[openssl] master update
nic.tuv at gmail.com
nic.tuv at gmail.com
Fri Jan 8 23:15:27 UTC 2021
The branch master has been updated
via 42141197a107ef9cd297a7755fece569b84016b8 (commit)
from 732e24bb14ea9c4f68b8c9cd2bf605e0bd6b498e (commit)
- Log -----------------------------------------------------------------
commit 42141197a107ef9cd297a7755fece569b84016b8
Author: anupamam13 <anuavnd at gmail.com>
Date: Mon Nov 2 17:50:11 2020 +0530
Fix for negative return value from `SSL_CTX_sess_accept()`
Fixes #13183
From the original issue report, before this commit, on master and on
1.1.1, the issue can be detected with the following steps:
- Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
"Accept" count of default context gets incremented
- After servername lookup, "Accept" count of default context gets
decremented and that of SNI context is incremented
- Server sends a "Hello Retry Request"
- Client sends the second "Client Hello", now again "Accept" count of
default context is decremented. Hence giving a negative value.
This commit fixes it by adding a check on `s->hello_retry_request` in
addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
only on the first ClientHello.
CLA: trivial
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13297)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/extensions.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index a4e60d417c..7b42016d59 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -957,7 +957,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
* context, to avoid the confusing situation of having sess_accept_good
* exceed sess_accept (zero) for the new context.
*/
- if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
+ if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
+ && s->hello_retry_request == SSL_HRR_NONE) {
tsan_counter(&s->ctx->stats.sess_accept);
tsan_decr(&s->session_ctx->stats.sess_accept);
}
More information about the openssl-commits
mailing list