From 6aebaa11abb36a09f2b800c59b35ed59cff333b0 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Wed, 12 Feb 2020 14:50:52 +0100 Subject: ssl: Invalidate session on abrupt close during initial handshake --- lib/ssl/src/ssl_connection.erl | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) (limited to 'lib/ssl/src/ssl_connection.erl') diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 955841a7a4..6630e417f9 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -53,7 +53,8 @@ %% Alert and close handling -export([handle_own_alert/4, handle_alert/3, handle_normal_shutdown/3, - handle_trusted_certs_db/1]). + handle_trusted_certs_db/1, + maybe_invalidate_session/6]). %% Data handling -export([read_application_data/2, internal_renegotiation/2]). @@ -325,6 +326,7 @@ dist_handshake_complete(ConnectionPid, DHandle) -> prf(ConnectionPid, Secret, Label, Seed, WantedLength) -> call(ConnectionPid, {prf, Secret, Label, Seed, WantedLength}). + %%==================================================================== %% Alert and close handling %%==================================================================== @@ -442,6 +444,13 @@ handle_alert(#alert{level = ?WARNING} = Alert, StateName, Alert#alert{role = opposite_role(Role)}), Connection:next_event(StateName, no_record, State). +maybe_invalidate_session(undefined,_, _, _, _, _) -> + ok; +maybe_invalidate_session({3, 4},_, _, _, _, _) -> + ok; +maybe_invalidate_session({3, N}, Type, Role, Host, Port, Session) when N < 4 -> + maybe_invalidate_session(Type, Role, Host, Port, Session). + %%==================================================================== %% Data handling %%==================================================================== @@ -1492,16 +1501,23 @@ handle_call(_,_,_,_,_) -> handle_info({ErrorTag, Socket, econnaborted}, StateName, #state{static_env = #static_env{role = Role, + host = Host, + port = Port, socket = Socket, transport_cb = Transport, error_tag = ErrorTag, trackers = Trackers, protocol_cb = Connection}, - start_or_recv_from = StartFrom - } = State) when StateName =/= connection -> + handshake_env = #handshake_env{renegotiation = Type}, + connection_env = #connection_env{negotiated_version = Version}, + session = Session, + start_or_recv_from = StartFrom + } = State) when StateName =/= connection -> + + maybe_invalidate_session(Version, Type, Role, Host, Port, Session), Pids = Connection:pids(State), alert_user(Pids, Transport, Trackers,Socket, - StartFrom, ?ALERT_REC(?FATAL, ?CLOSE_NOTIFY), Role, StateName, Connection), + StartFrom, ?ALERT_REC(?FATAL, ?CLOSE_NOTIFY), Role, StateName, Connection), {stop, {shutdown, normal}, State}; handle_info({ErrorTag, Socket, Reason}, StateName, #state{static_env = #static_env{ @@ -3009,6 +3025,11 @@ log_alert(Level, Role, ProtocolName, StateName, Alert) -> alert => Alert, alerter => peer}, Alert#alert.where). +maybe_invalidate_session({false, first}, server = Role, Host, Port, Session) -> + invalidate_session(Role, Host, Port, Session); +maybe_invalidate_session(_, _, _, _, _) -> + ok. + invalidate_session(client, Host, Port, Session) -> ssl_manager:invalidate_session(Host, Port, Session); invalidate_session(server, _, Port, Session) -> -- cgit v1.2.1