Stop a TLSv1.3 server emitting an unsolicited PSK extension

If we attempt to accept a connection on an SSL object, and the
application has set an SSL_SESSION on that SSL object then we
can mistakenly believe that we are resuming and
emit an unsolicited PSK extension back to the client.

This can especially happen when using SSL_clear() which leaves
any SSL_SESSION associated with the SSL object.

See
https://github.com/openssl/openssl/discussions/27563#discussioncomment-13049352
and
https://github.com/openssl/openssl/discussions/24567

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27584)

(cherry picked from commit aa8bca2e81030560d690cb68bbcbe8b7d00d1d29)

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index ec937a321c30185d8ab7d627498d83e8b6c84763..0a24c484150ca68a2e2d4a44df3aefb71e2b8af6 100644 (file)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -612,6 +612,8 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
     SSL_TICKET_STATUS r;
 
     if (SSL_IS_TLS13(s)) {
+        SSL_SESSION_free(s->session);
+        s->session = NULL;
         /*
          * By default we will send a new ticket. This can be overridden in the
          * ticket processing.
@@ -624,6 +626,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
                                         hello->pre_proc_exts, NULL, 0))
             return -1;
 
+        /* If we resumed, s->session will now be set */
         ret = s->session;
     } else {
         /* sets s->ext.ticket_expected */