[PATCH 04 of 11] SSL: explicit session id length checking
Sergey Kandaurov
pluknet at nginx.com
Mon Sep 26 10:13:10 UTC 2022
> On 17 Sep 2022, at 01:03, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> Hello!
>
> On Thu, Sep 15, 2022 at 09:40:32AM +0400, Sergey Kandaurov wrote:
>
>>> On 26 Aug 2022, at 07:01, Maxim Dounin <mdounin at mdounin.ru> wrote:
>>>
>>> # HG changeset patch
>>> # User Maxim Dounin <mdounin at mdounin.ru>
>>> # Date 1661481949 -10800
>>> # Fri Aug 26 05:45:49 2022 +0300
>>> # Node ID f4ae0f4ee928cf20346530e96f1431314ecd0171
>>> # Parent 86d827338fdd13ea899d618b0bcb2be23469cbac
>>> SSL: explicit session id length checking.
>>>
>>> Session ids are not expected to be longer than 32 bytes, but this is
>>> theoretically possible with TLSv1.3, where session ids are essentially
>>> arbitrary and sent as session tickets. Since on 64-bit platforms we
>>> use fixed 32-byte buffer for session ids, added an explicit length check
>>> to make sure the buffer is large enough.
>>>
>>
>> I don't follow how session ids could be "essentially arbitrary"
>> (except a library bug that justifies such safety belt).
>> For TLSv1.3, this callback is used to update session cache as part
>> of constructing NewSessionTicket. It's called after generating
>> dummy session ids, which, and regardless of protocol version, are
>> capped to SSL3_SSL_SESSION_ID_LENGTH (32).
>
> In TLSv1.2 and below, session id lengths are limited by the
> protocol. For example, in TLSv1.2:
>
> opaque SessionID<0..32>;
>
> In TLSv1.3 there is no such limitation, and any length can be used
> by the library (well, almost any, up to 2^16-1 bytes). While
> OpenSSL currently uses 32 bytes, there is no guarantee that at
> some point it won't switch to using, for example, 64 bytes.
So that's for a rather theoretical and unlikely reason.
I agree though, such explicit and cheap guarantee won't hurt.
>
>>> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
>>> --- a/src/event/ngx_event_openssl.c
>>> +++ b/src/event/ngx_event_openssl.c
>>> @@ -3842,6 +3842,14 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
>>> p = buf;
>>> i2d_SSL_SESSION(sess, &p);
>>>
>>> + session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
>>> +
>>> + /* do not cache sessions with too long session id */
>>> +
>>> + if (session_id_length > 32) {
>>> + return 0;
>>> + }
>>> +
>>
>> The check can be moved above the cpu expensive i2d_SSL_SESSION call.
>> Or rather move i2d_SSL_SESSION closer to corresponding ngx_memcpy().
>> (but see my reply on the next patch)
>
> There is no practical difference, as this check is not expected
> to catch anything.
>
Agree, with that in mind it won't make a difference.
>>> c = ngx_ssl_get_connection(ssl_conn);
>>>
>>> ssl_ctx = c->ssl->session_ctx;
>>> @@ -3886,8 +3894,6 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
>>> }
>>> }
>>>
>>> - session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
>>> -
>>> #if (NGX_PTR_SIZE == 8)
>>>
>>> id = sess_id->sess_id;
>>>
>
--
Sergey Kandaurov
More information about the nginx-devel
mailing list