X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fssl_sess.c;h=74ec2178a936a0cadcf62cb6e7ddbc6aababd022;hb=bb7cd4e3ebb9c1114b7fb6f6d0e4c280ef984889;hp=29e6cc16ce4be23e726bd00878b318843dd468db;hpb=8876bc054802b043a3ec95554b6c5873291770be;p=oweals%2Fopenssl.git

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 29e6cc16ce..74ec2178a9 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -67,19 +67,41 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
 static int ssl_session_num=0;
 static STACK *ssl_session_meth=NULL;
 
+#if 1 /* traditional SSLeay behaviour */
 SSL_SESSION *SSL_get_session(SSL *ssl)
 	{
 	return(ssl->session);
 	}
+#else /* suggested change: increase reference counter so that a session
+       * can later be set in a new SSL object.
+       * Objections:
+       *   -- the modified function should have a new name (or old
+       *      applications, including s_client, leak memory);
+       *   -- the locking seems unnecessary given that SSL structures
+       *      usually cannot be safely shared between threads anyway. */
+SSL_SESSION *SSL_get_session(SSL *ssl)
+	{
+	SSL_SESSION *sess;
+	/* Need to lock this all up rather than just use CRYPTO_add so that
+	 * somebody doesn't free ssl->session between when we check it's
+	 * non-null and when we up the reference count. */
+	CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+	sess = ssl->session;
+	if(sess)
+		sess->references++;
+	CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+	return(sess);
+	}
+#endif
 
 int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
 	     int (*dup_func)(), void (*free_func)())
-        {
-        ssl_session_num++;
-        return(CRYPTO_get_ex_new_index(ssl_session_num-1,
+	{
+	ssl_session_num++;
+	return(CRYPTO_get_ex_new_index(ssl_session_num-1,
 		&ssl_session_meth,
-                argl,argp,new_func,dup_func,free_func));
-        }
+		argl,argp,new_func,dup_func,free_func));
+	}
 
 int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
 	{
@@ -103,6 +125,7 @@ SSL_SESSION *SSL_SESSION_new(void)
 		}
 	memset(ss,0,sizeof(SSL_SESSION));
 
+	ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
 	ss->references=1;
 	ss->timeout=60*5+4; /* 5 minute timeout by default */
 	ss->time=time(NULL);
@@ -168,6 +191,8 @@ int ssl_get_new_session(SSL *s, int session)
 			CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
 			if (r == NULL) break;
 			/* else - woops a session_id match */
+			/* XXX should also check external cache!
+			 * (But the probability of a collision is negligible, anyway...) */
 			}
 		}
 	else
@@ -179,6 +204,7 @@ int ssl_get_new_session(SSL *s, int session)
 	ss->sid_ctx_length=s->sid_ctx_length;
 	s->session=ss;
 	ss->ssl_version=s->version;
+	ss->verify_result = X509_V_OK;
 
 	return(1);
 	}
@@ -201,8 +227,9 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 		{
 		CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
 		ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data);
-		/* don't allow other threads to steal it: */
-		CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
+		if (ret != NULL)
+		    /* don't allow other threads to steal it: */
+		    CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
 		CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
 		}
 
@@ -308,6 +335,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 	if (s->session != NULL)
 		SSL_SESSION_free(s->session);
 	s->session=ret;
+	s->verify_result = s->session->verify_result;
 	return(1);
 
  err: