[openssl] OpenSSL_1_1_1-stable update

nic.tuv at gmail.com nic.tuv at gmail.com
Fri Jan 8 23:17:13 UTC 2021


The branch OpenSSL_1_1_1-stable has been updated
       via  212d7118a788e332dae4123d40f65ea6e24044d2 (commit)
      from  37d9e3d7fdfbe7713adcdeca55b1303c6ad8dc12 (commit)


- Log -----------------------------------------------------------------
commit 212d7118a788e332dae4123d40f65ea6e24044d2
Author: anupamam13 <anuavnd at gmail.com>
Date:   Mon Nov 2 17:50:11 2020 +0530

    Fix for negative return value from `SSL_CTX_sess_accept()`
    
    Fixes #13183
    
    From the original issue report, before this commit, on master and on
    1.1.1, the issue can be detected with the following steps:
    
    - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
      "Accept" count of default context gets incremented
    - After servername lookup, "Accept" count of default context gets
      decremented and that of SNI context is incremented
    - Server sends a "Hello Retry Request"
    - Client sends the second "Client Hello", now again "Accept" count of
      default context is decremented. Hence giving a negative value.
    
    This commit fixes it by adding a check on `s->hello_retry_request` in
    addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
    only on the first ClientHello.
    
    CLA: trivial
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/13297)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/extensions.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index c785ab785d..e24b1b0e4d 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -966,7 +966,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
      * context, to avoid the confusing situation of having sess_accept_good
      * exceed sess_accept (zero) for the new context.
      */
-    if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
+    if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
+		    && s->hello_retry_request == SSL_HRR_NONE) {
         tsan_counter(&s->ctx->stats.sess_accept);
         tsan_decr(&s->session_ctx->stats.sess_accept);
     }
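Review bot: the continuation line `&& s->hello_retry_request == SSL_HRR_NONE` is indented with a tab while the surrounding code in `final_server_name` uses spaces; aligning it with spaces under `SSL_IS_FIRST_HANDSHAKE(s)` would keep the file's indentation consistent. The comment ending "exceed sess_accept (zero) for the new context" still explains only the first-handshake rationale; a sentence noting that the counter is moved only on the first ClientHello, and not again on the ClientHello that follows a HelloRetryRequest, would document why the `SSL_HRR_NONE` check is needed here.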

