Hardening around not_resumable sessions
authorMatt Caswell <matt@openssl.org>
Fri, 15 Mar 2024 17:58:42 +0000 (17:58 +0000)
committerTomas Mraz <tomas@openssl.org>
Mon, 8 Apr 2024 10:07:42 +0000 (12:07 +0200)
Make sure we can't inadvertently use a not_resumable session

Related to CVE-2024-2511

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24042)

(cherry picked from commit 21df7f04f6c4a560b4de56d10e1e58958c7e566d)

ssl/ssl_sess.c

index 60ceacde4effec0972904b13f60373e874576956..eaa9595f8c2f2ecbcb064848d6f075fcea270362 100644 (file)
@@ -519,6 +519,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s,
                                              sess_id, sess_id_len, &copy);
 
         if (ret != NULL) {
+            if (ret->not_resumable) {
+                /* If its not resumable then ignore this session */
+                if (!copy)
+                    SSL_SESSION_free(ret);
+                return NULL;
+            }
             ssl_tsan_counter(s->session_ctx,
                              &s->session_ctx->stats.sess_cb_hit);