Update from stable branch.

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 44c7c143fe7e9c75e40633de41bbbb7410051d6b..72853a2e728fd593762665fc96f31d33236fbbf9 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1225,6 +1225,13 @@ int ssl3_do_change_cipher_spec(SSL *s)
 
        if (s->s3->tmp.key_block == NULL)
                {
+               if (s->session == NULL) 
+                       {
+                       /* might happen if dtls1_read_bytes() calls this */
+                       SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+                       return (0);
+                       }
+
                s->session->cipher=s->s3->tmp.new_cipher;
                if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
                }

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 6360521fd58eada4f940879e82cc7ccbc9ee9a23..ff8a128d3c2d76df900faf9fd07af47df4e201b4 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1709,6 +1709,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL3_CONNECT                              132
 #define SSL_F_SSL3_CTRL                                         213
 #define SSL_F_SSL3_CTX_CTRL                             133
+#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC                279
 #define SSL_F_SSL3_ENC                                  134
 #define SSL_F_SSL3_GENERATE_KEY_BLOCK                   238
 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST              135

diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 2937ca58337fcf8ebcd188a01eea9d4f068a1825..24a994fe01bfafdee288e7c0cec4722cf5deec04 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -138,6 +138,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
 {ERR_FUNC(SSL_F_SSL3_CTRL),    "SSL3_CTRL"},
 {ERR_FUNC(SSL_F_SSL3_CTX_CTRL),        "SSL3_CTX_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),   "SSL3_DO_CHANGE_CIPHER_SPEC"},
 {ERR_FUNC(SSL_F_SSL3_ENC),     "SSL3_ENC"},
 {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK),      "SSL3_GENERATE_KEY_BLOCK"},
 {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 35f04afa4a72dc5ffc152b57adb7371ace33cfe3..9ce726996d9ddccd2851a14974ef41bfbabf8678 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -734,6 +734,13 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
        /* Point after session ID in client hello */
        const unsigned char *p = session_id + len;
        unsigned short i;
+
+       /* If tickets disabled behave as if no ticket present
+        * to permit stateful resumption.
+        */
+       if (SSL_get_options(s) & SSL_OP_NO_TICKET)
+               return 1;
+
        if ((s->version <= SSL3_VERSION) || !limit)
                return 1;
        if (p >= limit)
@@ -761,12 +768,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                        return 1;
                if (type == TLSEXT_TYPE_session_ticket)
                        {
-                       /* If tickets disabled indicate cache miss which will
-                        * trigger a full handshake
-                        */
-                       if (SSL_get_options(s) & SSL_OP_NO_TICKET)
-                               return 0;
-                       /* If zero length not client will accept a ticket
+                       /* If zero length note client will accept a ticket
                         * and indicate cache miss to trigger full handshake
                         */
                        if (size == 0)