From: Bodo Möller Date: Wed, 21 Mar 2007 14:33:16 +0000 (+0000) Subject: stricter session ID context matching X-Git-Tag: OpenSSL_0_9_8k^2~934 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=0f32c841a678d3a3cfb544243f9f672b22ed2dc3;p=oweals%2Fopenssl.git stricter session ID context matching --- diff --git a/CHANGES b/CHANGES index 7f0fc881ca..2081bf68c9 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,7 @@ OpenSSL CHANGES _______________ - Changes between 0.9.8e and 0.9.9 [xx XXX xxxx] + Changes between 0.9.8f and 0.9.9 [xx XXX xxxx] *) Change ssl_cipher_apply_rule(), the internal function that does the work each time a ciphersuite string requests enabling @@ -481,13 +481,26 @@ *) Change 'Configure' script to enable Camellia by default. [NTT] - Changes between 0.9.8d and 0.9.8e [23 Feb 2007] + Changes between 0.9.8e and 0.9.8f [xx XXX xxxx] + + *) In the SSL/TLS server implementation, be strict about session ID + context matching (which matters if an application uses a single + external cache for different purposes). Previously, + out-of-context reuse was forbidden only if SSL_VERIFY_PEER was + set. This did ensure strict client verification, but meant that, + with applications using a single external cache for quite + different requirements, clients could circumvent ciphersuite + restrictions for a given session ID context by starting a session + in a different context. + [Bodo Moeller] *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites. [Bodo Moeller] + Changes between 0.9.8d and 0.9.8e [23 Feb 2007] + *) Since AES128 and AES256 (and similarly Camellia128 and Camellia256) share a single mask bit in the logic of ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a @@ -1526,6 +1539,19 @@ differing sizes. [Richard Levitte] + Changes between 0.9.7m and 0.9.7n [xx XXX xxxx] + + *) In the SSL/TLS server implementation, be strict about session ID + context matching (which matters if an application uses a single + external cache for different purposes). Previously, + out-of-context reuse was forbidden only if SSL_VERIFY_PEER was + set. This did ensure strict client verification, but meant that, + with applications using a single external cache for quite + different requirements, clients could circumvent ciphersuite + restrictions for a given session ID context by starting a session + in a different context. + [Bodo Moeller] + Changes between 0.9.7l and 0.9.7m [23 Feb 2007] *) Cleanse PEM buffers before freeing them since they may contain diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index e24d92d10c..6aba804faa 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -462,33 +462,35 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len) /* Now ret is non-NULL, and we own one of its reference counts. */ - if((s->verify_mode&SSL_VERIFY_PEER) - && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length - || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))) - { + if (ret->sid_ctx_length != s->sid_ctx_length + || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)) + { /* We've found the session named by the client, but we don't * want to use it in this context. */ - - if (s->sid_ctx_length == 0) - { - /* application should have used SSL[_CTX]_set_session_id_context - * -- we could tolerate this and just pretend we never heard - * of this session, but then applications could effectively - * disable the session cache by accident without anyone noticing */ - SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); - fatal = 1; - goto err; - } - else - { #if 0 /* The client cannot always know when a session is not appropriate, - * so we shouldn't generate an error message. */ + * so we shouldn't generate an error message. */ - SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); + SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); #endif - goto err; /* treat like cache miss */ - } + goto err; /* treat like cache miss */ + } + + if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) + { + /* We can't be sure if this session is being used out of + * context, which is especially important for SSL_VERIFY_PEER. + * The application should have used SSL[_CTX]_set_session_id_context. + * + * For this error case, we generate an error instead of treating + * the event like a cache miss (otherwise it would be easy for + * applications to effectively disable the session cache by + * accident without anyone noticing). + */ + + SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED); + fatal = 1; + goto err; } if (ret->cipher == NULL)