Make sure that bad sessions are removed in SSL_clear() (found by

Yoram Zahavi). Submitted by: Reviewed by: PR:
2002-02-26 21:44:07 +00:00 · 2002-02-26 21:44:07 +00:00 · 3b79d2789d
commit 3b79d2789d
parent bb9dcc99cf
2 changed files with 10 additions and 8 deletions
--- a/4
+++ b/4
@ -13,6 +13,10 @@
         *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
         +) applies to 0.9.7 only

+  *) Fix bug in SSL_clear(): bad sessions were not removed (found by
+     Yoram Zahavi <YoramZ@gilian.com>).
+     [Lutz Jaenicke]
+
  +) Add and OPENSSL_LOAD_CONF define which will cause
     OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
     This allows older applications to transparently support certain
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -136,7 +136,6 @@ OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={

 int SSL_clear(SSL *s)
 	{
-	int state;

 	if (s->method == NULL)
 		{
@ -161,9 +160,14 @@ int SSL_clear(SSL *s)
 		}
 #endif

-	state=s->state; /* Keep to check if we throw away the session-id */
 	s->type=0;

+	if (ssl_clear_bad_session(s))
+		{
+		SSL_SESSION_free(s->session);
+		s->session=NULL;
+		}
+
 	s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);

 	s->version=s->method->version;
@ -182,12 +186,6 @@ int SSL_clear(SSL *s)

 	ssl_clear_cipher_ctx(s);

-	if (ssl_clear_bad_session(s))
-		{
-		SSL_SESSION_free(s->session);
-		s->session=NULL;
-		}
-
 	s->first_packet=0;

 #if 1