From e70656cf1c9e886344913444fe2f3a0b7d3721a9 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 9 Jun 2016 13:24:54 +0100 Subject: [PATCH] Ensure SSL_set_session clears the old session from cache if it is bad SSL_clear() and SSL_free() will remove a session from the cache if it is considered "bad". However SSL_set_session() does not do this for the session it is replacing. SSL_clear() clears an SSL object ready for reuse. It does not clear the session though. This means that: SSL_clear(s) SSL_set_session(s, sess); and SSL_set_session(s, sess); SSL_clear(s); do not do the same thing, although logically you would expect that they would. The failure of SSL_set_session() to remove bad sessions from the cache should be considered a bug, so this commit fixes it. RT#597 Reviewed-by: Rich Salz --- ssl/ssl_sess.c | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 9095363702..6e53d9b27a 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -774,28 +774,20 @@ int SSL_SESSION_up_ref(SSL_SESSION *ss) int SSL_set_session(SSL *s, SSL_SESSION *session) { - int ret = 0; - if (session != NULL) { - if (s->ctx->method != s->method) { - if (!SSL_set_ssl_method(s, s->ctx->method)) - return (0); - } + ssl_clear_bad_session(s); + if (s->ctx->method != s->method) { + if (!SSL_set_ssl_method(s, s->ctx->method)) + return 0; + } + if (session != NULL) { SSL_SESSION_up_ref(session); - SSL_SESSION_free(s->session); - s->session = session; - s->verify_result = s->session->verify_result; - ret = 1; - } else { - SSL_SESSION_free(s->session); - s->session = NULL; - if (s->ctx->method != s->method) { - if (!SSL_set_ssl_method(s, s->ctx->method)) - return (0); - } - ret = 1; + s->verify_result = session->verify_result; } - return (ret); + SSL_SESSION_free(s->session); + s->session = session; + + return 1; } long SSL_SESSION_set_timeout(SSL_SESSION *s, long t) -- 2.34.1