Always ensure that session->cipher is set
If we have deserialized the SSL_SESSION then in some circumstances the
session->cipher value is NULL. We were patching up in some places but not
in others. We should just do it as part of loading the SSL_SESSION.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index ced6a51..568f41f 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -284,8 +284,10 @@
p = as->cipher->data;
id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1];
- ret->cipher = NULL;
ret->cipher_id = id;
+ ret->cipher = ssl3_get_cipher_by_id(id);
+ if (ret->cipher == NULL)
+ goto err;
if (!ssl_session_memcpy(ret->session_id, &ret->session_id_length,
as->session_id, SSL3_MAX_SSL_SESSION_ID_LENGTH))
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index d4145ba..88b99cc 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -2018,14 +2018,3 @@
return 1;
}
-
-const EVP_MD *ssl_cipher_get_handshake_md(int cipher_id)
-{
- const SSL_CIPHER *cipher = ssl3_get_cipher_by_id(cipher_id);
- if (cipher == NULL) {
- /* Don't recognise this cipher */
- return NULL;
- }
-
- return ssl_md(cipher->algorithm2);
-}
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 64019fe..a59683b 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1956,7 +1956,6 @@
__owur int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
__owur const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl,
const unsigned char *ptr);
-__owur const EVP_MD *ssl_cipher_get_handshake_md(int cipher_id);
__owur int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
__owur int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain);
__owur int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x);
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index c28a5e1..77c917f 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -91,6 +91,9 @@
{
SSL_SESSION *ss;
+ if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
+ return NULL;
+
ss = OPENSSL_zalloc(sizeof(*ss));
if (ss == NULL) {
SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
@@ -586,21 +589,6 @@
goto err;
}
- if (ret->cipher == NULL) {
- unsigned char buf[5], *p;
- unsigned long l;
-
- p = buf;
- l = ret->cipher_id;
- l2n(l, p);
- if ((ret->ssl_version >> 8) >= SSL3_VERSION_MAJOR)
- ret->cipher = ssl_get_cipher_by_char(s, &(buf[2]));
- else
- ret->cipher = ssl_get_cipher_by_char(s, &(buf[1]));
- if (ret->cipher == NULL)
- goto err;
- }
-
if (ret->timeout < (long)(time(NULL) - ret->time)) { /* timeout */
s->session_ctx->stats.sess_timeout++;
if (try_session_cache) {
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index c17901a..368f196 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -717,7 +717,11 @@
*/
agems += s->session->ext.tick_age_add;
- md = ssl_cipher_get_handshake_md(s->session->cipher_id);
+ if (s->session->cipher == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ md = ssl_md(s->session->cipher->algorithm2);
if (md == NULL) {
/* Don't recognise this cipher so we can't use the session. Ignore it */
return 1;
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 5a5d846..088dcbc 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -712,7 +712,7 @@
if (ret == TICKET_NO_DECRYPT)
continue;
- md = ssl_cipher_get_handshake_md(sess->cipher_id);
+ md = ssl_md(sess->cipher->algorithm2);
if (md == NULL) {
/*
* Don't recognise this cipher so we can't use the session.
