From: Dr. Stephen Henson <steve@openssl.org>
Date: Wed, 17 Oct 2007 11:27:25 +0000 (+0000)
Subject: Allow TLS tickets and session ID to both be present if lifetime hint is -1.
X-Git-Tag: OpenSSL_0_9_8h~132
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=7c717aafc6f65f855826a79c47398aa1e705e23e;p=oweals%2Fopenssl.git

Allow TLS tickets and session ID to both be present if lifetime hint is -1.
This never happens in normal SSL sessions but can be useful if the session
is being used as a "blob" to contain other data.
---

diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 8d9fb6d7d3..6e14f4d834 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -200,12 +200,13 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
                 a.tlsext_tick.type=V_ASN1_OCTET_STRING;
                 a.tlsext_tick.data=(unsigned char *)in->tlsext_tick;
 		/* If we have a ticket set session ID to empty because
-		 * it will be bogus. 
+		 * it will be bogus. If liftime hint is -1 treat as a special
+		 * case because the session is being used as a container
 		 */
-		if (in->tlsext_ticklen)
+		if (in->tlsext_ticklen && (in->tlsext_tick_lifetime_hint != -1))
 			a.session_id.length=0;
                 }
-	if (in->tlsext_tick_lifetime_hint != 0)
+	if (in->tlsext_tick_lifetime_hint > 0)
 		{
 		a.tlsext_tick_lifetime.length=LSIZE2;
 		a.tlsext_tick_lifetime.type=V_ASN1_INTEGER;
@@ -235,7 +236,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 		M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
 
 #ifndef OPENSSL_NO_TLSEXT
-	if (in->tlsext_tick_lifetime_hint)
+	if (in->tlsext_tick_lifetime_hint > 0)
       	 	M_ASN1_I2D_len_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
 	if (in->tlsext_tick)
         	M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
@@ -268,7 +269,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 #ifndef OPENSSL_NO_TLSEXT
 	if (in->tlsext_hostname)
         	M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING,6,v6);
-	if (in->tlsext_tick_lifetime_hint)
+	if (in->tlsext_tick_lifetime_hint > 0)
       	 	M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER,9,v9);
 	if (in->tlsext_tick)
         	M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
@@ -464,8 +465,10 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 		ret->tlsext_tick_lifetime_hint=ASN1_INTEGER_get(aip);
 		OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
 		}
+	else if (ret->tlsext_ticklen && ret->session_id_length)
+		ret->tlsext_tick_lifetime_hint = -1;
 	else
-		ret->tlsext_tick_lifetime_hint=0;
+		ret->tlsext_tick_lifetime_hint = 0;
  	os.length=0;
  	os.data=NULL;
   	M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,10);