Hardening around not_resumable sessions
authorMatt Caswell <matt@openssl.org>
Fri, 15 Mar 2024 17:58:42 +0000 (17:58 +0000)
committerTomas Mraz <tomas@openssl.org>
Mon, 8 Apr 2024 10:10:44 +0000 (12:10 +0200)
Make sure we can't inadvertently use a not_resumable session

Related to CVE-2024-2511

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)

(cherry picked from commit c342f4b8bd2d0b375b0e22337057c2eab47d9b96)

ssl/ssl_sess.c

index 75adbd9e52b40b6245573f25033b1fe8ce414204..d0b72b78801240843d8ccecbbb01aa94a7947c83 100644 (file)
@@ -531,6 +531,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
         ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
 
         if (ret != NULL) {
+            if (ret->not_resumable) {
+                /* If its not resumable then ignore this session */
+                if (!copy)
+                    SSL_SESSION_free(ret);
+                return NULL;
+            }
             ssl_tsan_counter(s->session_ctx,
                              &s->session_ctx->stats.sess_cb_hit);