Fix race condition in NewSessionTicket

If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. CVE-2015-1791 This also fixes RT#3808 where a session ID is changed for a session already in the client session cache. Since the session ID is the key to the cache this breaks the cache access. Parts of this patch were inspired by this Akamai change: https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3 Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 27c76b9b8010b536687318739c6f631ce4194688) Conflicts: ssl/ssl.h ssl/ssl_err.c
author: Matt Caswell <matt@openssl.org> 2015-05-18 16:27:48 +0100
committer: Matt Caswell <matt@openssl.org> 2015-06-02 12:44:40 +0100
commit: 939b4960276b040fc0ed52232238fcc9e2e9ec21 (patch)
tree: cefe73e09d05363aa05e229b9ee40090fda12f93 /ssl/ssl_locl.h
parent: cce3e4adb78a8d3eeb6e0e4efe332fcc5d75f615 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index aff3b65d17..a7f3f8dad4 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -865,6 +865,7 @@ int ssl_set_peer_cert_type(SESS_CERT *c, int type);
 int ssl_get_new_session(SSL *s, int session);
 int ssl_get_prev_session(SSL *s, unsigned char *session, int len,
                          const unsigned char *limit);
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
 int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
 DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
author	Matt Caswell <matt@openssl.org>	2015-05-18 16:27:48 +0100
committer	Matt Caswell <matt@openssl.org>	2015-06-02 12:44:40 +0100
commit	939b4960276b040fc0ed52232238fcc9e2e9ec21 (patch)
tree	cefe73e09d05363aa05e229b9ee40090fda12f93 /ssl/ssl_locl.h
parent	cce3e4adb78a8d3eeb6e0e4efe332fcc5d75f615 (diff)