Changes between 0.9.6c and 0.9.6d [XX xxx XXXX]
+ *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
+ check whether we deal with a copy of a session and do not delete from
+ the cache in this case. Problem reported by "Izhar Shoshani Levi"
+ <izhar@checkpoint.com>.
+ [Lutz Jaenicke]
+
+ *) Do not store session data into the internal session cache, if it
+ is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
+ flag is set). Proposed by Aslam <aslam@funk.com>.
+ [Lutz Jaenicke]
+
*) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
value is 0.
[Richard Levitte]
* and it would be rather hard to do anyway :-) */
if (s->session->session_id_length == 0) return;
- if ((s->ctx->session_cache_mode & mode)
- && (!s->hit)
- && SSL_CTX_add_session(s->ctx,s->session)
+ i=s->ctx->session_cache_mode;
+ if ((i & mode) && (!s->hit)
+ && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)
+ || SSL_CTX_add_session(s->ctx,s->session))
&& (s->ctx->new_session_cb != NULL))
{
CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
}
/* auto flush every 255 connections */
- i=s->ctx->session_cache_mode;
if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
((i & mode) == mode))
{
if ((c != NULL) && (c->session_id_length != 0))
{
if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
- r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
- if (r != NULL)
+ if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c)
{
ret=1;
+ r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
SSL_SESSION_list_remove(ctx,c);
}
projects / oweals / openssl.git / commitdiff