Fix an oversight - when checking a potential session ID for conflicts with
an SSL_CTX's session cache, it is necessary to compare the ssl_version at the same time (a conflict is defined, courtesy of SSL_SESSION_cmp(), as a matching id/id_length pair and a matching ssl_version). However, the SSL_SESSION that will result from the current negotiation does not necessarily have the same ssl version as the "SSL_METHOD" in use by the SSL_CTX - part of the work in a handshake is to agree on an ssl version! This is fixed by having the check function accept an SSL pointer rather than the SSL_CTX it belongs to. [Thanks to Lutz for illuminating the full extent of my stupidity]
This commit is contained in:
Geoff Thorpe
@@ -146,7 +146,7 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
|
||||
unsigned int retry = 0;
|
||||
do
|
||||
RAND_pseudo_bytes(id, *id_len);
|
||||
while(SSL_CTX_has_matching_session_id(ssl->ctx, id, *id_len) &&
|
||||
while(SSL_has_matching_session_id(ssl, id, *id_len) &&
|
||||
(++retry < MAX_SESS_ID_ATTEMPTS));
|
||||
if(retry < MAX_SESS_ID_ATTEMPTS)
|
||||
return 1;
|
||||
@@ -240,7 +240,7 @@ int ssl_get_new_session(SSL *s, int session)
|
||||
else
|
||||
ss->session_id_length = tmp;
|
||||
/* Finally, check for a conflict */
|
||||
if(SSL_CTX_has_matching_session_id(s->ctx, ss->session_id,
|
||||
if(SSL_has_matching_session_id(s, ss->session_id,
|
||||
ss->session_id_length))
|
||||
{
|
||||
SSLerr(SSL_F_SSL_GET_NEW_SESSION,
|
||||
|
||||
Reference in New Issue
Block a user