On Thu, Feb 07, 2002 at 03:38:32PM +0200, Izhar Shoshani Levi wrote:
> I found a bug in the SSL session cache, please check it.
> SSL_CTX_session_remove tries to find the session in the cache and delete it,
> but when calling SSL_SESSION_list_remove, in the case that r != NULL, the wrong
> session is sent to the function: instead of sending r, which is the one that
> is in the cache, c is being sent.

I had a look into the problem in the meantime. The problem seems to arise
from the following construct:
* One can pass a copy of a session to SSL_CTX_remove_session() that
  is not in the internal session cache. Normally the operation would
  simply fail.
* The session could have been created by copying a session, so that an
  SSL_SESSION with the same contents is available inside the session
  cache.
* lh_delete() will only check the hash value of the contents and will
  thus react by removing the session that is inside the session cache.
  Consequently, the bug report above is correct.
However, I would consider making a different change: if the (pointer to
an SSL_SESSION object) passed to SSL_CTX_remove_session() is not
a part of the session cache, the removal is not performed.
Thus:
                if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+               if ((r = (SSL_SESSION *)lh_retrieve(ctx->sessions,c)) == c)
                        r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
                if (r != NULL)
                        {
                        ret=1;
                        SSL_SESSION_list_remove(ctx,c);
                        }
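
Review bot: the new lh_retrieve() test guards only the lh_delete() call, so when the cache holds a different object with the same contents (r != NULL and r != c), r stays non-NULL and the following "if (r != NULL)" block still sets ret=1 and calls SSL_SESSION_list_remove(ctx,c) on a c that is not in the cache. To get the behaviour described just above the hunk (no removal when c is not the cached object), put the whole removal under the identity test, for example by bracing lh_delete(), ret=1 and SSL_SESSION_list_remove(ctx,c) inside the "== c" branch, or by resetting r to NULL when the comparison fails. A one-line comment saying that removal is by object identity rather than by contents would also help the next reader.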


Any other opinions on what is the correct solution?
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
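
The difference between content-keyed and identity-checked removal discussed in the message above, as an added example that is not part of the original post and is not OpenSSL code. The types struct sess and struct cache and all function names are hypothetical stand-ins for SSL_SESSION, ctx->sessions and the lhash calls, and the scenario in demo() is constructed.

```c
#include <stdio.h>
#include <string.h>
#define ID_LEN 4
#define SLOTS  8
/* Hypothetical stand-in for SSL_SESSION: two objects are "equal" if ids match. */
struct sess { unsigned char id[ID_LEN]; };
/* Toy content-keyed table standing in for ctx->sessions (not OpenSSL's lhash). */
struct cache { struct sess *slot[SLOTS]; };

static int find(const struct cache *c, const struct sess *key)
{
    for (int i = 0; i < SLOTS; i++)
        if (c->slot[i] && memcmp(c->slot[i]->id, key->id, ID_LEN) == 0)
            return i;
    return -1;
}

/* Content-keyed delete: evicts whatever entry compares equal to key. */
struct sess *remove_by_content(struct cache *c, const struct sess *key)
{
    int i = find(c, key);
    struct sess *r = (i >= 0) ? c->slot[i] : NULL;
    if (i >= 0) c->slot[i] = NULL;
    return r;
}

/* Identity-checked delete: evicts only if the cached object is key itself. */
int remove_same_object(struct cache *c, const struct sess *key)
{
    int i = find(c, key);
    if (i < 0 || c->slot[i] != key) return 0;   /* absent, or an equal-content twin */
    c->slot[i] = NULL;
    return 1;
}

/* Constructed scenario: 'cached' is in the table, 'copy' has the same id but is not.
   Bit 2: guarded removal of copy succeeded; bit 1: cached survived; bit 0: content delete evicted cached. */
int demo(void)
{
    struct sess cached = {{1, 2, 3, 4}}, copy = cached;
    struct cache c = {{0}};
    c.slot[0] = &cached;
    int guarded  = remove_same_object(&c, &copy);
    int survived = (c.slot[0] == &cached);
    int evicted  = (remove_by_content(&c, &copy) == &cached);
    return (guarded << 2) | (survived << 1) | evicted;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```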