Commit 08191294 authored by Matt Caswell's avatar Matt Caswell
Browse files

Use the correct session resumption mechanism 



Don't attempt to add a TLS1.3 session to a TLS1.2 ClientHello session
ticket extensions. Similarly don't add a TLS1.2 session to a TLS1.3
psk extension.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
parent 128ae276

ssl/statem/extensions_clnt.c

+6 −4
Original line number Diff line number Diff line
@@ -191,7 +191,8 @@ int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, X509 *x, 
        return 1;



    if (!s->new_session && s->session != NULL

            && s->session->ext.tick != NULL) {

            && s->session->ext.tick != NULL

            && s->session->ssl_version != TLS1_3_VERSION) {

        ticklen = s->session->ext.ticklen;

    } else if (s->session && s->ext.session_ticket != NULL

               && s->ext.session_ticket->data != NULL) {
@@ -674,10 +675,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, 
    s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;



    /*

     * If this is a new session then we have nothing to resume so don't add

     * this extension.

     * If this is an incompatible or new session then we have nothing to resume

     * so don't add this extension.

     */

    if (s->session->ext.ticklen == 0)

    if (s->session->ssl_version != TLS1_3_VERSION

            || s->session->ext.ticklen == 0)

        return 1;



    /*

ssl/t1_lib.c

+1 −1
Original line number Diff line number Diff line
@@ -954,7 +954,7 @@ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op) 


int tls_use_ticket(SSL *s)

{

    if ((s->options & SSL_OP_NO_TICKET) || SSL_IS_TLS13(s))

    if ((s->options & SSL_OP_NO_TICKET))

        return 0;

    return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);

}