From: Matt Caswell Date: Thu, 9 Jun 2016 12:24:54 +0000 (+0100) Subject: Ensure SSL_set_session clears the old session from cache if it is bad X-Git-Tag: OpenSSL_1_1_0-pre6~474 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=e70656cf1c9e886344913444fe2f3a0b7d3721a9 Ensure SSL_set_session clears the old session from cache if it is bad SSL_clear() and SSL_free() will remove a session from the cache if it is considered "bad". However SSL_set_session() does not do this for the session it is replacing. SSL_clear() clears an SSL object ready for reuse. It does not clear the session though. This means that: SSL_clear(s) SSL_set_session(s, sess); and SSL_set_session(s, sess); SSL_clear(s); do not do the same thing, although logically you would expect that they would. The failure of SSL_set_session() to remove bad sessions from the cache should be considered a bug, so this commit fixes it. RT#597 Reviewed-by: Rich Salz --- diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 9095363702..6e53d9b27a 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -774,28 +774,20 @@ int SSL_SESSION_up_ref(SSL_SESSION *ss) int SSL_set_session(SSL *s, SSL_SESSION *session) { - int ret = 0; - if (session != NULL) { - if (s->ctx->method != s->method) { - if (!SSL_set_ssl_method(s, s->ctx->method)) - return (0); - } + ssl_clear_bad_session(s); + if (s->ctx->method != s->method) { + if (!SSL_set_ssl_method(s, s->ctx->method)) + return 0; + } + if (session != NULL) { SSL_SESSION_up_ref(session); - SSL_SESSION_free(s->session); - s->session = session; - s->verify_result = s->session->verify_result; - ret = 1; - } else { - SSL_SESSION_free(s->session); - s->session = NULL; - if (s->ctx->method != s->method) { - if (!SSL_set_ssl_method(s, s->ctx->method)) - return (0); - } - ret = 1; + s->verify_result = session->verify_result; } - return (ret); + SSL_SESSION_free(s->session); + s->session = session; + + return 1; } long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)