author | anupamam13 <anuavnd@gmail.com> | 2020-11-02 17:50:11 +0530 |
---|---|---|
committer | Nicola Tuveri <nic.tuv@gmail.com> | 2021-01-09 00:55:02 +0200 |
commit | 42141197a107ef9cd297a7755fece569b84016b8 (patch) | |
tree | 6ed92b967fa6e32702e3644a393d7fbade01bb4f | |
parent | 732e24bb14ea9c4f68b8c9cd2bf605e0bd6b498e (diff) | |
download | openssl-42141197a107ef9cd297a7755fece569b84016b8.tar.gz |
Fix for negative return value from `SSL_CTX_sess_accept()`
Fixes #13183
From the original issue report, before this commit, on master and on
1.1.1, the issue can be detected with the following steps:
- Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
"Accept" count of default context gets incremented
- After servername lookup, "Accept" count of default context gets
decremented and that of SNI context is incremented
- Server sends a "Hello Retry Request"
- Client sends the second "Client Hello", now again "Accept" count of
default context is decremented. Hence giving a negative value.
This commit fixes it by adding a check on `s->hello_retry_request` in
addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
only on the first ClientHello.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13297)
-rw-r--r-- | ssl/statem/extensions.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index a4e60d417c..7b42016d59 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -957,7 +957,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * context, to avoid the confusing situation of having sess_accept_good * exceed sess_accept (zero) for the new context. */ - if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { + if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx + && s->hello_retry_request == SSL_HRR_NONE) { tsan_counter(&s->ctx->stats.sess_accept); tsan_decr(&s->session_ctx->stats.sess_accept); } |
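Review bot: the block comment directly above the condition (ending "... to avoid the confusing situation of having sess_accept_good exceed sess_accept (zero) for the new context.") still only explains why the counter is moved when `s->ctx != s->session_ctx`; with the new `&& s->hello_retry_request == SSL_HRR_NONE` clause the reason for the extra check lives only in the commit message. Suggest extending that comment with one sentence, e.g. "Only do this on the first ClientHello: after a HelloRetryRequest this function runs again for the second ClientHello and would otherwise decrement sess_accept a second time, driving it negative." The diffstat also shows only `ssl/statem/extensions.c` changing (1 file, 2 insertions, 1 deletion); since the commit message gives a precise reproduction (TLS 1.3 + SNI + HRR, then check `SSL_CTX_sess_accept()` on the default context), a regression test asserting that the default context's accept count is 0 and the SNI context's is 1 after the HRR handshake would guard this logic.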