From: Matt Caswell
Date: Wed, 14 Mar 2018 17:51:18 +0000 (+0000)
Subject: Only update the server session cache when the session is ready
X-Git-Tag: OpenSSL_1_1_1-pre3~89
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=16ff13427f00753a76672317143753b83cea7982;p=oweals%2Fopenssl.git
Only update the server session cache when the session is ready
In TLSv1.3 the session is not ready until after the end of the handshake when we are constructing the NewSessionTicket.
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/5621)
---
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 82a711979d..a82079c2ee 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1043,7 +1043,12 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
 ssl3_cleanup_key_block(s);
 if (s->server) {
- ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
+ /*
+ * In TLSv1.3 we update the cache as part of constructing the
+ * NewSessionTicket
+ */
+ if (!SSL_IS_TLS13(s))
+ ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
 /* N.B. s->ctx may not equal s->session_ctx */
 CRYPTO_atomic_add(&s->ctx->stats.sess_accept_good, 1, &discard,
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 041089cf96..50be8253c5 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3889,12 +3889,14 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
 goto err;
 }
- if (SSL_IS_TLS13(s)
- && !tls_construct_extensions(s, pkt,
- SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
- NULL, 0)) {
- /* SSLfatal() already called */
- goto err;
+ if (SSL_IS_TLS13(s)) {
+ ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
+ if (!tls_construct_extensions(s, pkt,
+ SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
+ NULL, 0)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
 }
 EVP_CIPHER_CTX_free(ctx);
 HMAC_CTX_free(hctx);
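Review bot: With the new `if (!SSL_IS_TLS13(s))` guard in tls_finish_handshake(), a TLSv1.3 server session reaches the cache only through tls_construct_new_session_ticket(). Any TLSv1.3 handshake that completes without constructing a ticket would therefore skip ssl_update_cache() entirely, together with whatever bookkeeping that function performs. The hunk does not show whether such a path exists, so the added comment should state the assumption explicitly, for example by extending it with `* NewSessionTicket; a handshake that sends no ticket is not cached here`. The function body starts and ends outside the hunk.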
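Review bot: In the new `if (SSL_IS_TLS13(s))` block of tls_construct_new_session_ticket(), `ssl_update_cache()` runs before `tls_construct_extensions()`. When extension construction fails and the code takes `goto err`, the session has already been handed to the server cache for a ticket that is never sent. Moving `ssl_update_cache(s, SSL_SESS_CACHE_SERVER);` to just after the inner `if` block, so it runs only once the extensions have been written, keeps cache entries tied to tickets that were actually issued. A short comment such as `/* The TLSv1.3 session is only complete here, so cache it now */` would also explain why the call is made in this function. The function starts and ends outside the hunk, so any earlier failure paths are not visible here.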