Hardening around not_resumable sessions

Make sure we can't inadvertently use a not_resumable session Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24043)
author: Matt Caswell <matt@openssl.org> 2024-03-15 17:58:42 +0000
committer: Tomas Mraz <tomas@openssl.org> 2024-04-08 12:08:19 +0200
commit: 4d67109432646c113887b0aa8091fb0d1b3057e6 (patch)
tree: 5aa247b5ca8f1f7603553c5e0cec756a62cc480f
parent: b7acb6731a96b073d6150465bd090e2052a595c2 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 1fa6d17c46..5d1ade9efa 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -519,6 +519,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s,
                                              sess_id, sess_id_len, &copy);
 
         if (ret != NULL) {
+            if (ret->not_resumable) {
+                /* If its not resumable then ignore this session */
+                if (!copy)
+                    SSL_SESSION_free(ret);
+                return NULL;
+            }
             ssl_tsan_counter(s->session_ctx,
                              &s->session_ctx->stats.sess_cb_hit);
author	Matt Caswell <matt@openssl.org>	2024-03-15 17:58:42 +0000
committer	Tomas Mraz <tomas@openssl.org>	2024-04-08 12:08:19 +0200
commit	4d67109432646c113887b0aa8091fb0d1b3057e6 (patch)
tree	5aa247b5ca8f1f7603553c5e0cec756a62cc480f
parent	b7acb6731a96b073d6150465bd090e2052a595c2 (diff)