From b68193edfb3424eb0f993aec6089c9e057aa5d4d Mon Sep 17 00:00:00 2001 From: jsing <> Date: Sat, 20 Jul 2024 04:04:23 +0000 Subject: Remove cipher from SSL_SESSION. For a long time SSL_SESSION has had both a cipher ID and a pointer to an SSL_CIPHER (and not both are guaranteed to be populated). There is also a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher being used for this connection. Some code has been using the cipher from SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE. Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE everywhere. If resuming from a session then we need to use the SSL_SESSION cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE cipher changes (this only occurs in a few places). ok tb@ --- src/lib/libssl/ssl_sess.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) (limited to 'src/lib/libssl/ssl_sess.c') diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 76f194ca78..c2bd1bf135 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.126 2024/07/19 08:54:31 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.127 2024/07/20 04:04:23 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -287,7 +287,6 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket) copy->time = sess->time; copy->references = 1; - copy->cipher = sess->cipher; copy->cipher_id = sess->cipher_id; if (sess->tlsext_hostname != NULL) { @@ -707,12 +706,6 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) goto err; } - if (sess->cipher == NULL) { - sess->cipher = ssl3_get_cipher_by_id(sess->cipher_id); - if (sess->cipher == NULL) - goto err; - } - if (sess->timeout < (time(NULL) - sess->time)) { s->session_ctx->stats.sess_timeout++; if (!ticket_decrypted) { @@ -991,7 +984,7 @@ LSSL_ALIAS(SSL_SESSION_get_protocol_version); const SSL_CIPHER * SSL_SESSION_get0_cipher(const SSL_SESSION *s) { - return s->cipher; + return ssl3_get_cipher_by_id(s->cipher_id); } LSSL_ALIAS(SSL_SESSION_get0_cipher); -- cgit v1.2.3-55-g6feb