[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Mar 15 09:09:13 UTC 2018
The branch master has been updated
via 16ff13427f00753a76672317143753b83cea7982 (commit)
from 5cd42251bae72ab73542019342362063e882e66f (commit)
- Log -----------------------------------------------------------------
commit 16ff13427f00753a76672317143753b83cea7982
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 14 17:51:18 2018 +0000
Only update the server session cache when the session is ready
In TLSv1.3 the session is not ready until after the end of the handshake
when we are constructing the NewSessionTicket.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5621)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/statem_lib.c | 7 ++++++-
ssl/statem/statem_srvr.c | 14 ++++++++------
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 82a7119..a82079c 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1043,7 +1043,12 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
ssl3_cleanup_key_block(s);
if (s->server) {
- ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
+ /*
+ * In TLSv1.3 we update the cache as part of constructing the
+ * NewSessionTicket
+ */
+ if (!SSL_IS_TLS13(s))
+ ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
/* N.B. s->ctx may not equal s->session_ctx */
CRYPTO_atomic_add(&s->ctx->stats.sess_accept_good, 1, &discard,
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 041089c..50be825 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3889,12 +3889,14 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (SSL_IS_TLS13(s)
- && !tls_construct_extensions(s, pkt,
- SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
- NULL, 0)) {
- /* SSLfatal() already called */
- goto err;
+ if (SSL_IS_TLS13(s)) {
+ ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
+ if (!tls_construct_extensions(s, pkt,
+ SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
+ NULL, 0)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
}
EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
More information about the openssl-commits
mailing list