Don't remove sessions from the cache during PHA in TLSv1.3

If we issue new tickets due to post-handshake authentication there is no reason to remove previous tickets from the cache. The code that did that only removed the last session anyway - so if more than one ticket got issued then those other tickets are still valid. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6722)

Don't remove sessions from the cache during PHA in TLSv1.3
If we issue new tickets due to post-handshake authentication there is no reason to remove previous tickets from the cache. The code that did that only removed the last session anyway - so if more than one ticket got issued then those other tickets are still valid. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6722)
84475ccb · Matt Caswell · 57fd5170 · 84475ccb
显示空白变更内容
内联并排

Showing with 0 addition and 9 deletion

ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c +0 -9

未找到文件。
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3648,8 +3648,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
     */

    if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
-        int m = s->session_ctx->session_cache_mode;
-
        if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
@@ -3657,13 +3655,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
            goto err;
        }

-        if (m & SSL_SESS_CACHE_SERVER) {
-            /*
-             * Remove the old session from the cache. We carry on if this fails
-             */
-            SSL_CTX_remove_session(s->session_ctx, s->session);
-        }
-
        SSL_SESSION_free(s->session);
        s->session = new_sess;
    }