The branch master has been updated
       via  e3743355e840dadff0b09582942b7a90db607894 (commit)
      from  7477c83e150ace0df91df92bc935ccaebddf8dd8 (commit)


- Log -----------------------------------------------------------------
commit e3743355e840dadff0b09582942b7a90db607894
Author: Benjamin Kaduk <bka...@akamai.com>
Date:   Wed Aug 9 08:14:24 2017 -0500

    Don't modify resumed session objects
    
    If s->hit is set, s->session corresponds to a session created on
    a previous connection, and is a data structure that is potentially
    shared across other SSL objects.  As such, there are thread-safety
    issues with modifying the structure without taking its lock (and
    of course all corresponding read accesses would also need to take
    the lock as well), which have been observed to cause double-frees.
    
    Regardless of thread-safety, the resumed session object is intended
    to reflect parameters of the connection that created the session,
    and modifying it to reflect the parameters from the current connection
    is confusing.  So, modifications to the session object during
    ClientHello processing should only be performed on new connections,
    i.e., those where s->hit is not set.
    
    The code mostly got this right, providing such checks when processing
    SNI and EC point formats, but the supported groups (formerly
    supported curves) extension was missing it, which is fixed by this commit.
    
    However, TLS 1.3 makes the suppported_groups extension mandatory
    (when using (EC)DHE, which is the normal case), checking for the group
    list in the key_share extension processing.  But, TLS 1.3 only [0] supports
    session tickets for session resumption, so the session object in question
    is the output of d2i_SSL_SESSION(), and will not be shared across SSL
    objects.  Thus, it is safe to modify s->session for TLS 1.3 connections.
    
    [0] A psk_find_session callback can also be used, but the restriction that
    each callback execution must produce a distinct SSL_SESSION structure
    can be documented when the psk_find_session callback documentation is
    completed.
    
    Reviewed-by: Andy Polyakov <ap...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/4123)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/extensions_srvr.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 9fe58a7..a3c2fbf 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -641,14 +641,16 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, 
unsigned int context,
         return 0;
     }
 
-    OPENSSL_free(s->session->ext.supportedgroups);
-    s->session->ext.supportedgroups = NULL;
-    s->session->ext.supportedgroups_len = 0;
-    if (!PACKET_memdup(&supported_groups_list,
-                       &s->session->ext.supportedgroups,
-                       &s->session->ext.supportedgroups_len)) {
-        *al = SSL_AD_INTERNAL_ERROR;
-        return 0;
+    if (!s->hit || SSL_IS_TLS13(s)) {
+        OPENSSL_free(s->session->ext.supportedgroups);
+        s->session->ext.supportedgroups = NULL;
+        s->session->ext.supportedgroups_len = 0;
+        if (!PACKET_memdup(&supported_groups_list,
+                           &s->session->ext.supportedgroups,
+                           &s->session->ext.supportedgroups_len)) {
+            *al = SSL_AD_INTERNAL_ERROR;
+            return 0;
+        }
     }
 
     return 1;
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to