[nginx] SSL: explicit session id length checking.

Sergey Kandaurov pluknet at nginx.com
Thu Oct 13 10:57:05 UTC 2022


details:   https://hg.nginx.org/nginx/rev/ec1fa010c3a5
branches:  
changeset: 8077:ec1fa010c3a5
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Wed Oct 12 20:14:39 2022 +0300
description:
SSL: explicit session id length checking.

Session ids are not expected to be longer than 32 bytes, but this is
theoretically possible with TLSv1.3, where session ids are essentially
arbitrary and sent as session tickets.  Since on 64-bit platforms we
use fixed 32-byte buffer for session ids, added an explicit length check
to make sure the buffer is large enough.

diffstat:

 src/event/ngx_event_openssl.c |  10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diffs (27 lines):

diff -r fa4b4f38da4a -r ec1fa010c3a5 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Wed Oct 12 20:14:37 2022 +0300
+++ b/src/event/ngx_event_openssl.c	Wed Oct 12 20:14:39 2022 +0300
@@ -3848,6 +3848,14 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
     p = buf;
     i2d_SSL_SESSION(sess, &p);
 
+    session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
+
+    /* do not cache sessions with too long session id */
+
+    if (session_id_length > 32) {
+        return 0;
+    }
+
     c = ngx_ssl_get_connection(ssl_conn);
 
     ssl_ctx = c->ssl->session_ctx;
@@ -3892,8 +3900,6 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
         }
     }
 
-    session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
-
 #if (NGX_PTR_SIZE == 8)
 
     id = sess_id->sess_id;



More information about the nginx-devel mailing list