174 lines
6.6 KiB
Diff
174 lines
6.6 KiB
Diff
From 722e734a9265530db1a41a4604d21c03b1ba1733 Mon Sep 17 00:00:00 2001
|
|
From: Matt Caswell <matt@openssl.org>
|
|
Date: Tue, 5 Mar 2024 15:43:53 +0000
|
|
Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
|
|
|
|
In TLSv1.3 we create a new session object for each ticket that we send.
|
|
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
|
|
use then the new session will be added to the session cache. However, if
|
|
early data is not in use (and therefore anti-replay protection is being
|
|
used), then multiple threads could be resuming from the same session
|
|
simultaneously. If this happens and a problem occurs on one of the threads,
|
|
then the original session object could be marked as not_resumable. When we
|
|
duplicate the session object this not_resumable status gets copied into the
|
|
new session object. The new session object is then added to the session
|
|
cache even though it is not_resumable.
|
|
|
|
Subsequently, another bug means that the session_id_length is set to 0 for
|
|
sessions that are marked as not_resumable - even though that session is
|
|
still in the cache. Once this happens the session can never be removed from
|
|
the cache. When that object gets to be the session cache tail object the
|
|
cache never shrinks again and grows indefinitely.
|
|
|
|
CVE-2024-2511
|
|
|
|
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
(Merged from https://github.com/openssl/openssl/pull/24044)
|
|
|
|
(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce)
|
|
Signed-off-by: Liu-Ermeng <liuermeng2@huawei.com>
|
|
---
|
|
include/openssl/sslerr.h | 4 ++--
|
|
ssl/ssl_err.c | 5 +++--
|
|
ssl/ssl_lib.c | 5 +++--
|
|
ssl/ssl_sess.c | 30 +++++++++++++++++++++++-------
|
|
ssl/statem/statem_srvr.c | 5 ++---
|
|
5 files changed, 33 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
|
|
index aa5f56a482..3e99ffc27f 100644
|
|
--- a/include/openssl/sslerr.h
|
|
+++ b/include/openssl/sslerr.h
|
|
@@ -1,6 +1,6 @@
|
|
/*
|
|
* Generated by util/mkerr.pl DO NOT EDIT
|
|
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
|
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
@@ -224,7 +224,7 @@ int ERR_load_SSL_strings(void);
|
|
# define SSL_F_SSL_RENEGOTIATE_ABBREVIATED 546
|
|
# define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT 320
|
|
# define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT 321
|
|
-# define SSL_F_SSL_SESSION_DUP 348
|
|
+# define SSL_F_SSL_SESSION_DUP_INTERN 668
|
|
# define SSL_F_SSL_SESSION_NEW 189
|
|
# define SSL_F_SSL_SESSION_PRINT_FP 190
|
|
# define SSL_F_SSL_SESSION_SET1_ID 423
|
|
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
|
|
index 5a7c42a88c..c4144bb8b4 100644
|
|
--- a/ssl/ssl_err.c
|
|
+++ b/ssl/ssl_err.c
|
|
@@ -1,6 +1,6 @@
|
|
/*
|
|
* Generated by util/mkerr.pl DO NOT EDIT
|
|
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
|
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
@@ -325,7 +325,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
|
|
"SSL_renegotiate_abbreviated"},
|
|
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, 0), ""},
|
|
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, 0), ""},
|
|
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP, 0), "ssl_session_dup"},
|
|
+ {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP_INTERN, 0),
|
|
+ "ssl_session_dup_intern"},
|
|
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_NEW, 0), "SSL_SESSION_new"},
|
|
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_PRINT_FP, 0),
|
|
"SSL_SESSION_print_fp"},
|
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
|
index 618549a2ca..2a44960fac 100644
|
|
--- a/ssl/ssl_lib.c
|
|
+++ b/ssl/ssl_lib.c
|
|
@@ -3541,9 +3541,10 @@ void ssl_update_cache(SSL *s, int mode)
|
|
|
|
/*
|
|
* If the session_id_length is 0, we are not supposed to cache it, and it
|
|
- * would be rather hard to do anyway :-)
|
|
+ * would be rather hard to do anyway :-). Also if the session has already
|
|
+ * been marked as not_resumable we should not cache it for later reuse.
|
|
*/
|
|
- if (s->session->session_id_length == 0)
|
|
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
|
|
return;
|
|
|
|
/*
|
|
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
|
|
index 1b4c85b60c..28affe0a26 100644
|
|
--- a/ssl/ssl_sess.c
|
|
+++ b/ssl/ssl_sess.c
|
|
@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void)
|
|
return ss;
|
|
}
|
|
|
|
-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
|
|
-{
|
|
- return ssl_session_dup(src, 1);
|
|
-}
|
|
-
|
|
/*
|
|
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
|
|
* ticket == 0 then no ticket information is duplicated, otherwise it is.
|
|
*/
|
|
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
|
+static SSL_SESSION *ssl_session_dup_intern(SSL_SESSION *src, int ticket)
|
|
{
|
|
SSL_SESSION *dest;
|
|
|
|
@@ -221,11 +216,32 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
|
|
|
return dest;
|
|
err:
|
|
- SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
|
|
+ SSLerr(SSL_F_SSL_SESSION_DUP_INTERN, ERR_R_MALLOC_FAILURE);
|
|
SSL_SESSION_free(dest);
|
|
return NULL;
|
|
}
|
|
|
|
+SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
|
|
+{
|
|
+ return ssl_session_dup_intern(src, 1);
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Used internally when duplicating a session which might be already shared.
|
|
+ * We will have resumed the original session. Subsequently we might have marked
|
|
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
|
|
+ * resume from.
|
|
+ */
|
|
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
|
+{
|
|
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
|
|
+
|
|
+ if (sess != NULL)
|
|
+ sess->not_resumable = 0;
|
|
+
|
|
+ return sess;
|
|
+}
|
|
+
|
|
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
|
|
{
|
|
if (len)
|
|
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
|
index 1b3b8002ee..d242e98024 100644
|
|
--- a/ssl/statem/statem_srvr.c
|
|
+++ b/ssl/statem/statem_srvr.c
|
|
@@ -2418,9 +2418,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
|
|
* so the following won't overwrite an ID that we're supposed
|
|
* to send back.
|
|
*/
|
|
- if (s->session->not_resumable ||
|
|
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
|
|
- && !s->hit))
|
|
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
|
|
+ && !s->hit)
|
|
s->session->session_id_length = 0;
|
|
|
|
if (usetls13) {
|
|
--
|
|
2.33.0
|
|
|