Fast session resumption segfault

Phil Mayers p.mayers at imperial.ac.uk
Thu Oct 20 22:15:21 CEST 2011


On 10/20/2011 07:18 PM, Phil Mayers wrote:

> Quite how we solve it I don't know... I'm going to (shudder) look at the
> OpenSSL source to see if it does any locking around session objects; I
> just don't see from the API how you can use the get/set_ex_data
> functions safely in a threaded environment!
>

Oh dear oh dear oh dear...

So - it turns out the session callbacks that we set with:

SSL_CTX_sess_set_{new,get,remove}_cb

...are not in fact called when you would think. In particular, the 
"remove" callback is NOT called when the session refcount==0. It is 
called when it's removed from the list of "will accept a resume". The 
actual session object refcount can go to zero at a later time, so 
freeing the "ex_data" in the "remove" callback is definitely the wrong 
thing to do.

It gets worse: OpenSSL does provide a way to register 
create/duplicate/delete callbacks for "ex_data" objects that will be 
called at the proper time; but the API is extremely verbose and AFAICT 
largely undocumented. But to remove the cached VPs, that's what we would 
need to do.

Sigh. It's like they were deliberately trying to make life difficult...
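
The lifetime problem described in the message above, as an added example that is not part of the original post and is neither FreeRADIUS nor OpenSSL code: a constructed, single-threaded C model (every name in it is hypothetical) of a refcounted session whose attached data is released either in the cache "remove" callback or in a free callback that runs when the refcount reaches zero. In real OpenSSL the second hook is the free_func argument of SSL_SESSION_get_ex_new_index().

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model, not OpenSSL code; every name here is hypothetical. */
typedef struct session {
    int   refs;                          /* cache + connections holding it */
    void *ex_data;                       /* application data hung off it   */
    void (*remove_cb)(struct session *); /* fires on cache eviction        */
    void (*free_cb)(struct session *);   /* fires when refs reaches zero   */
} session;

static int ex_frees;                     /* times ex_data was released */
/* Releases the attached data. NULLing the slot makes the early release
 * observable; real code would be left with a dangling pointer instead. */
static void release_ex(session *s) {
    free(s->ex_data);
    s->ex_data = NULL;
    ex_frees++;
}

static void session_unref(session *s) {
    if (--s->refs > 0) return;
    if (s->free_cb) s->free_cb(s);       /* the only point nobody can use s */
    free(s);
}

/* Eviction only ends "will accept a resume"; other holders keep their ref. */
static void cache_evict(session *s) {
    if (s->remove_cb) s->remove_cb(s);
    session_unref(s);                    /* drop the cache's reference */
}

/* One session held by the cache and by one in-flight connection.
 * Returns 1 if the connection still sees its ex_data after eviction. */
int ex_data_survives_eviction(int free_in_remove_cb) {
    session *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->refs = 2;
    s->ex_data = malloc(32);
    if (free_in_remove_cb) s->remove_cb = release_ex;
    else                   s->free_cb   = release_ex;
    cache_evict(s);
    int alive = (s->ex_data != NULL);    /* what the connection would read */
    session_unref(s);                    /* connection finishes; refs -> 0 */
    return alive;
}

int main(void) {
    printf("remove cb: alive=%d\n", ex_data_survives_eviction(1));
    printf("free cb:   alive=%d\n", ex_data_survives_eviction(0));
    return 0;
}
```

Both variants release the data exactly once; only the free-callback variant does so after the last holder has let go.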


