projects / oweals / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 128ae27)
Use the correct session resumption mechanism
authorMatt Caswell <matt@openssl.org>
Thu, 19 Jan 2017 11:23:06 +0000 (11:23 +0000)
committerMatt Caswell <matt@openssl.org>
Mon, 30 Jan 2017 10:18:21 +0000 (10:18 +0000)
Don't attempt to add a TLS1.3 session to a TLS1.2 ClientHello session
ticket extensions. Similarly don't add a TLS1.2 session to a TLS1.3
psk extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

ssl/statem/extensions_clnt.c patch | blob | history
ssl/t1_lib.c patch | blob | history

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 1e6eddf37334f0b4f7c3b484a46279f0e481eeb0..c17901a954760a91ba06799ec5f6aaa24a9cbaec 100644 (file)
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -191,7 +191,8 @@ int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
         return 1;
 
     if (!s->new_session && s->session != NULL
-            && s->session->ext.tick != NULL) {
+            && s->session->ext.tick != NULL
+            && s->session->ssl_version != TLS1_3_VERSION) {
         ticklen = s->session->ext.ticklen;
     } else if (s->session && s->ext.session_ticket != NULL
                && s->ext.session_ticket->data != NULL) {
@@ -674,10 +675,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
     s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
 
     /*
-     * If this is a new session then we have nothing to resume so don't add
-     * this extension.
+     * If this is an incompatible or new session then we have nothing to resume
+     * so don't add this extension.
      */
-    if (s->session->ext.ticklen == 0)
+    if (s->session->ssl_version != TLS1_3_VERSION
+            || s->session->ext.ticklen == 0)
         return 1;
 
     /*
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 046b665c07194abff46bbe40d54ce6383026af91..b0df32b406a0a025fa1bed5874f76991ad15d7df 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -954,7 +954,7 @@ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
 
 int tls_use_ticket(SSL *s)
 {
-    if ((s->options & SSL_OP_NO_TICKET) || SSL_IS_TLS13(s))
+    if ((s->options & SSL_OP_NO_TICKET))
         return 0;
     return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
 }
Unnamed repository; edit this file 'description' to name the repository.