Make sure to remove bad sessions in SSL_clear() (found by Yoram Zahavi).

diff --git a/CHANGES b/CHANGES
index 634d12a7255579e06332e91d002bee905003b19d..e850b502e28b7f29643fb2618905616a2841f42d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.6c and 0.9.6d  [XX xxx XXXX]
 
+  *) Fix bug in SSL_clear(): bad sessions were not removed (found by
+     Yoram Zahavi <YoramZ@gilian.com>).
+     [Lutz Jaenicke]
+
   *) Add information about CygWin 1.3 and on, and preserve proper
      configuration for the versions before that.
      [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 24cec2afe51c1c1aceaa354d6de90acd3d6176bb..4a32d3d659a85d8d99120717ca34f19322e73eb7 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -85,7 +85,6 @@ OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
 
 int SSL_clear(SSL *s)
        {
-       int state;
 
        if (s->method == NULL)
                {
@@ -110,9 +109,14 @@ int SSL_clear(SSL *s)
                }
 #endif
 
-       state=s->state; /* Keep to check if we throw away the session-id */
        s->type=0;
 
+       if (ssl_clear_bad_session(s))
+               {
+               SSL_SESSION_free(s->session);
+               s->session=NULL;
+               }
+
        s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
 
        s->version=s->method->version;
@@ -131,12 +135,6 @@ int SSL_clear(SSL *s)
 
        ssl_clear_cipher_ctx(s);
 
-       if (ssl_clear_bad_session(s))
-               {
-               SSL_SESSION_free(s->session);
-               s->session=NULL;
-               }
-
        s->first_packet=0;
 
 #if 1