Hardening around not_resumable sessions

Make sure we can't inadvertently use a not_resumable session Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#24044) (cherry picked from commit c342f4b)
bernd-edlinger · Apr 22, 2024 · af00b42 · af00b42
1 parent 87721d5
commit af00b42
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
@@ -454,6 +454,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
         ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
 
         if (ret != NULL) {
+            if (ret->not_resumable) {
+                /* If its not resumable then ignore this session */
+                if (!copy)
+                    SSL_SESSION_free(ret);
+                return NULL;
+            }
             tsan_counter(&s->session_ctx->stats.sess_cb_hit);
 
             /*