Fix SSL handshake functions and SSL_clear() such that SSL_clear()

never resets s->method to s->ctx->method when called from within one of the SSL handshake functions.

Fix SSL handshake functions and SSL_clear() such that SSL_clear()
never resets s->method to s->ctx->method when called from within one of the SSL handshake functions.
979689aa · Bodo Möller · a3faebd1 · 979689aa · 979689aa · 979689aa
8 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,11 @@
         *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
         +) applies to 0.9.7 only

+  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
+     never resets s->method to s->ctx->method when called from within
+     one of the SSL handshake functions.
+     [Bodo Moeller; problem pointed out by Niko Baric]
+
  +) Test for certificates which contain unsupported critical extensions.
     If such a certificate is found during a verify operation it is 
     rejected by default: this behaviour can be overridden by either

--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -113,8 +113,8 @@ int ssl23_connect(SSL *s)
 	else if (s->ctx->info_callback != NULL)
 		cb=s->ctx->info_callback;
 	
-	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
 	s->in_handshake++;
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 

 	for (;;)
 		{

--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -165,8 +165,8 @@ int ssl23_accept(SSL *s)
 	else if (s->ctx->info_callback != NULL)
 		cb=s->ctx->info_callback;
 	
-	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
 	s->in_handshake++;
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 

 	for (;;)
 		{

--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -118,8 +118,8 @@ int ssl2_connect(SSL *s)
 		cb=s->ctx->info_callback;

 	/* init things to blank */
-	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
 	s->in_handshake++;
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);

 	for (;;)
 		{

--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -119,8 +119,8 @@ int ssl2_accept(SSL *s)
 		cb=s->ctx->info_callback;

 	/* init things to blank */
-	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
 	s->in_handshake++;
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);

 	if (s->cert == NULL)
 		{

--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -119,8 +119,8 @@ int ssl3_connect(SSL *s)
 	else if (s->ctx->info_callback != NULL)
 		cb=s->ctx->info_callback;
 	
-	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 
 	s->in_handshake++;
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 

 	for (;;)
 		{

--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -180,8 +180,8 @@ int ssl3_accept(SSL *s)
 		cb=s->ctx->info_callback;

 	/* init things to blank */
-	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
 	s->in_handshake++;
+	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);

 	if (s->cert == NULL)
 		{

--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -193,7 +193,7 @@ int SSL_clear(SSL *s)
 #if 1
 	/* Check to see if we were changed into a different method, if
 	 * so, revert back if we are not doing session-id reuse. */
-	if ((s->session == NULL) && (s->method != s->ctx->method))
+	if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method))
 		{
 		s->method->ssl_free(s);
 		s->method=s->ctx->method;