[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Wed Feb 14 15:49:18 UTC 2018
The branch master has been updated
via 6e99ae58c8e1b4a41ae376f91affc7992b0738f7 (commit)
from cb1c3d1a2714eb69012b079053f7fbcca1acc544 (commit)
- Log -----------------------------------------------------------------
commit 6e99ae58c8e1b4a41ae376f91affc7992b0738f7
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jan 30 15:41:56 2018 +0000
Ignore an s_client psk in TLSv1.3 if not TLSv1.3 suitable
The s_client psk_use_session_cb callback has a comment stating that we
should ignore a key that isn't suitable for TLSv1.3. However we were
actually causing the connection to fail. Changing the return value fixes
the issue.
Also related to this is that the early_data extension was not marked as
TLSv1.3 only which it should be.
Fixes #5202
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5205)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 2 +-
ssl/statem/extensions.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index ca2bd0d..eca0a4a 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -208,7 +208,7 @@ static int psk_use_session_cb(SSL *s, const EVP_MD *md,
*id = NULL;
*idlen = 0;
*sess = NULL;
- return 0;
+ return 1;
}
usesess = SSL_SESSION_new();
if (usesess == NULL
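Review bot: the `return 1;` in psk_use_session_cb depends on the three assignments just above it (`*id = NULL`, `*idlen = 0`, `*sess = NULL`) to mean "no PSK offered, carry on", but nothing at the return site says so. Add a one-line comment there stating that returning 1 with a NULL session continues the handshake without a PSK, whereas 0 fails the connection, so the value is not changed back by mistake. The change summary lists only apps/s_client.c and ssl/statem/extensions.c, so a regression test for #5202 that runs s_client with a key that is not suitable for TLSv1.3 and expects the connection to succeed would also be worth adding.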
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index daf43c6..7d456f3 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -358,7 +358,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
{
TLSEXT_TYPE_early_data,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
- | SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
+ | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
tls_construct_stoc_early_data, tls_construct_ctos_early_data,
final_early_data
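Review bot: adding `SSL_EXT_TLS1_3_ONLY` to the `TLSEXT_TYPE_early_data` entry changes library behaviour, but the commit touches no test, so nothing checks how early_data is handled when a version below TLSv1.3 is negotiated. Please add a test for that case. The commit message calls this change "also related", so consider splitting it into its own commit so the library fix can be reviewed and backported separately from the s_client change. It is also worth checking whether any other TLSv1.3-specific entries in `ext_defs` are missing the same flag.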