author | jsing <> | 2024-07-20 04:04:23 +0000 |
---|---|---|
committer | jsing <> | 2024-07-20 04:04:23 +0000 |
commit | b68193edfb3424eb0f993aec6089c9e057aa5d4d (patch) | |
tree | b04719de2f91b0f8d7c9c7acb93cef76a89b9948 /src/lib/libssl/ssl_sess.c | |
parent | cc7dc6e9b7012526aa3797842d226b3a275a7e70 (diff) | |
Remove cipher from SSL_SESSION.
For a long time SSL_SESSION has had both a cipher ID and a pointer to
an SSL_CIPHER (and not both are guaranteed to be populated). There is also
a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher
being used for this connection. Some code has been using the cipher from
SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE.
Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE
everywhere. If resuming from a session then we need to use the SSL_SESSION
cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that
we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE
cipher changes (this only occurs in a few places).
ok tb@
Diffstat (limited to 'src/lib/libssl/ssl_sess.c')
-rw-r--r-- | src/lib/libssl/ssl_sess.c | 11 |
1 files changed, 2 insertions, 9 deletions
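--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.126 2024/07/19 08:54:31 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.127 2024/07/20 04:04:23 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -287,7 +287,6 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
 copy->time = sess->time;
 copy->references = 1;
 
-copy->cipher = sess->cipher;
 copy->cipher_id = sess->cipher_id;
 
 if (sess->tlsext_hostname != NULL) {
@@ -707,12 +706,6 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert)
 goto err;
 }
 
-if (sess->cipher == NULL) {
-sess->cipher = ssl3_get_cipher_by_id(sess->cipher_id);
-if (sess->cipher == NULL)
-goto err;
-}
-
 if (sess->timeout < (time(NULL) - sess->time)) {
 s->session_ctx->stats.sess_timeout++;
 if (!ticket_decrypted) {
@@ -991,7 +984,7 @@ LSSL_ALIAS(SSL_SESSION_get_protocol_version);
 const SSL_CIPHER *
 SSL_SESSION_get0_cipher(const SSL_SESSION *s)
 {
-return s->cipher;
+return ssl3_get_cipher_by_id(s->cipher_id);
 }
 LSSL_ALIAS(SSL_SESSION_get0_cipher);
 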
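Review bot: The block removed from ssl_get_prev_session was also where a cached or ticket-derived session whose `cipher_id` does not map to a known cipher was rejected (`goto err`), and nothing visible in this file now performs that check. The commit message says the handshake cipher is set from the session's cipher ID on resumption, presumably in files outside this diff, so it is worth confirming that each of those sites treats a NULL from `ssl3_get_cipher_by_id()` as a failed resumption instead of continuing with an unset cipher. ssl_get_prev_session's body extends beyond the hunk, so a later check there cannot be ruled out from this view. Separately, SSL_SESSION_get0_cipher now does a lookup on every call and can return NULL for an unknown ID; a comment above it such as `/* Returns NULL if cipher_id does not match a known cipher. */` would make that contract explicit for callers.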