From: Matt Caswell Date: Thu, 19 Jan 2017 11:23:06 +0000 (+0000) Subject: Use the correct session resumption mechanism X-Git-Tag: OpenSSL_1_1_1-pre1~2563 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=081912943f951a49420b1f7d89288bab47f67500;p=oweals%2Fopenssl.git Use the correct session resumption mechanism Don't attempt to add a TLS1.3 session to a TLS1.2 ClientHello session ticket extensions. Similarly don't add a TLS1.2 session to a TLS1.3 psk extension. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2259) --- diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 1e6eddf373..c17901a954 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -191,7 +191,8 @@ int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, X509 *x, return 1; if (!s->new_session && s->session != NULL - && s->session->ext.tick != NULL) { + && s->session->ext.tick != NULL + && s->session->ssl_version != TLS1_3_VERSION) { ticklen = s->session->ext.ticklen; } else if (s->session && s->ext.session_ticket != NULL && s->ext.session_ticket->data != NULL) { @@ -674,10 +675,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY; /* - * If this is a new session then we have nothing to resume so don't add - * this extension. + * If this is an incompatible or new session then we have nothing to resume + * so don't add this extension. */ - if (s->session->ext.ticklen == 0) + if (s->session->ssl_version != TLS1_3_VERSION + || s->session->ext.ticklen == 0) return 1; /* diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 046b665c07..b0df32b406 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -954,7 +954,7 @@ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op) int tls_use_ticket(SSL *s) { - if ((s->options & SSL_OP_NO_TICKET) || SSL_IS_TLS13(s)) + if ((s->options & SSL_OP_NO_TICKET)) return 0; return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); }