Commit e70656cf authored by Matt Caswell's avatar Matt Caswell
Browse files

Ensure SSL_set_session clears the old session from cache if it is bad 



SSL_clear() and SSL_free() will remove a session from the cache if it is
considered "bad". However SSL_set_session() does not do this for the session
it is replacing.

SSL_clear() clears an SSL object ready for reuse. It does not clear the
session though. This means that:

  SSL_clear(s)
  SSL_set_session(s, sess);

and
  SSL_set_session(s, sess);
  SSL_clear(s);

do not do the same thing, although logically you would expect that they
would.

The failure of SSL_set_session() to remove bad sessions from the cache
should be considered a bug, so this commit fixes it.

RT#597

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent b0292980

ssl/ssl_sess.c

+11 −19
Original line number Diff line number Diff line
@@ -774,28 +774,20 @@ int SSL_SESSION_up_ref(SSL_SESSION *ss) 


int SSL_set_session(SSL *s, SSL_SESSION *session)

{

    int ret = 0;

    if (session != NULL) {

    ssl_clear_bad_session(s);

    if (s->ctx->method != s->method) {

        if (!SSL_set_ssl_method(s, s->ctx->method))

                return (0);

            return 0;

    }



    if (session != NULL) {

        SSL_SESSION_up_ref(session);

        s->verify_result = session->verify_result;

    }

    SSL_SESSION_free(s->session);

    s->session = session;

        s->verify_result = s->session->verify_result;

        ret = 1;

    } else {

        SSL_SESSION_free(s->session);

        s->session = NULL;

        if (s->ctx->method != s->method) {

            if (!SSL_set_ssl_method(s, s->ctx->method))

                return (0);

        }

        ret = 1;

    }

    return (ret);



    return 1;

}



long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)