Make sure to remove bad sessions in SSL_clear() (found by Yoram Zahavi).

author Lutz Jänicke <jaenicke@openssl.org>

Tue, 26 Feb 2002 21:40:09 +0000 (21:40 +0000)

committer Lutz Jänicke <jaenicke@openssl.org>

Tue, 26 Feb 2002 21:40:09 +0000 (21:40 +0000)
author Lutz Jänicke <jaenicke@openssl.org>
Tue, 26 Feb 2002 21:40:09 +0000 (21:40 +0000)
committer Lutz Jänicke <jaenicke@openssl.org>
Tue, 26 Feb 2002 21:40:09 +0000 (21:40 +0000)
diff --git a/CHANGES b/CHANGES

index 8f7374e263d2fe20330b1bb4a450add3d0327081..269a7740997a11adc0e8d086fcd5b57a49ad28af 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -43,6 +43,10 @@
           *) applies to 0.9.6a ... 0.9.6d and 0.9.7
           +) applies to 0.9.7 only
  
           *) applies to 0.9.6a ... 0.9.6d and 0.9.7
           +) applies to 0.9.7 only
  
+  *) Fix bug in SSL_clear(): bad sessions were not removed (found by
+     Yoram Zahavi <YoramZ@gilian.com>).
+     [Lutz Jaenicke]
+
    +) Add and OPENSSL_LOAD_CONF define which will cause
       OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
       This allows older applications to transparently support certain
    +) Add and OPENSSL_LOAD_CONF define which will cause
       OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
       This allows older applications to transparently support certain
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c

index 1195171a577d7023afd8625ad2336d5a935b7497..2b60d7288feb7f0c2607ea6b68c9eeb947a5383e 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -136,7 +136,6 @@ OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
  
  int SSL_clear(SSL *s)
         {
  
  int SSL_clear(SSL *s)
         {
-       int state;
  
         if (s->method == NULL)
                 {
  
         if (s->method == NULL)
                 {
@@ -161,9 +160,14 @@ int SSL_clear(SSL *s)
                 }
  #endif
  
                 }
  #endif
  
-       state=s->state; /* Keep to check if we throw away the session-id */
         s->type=0;
  
         s->type=0;
  
+       if (ssl_clear_bad_session(s))
+               {
+               SSL_SESSION_free(s->session);
+               s->session=NULL;
+               }
+
         s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
  
         s->version=s->method->version;
         s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
  
         s->version=s->method->version;
@@ -182,12 +186,6 @@ int SSL_clear(SSL *s)
  
         ssl_clear_cipher_ctx(s);
  
  
         ssl_clear_cipher_ctx(s);
  
-       if (ssl_clear_bad_session(s))
-               {
-               SSL_SESSION_free(s->session);
-               s->session=NULL;
-               }
-
         s->first_packet=0;
  
  #if 1
         s->first_packet=0;
  
  #if 1
author	Lutz Jänicke <jaenicke@openssl.org>
	Tue, 26 Feb 2002 21:40:09 +0000 (21:40 +0000)
committer	Lutz Jänicke <jaenicke@openssl.org>
	Tue, 26 Feb 2002 21:40:09 +0000 (21:40 +0000)
CHANGES		patch \| blob \| history
ssl/ssl_lib.c		patch \| blob \| history