stricter session ID context matching

diff --git a/CHANGES b/CHANGES
index 7f0fc881cab955711cf50eb56936fecde4f92705..2081bf68c95e58182df396fe231df41dca7ade45 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,7 @@
  OpenSSL CHANGES
  _______________
 
  OpenSSL CHANGES
  _______________
 

- Changes between 0.9.8e and 0.9.9  [xx XXX xxxx]
+ Changes between 0.9.8f and 0.9.9  [xx XXX xxxx]

 
   *) Change ssl_cipher_apply_rule(), the internal function that does
      the work each time a ciphersuite string requests enabling
 
   *) Change ssl_cipher_apply_rule(), the internal function that does
      the work each time a ciphersuite string requests enabling


@@ -481,13 +481,26 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 

- Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
+ Changes between 0.9.8e and 0.9.8f  [xx XXX xxxx]
+
+  *) In the SSL/TLS server implementation, be strict about session ID
+     context matching (which matters if an application uses a single
+     external cache for different purposes).  Previously,
+     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
+     set.  This did ensure strict client verification, but meant that,
+     with applications using a single external cache for quite
+     different requirements, clients could circumvent ciphersuite
+     restrictions for a given session ID context by starting a session
+     in a different context.
+     [Bodo Moeller]

 
   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
      a ciphersuite string such as "DEFAULT:RSA" cannot enable
      authentication-only ciphersuites.
      [Bodo Moeller]
 
 
   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
      a ciphersuite string such as "DEFAULT:RSA" cannot enable
      authentication-only ciphersuites.
      [Bodo Moeller]
 

+ Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
+

   *) Since AES128 and AES256 (and similarly Camellia128 and
      Camellia256) share a single mask bit in the logic of
      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
   *) Since AES128 and AES256 (and similarly Camellia128 and
      Camellia256) share a single mask bit in the logic of
      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a


@@ -1526,6 +1539,19 @@
      differing sizes.
      [Richard Levitte]
 
      differing sizes.
      [Richard Levitte]
 

+ Changes between 0.9.7m and 0.9.7n  [xx XXX xxxx]
+
+  *) In the SSL/TLS server implementation, be strict about session ID
+     context matching (which matters if an application uses a single
+     external cache for different purposes).  Previously,
+     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
+     set.  This did ensure strict client verification, but meant that,
+     with applications using a single external cache for quite
+     different requirements, clients could circumvent ciphersuite
+     restrictions for a given session ID context by starting a session
+     in a different context.
+     [Bodo Moeller]
+

  Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
 
   *) Cleanse PEM buffers before freeing them since they may contain 
  Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
 
   *) Cleanse PEM buffers before freeing them since they may contain 

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index e24d92d10cd6c99caba611fd8182875238efd32a..6aba804faad3e0445ca980ebdd3650006a6ca3fa 100644 (file)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -462,33 +462,35 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
 
        /* Now ret is non-NULL, and we own one of its reference counts. */
 
 
        /* Now ret is non-NULL, and we own one of its reference counts. */
 

-       if((s->verify_mode&SSL_VERIFY_PEER)
-          && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
-              || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))
-           {
+       if (ret->sid_ctx_length != s->sid_ctx_length
+           || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
+               {

                /* We've found the session named by the client, but we don't
                 * want to use it in this context. */
                /* We've found the session named by the client, but we don't
                 * want to use it in this context. */

-               
-               if (s->sid_ctx_length == 0)
-                       {
-                       /* application should have used SSL[_CTX]_set_session_id_context
-                        * -- we could tolerate this and just pretend we never heard
-                        * of this session, but then applications could effectively
-                        * disable the session cache by accident without anyone noticing */

 
 

-                       SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
-                       fatal = 1;
-                       goto err;
-                       }
-               else
-                       {

 #if 0 /* The client cannot always know when a session is not appropriate,
 #if 0 /* The client cannot always know when a session is not appropriate,

-          * so we shouldn't generate an error message. */
+       * so we shouldn't generate an error message. */

 
 

-                       SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+               SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

 #endif
 #endif

-                       goto err; /* treat like cache miss */
-                       }
+               goto err; /* treat like cache miss */
+               }
+       
+       if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
+               {
+               /* We can't be sure if this session is being used out of
+                * context, which is especially important for SSL_VERIFY_PEER.
+                * The application should have used SSL[_CTX]_set_session_id_context.
+                *
+                * For this error case, we generate an error instead of treating
+                * the event like a cache miss (otherwise it would be easy for
+                * applications to effectively disable the session cache by
+                * accident without anyone noticing).
+                */
+               
+               SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
+               fatal = 1;
+               goto err;

                }
 
        if (ret->cipher == NULL)
                }
 
        if (ret->cipher == NULL)