Ensure SSL_set_session clears the old session from cache if it is bad
SSL_clear() and SSL_free() will remove a session from the cache if it is
considered "bad". However SSL_set_session() does not do this for the session
it is replacing.
SSL_clear() clears an SSL object ready for reuse. It does not clear the
session though. This means that:
SSL_clear(s)
SSL_set_session(s, sess);
and
SSL_set_session(s, sess);
SSL_clear(s);
do not do the same thing, although logically you would expect that they
would.
The failure of SSL_set_session() to remove bad sessions from the cache
should be considered a bug, so this commit fixes it.
RT#597
Reviewed-by: Rich Salz <rsalz@openssl.org>
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 9095363..6e53d9b 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -774,28 +774,20 @@
int SSL_set_session(SSL *s, SSL_SESSION *session)
{
- int ret = 0;
- if (session != NULL) {
- if (s->ctx->method != s->method) {
- if (!SSL_set_ssl_method(s, s->ctx->method))
- return (0);
- }
-
- SSL_SESSION_up_ref(session);
- SSL_SESSION_free(s->session);
- s->session = session;
- s->verify_result = s->session->verify_result;
- ret = 1;
- } else {
- SSL_SESSION_free(s->session);
- s->session = NULL;
- if (s->ctx->method != s->method) {
- if (!SSL_set_ssl_method(s, s->ctx->method))
- return (0);
- }
- ret = 1;
+ ssl_clear_bad_session(s);
+ if (s->ctx->method != s->method) {
+ if (!SSL_set_ssl_method(s, s->ctx->method))
+ return 0;
}
- return (ret);
+
+ if (session != NULL) {
+ SSL_SESSION_up_ref(session);
+ s->verify_result = session->verify_result;
+ }
+ SSL_SESSION_free(s->session);
+ s->session = session;
+
+ return 1;
}
long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
