openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

Hardening around not_resumable sessions 

Make sure we can't inadvertently use a not_resumable session

Related to CVE-2024-2511

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)

(cherry picked from commit c342f4b8bd)
This commit is contained in:
Matt Caswell 2024-03-15 17:58:42 +00:00 committed by Tomas Mraz
parent daee101e39
commit cc9ece9118
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ssl/ssl_sess.c
View File

@ -531,6 +531,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
if (ret != NULL) {
if (ret->not_resumable) {
/* If its not resumable then ignore this session */
if (!copy)
SSL_SESSION_free(ret);
return NULL;
}
ssl_tsan_counter(s->session_ctx,
&s->session_ctx->stats.sess_cb_hit);