From: Christopher Faulet Date: Mon, 15 Dec 2025 07:16:57 +0000 (+0100) Subject: CLEANUP: ssl-sock: Remove useless tests on connection when resuming TLS session X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a25394b6c83a820f1fa2df7673819c0e44a0d8cd;p=thirdparty%2Fhaproxy.git CLEANUP: ssl-sock: Remove useless tests on connection when resuming TLS session In ssl_sock_srv_try_reuse_sess(), the connection is always defined, to TCP and QUIC connections. No reason to test it. Because it is not so obvious for the QUIC part, a BUG_ON() could be added here. For now, just remove useless tests. This patch should fix a Coverity report from #3213. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 6f3c88d1d..aad4e56de 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5701,7 +5701,7 @@ int ssl_sock_srv_try_reuse_sess(struct ssl_sock_ctx *ctx, struct server *srv) /* No connection or the sni of the cached SSL session does not * match the one of the new connection, don't reuse the SSL session */ - if (!conn || srv->ssl_ctx.reused_sess[tid].sni_hash != conn->sni_hash) + if (srv->ssl_ctx.reused_sess[tid].sni_hash != conn->sni_hash) goto out; /* let's recreate a session from (ptr,size) and assign @@ -5752,7 +5752,7 @@ int ssl_sock_srv_try_reuse_sess(struct ssl_sock_ctx *ctx, struct server *srv) /* No connection or the sni of the cached SSL session does not * match the one of the new connection, don't reuse the SSL session */ - if (!conn || srv->ssl_ctx.reused_sess[old_tid-1].sni_hash != conn->sni_hash) { + if (srv->ssl_ctx.reused_sess[old_tid-1].sni_hash != conn->sni_hash) { HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.reused_sess[old_tid-1].sess_lock); goto out; }
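Review bot: In the first hunk (@@ -5701), the unchanged comment above the condition still begins "No connection or the sni of the cached SSL session does not match", but the `!conn` test it described has been removed. Reword the comment so it covers only the SNI hash mismatch, matching the remaining condition `srv->ssl_ctx.reused_sess[tid].sni_hash != conn->sni_hash`.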
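Review bot: In the second hunk (@@ -5752), `conn->sni_hash` is now dereferenced unconditionally while the read lock on `reused_sess[old_tid-1].sess_lock` is held, and nothing in the visible lines states or enforces that `conn` is non-NULL. The commit message itself says this is not obvious for the QUIC part, so I would add the `BUG_ON(!conn)` it mentions in this patch rather than later, placed once before the first use of `conn`, so the invariant is explicit for both branches and for static analysis. The "No connection or" comment above this condition is stale here as well and should be updated along with it.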