mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-18 13:44:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Use the correct session resumption mechanism

Browse Source 
Don't attempt to add a TLS1.3 session to a TLS1.2 ClientHello session
ticket extensions. Similarly don't add a TLS1.2 session to a TLS1.3
psk extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
This commit is contained in:
Matt Caswell 2017-01-19 11:23:06 +00:00
parent 128ae27692
commit 081912943f
2 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ssl/statem/extensions_clnt.c
View File

@ -191,7 +191,8 @@ int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
return 1;
if (!s->new_session && s->session != NULL
&& s->session->ext.tick != NULL) {
&& s->session->ext.tick != NULL
&& s->session->ssl_version != TLS1_3_VERSION) {
ticklen = s->session->ext.ticklen;
} else if (s->session && s->ext.session_ticket != NULL
&& s->ext.session_ticket->data != NULL) {
@ -674,10 +675,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
/*
* If this is a new session then we have nothing to resume so don't add
* this extension.
* If this is an incompatible or new session then we have nothing to resume
* so don't add this extension.
*/
if (s->session->ext.ticklen == 0)
if (s->session->ssl_version != TLS1_3_VERSION
|| s->session->ext.ticklen == 0)
return 1;
/*

2
ssl/t1_lib.c
View File

@ -954,7 +954,7 @@ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
int tls_use_ticket(SSL *s)
{
if ((s->options & SSL_OP_NO_TICKET) || SSL_IS_TLS13(s))
if ((s->options & SSL_OP_NO_TICKET))
return 0;
return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}