From: anupamam13 Date: Mon, 2 Nov 2020 12:20:11 +0000 (+0530) Subject: Fix for negative return value from `SSL_CTX_sess_accept()` X-Git-Tag: openssl-3.0.0-alpha11~150 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42141197a107ef9cd297a7755fece569b84016b8;p=thirdparty%2Fopenssl.git Fix for negative return value from `SSL_CTX_sess_accept()` Fixes #13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13297) --- diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index a4e60d417c4..7b42016d59a 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -957,7 +957,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * context, to avoid the confusing situation of having sess_accept_good * exceed sess_accept (zero) for the new context. */ - if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { + if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx + && s->hello_retry_request == SSL_HRR_NONE) { tsan_counter(&s->ctx->stats.sess_accept); tsan_decr(&s->session_ctx->stats.sess_accept); }