, we - * might call ERR_get_error (see CRYPTO_set_ex_data(3ssl))*/ -} - /* pubkey-pinning.c */ diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h index c60a7eca..0e2347b2 100644 --- a/src/pubkey-pinning.h +++ b/src/pubkey-pinning.h @@ -52,9 +52,5 @@ _getdns_get_pubkey_pinset_list(const getdns_context *ctx, const sha256_pin_t *pinset_in, getdns_list **pinset_list); -getdns_return_t -_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn, - getdns_upstream *upstream); - #endif /* pubkey-pinning.h */ diff --git a/src/stub.c b/src/stub.c index 29929613..d9736288 100644 --- a/src/stub.c +++ b/src/stub.c @@ -843,10 +843,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) r = _getdns_tls_connection_set_cipher_list(tls, upstream->tls_cipher_list); } - /* make sure we'll be able to find the context again when we need it */ - if (!r) - r = _getdns_associate_upstream_with_connection(tls, upstream); - if (r) { _getdns_tls_connection_free(&upstream->upstreams->mf, tls); upstream->tls_auth_state = r;