When build as dynamic engines, the loading functions should be defined

[openssl.git] / ssl / ssl_lib.c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index eda3cfd11631854399b85f41dbf3e13108b08080..851155e04e79a17e85393308d70804d89b089f47 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1409,13 +1409,24 @@ void SSL_CTX_free(SSL_CTX *a)
                abort(); /* ok */
                }
 #endif
-       CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
 
+       /*
+        * Free internal session cache. However: the remove_cb() may reference
+        * the ex_data of SSL_CTX, thus the ex_data store can only be removed
+        * after the sessions were flushed.
+        * As the ex_data handling routines might also touch the session cache,
+        * the most secure solution seems to be: empty (flush) the cache, then
+        * free ex_data, then finally free the cache.
+        * (See ticket [openssl.org #212].)
+        */
        if (a->sessions != NULL)
-               {
                SSL_CTX_flush_sessions(a,0);
+
+       CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
+
+       if (a->sessions != NULL)
                lh_free(a->sessions);
-               }
+
        if (a->cert_store != NULL)
                X509_STORE_free(a->cert_store);
        if (a->cipher_list != NULL)
@@ -1792,7 +1803,7 @@ void ssl_update_cache(SSL *s,int mode)
 
        i=s->ctx->session_cache_mode;
        if ((i & mode) && (!s->hit)
-               && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)
+               && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
                    || SSL_CTX_add_session(s->ctx,s->session))
                && (s->ctx->new_session_cb != NULL))
                {