Remove cipher from SSL_SESSION.

For a long time SSL_SESSION has had both a cipher ID and a pointer to an SSL_CIPHER (and not both are guaranteed to be populated). There is also a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher being used for this connection. Some code has been using the cipher from SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE. Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE everywhere. If resuming from a session then we need to use the SSL_SESSION cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE cipher changes (this only occurs in a few places). ok tb@
author: jsing <> 2024-07-20 04:04:23 +0000
committer: jsing <> 2024-07-20 04:04:23 +0000
commit: b68193edfb3424eb0f993aec6089c9e057aa5d4d (patch)
tree: b04719de2f91b0f8d7c9c7acb93cef76a89b9948 /src/lib/libssl/ssl_asn1.c
parent: cc7dc6e9b7012526aa3797842d226b3a275a7e70 (diff)
download: openbsd-b68193edfb3424eb0f993aec6089c9e057aa5d4d.tar.gz
openbsd-b68193edfb3424eb0f993aec6089c9e057aa5d4d.tar.bz2
openbsd-b68193edfb3424eb0f993aec6089c9e057aa5d4d.zip
1 files changed, 3 insertions, 9 deletions
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index f4552f1c94..ef34cbdb04 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_asn1.c,v 1.67 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_asn1.c,v 1.68 2024/07/20 04:04:23 jsing Exp $ */
 /*
 * Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
 *
@@ -70,10 +70,7 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len,
                goto err;
        /* Cipher suite ID. */
-        /* XXX - require cipher to be non-NULL or always/only use cipher_id. */
        cid = (uint16_t)(s->cipher_id & SSL3_CK_VALUE_MASK);
-        if (s->cipher != NULL)
-                cid = ssl3_cipher_get_value(s->cipher);
        if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING))
                goto err;
        if (!CBB_add_u16(&cipher_suite, cid))
@@ -196,7 +193,7 @@ SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len)
        if (ss == NULL)
                return 0;
-        if (ss->cipher == NULL && ss->cipher_id == 0)
+        if (ss->cipher_id == 0)
                return 0;
        return SSL_SESSION_encode(ss, out, out_len, 1);
@@ -212,7 +209,7 @@ i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp)
        if (ss == NULL)
                return 0;
-        if (ss->cipher == NULL && ss->cipher_id == 0)
+        if (ss->cipher_id == 0)
                return 0;
        if (!SSL_SESSION_encode(ss, &data, &data_len, 0))
@@ -287,9 +284,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
                goto err;
        if (CBS_len(&cipher_suite) != 0)
                goto err;
-        /* XXX - populate cipher instead? */
-        s->cipher = NULL;
        s->cipher_id = SSL3_CK_ID | cipher_value;
        /* Session ID. */
author	jsing <>	2024-07-20 04:04:23 +0000
committer	jsing <>	2024-07-20 04:04:23 +0000
commit	b68193edfb3424eb0f993aec6089c9e057aa5d4d (patch)
tree	b04719de2f91b0f8d7c9c7acb93cef76a89b9948 /src/lib/libssl/ssl_asn1.c
parent	cc7dc6e9b7012526aa3797842d226b3a275a7e70 (diff)
download	openbsd-b68193edfb3424eb0f993aec6089c9e057aa5d4d.tar.gz openbsd-b68193edfb3424eb0f993aec6089c9e057aa5d4d.tar.bz2 openbsd-b68193edfb3424eb0f993aec6089c9e057aa5d4d.zip