[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Mon Jun 25 11:15:23 UTC 2018


The branch master has been updated
       via  c35e96691ff3415e68531076ff9f011703524c0a (commit)
      from  3445872e22735ff864d6b363d2d2b8acde740912 (commit)


- Log -----------------------------------------------------------------
commit c35e96691ff3415e68531076ff9f011703524c0a
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Jun 22 14:15:33 2018 +0100

    Don't change a session once its in the cache
    
    Sessions should be immutable once they are in the cache because they could
    be shared with other threads. If you change them then this can cause
    corruptions and races
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6561)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/statem_srvr.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index c2976b7..df3f15a 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3796,10 +3796,11 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
             cb(s, SSL_CB_HANDSHAKE_START, 1);
         }
         /*
-         * If we already sent one NewSessionTicket then we need to take a copy
-         * of it and create a new session from it.
+         * If we already sent one NewSessionTicket, or we resumed then
+         * s->session may already be in a cache and so we must not modify it.
+         * Instead we need to take a copy of it and modify that.
          */
-        if (s->sent_tickets != 0) {
+        if (s->sent_tickets != 0 || s->hit) {
             SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);
 
             if (new_sess == NULL) {


More information about the openssl-commits mailing list