Open avoget opened 11 months ago
PR to fix problem https://github.com/openssl/openssl/pull/22418
@mattcaswell can this ever happen?
i.e., is this a real bug fix?
As i understand the comment at line 1341: /*
Yeah, but there the s->hit is set and I believe the cipher will be set then.
May be it is a good idea to add this comment before this condition ? Relation of s->hit and s->session->cipher is not obvious.
@mattcaswell ping?
@mattcaswell can this ever happen?
I don't see how it could ever happen in reality. sslapitest
is "cheating" in that it is making modifications to an internal data structure. No real application should be doing this. Having an assert that s->session->cipher
is non NULL might not be a bad idea - but it doesn't look like a bug to me.
Hello Matt. Thank you ! I see.
Given that the consensus here is that this is not a bug, I'm marking this as inactive, to be closed at the end of the 3.4 development cycle. Please comment if there is a further issue
Hello.
OpenSSL 3.0 has UB in set_client_ciphersuite(SSL s, const unsigned char cipherchars) line #1356 in file openssl/ssl/statem/statem_clnt.c ... if (md == NULL || md != ssl_md(s->ctx, s->session->cipher->algorithm2)) { ... if s->session->cipher is NULL
To reproduce crash:
Regards.