Reorder cleanup sequence in SSL_CTX_free() to leave ex_data for remove_cb().

[openssl.git] / ssl / ssl_lib.c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b50fc463d1a4906159d0b7c0c65e517cda8bb247..1ddd3380acb15adace6865967bcaeb2c2f65beb8 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1409,13 +1409,24 @@ void SSL_CTX_free(SSL_CTX *a)
                abort(); /* ok */
                }
 #endif
-       CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
 
+       /*
+        * Free internal session cache. However: the remove_cb() may reference
+        * the ex_data of SSL_CTX, thus the ex_data store can only be removed
+        * after the sessions were flushed.
+        * As the ex_data handling routines might also touch the session cache,
+        * the most secure solution seems to be: empty (flush) the cache, then
+        * free ex_data, then finally free the cache.
+        * (See ticket [openssl.org #212].)
+        */
        if (a->sessions != NULL)
-               {
                SSL_CTX_flush_sessions(a,0);
+
+       CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
+
+       if (a->sessions != NULL)
                lh_free(a->sessions);
-               }
+
        if (a->cert_store != NULL)
                X509_STORE_free(a->cert_store);
        if (a->cipher_list != NULL)
@@ -1658,7 +1669,6 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
                /* key usage, if present, must allow key agreement */
                if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
                        {
-                       printf("ECC cert not authorized for key agreement\n");
                        return 0;
                        }
                if (alg & SSL_aECDSA) 
@@ -1666,7 +1676,6 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
                        /* signature alg must be ECDSA */
                        if (signature_nid != NID_ecdsa_with_SHA1)
                                {
-                               printf("ECC cert not signed w/ ECDSA\n");
                                return 0;
                                }
                        }
@@ -1677,7 +1686,6 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
                            (signature_nid != NID_md4WithRSAEncryption) &&
                            (signature_nid != NID_md2WithRSAEncryption))
                                {
-                               printf("ECC cert not signed w/ RSA\n");
                                return 0;
                                }
                        }
@@ -1687,7 +1695,6 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
                /* key usage, if present, must allow signing */
                if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
                        {
-                       printf("ECC cert not authorized for signature\n");
                        return 0;
                        }
                }