Hardening around not_resumable sessions
Make sure we can't inadvertently use a not_resumable session
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit c342f4b8bd)
This commit is contained in:
parent
daee101e39
commit
cc9ece9118
@ -531,6 +531,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
|
|||
ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©);
|
||||
|
||||
if (ret != NULL) {
|
||||
if (ret->not_resumable) {
|
||||
/* If its not resumable then ignore this session */
|
||||
if (!copy)
|
||||
SSL_SESSION_free(ret);
|
||||
return NULL;
|
||||
}
|
||||
ssl_tsan_counter(s->session_ctx,
|
||||
&s->session_ctx->stats.sess_cb_hit);
|
||||
|
||||
|
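Review bot: The early-return's reference handling, `if (!copy) SSL_SESSION_free(ret);`, is only correct if `copy == 0` means get_session_cb has already handed us an owned reference, and the one-line comment above it does not say so; because `copy` is declared and initialised outside this hunk, a reader of the new block cannot tell why freeing is safe in one case and would be a double free in the other. I would replace the comment with `/* Not resumable: ignore it. copy == 0 means the callback already took a reference for us, so drop it; otherwise the callback's own cache still owns the session. */`, which also fixes "its" to "it's". Only the external-callback path is guarded here; the internal-cache lookup earlier in lookup_sess_in_cache is outside this hunk, and unless the same change also stops not_resumable sessions from being stored (or marks them only before insertion), a session flagged after it was cached could still be returned from that path and would need the same check — worth confirming. The enclosing function lookup_sess_in_cache begins before this hunk and continues after it.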
|