Fix regression with session cache use by clients
author Benjamin Kaduk <bkaduk@akamai.com>
Mon, 16 Apr 2018 12:32:02 +0000 (07:32 -0500)
committer Benjamin Kaduk <kaduk@mit.edu>
Tue, 1 May 2018 16:32:54 +0000 (11:32 -0500)
commit bf87bf45f181fa130af27739f5c38aba88f88cfd
tree e6c794fc945e6b920f6fb0190f45500a8aec43ac
parent 14e55560cf9ee85f0b7816ba2b41ff1755b68e15
Fix regression with session cache use by clients

Commit d316cdcf6d8d6934663278145fe0a8191e14a8c5 introduced some extra
checks into the session-cache update procedure, intended to prevent
the caching of sessions whose resumption would lead to a handshake
failure, since if the server is authenticating the client, there needs to
be an application-set "session id context" to match up to the authentication
context.  While that change is effective for its stated purpose, there
was also some collateral damage introduced along with the fix -- clients
that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
their usage of session caching was erroneously denied.

Fix the scope of the original commit by limiting it to only acting
when the SSL is a server SSL.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5967)

(cherry picked from commit c4fa1f7fc016919a5b3d4ea2aa66c77e0cc40c9d)
ssl/ssl_lib.c