From: Matt Caswell Date: Tue, 26 Jun 2018 17:06:45 +0000 (+0100) Subject: Restore behaviour from commit 36ff232cf that was incorrectly removed X-Git-Tag: OpenSSL_1_1_1-pre9~203 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1f1563216d6827e1dc8212795344c82e0f5d5933;p=oweals%2Fopenssl.git Restore behaviour from commit 36ff232cf that was incorrectly removed In TLSv1.2 and below we should remove an old session from the client session cache in the event that we receive a new session ticket from the server. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6601)
---
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index ff353842f9..26be9cb6b8 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2591,6 +2591,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
      */
     if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) {
         SSL_SESSION *new_sess;
+
         /*
          * We reused an existing session, so we need to replace it with a new
          * one
@@ -2602,6 +2603,16 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
             goto err;
         }
 
+        if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0
+                && !SSL_IS_TLS13(s)) {
+            /*
+             * In TLSv1.2 and below the arrival of a new tickets signals that
+             * any old ticket we were using is now out of date, so we remove the
+             * old session from the cache. We carry on if this fails
+             */
+            SSL_CTX_remove_session(s->session_ctx, s->session);
+        }
+
         SSL_SESSION_free(s->session);
         s->session = new_sess;
     }
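Review bot: The comment on the new removal block in the second hunk has a grammatical slip — `a new tickets signals` should read `a new ticket signals` — and it would help a reader to say why TLSv1.3 is excluded, which presumably is that a TLSv1.3 server may issue several tickets that remain valid side by side, so the previous session must not be evicted there. The return value of `SSL_CTX_remove_session` is discarded on purpose per the comment, but if an application keeps sessions only in an external cache (internal store disabled) the removal presumably finds nothing and the remove callback is never invoked, so such applications keep a stale entry; if that is the accepted limitation, one sentence in the comment would save the next reader from rediscovering it. Suggested wording: `In TLSv1.2 and below the arrival of a new ticket signals that any old ticket we were using is now out of date, so we remove the old session from the (internal) cache. TLSv1.3 is excluded because several tickets may be valid at once. We carry on if this fails.` The body of tls_process_new_session_ticket starts before and ends after this hunk.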