From: Lutz Jänicke Date: Sun, 10 Feb 2002 12:52:57 +0000 (+0000) Subject: Backport from 0.9.7: X-Git-Tag: OpenSSL_0_9_6d-beta1~64 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=76dca45720f236e6df65decefad3505bc85e1c99;p=oweals%2Fopenssl.git Backport from 0.9.7: Make removal from internal session cache more robust and do not store into internal session cache when it won't be looked up anyway.
---
diff --git a/CHANGES b/CHANGES
index 2c6d772d14..f52b4da859 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,17 @@
 Changes between 0.9.6c and 0.9.6d [XX xxx XXXX]
+ *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
+ check whether we deal with a copy of a session and do not delete from
+ the cache in this case. Problem reported by "Izhar Shoshani Levi"
+ .
+ [Lutz Jaenicke]
+
+ *) Do not store session data into the internal session cache, if it
+ is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
+ flag is set). Proposed by Aslam .
+ [Lutz Jaenicke]
+
 *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested value is 0. [Richard Levitte]
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2006a5a1eb..24cec2afe5 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1472,9 +1472,10 @@ void ssl_update_cache(SSL *s,int mode)
 * and it would be rather hard to do anyway :-) */
 if (s->session->session_id_length == 0) return;
- if ((s->ctx->session_cache_mode & mode)
- && (!s->hit)
- && SSL_CTX_add_session(s->ctx,s->session)
+ i=s->ctx->session_cache_mode;
+ if ((i & mode) && (!s->hit)
+ && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)
+ || SSL_CTX_add_session(s->ctx,s->session))
 && (s->ctx->new_session_cb != NULL))
 {
 CRYPTO_add(&s->session->references,1,CRYPTO_LOCK_SSL_SESSION);
@@ -1483,7 +1484,6 @@ void ssl_update_cache(SSL *s,int mode)
 }
 /* auto flush every 255 connections */
- i=s->ctx->session_cache_mode;
 if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode))
 {
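Review bot: The store side effect in the first ssl_lib.c hunk is easy to misread: `SSL_CTX_add_session()` now sits behind `(i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) ||`, so whether the session is stored at all depends on short-circuit order. A comment above the `if`, such as `/* NO_INTERNAL_LOOKUP: skip the internal store and hand the session to new_session_cb only */`, would make that explicit. With the flag set and `new_session_cb` NULL the session is kept nowhere, which is worth stating where the flag is documented. Sessions skipped here never enter `ctx->sessions`, so their expiry and invalidation presumably rest entirely on the external cache, and the comment should say so. The body of ssl_update_cache() starts and ends outside the hunk.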
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 7064262def..8476f41707 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -423,10 +423,10 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
 if ((c != NULL) && (c->session_id_length != 0))
 {
 if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
- r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
- if (r != NULL)
+ if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c)
 {
 ret=1;
+ r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
 SSL_SESSION_list_remove(ctx,c);
 }
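Review bot: The pointer-identity test in remove_session_lock() is the whole point of the fix, yet nothing in the code says why it is there. A comment above the `if`, such as `/* remove only if the cached entry is this very object; a copy with the same session ID must not evict the original */`, would keep it from being simplified back to a plain delete. When the lookup finds a different object, `r` is left pointing at a cache entry this call does not own. It would be safer to test without assigning, `if ((SSL_SESSION *)lh_retrieve(ctx->sessions,c) == c)`, so that only `lh_delete()` sets `r`. The rest of the function is outside the hunk; if it calls `remove_session_cb` only when `ret` is set, a session that was never in the internal cache would not be reported to an external cache on removal, which should be checked.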