From 212d7118a788e332dae4123d40f65ea6e24044d2 Mon Sep 17 00:00:00 2001 From: anupamam13 Date: Mon, 2 Nov 2020 17:50:11 +0530 Subject: Fix for negative return value from `SSL_CTX_sess_accept()` Fixes #13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13297) --- ssl/statem/extensions.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'ssl') diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index c785ab785d..e24b1b0e4d 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -966,7 +966,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * context, to avoid the confusing situation of having sess_accept_good * exceed sess_accept (zero) for the new context. */ - if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { + if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx + && s->hello_retry_request == SSL_HRR_NONE) { tsan_counter(&s->ctx->stats.sess_accept); tsan_decr(&s->session_ctx->stats.sess_accept); } -- cgit v1.2.3