Store verify_result with sessions to avoid potential security hole.

For the server side this was already done one year ago :-(

diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index 47dd09c286f398922daf505534394f67b0f66395..28d6d652961684101c317392e42a75a8d29413f0 100644 (file)
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -921,6 +921,7 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data)
                goto err;
                }
        ERR_clear_error(); /* but we keep s->verify_result */
+       s->session->verify_result = s->verify_result;
 
        /* server's cert for this session */
        sc=ssl_sess_cert_new();

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 62040f9f1d01ba340a3d184113539eb2dc396bf1..eec45cfa485d0d0a7ae6a4f06a3f3abf430d15b4 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -815,6 +815,7 @@ static int ssl3_get_server_certificate(SSL *s)
                X509_free(s->session->peer);
        CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
        s->session->peer=x;
+       s->session->verify_result = s->verify_result;
 
        x=NULL;
        ret=1;

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 416def8908e82ce213d6dbad5fc93ad1050d4769..7064262def86cd38857b8a7e2d185435ddf9d5f3 100644 (file)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -508,6 +508,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
                if (s->session != NULL)
                        SSL_SESSION_free(s->session);
                s->session=session;
+               s->verify_result = s->session->verify_result;
                /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
                ret=1;
                }