Hi Lutz,

I've just checked your last patch. I guess an additional fix is required.

Setting:

    s->shutdown=0;

should be done only after calling:

    if (ssl_clear_bad_session(s))
        {
        SSL_SESSION_free(s->session);
        s->session=NULL;
        }

Otherwise, the SSL_SENT_SHUTDOWN flag is not taken into account when checking whether the session should be removed from the cache.

Yoram.

-----Original Message-----
From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 11:40 PM
To: '[EMAIL PROTECTED]'
Subject: Re: SSL_clear code

On Wed, Feb 20, 2002 at 02:17:15PM +0200, Yoram Zahavi wrote:
> I'm using SSL_clear (0.9.6c) in order to reuse the SSL object. SSL_clear()
> should make sure that the SSL Session will *not* be reused if
> SSL_SENT_SHUTDOWN is *not* set.
>
> Well, I faced some problems and I looked into the code:
> * SSL_clear sets the SSL structure state with SSL_ST_BEFORE. (The previous
>   state is saved in a tmp variable, but is never used).
> * Later on it calls ssl_clear_bad_session, which is supposed to check if the
>   session can be reused.
> * According to ssl_clear_bad_session, a session is considered "bad" if
>   - the function did not receive a NULL structure, and
>   - the structure was not assigned SSL_SENT_SHUTDOWN, and
>   - the structure was *not* set with SSL_ST_BEFORE (but that flag is set
>     whenever SSL_clear is called ??)
>
> Taken from ssl_lib.c, SSL_clear() is doing:
>
>     s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT);
>     ......
>     if (ssl_clear_bad_session(s))
>         {
>         SSL_SESSION_free(s->session);
>         s->session=NULL;
>         }
>
> Taken from ssl_sess.c, ssl_clear_bad_session(s) is doing:
>
>     if ((s->session != NULL) &&
>         !(s->shutdown & SSL_SENT_SHUTDOWN) &&
>         !(SSL_in_init(s) || SSL_in_before(s)))
>         {
>         SSL_CTX_remove_session(s->ctx,s->session);
>         return(1);
>         }
>     else
>         return(0);
>     }
>
> Does it mean that the SSL session is never removed through SSL_clear, or am
> I totally wrong ?

It seems to me that your analysis is correct. I have checked in an
appropriate patch.

Best regards,
        Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
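The thread turns on the order of three operations inside SSL_clear(): resetting the handshake state, clearing the shutdown flags, and running the ssl_clear_bad_session() check. The following is an added, stand-alone C model of that ordering question; it is not OpenSSL's code and not code from either poster. The struct, the toy_* functions and the TOY_* constants are assumptions made only for this illustration; the check mirrors the condition quoted from ssl_sess.c (minus SSL_in_init(), which the model leaves out), and "removing from the cache" is modelled as clearing a flag on the session.

```c
/* Added example: a minimal model of the SSL_clear() ordering issue.
 * All names below are hypothetical; they are not OpenSSL's. */
#include <stdio.h>
#include <stddef.h>

#define TOY_SENT_SHUTDOWN 0x01   /* models SSL_SENT_SHUTDOWN in s->shutdown */
#define TOY_ST_BEFORE     0x4000 /* models the SSL_ST_BEFORE bit in s->state */
#define TOY_ST_OK         0x03   /* models an established-connection state */

struct toy_session { int in_cache; };     /* 1 while the session is cached */

struct toy_ssl {
    int state;
    int shutdown;
    struct toy_session *session;
};

static int toy_in_before(const struct toy_ssl *s)
{
    return (s->state & TOY_ST_BEFORE) != 0;
}

/* Mirrors the quoted ssl_clear_bad_session() condition: a session that was
 * not shut down cleanly, on a connection that is past the "before" state,
 * is evicted from the cache. Returns 1 if it was evicted. */
static int toy_clear_bad_session(struct toy_ssl *s)
{
    if (s->session != NULL &&
        !(s->shutdown & TOY_SENT_SHUTDOWN) &&
        !toy_in_before(s)) {
        s->session->in_cache = 0;          /* models SSL_CTX_remove_session() */
        return 1;
    }
    return 0;
}

/* Ordering A (the 0.9.6c code as quoted): state reset before the check, so
 * toy_in_before() is always true and no session is ever evicted. */
static int toy_clear_state_first(struct toy_ssl *s)
{
    int removed;
    s->state = TOY_ST_BEFORE;
    removed = toy_clear_bad_session(s);
    if (removed) s->session = NULL;
    s->shutdown = 0;
    return removed;
}

/* Ordering B (the follow-up concern): shutdown flags cleared before the
 * check, so even a cleanly shut-down session looks "bad" and is evicted. */
static int toy_clear_shutdown_first(struct toy_ssl *s)
{
    int removed;
    s->shutdown = 0;
    removed = toy_clear_bad_session(s);
    if (removed) s->session = NULL;
    s->state = TOY_ST_BEFORE;
    return removed;
}

/* Ordering C: run the check first, then reset state and shutdown flags. */
static int toy_clear_check_first(struct toy_ssl *s)
{
    int removed = toy_clear_bad_session(s);
    if (removed) s->session = NULL;
    s->state = TOY_ST_BEFORE;
    s->shutdown = 0;
    return removed;
}

typedef int (*toy_clear_fn)(struct toy_ssl *);

/* Runs one ordering on a connection in state TOY_ST_OK with the given
 * shutdown flags; returns 1 if the session ended up evicted from the cache. */
static int toy_run(toy_clear_fn clear, int shutdown_flags)
{
    struct toy_session sess = { 1 };
    struct toy_ssl s = { TOY_ST_OK, shutdown_flags, &sess };
    clear(&s);
    return sess.in_cache == 0;
}

int main(void)
{
    printf("A, no shutdown sent, evicted: %d\n",
           toy_run(toy_clear_state_first, 0));
    printf("B, shutdown sent, evicted:    %d\n",
           toy_run(toy_clear_shutdown_first, TOY_SENT_SHUTDOWN));
    printf("C, no shutdown sent, evicted: %d\n",
           toy_run(toy_clear_check_first, 0));
    printf("C, shutdown sent, evicted:    %d\n",
           toy_run(toy_clear_check_first, TOY_SENT_SHUTDOWN));
    return 0;
}
```

Ordering A reproduces the symptom in the original question (a session that was never shut down cleanly stays cached), ordering B reproduces the symptom in the follow-up (a cleanly shut-down session is evicted anyway), and only ordering C evicts exactly the sessions the check is meant to catch.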