diff options
author | Matt Caswell <matt@openssl.org> | 2024-03-15 17:58:42 +0000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-04-08 12:08:19 +0200 |
commit | 4d67109432646c113887b0aa8091fb0d1b3057e6 (patch) | |
tree | 5aa247b5ca8f1f7603553c5e0cec756a62cc480f | |
parent | b7acb6731a96b073d6150465bd090e2052a595c2 (diff) |
Hardening around not_resumable sessions
Make sure we can't inadvertently use a not_resumable session
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24043)
-rw-r--r-- | ssl/ssl_sess.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 1fa6d17c46..5d1ade9efa 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -519,6 +519,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s, sess_id, sess_id_len, ©); if (ret != NULL) { + if (ret->not_resumable) { + /* If its not resumable then ignore this session */ + if (!copy) + SSL_SESSION_free(ret); + return NULL; + } ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_cb_hit); |