From d7f3e799baf4d319f4158db8f17e88e2c668187a Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Tue, 19 Jul 2016 00:36:38 +1200
Subject: [PATCH] Revert changes in rev.14726

---
 src/CachePeer.cc | 4 +++
 src/CachePeer.h | 4 ++-
 src/adaptation/icap/ServiceRep.cc | 3 ++
 src/adaptation/icap/ServiceRep.h | 4 ++-
 src/adaptation/icap/Xaction.cc | 12 ++++++--
 src/client_side.cc | 2 +-
 src/security/Session.cc | 46 -------------------------------
 src/security/Session.h | 18 ------------
 src/ssl/BlindPeerConnector.cc | 13 ++++++---
 src/tests/stub_libsecurity.cc | 7 -----
 10 files changed, 33 insertions(+), 80 deletions(-)

diff --git a/src/CachePeer.cc b/src/CachePeer.cc
index 964948ad5b..fac6a3e5ba 100644
--- a/src/CachePeer.cc
+++ b/src/CachePeer.cc
@@ -42,6 +42,7 @@ CachePeer::CachePeer() :
     domain(NULL),
 #if USE_OPENSSL
     sslContext(NULL),
+    sslSession(NULL),
 #endif
     front_end_https(0),
     connection_auth(2 /* auto */)
@@ -101,6 +102,9 @@ CachePeer::~CachePeer()
 #if USE_OPENSSL
     if (sslContext)
         SSL_CTX_free(sslContext);
+
+    if (sslSession)
+        SSL_SESSION_free(sslSession);
 #endif
 }
 
diff --git a/src/CachePeer.h b/src/CachePeer.h
index 67a6302ae3..848150df31 100644
--- a/src/CachePeer.h
+++ b/src/CachePeer.h
@@ -184,7 +184,9 @@ public:
     /// security settings for peer connection
     Security::PeerOptions secure;
     Security::ContextPtr sslContext;
-    Security::SessionStatePointer sslSession;
+#if USE_OPENSSL
+    SSL_SESSION *sslSession;
+#endif
     int front_end_https;
     int connection_auth;
 
diff --git a/src/adaptation/icap/ServiceRep.cc b/src/adaptation/icap/ServiceRep.cc
index 14996a7fa8..7aec5ca4f2 100644
--- a/src/adaptation/icap/ServiceRep.cc
+++ b/src/adaptation/icap/ServiceRep.cc
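Review bot: `SSL_SESSION *sslSession;` in the CachePeer.h hunk becomes an owning raw pointer (the CachePeer.cc hunk releases it with SSL_SESSION_free in the destructor), yet nothing in the header records that ownership or how the reference is acquired, and whether CachePeer objects can be copied is not visible here — if they can, the same session would be freed twice. I would document the contract on the member: `/// TLS session cached for resuming connections to this peer (OpenSSL only). Owned: taken with SSL_get1_session() and released by ~CachePeer() via SSL_SESSION_free().` The `#if USE_OPENSSL` guard also removes the member in non-OpenSSL builds while the neighbouring `sslContext` stays unconditional; that is fine as long as every user sits under the same guard, as the ssl/BlindPeerConnector.cc users in this patch do, but a one-line comment saying so would save a future GnuTLS path from a build break.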
@@ -34,6 +34,9 @@ CBDATA_NAMESPACED_CLASS_INIT(Adaptation::Icap, ServiceRep);
 Adaptation::Icap::ServiceRep::ServiceRep(const ServiceConfigPointer &svcCfg):
     AsyncJob("Adaptation::Icap::ServiceRep"), Adaptation::Service(svcCfg),
     sslContext(NULL),
+#if USE_OPENSSL
+    sslSession(NULL),
+#endif
     theOptions(NULL), theOptionsFetcher(0), theLastUpdate(0),
     theBusyConns(0),
     theAllWaiters(0),
diff --git a/src/adaptation/icap/ServiceRep.h b/src/adaptation/icap/ServiceRep.h
index 579bfbd574..39e9bf57b0 100644
--- a/src/adaptation/icap/ServiceRep.h
+++ b/src/adaptation/icap/ServiceRep.h
@@ -111,7 +111,9 @@ public:
     // treat these as private, they are for callbacks only
     virtual void noteAdaptationAnswer(const Answer &answer);
     Security::ContextPtr sslContext;
-    Security::SessionStatePointer sslSession;
+#if USE_OPENSSL
+    SSL_SESSION *sslSession;
+#endif
 
 private:
     // stores Prepare() callback info
diff --git a/src/adaptation/icap/Xaction.cc b/src/adaptation/icap/Xaction.cc
index 05eb212eab..d91818065c 100644
--- a/src/adaptation/icap/Xaction.cc
+++ b/src/adaptation/icap/Xaction.cc
@@ -724,7 +724,9 @@ Ssl::IcapPeerConnector::initializeTls(Security::SessionPointer &serverSession)
     if (check)
         check->dst_peer_name = *host;
 
-    Security::GetSessionResumeData(serverSession, icapService->sslSession);
+    if (icapService->sslSession)
+        SSL_set_session(serverSession.get(), icapService->sslSession);
+
     return true;
 }
 
@@ -735,7 +737,13 @@ Ssl::IcapPeerConnector::noteNegotiationDone(ErrorState *error)
         return;
 
     const int fd = serverConnection()->fd;
-    Security::GetSessionResumeData(fd_table[fd].ssl, icapService->sslSession);
+    auto ssl = fd_table[fd].ssl.get();
+    assert(ssl);
+    if (!SSL_session_reused(ssl)) {
+        if (icapService->sslSession)
+            SSL_SESSION_free(icapService->sslSession);
+        icapService->sslSession = SSL_get1_session(ssl);
+    }
 }
 
 void
diff --git a/src/client_side.cc b/src/client_side.cc
index 9b2329517c..2caf7687bd 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
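Review bot: The ServiceRep.cc hunk only adds the `sslSession(NULL)` initializer; unlike the CachePeer.cc change in the same patch, no matching `SSL_SESSION_free(sslSession)` is added to the ServiceRep destructor, which is outside this hunk, so unless that destructor already frees the member, the reference taken by SSL_get1_session() in Xaction.cc is leaked when the service goes away. If it does not, add the same two lines there under `#if USE_OPENSSL`: `if (sslSession) SSL_SESSION_free(sslSession);`. A short comment at the initializer, `// released in ~ServiceRep`, would make the pairing visible to the next reader.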
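Review bot: In Ssl::IcapPeerConnector::noteNegotiationDone, caching `SSL_get1_session(ssl)` means later ICAP connections resume this session, and a resumed TLS handshake does not re-send or re-verify the server certificate, so the stored session carries forward this handshake's trust decision; the code is only safe because the error check whose `return;` is the first context line of the hunk stops a failed or unverified negotiation from reaching the cache update. That dependency is invisible at the point where the cache is refreshed and should be stated, e.g. `// Cache only after a validated, non-resumed handshake: resumption skips the certificate checks, so the stored session inherits this handshake's trust decision.` The `if (!SSL_session_reused(ssl))` branch also deserves a one-liner, `// a resumed handshake means the cached session is still current`. The function's opening, including that error check, begins before this hunk.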
@@ -2653,7 +2653,7 @@ clientNegotiateSSL(int fd, void *data)
         return;
     }
 
-    if (Security::SessionIsResumed(fd_table[fd].ssl)) {
+    if (SSL_session_reused(ssl)) {
         debugs(83, 2, "clientNegotiateSSL: Session " << SSL_get_session(ssl) <<
                " reused on FD " << fd << " (" << fd_table[fd].ipaddr << ":" << (int)fd_table[fd].remote_port << ")");
     } else {
diff --git a/src/security/Session.cc b/src/security/Session.cc
index e9f1efeacd..38480c1438 100644
--- a/src/security/Session.cc
+++ b/src/security/Session.cc
@@ -16,52 +16,6 @@
 #define SSL_SESSION_ID_SIZE 32
 #define SSL_SESSION_MAX_SIZE 10*1024
 
-#if USE_GNUTLS
-void
-squid_datum_free(gnutls_datum_t *D) {
-    gnutls_free(D);
-}
-#endif
-
-bool
-Security::SessionIsResumed(const Security::SessionPointer &s)
-{
-    return
-#if USE_OPENSSL
-    SSL_session_reused(s.get()) == 1;
-#elif USE_GNUTLS
-    gnutls_session_is_resumed(s.get()) != 0;
-#else
-    false;
-#endif
-}
-
-void
-Security::GetSessionResumeData(const Security::SessionPointer &s, Security::SessionStatePointer &data)
-{
-    if (!SessionIsResumed(s)) {
-#if USE_OPENSSL
-        data.reset(SSL_get1_session(s.get()));
-#elif USE_GNUTLS
-        gnutls_datum_t *tmp = nullptr;
-        (void)gnutls_session_get_data2(s.get(), tmp);
-        data.reset(tmp);
-#endif
-    }
-}
-
-void
-Security::SetSessionResumeData(const Security::SessionPtr &s, const Security::SessionStatePointer &data)
-{
-    if (s) {
-#if USE_OPENSSL
-        (void)SSL_set_session(s, data.get());
-#elif USE_GNUTLS
-        (void)gnutls_session_set_data(s, data->data, data->size);
-#endif
-    }
-}
-
 static bool
 isTlsServer()
 {
diff --git a/src/security/Session.h b/src/security/Session.h
index fae3b4c247..de9c3b785d 100644
--- a/src/security/Session.h
+++ b/src/security/Session.h
@@ -32,8 +32,6 @@ typedef SSL* SessionPtr;
 CtoCpp1(SSL_free, SSL *);
 typedef LockingPointer SessionPointer;
 
-typedef std::unique_ptr> SessionStatePointer;
-
 #elif USE_GNUTLS
 typedef gnutls_session_t SessionPtr;
 // Locks can be implemented attaching locks counter to gnutls_session_t
@@ -42,30 +40,14 @@ typedef gnutls_session_t SessionPtr;
 CtoCpp1(gnutls_deinit, gnutls_session_t);
 typedef LockingPointer SessionPointer;
 
-/// wrapper function to avoid compile errors with gnutls_free() being a typedef.
-void squid_datum_free(gnutls_datum_t *D);
-typedef std::unique_ptr> SessionStatePointer;
-
 #else
 // use void* so we can check against NULL
 typedef void* SessionPtr;
 CtoCpp1(xfree, SessionPtr);
 typedef LockingPointer SessionPointer;
-typedef std::unique_ptr SessionStatePointer;
-
 #endif
-
-/// whether the session is a resumed one
-bool SessionIsResumed(const Security::SessionPointer &);
-
-/// Retrieve the data needed to resume this session on a later connection
-void GetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &);
-
-/// Set the data for resuming a previous session.
-/// Needs to be done before using the SessionPointer for a handshake.
-void SetSessionResumeData(const Security::SessionPtr &, const Security::SessionStatePointer &);
-
 } // namespace Security
 
 #endif /* SQUID_SRC_SECURITY_SESSION_H */
diff --git a/src/ssl/BlindPeerConnector.cc b/src/ssl/BlindPeerConnector.cc
index 28734b64ba..1bc9f97629 100644
--- a/src/ssl/BlindPeerConnector.cc
+++ b/src/ssl/BlindPeerConnector.cc
@@ -45,7 +45,8 @@ Ssl::BlindPeerConnector::initializeTls(Security::SessionPointer &serverSession)
         SBuf *host = new SBuf(peer->secure.sslDomain);
         SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);
 
-        Security::SetSessionResumeData(serverSession.get(), peer->sslSession);
+        if (peer->sslSession)
+            SSL_set_session(serverSession.get(), peer->sslSession);
     } else {
         SBuf *hostName = new SBuf(request->url.host());
         SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, (void*)hostName);
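Review bot: The new `SSL_set_session(serverSession.get(), peer->sslSession);` in Ssl::BlindPeerConnector::initializeTls discards the return value, whereas the wrapper it replaces cast the call to `(void)` to mark the discard as deliberate; a failure here leaves no session attached and the client simply performs a full handshake, which is worth saying so nobody later adds error handling that aborts the connection. I would write `(void)SSL_set_session(serverSession.get(), peer->sslSession); // failure only means a full handshake`. It is also worth a comment that SSL_set_session takes its own reference, so `peer->sslSession` stays owned by the CachePeer and must not be freed here. The enclosing function starts before this hunk.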
@@ -68,9 +69,13 @@ Ssl::BlindPeerConnector::noteNegotiationDone(ErrorState *error)
         return;
     }
 
-    if (auto *peer = serverConnection()->getPeer()) {
-        const int fd = serverConnection()->fd;
-        Security::GetSessionResumeData(fd_table[fd].ssl, peer->sslSession);
+    const int fd = serverConnection()->fd;
+    Security::SessionPtr ssl = fd_table[fd].ssl.get();
+    if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) {
+        if (serverConnection()->getPeer()->sslSession)
+            SSL_SESSION_free(serverConnection()->getPeer()->sslSession);
+
+        serverConnection()->getPeer()->sslSession = SSL_get1_session(ssl);
     }
 }
 
diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
index ba40c5591a..1875e2aee2 100644
--- a/src/tests/stub_libsecurity.cc
+++ b/src/tests/stub_libsecurity.cc
@@ -48,10 +48,3 @@ const char *Security::NegotiationHistory::printTlsVersion(AnyP::ProtocolVersion
 Security::HandshakeParser::HandshakeParser() STUB
 bool Security::HandshakeParser::parseHello(const SBuf &) STUB_RETVAL(false)
 
-#include "security/Session.h"
-namespace Security {
-bool SessionIsResumed(const Security::SessionPointer &) STUB_RETVAL(false)
-void GetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &) STUB
-void SetSessionResumeData(const Security::SessionPtr &, const Security::SessionStatePointer &) STUB
-} // namespace Security
-
-- 
2.47.2
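Review bot: In Ssl::BlindPeerConnector::noteNegotiationDone the new code passes `ssl` from `fd_table[fd].ssl.get()` straight into SSL_session_reused() with no null check, while the parallel Xaction.cc hunk in this same patch does `assert(ssl)` first; the two sites should agree, and a null pointer here would fault inside OpenSSL instead of failing a clear assertion. `serverConnection()->getPeer()` is also evaluated four times where the removed code bound it once to `peer`; binding it once reads better and mirrors the Xaction.cc code. A comment on the refresh condition would also help, since the cache is updated only after a new (non-resumed) handshake and only because the error check at the top of the function, outside this hunk, has already passed.
```cpp
    const int fd = serverConnection()->fd;
    Security::SessionPtr ssl = fd_table[fd].ssl.get();
    assert(ssl);
    // Cache the session for the peer only after a new (non-resumed) handshake;
    // a resumed one means the cached session is still current.
    if (auto *peer = serverConnection()->getPeer()) {
        if (!SSL_session_reused(ssl)) {
            if (peer->sslSession)
                SSL_SESSION_free(peer->sslSession);
            peer->sslSession = SSL_get1_session(ssl);
        }
    }
```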