Commit 150840b9 authored by Matt Caswell's avatar Matt Caswell
Browse files

Always duplicate the session on NewSessionTicket in TLSv1.3 



Because NST messages arrive post-handshake, the session may have already
gone into the cache. Once in the cache a session must be immutable -
otherwise you could get multi-thread issues.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3008)
parent 6ff71494

ssl/statem/statem_clnt.c

+9 −1
Original line number Diff line number Diff line
@@ -2438,7 +2438,15 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) 
    if (ticklen == 0)

        return MSG_PROCESS_CONTINUE_READING;



    if (s->session->session_id_length > 0) {

    /*

     * Sessions must be immutable once they go into the session cache. Otherwise

     * we can get multi-thread problems. Therefore we don't "update" sessions,

     * we replace them with a duplicate. In TLSv1.3 we need to do this every

     * time a NewSessionTicket arrives because those messages arrive

     * post-handshake and the session may have already gone into the session

     * cache.

     */

    if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) {

        int i = s->session_ctx->session_cache_mode;

        SSL_SESSION *new_sess;

        /*