diff options
author | Matt Caswell <matt@openssl.org> | 2016-06-09 13:24:54 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-06-13 17:35:18 +0100 |
commit | e70656cf1c9e886344913444fe2f3a0b7d3721a9 (patch) | |
tree | 48cb145931df24367364b613b820b1bf9c95e458 /ssl/ssl_sess.c | |
parent | b02929802c1fc47daf268ec208ee113dcce3ed32 (diff) |
Ensure SSL_set_session clears the old session from cache if it is bad
SSL_clear() and SSL_free() will remove a session from the cache if it is
considered "bad". However SSL_set_session() does not do this for the session
it is replacing.
SSL_clear() clears an SSL object ready for reuse. It does not clear the
session though. This means that:
SSL_clear(s)
SSL_set_session(s, sess);
and
SSL_set_session(s, sess);
SSL_clear(s);
do not do the same thing, although logically you would expect that they
would.
The failure of SSL_set_session() to remove bad sessions from the cache
should be considered a bug, so this commit fixes it.
RT#597
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl/ssl_sess.c')
-rw-r--r-- | ssl/ssl_sess.c | 30 |
1 files changed, 11 insertions, 19 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 9095363702..6e53d9b27a 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -774,28 +774,20 @@ int SSL_SESSION_up_ref(SSL_SESSION *ss) int SSL_set_session(SSL *s, SSL_SESSION *session) { - int ret = 0; - if (session != NULL) { - if (s->ctx->method != s->method) { - if (!SSL_set_ssl_method(s, s->ctx->method)) - return (0); - } + ssl_clear_bad_session(s); + if (s->ctx->method != s->method) { + if (!SSL_set_ssl_method(s, s->ctx->method)) + return 0; + } + if (session != NULL) { SSL_SESSION_up_ref(session); - SSL_SESSION_free(s->session); - s->session = session; - s->verify_result = s->session->verify_result; - ret = 1; - } else { - SSL_SESSION_free(s->session); - s->session = NULL; - if (s->ctx->method != s->method) { - if (!SSL_set_ssl_method(s, s->ctx->method)) - return (0); - } - ret = 1; + s->verify_result = session->verify_result; } - return (ret); + SSL_SESSION_free(s->session); + s->session = session; + + return 1; } long SSL_SESSION_set_timeout(SSL_SESSION *s, long t) |