Always call the new_session_cb when issuing a NewSessionTicket in TLSv1.3

Conceptually in TLSv1.3 there can be multiple sessions associated with a single connection. Each NewSessionTicket issued can be considered a separate session. We can end up issuing multiple NewSessionTickets on a single connection at the moment (e.g. in a post-handshake auth scenario). Each of those issued tickets should have the new_session_cb called, it should go into the session cache separately and it should have a unique id associated with it (so that they can be found individually in the cache). Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5644)
author: Matt Caswell <matt@openssl.org> 2018-03-15 17:47:29 +0000
committer: Matt Caswell <matt@openssl.org> 2018-03-19 12:21:17 +0000
commit: 32305f88509c1d9ccb3ad676209a25fa59b95488 (patch)
tree: 465d5906e932f6f930061a32e60c003b89f2b1a9 /ssl/ssl_sess.c
parent: 51cf8ba038aae10df9895b0001715938f7ad0c75 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 1873237c70..5e44d4c41f 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -417,7 +417,13 @@ int ssl_get_new_session(SSL *s, int session)
     s->session = NULL;
 
     if (session) {
-        if (!ssl_generate_session_id(s, ss)) {
+        if (SSL_IS_TLS13(s)) {
+            /*
+             * We generate the session id while constructing the
+             * NewSessionTicket in TLSv1.3.
+             */
+            ss->session_id_length = 0;
+        } else if (!ssl_generate_session_id(s, ss)) {
             /* SSLfatal() already called */
             SSL_SESSION_free(ss);
             return 0;
author	Matt Caswell <matt@openssl.org>	2018-03-15 17:47:29 +0000
committer	Matt Caswell <matt@openssl.org>	2018-03-19 12:21:17 +0000
commit	32305f88509c1d9ccb3ad676209a25fa59b95488 (patch)
tree	465d5906e932f6f930061a32e60c003b89f2b1a9 /ssl/ssl_sess.c
parent	51cf8ba038aae10df9895b0001715938f7ad0c75 (diff)