[prev in list] [next in list] [prev in thread] [next in thread]
List: openssl-cvs
Subject: cvs commit: openssl/ssl ssl.h ssl_lib.c ssl_sess.c
From: geoff () openssl ! org
Date: 2001-02-23 0:03:04
[Download RAW message or body]
geoff 23-Feb-2001 01:03:04
Modified: ssl ssl.h ssl_lib.c ssl_sess.c
Log:
Fix an oversight - when checking a potential session ID for conflicts with
an SSL_CTX's session cache, it is necessary to compare the ssl_version at
the same time (a conflict is defined, courtesy of SSL_SESSION_cmp(), as a
matching id/id_length pair and a matching ssl_version). However, the
SSL_SESSION that will result from the current negotiation does not
necessarily have the same ssl version as the "SSL_METHOD" in use by the
SSL_CTX - part of the work in a handshake is to agree on an ssl version!
This is fixed by having the check function accept an SSL pointer rather
than the SSL_CTX it belongs to.
[Thanks to Lutz for illuminating the full extent of my stupidity]
Revision Changes Path
1.100 +2 -2 openssl/ssl/ssl.h
1.89 +4 -4 openssl/ssl/ssl_lib.c
1.35 +2 -2 openssl/ssl/ssl_sess.c
Index: ssl.h
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl.h,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -r1.99 -r1.100
--- ssl.h 2001/02/22 13:19:50 1.99
+++ ssl.h 2001/02/23 00:02:54 1.100
@@ -391,7 +391,7 @@
* callbacks should themselves check if the id they generate is unique otherwise
* the SSL handshake will fail with an error - callbacks can do this using the
* 'ssl' value they're passed by;
- * SSL_CTX_has_matching_session_id(ssl->ctx, id, *id_len)
+ * SSL_has_matching_session_id(ssl, id, *id_len)
* The length value passed in is set at the maximum size the session ID can be.
* In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
* can alter this length to be less if desired, but under SSLv2 session IDs are
@@ -1054,7 +1054,7 @@
int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
-int SSL_CTX_has_matching_session_id(const SSL_CTX *ctx, const unsigned char *id,
+int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
unsigned int id_len);
SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
Index: ssl_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl_lib.c,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- ssl_lib.c 2001/02/21 21:38:32 1.88
+++ ssl_lib.c 2001/02/23 00:02:55 1.89
@@ -299,16 +299,16 @@
return 1;
}
-int SSL_CTX_has_matching_session_id(const SSL_CTX *ctx, const unsigned char *id,
+int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
unsigned int id_len)
{
/* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
* we can "construct" a session to give us the desired check - ie. to
* find if there's a session in the hash table that would conflict with
* any new session built out of this id/id_len and the ssl_version in
- * use by this SSL_CTX. */
+ * use by this SSL. */
SSL_SESSION r, *p;
- r.ssl_version = ctx->method->version;
+ r.ssl_version = ssl->version;
r.session_id_length = id_len;
memcpy(r.session_id, id, id_len);
/* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
@@ -324,7 +324,7 @@
}
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
- p = (SSL_SESSION *)lh_retrieve(ctx->sessions, &r);
+ p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r);
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
return (p != NULL);
}
Index: ssl_sess.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl_sess.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- ssl_sess.c 2001/02/21 18:06:20 1.34
+++ ssl_sess.c 2001/02/23 00:02:56 1.35
@@ -146,7 +146,7 @@
unsigned int retry = 0;
do
RAND_pseudo_bytes(id, *id_len);
- while(SSL_CTX_has_matching_session_id(ssl->ctx, id, *id_len) &&
+ while(SSL_has_matching_session_id(ssl, id, *id_len) &&
(++retry < MAX_SESS_ID_ATTEMPTS));
if(retry < MAX_SESS_ID_ATTEMPTS)
return 1;
@@ -240,7 +240,7 @@
else
ss->session_id_length = tmp;
/* Finally, check for a conflict */
- if(SSL_CTX_has_matching_session_id(s->ctx, ss->session_id,
+ if(SSL_has_matching_session_id(s, ss->session_id,
ss->session_id_length))
{
SSLerr(SSL_F_SSL_GET_NEW_SESSION,
______________________________________________________________________
OpenSSL Project http://www.openssl.org
CVS Repository Commit List openssl-cvs@openssl.org
Automated List Manager majordomo@openssl.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic