提交 08191294 编写于 作者: M Matt Caswell

Use the correct session resumption mechanism

Don't attempt to add a TLS1.3 session to the TLS1.2 ClientHello
session_ticket extension. Similarly, don't add a TLS1.2 session to the
TLS1.3 psk extension.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
上级 128ae276
...@@ -191,7 +191,8 @@ int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, X509 *x, ...@@ -191,7 +191,8 @@ int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
return 1; return 1;
if (!s->new_session && s->session != NULL if (!s->new_session && s->session != NULL
&& s->session->ext.tick != NULL) { && s->session->ext.tick != NULL
&& s->session->ssl_version != TLS1_3_VERSION) {
ticklen = s->session->ext.ticklen; ticklen = s->session->ext.ticklen;
} else if (s->session && s->ext.session_ticket != NULL } else if (s->session && s->ext.session_ticket != NULL
&& s->ext.session_ticket->data != NULL) { && s->ext.session_ticket->data != NULL) {
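Review bot: The new `ssl_version != TLS1_3_VERSION` guard only covers the cached-session branch; the `else if` branch below it still inserts an application-supplied `s->ext.session_ticket` into the TLS1.2 session_ticket extension even when `s->session` is a TLS1.3 session, since the first condition now fails for exactly that case and control falls through. Whether that pairing can arise depends on the SSL_set_session_ticket_ext path, which is outside this hunk, so it may be intended — but a one-line comment on the new line would make the intent explicit: `/* TLS1.3 sessions are resumed via the psk extension, not a session ticket */`. tls_construct_ctos_session_ticket starts and ends outside the hunk.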
...@@ -674,10 +675,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, ...@@ -674,10 +675,11 @@ int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY; s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
/* /*
* If this is a new session then we have nothing to resume so don't add * If this is an incompatible or new session then we have nothing to resume
* this extension. * so don't add this extension.
*/ */
if (s->session->ext.ticklen == 0) if (s->session->ssl_version != TLS1_3_VERSION
|| s->session->ext.ticklen == 0)
return 1; return 1;
/* /*
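Review bot: The added version test, `if (s->session->ssl_version != TLS1_3_VERSION`, is the only compatibility check before the extension is built, but a TLS1.3 PSK is also usable only with a ciphersuite whose hash matches the session's (RFC 8446 §4.2.11); if nothing below enforces that, the client will still advertise an identity the server must reject and fall back to a full handshake rather than skipping the extension here. Like the context line above it, the new condition dereferences `s->session` unconditionally, so a NULL session has to be excluded by the caller — tls_construct_ctos_psk's opening is outside the hunk and I can't confirm that from here. The new comment would be clearer if it named the incompatibility: `* If this is a non-TLS1.3 or new session then we have nothing to resume`.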
...@@ -954,7 +954,7 @@ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op) ...@@ -954,7 +954,7 @@ int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
int tls_use_ticket(SSL *s) int tls_use_ticket(SSL *s)
{ {
if ((s->options & SSL_OP_NO_TICKET) || SSL_IS_TLS13(s)) if ((s->options & SSL_OP_NO_TICKET))
return 0; return 0;
return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL); return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
} }
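Review bot: With the `SSL_IS_TLS13(s)` clause dropped, `tls_use_ticket()` now returns non-zero during TLS1.3 handshakes too, so every caller that previously relied on it to exclude TLS1.3 ticket handling must now check the protocol version itself; the two client-side constructors in this commit do, but any server-side callers are outside the diff and unverified. The surviving condition also keeps the redundant double parentheses left over from the removed clause, `if ((s->options & SSL_OP_NO_TICKET))`; `if (s->options & SSL_OP_NO_TICKET)` is the conventional form. A header comment would pin down the narrowed contract: `/* Returns 1 if TLS1.2-style session tickets are permitted by options and security level. Does not check the protocol version. */`.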