From 1a9f457c6656a0905102c8850ca586eda1e3ba91 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 25 Jan 2017 11:56:23 +0000
Subject: If we have no suitable PSK kex modes then don't attempt to resume

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/2259)
---
 ssl/ssl_sess.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

(limited to 'ssl/ssl_sess.c')

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index c0fc8b356c..686d18a384 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -458,7 +458,7 @@ int ssl_get_new_session(SSL *s, int session)
  * - Both for new and resumed sessions, s->ext.ticket_expected is set to 1
  *   if the server should issue a new session ticket (to 0 otherwise).
  */
-int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
+int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello, int *al)
 {
     /* This is used only by servers. */
 
@@ -468,10 +468,10 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
     TICKET_RETURN r;
 
     if (SSL_IS_TLS13(s)) {
-        int al;
-
-        if (!tls_parse_extension(s, TLSEXT_IDX_psk, EXT_CLIENT_HELLO,
-                                 hello->pre_proc_exts, NULL, 0, &al))
+        if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes, EXT_CLIENT_HELLO,
+                                 hello->pre_proc_exts, NULL, 0, al)
+                || !tls_parse_extension(s, TLSEXT_IDX_psk, EXT_CLIENT_HELLO,
+                                        hello->pre_proc_exts, NULL, 0, al))
             return -1;
 
         ret = s->session;
@@ -637,10 +637,12 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
             s->ext.ticket_expected = 1;
         }
     }
-    if (fatal)
+    if (fatal) {
+        *al = SSL_AD_INTERNAL_ERROR;
         return -1;
-    else
+    } else {
         return 0;
+    }
 }
 
 int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
--
cgit v1.2.3
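Review bot: The new `al` out-parameter added to `ssl_get_prev_session` in the first hunk is not described in the comment block whose closing `*/` sits directly above the changed signature, even though the third hunk makes every fatal `-1` return responsible for filling it in; add a line such as ` * - On a -1 return, *al is set to the alert the caller should send.` to that comment. The third hunk writes `*al` only on the `fatal` path and the second hunk relies on `tls_parse_extension` to set it, so any other `return -1` in the roughly 170 lines between the two hunks that are not shown here would hand the caller an unset alert value — worth confirming now that the alert is no longer a discarded local. The function's body runs between and past the hunks, so its full set of return paths is outside this view.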