[openssl] master update

nic.tuv at gmail.com nic.tuv at gmail.com
Fri Jan 8 23:15:27 UTC 2021

The branch master has been updated
       via  42141197a107ef9cd297a7755fece569b84016b8 (commit)
      from  732e24bb14ea9c4f68b8c9cd2bf605e0bd6b498e (commit)

- Log -----------------------------------------------------------------
commit 42141197a107ef9cd297a7755fece569b84016b8
Author: anupamam13 <anuavnd at gmail.com>
Date:   Mon Nov 2 17:50:11 2020 +0530

    Fix for negative return value from `SSL_CTX_sess_accept()`
    Fixes #13183
    From the original issue report, before this commit, on master and on
    1.1.1, the issue can be detected with the following steps:
    - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
      "Accept" count of default context gets incremented
    - After servername lookup, "Accept" count of default context gets
      decremented and that of SNI context is incremented
    - Server sends a "Hello Retry Request"
    - Client sends the second "Client Hello", now again "Accept" count of
      default context is decremented. Hence giving a negative value.
    This commit fixes it by adding a check on `s->hello_retry_request` in
    addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
    only on the first ClientHello.
    CLA: trivial
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/13297)


Summary of changes:
 ssl/statem/extensions.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index a4e60d417c..7b42016d59 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -957,7 +957,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
      * context, to avoid the confusing situation of having sess_accept_good
      * exceed sess_accept (zero) for the new context.
-    if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
+    if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
+		    && s->hello_retry_request == SSL_HRR_NONE) {

More information about the openssl-commits mailing list