author | Matt Caswell <matt@openssl.org> | 2018-03-14 19:22:48 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-05-17 16:48:25 +0100 |
commit | 36ff232cf2bf5dfcaf9e60a8c492439428a243bb (patch) | |
tree | 8e2dfdd9d77088c4ce0245708b9c906daced0e2f /ssl/statem/statem_srvr.c | |
parent | 394159da608f625b60f07c59e36dc7d01df3a709 (diff) |
Change the default number of NewSessionTickets we send to 2
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
Diffstat (limited to 'ssl/statem/statem_srvr.c')
-rw-r--r-- | ssl/statem/statem_srvr.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index dfeba173a7..ce8cec185a 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -507,6 +507,9 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
 /* Fall through */

 case TLS_ST_SW_KEY_UPDATE:
+ st->hand_state = TLS_ST_OK;
+ return WRITE_TRAN_CONTINUE;
+
 case TLS_ST_SW_SESSION_TICKET:
 /* In a resumption we only ever send a maximum of one new ticket.
 * Following an initial handshake we send the number of tickets we have
@@ -708,7 +711,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
 return WORK_FINISHED_CONTINUE;

 case TLS_ST_SW_SESSION_TICKET:
- if (SSL_IS_TLS13(s)) {
+ if (SSL_IS_TLS13(s) && s->sent_tickets == 0) {
 /*
 * Actually this is the end of the handshake, but we're going
 * straight into writing the session ticket out. So we finish off
@@ -3687,12 +3690,16 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
 sk = NULL;

 /* Save the current hash state for when we receive the CertificateVerify */
- if (SSL_IS_TLS13(s)
- && !ssl_handshake_hash(s, s->cert_verify_hash,
- sizeof(s->cert_verify_hash),
- &s->cert_verify_hash_len)) {
- /* SSLfatal() already called */
- goto err;
+ if (SSL_IS_TLS13(s)) {
+ if (!ssl_handshake_hash(s, s->cert_verify_hash,
+ sizeof(s->cert_verify_hash),
+ &s->cert_verify_hash_len)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
+
+ /* Resend session tickets */
+ s->sent_tickets = 0;
 }

 ret = MSG_PROCESS_CONTINUE_READING;
@@ -3989,7 +3996,6 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 goto err;
 }
 if (SSL_IS_TLS13(s)) {
- ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
 if (!tls_construct_extensions(s, pkt,
 SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
 NULL, 0)) {
@@ -3997,6 +4003,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 goto err;
 }
 s->sent_tickets++;
+ ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
 }
 EVP_CIPHER_CTX_free(ctx);
 HMAC_CTX_free(hctx); |
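Review bot: In ossl_statem_server_pre_work the new `s->sent_tickets == 0` test turns the ticket counter into a "first ticket of this batch" flag, but the comment under it still reads as if the branch runs for every TLS 1.3 ticket. Because the same commit zeroes the counter in tls_process_client_certificate, this end-of-handshake branch appears to be entered again after a later client certificate; that is worth confirming as intended. I would extend the comment with a line such as `* Only done for the first ticket; sent_tickets is reset when a client certificate is processed.` The case body continues outside the hunk.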
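Review bot: The reset `s->sent_tickets = 0;` in tls_process_client_certificate is explained only by `/* Resend session tickets */`, which says what happens but not why. Presumably tickets issued before the client certificate was processed do not reflect the authenticated peer, so a fresh set is wanted; if so the comment should say that, e.g. `/* Session now includes the client certificate: issue a fresh batch of tickets */`. The reset also means every client certificate message on a connection leads to another full batch of tickets, so it is worth confirming how often this path can run and whether that needs a bound. The function starts and ends outside the hunk.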
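Review bot: In tls_construct_new_session_ticket (the hunks at -3989 and -3997), `ssl_update_cache(s, SSL_SESS_CACHE_SERVER);` now runs after `s->sent_tickets++` for every ticket, so with a default of 2 it is called at least twice per initial handshake. Whether each call adds a separate entry to the server session cache is not visible here; if it does, cache consumption per connection grows with the ticket count and deserves a test or a note next to the call. The reason for moving the call below tls_construct_extensions is not recorded either; if it is so that a failed construction does not leave a cached session, a one-line comment such as `/* Only cache once the ticket has been built successfully */` would capture it. The function body starts and ends outside both hunks.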