From b68193edfb3424eb0f993aec6089c9e057aa5d4d Mon Sep 17 00:00:00 2001 From: jsing <> Date: Sat, 20 Jul 2024 04:04:23 +0000 Subject: Remove cipher from SSL_SESSION. For a long time SSL_SESSION has had both a cipher ID and a pointer to an SSL_CIPHER (and not both are guaranteed to be populated). There is also a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher being used for this connection. Some code has been using the cipher from SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE. Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE everywhere. If resuming from a session then we need to use the SSL_SESSION cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE cipher changes (this only occurs in a few places). ok tb@ --- src/lib/libssl/tls13_server.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/lib/libssl/tls13_server.c') diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index f9cdbdd690..6bd2993cf3 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.107 2024/07/19 08:54:31 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.108 2024/07/20 04:04:23 jsing Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -383,7 +383,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx) &shared_key_len)) goto err; - s->session->cipher = ctx->hs->cipher; + s->session->cipher_id = ctx->hs->cipher->id; if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) goto err; -- cgit v1.2.3-55-g6feb