FPII-Remote code execution vulnerability in Conscrypt CVE-2016-3840 ANDROID-28751153
Change-Id: I1c4c406cfa14e71f4ae2ed4203d7c433dad3303a
diff --git a/src/main/java/org/conscrypt/NativeCrypto.java b/src/main/java/org/conscrypt/NativeCrypto.java
index b1cb522..79c6c21 100644
--- a/src/main/java/org/conscrypt/NativeCrypto.java
+++ b/src/main/java/org/conscrypt/NativeCrypto.java
@@ -1112,6 +1112,8 @@
public static native void SSL_set_session_creation_enabled(
long sslNativePointer, boolean creationEnabled) throws SSLException;
+ public static native boolean SSL_session_reused(long sslNativePointer);
+
public static native void SSL_set_tlsext_host_name(long sslNativePointer, String hostname)
throws SSLException;
public static native String SSL_get_servername(long sslNativePointer);
diff --git a/src/main/java/org/conscrypt/SSLParametersImpl.java b/src/main/java/org/conscrypt/SSLParametersImpl.java
index 580c2c5..2662476 100644
--- a/src/main/java/org/conscrypt/SSLParametersImpl.java
+++ b/src/main/java/org/conscrypt/SSLParametersImpl.java
@@ -605,8 +605,7 @@
final OpenSSLSessionImpl sessionToReuse, String hostname, int port,
boolean handshakeCompleted) throws IOException {
OpenSSLSessionImpl sslSession = null;
- byte[] sessionId = NativeCrypto.SSL_SESSION_session_id(sslSessionNativePointer);
- if (sessionToReuse != null && Arrays.equals(sessionToReuse.getId(), sessionId)) {
+ if (sessionToReuse != null && NativeCrypto.SSL_session_reused(sslNativePointer)) {
sslSession = sessionToReuse;
sslSession.lastAccessedTime = System.currentTimeMillis();
NativeCrypto.SSL_SESSION_free(sslSessionNativePointer);
diff --git a/src/main/native/org_conscrypt_NativeCrypto.cpp b/src/main/native/org_conscrypt_NativeCrypto.cpp
index c3cea65..a0d34d4 100644
--- a/src/main/native/org_conscrypt_NativeCrypto.cpp
+++ b/src/main/native/org_conscrypt_NativeCrypto.cpp
@@ -7926,6 +7926,18 @@
SSL_set_session_creation_enabled(ssl, creation_enabled);
}
+static jboolean NativeCrypto_SSL_session_reused(JNIEnv* env, jclass, jlong ssl_address) {
+ SSL* ssl = to_SSL(env, ssl_address, true);
+ JNI_TRACE("ssl=%p NativeCrypto_SSL_session_reused", ssl);
+ if (ssl == nullptr) {
+ return JNI_FALSE;
+ }
+
+ int reused = SSL_session_reused(ssl);
+ JNI_TRACE("ssl=%p NativeCrypto_SSL_session_reused => %d", ssl, reused);
+ return reused == 1 ? JNI_TRUE : JNI_FALSE;
+}
+
static void NativeCrypto_SSL_set_tlsext_host_name(JNIEnv* env, jclass,
jlong ssl_address, jstring hostname)
{
@@ -9770,6 +9782,7 @@
NATIVE_METHOD(NativeCrypto, SSL_set_verify, "(JI)V"),
NATIVE_METHOD(NativeCrypto, SSL_set_session, "(JJ)V"),
NATIVE_METHOD(NativeCrypto, SSL_set_session_creation_enabled, "(JZ)V"),
+ NATIVE_METHOD(NativeCrypto, SSL_session_reused, "(J)Z"),
NATIVE_METHOD(NativeCrypto, SSL_set_tlsext_host_name, "(JLjava/lang/String;)V"),
NATIVE_METHOD(NativeCrypto, SSL_get_servername, "(J)Ljava/lang/String;"),
NATIVE_METHOD(NativeCrypto, SSL_do_handshake, "(J" FILE_DESCRIPTOR SSL_CALLBACKS "IZ[B[B)J"),