From b57a09724d6cd8f3860aec74feaf8b865385df27 Mon Sep 17 00:00:00 2001
From: Andy Fiddaman <illumos@fiddaman.net>
Date: Tue, 4 Jun 2024 18:05:50 +0000
Subject: [PATCH 2/2] CVE-2024-2511

diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/ssl_lib.c a/ssl/ssl_lib.c
--- a~/ssl/ssl_lib.c	1970-01-01 00:00:00
+++ a/ssl/ssl_lib.c	1970-01-01 00:00:00
@@ -3515,9 +3515,10 @@ void ssl_update_cache(SSL *s, int mode)
 
     /*
      * If the session_id_length is 0, we are not supposed to cache it, and it
-     * would be rather hard to do anyway :-)
+     * would be rather hard to do anyway :-). Also if the session has already
+     * been marked as not_resumable we should not cache it for later reuse.
      */
-    if (s->session->session_id_length == 0)
+    if (s->session->session_id_length == 0 || s->session->not_resumable)
         return;
 
     /*
diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/ssl_sess.c a/ssl/ssl_sess.c
--- a~/ssl/ssl_sess.c	1970-01-01 00:00:00
+++ a/ssl/ssl_sess.c	1970-01-01 00:00:00
@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void)
     return ss;
 }
 
-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
-{
-    return ssl_session_dup(src, 1);
-}
-
 /*
  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
  * ticket == 0 then no ticket information is duplicated, otherwise it is.
  */
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
+static SSL_SESSION *ssl_session_dup_intern(SSL_SESSION *src, int ticket)
 {
     SSL_SESSION *dest;
 
@@ -226,6 +221,27 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION
     return NULL;
 }
 
+SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
+{
+    return ssl_session_dup_intern(src, 1);
+}
+
+/*
+ * Used internally when duplicating a session which might be already shared.
+ * We will have resumed the original session. Subsequently we might have marked
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
+ * resume from.
+ */
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
+{
+    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
+
+    if (sess != NULL)
+        sess->not_resumable = 0;
+
+    return sess;
+}
+
 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
 {
     if (len)
diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/statem/statem_srvr.c a/ssl/statem/statem_srvr.c
--- a~/ssl/statem/statem_srvr.c	1970-01-01 00:00:00
+++ a/ssl/statem/statem_srvr.c	1970-01-01 00:00:00
@@ -2403,9 +2403,8 @@ int tls_construct_server_hello(SSL *s, W
      * so the following won't overwrite an ID that we're supposed
      * to send back.
      */
-    if (s->session->not_resumable ||
-        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-         && !s->hit))
+    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+            && !s->hit)
         s->session->session_id_length = 0;
 
     if (usetls13) {