SSL: explicit session id length checking.

Session ids are not expected to be longer than 32 bytes, but this is theoretically possible with TLSv1.3, where session ids are essentially arbitrary and sent as session tickets. Since on 64-bit platforms we use fixed 32-byte buffer for session ids, added an explicit length check to make sure the buffer is large enough.
author: Maxim Dounin <mdounin@mdounin.ru> 2022-10-12 20:14:39 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2022-10-12 20:14:39 +0300
commit: 5c5c449ba0ba12708d2c9d121d46426eeaf911da (patch)
tree: 378b3885fc8804a434f37d49d87c7494c28e8c8a
parent: aeae4c78453c11adc609abe9c4f8d4117ba8963b (diff)
download: nginx-5c5c449ba0ba12708d2c9d121d46426eeaf911da.tar.gz
1 files changed, 8 insertions, 2 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index e2b0b3a26..c6d9af4cd 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3848,6 +3848,14 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
     p = buf;
     i2d_SSL_SESSION(sess, &p);
 
+    session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
+
+    /* do not cache sessions with too long session id */
+
+    if (session_id_length > 32) {
+        return 0;
+    }
+
     c = ngx_ssl_get_connection(ssl_conn);
 
     ssl_ctx = c->ssl->session_ctx;
@@ -3892,8 +3900,6 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
         }
     }
 
-    session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
-
 #if (NGX_PTR_SIZE == 8)
 
     id = sess_id->sess_id;
author	Maxim Dounin <mdounin@mdounin.ru>	2022-10-12 20:14:39 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2022-10-12 20:14:39 +0300
commit	5c5c449ba0ba12708d2c9d121d46426eeaf911da (patch)
tree	378b3885fc8804a434f37d49d87c7494c28e8c8a
parent	aeae4c78453c11adc609abe9c4f8d4117ba8963b (diff)
download	nginx-5c5c449ba0ba12708d2c9d121d46426eeaf911da.tar.gz