stricter session ID context matching

 OpenSSL CHANGES

 _______________

 Changes between 0.9.8e and 0.9.9  [xx XXX xxxx]

 Changes between 0.9.8f and 0.9.9  [xx XXX xxxx]

  *) Change ssl_cipher_apply_rule(), the internal function that does

     the work each time a ciphersuite string requests enabling

  *) Change 'Configure' script to enable Camellia by default.

     [NTT]

 Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]

 Changes between 0.9.8e and 0.9.8f  [xx XXX xxxx]

  *) In the SSL/TLS server implementation, be strict about session ID

     context matching (which matters if an application uses a single

     external cache for different purposes).  Previously,

     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was

     set.  This did ensure strict client verification, but meant that,

     with applications using a single external cache for quite

     different requirements, clients could circumvent ciphersuite

     restrictions for a given session ID context by starting a session

     in a different context.

     [Bodo Moeller]

  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that

     a ciphersuite string such as "DEFAULT:RSA" cannot enable

     authentication-only ciphersuites.

     [Bodo Moeller]

 Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]

  *) Since AES128 and AES256 (and similarly Camellia128 and

     Camellia256) share a single mask bit in the logic of

     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a

     differing sizes.

     [Richard Levitte]

 Changes between 0.9.7m and 0.9.7n  [xx XXX xxxx]

  *) In the SSL/TLS server implementation, be strict about session ID

     context matching (which matters if an application uses a single

     external cache for different purposes).  Previously,

     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was

     set.  This did ensure strict client verification, but meant that,

     with applications using a single external cache for quite

     different requirements, clients could circumvent ciphersuite

     restrictions for a given session ID context by starting a session

     in a different context.

     [Bodo Moeller]

 Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]

  *) Cleanse PEM buffers before freeing them since they may contain 

	/* Now ret is non-NULL, and we own one of its reference counts. */

	if((s->verify_mode&SSL_VERIFY_PEER)

	   && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length

	       || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))

	if (ret->sid_ctx_length != s->sid_ctx_length

	    || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))

		{

		/* We've found the session named by the client, but we don't

		 * want to use it in this context. */

		if (s->sid_ctx_length == 0)

			{

			/* application should have used SSL[_CTX]_set_session_id_context

			 * -- we could tolerate this and just pretend we never heard

			 * of this session, but then applications could effectively

			 * disable the session cache by accident without anyone noticing */

			SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);

			fatal = 1;

			goto err;

			}

		else

			{

#if 0 /* The client cannot always know when a session is not appropriate,

       * so we shouldn't generate an error message. */

#endif

		goto err; /* treat like cache miss */

		}

	if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)

		{

		/* We can't be sure if this session is being used out of

		 * context, which is especially important for SSL_VERIFY_PEER.

		 * The application should have used SSL[_CTX]_set_session_id_context.

		 *

		 * For this error case, we generate an error instead of treating

		 * the event like a cache miss (otherwise it would be easy for

		 * applications to effectively disable the session cache by

		 * accident without anyone noticing).

		 */

		SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);

		fatal = 1;

		goto err;

		}

	if (ret->cipher == NULL)