If we attempt to accept a connection on an SSL object, and the
application has set an SSL_SESSION on that SSL object then we
can mistakenly believe that we are resuming and
emit an unsolicited PSK extension back to the client.
This can especially happen when using SSL_clear() which leaves
any SSL_SESSION associated with the SSL object.
See
https://github.com/openssl/openssl/discussions/27563#discussioncomment-
13049352
and
https://github.com/openssl/openssl/discussions/24567
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27584)
SSL_TICKET_STATUS r;
if (SSL_CONNECTION_IS_TLS13(s)) {
+ SSL_SESSION_free(s->session);
+ s->session = NULL;
/*
* By default we will send a new ticket. This can be overridden in the
* ticket processing.
hello->pre_proc_exts, NULL, 0))
return -1;
+ /* If we resumed, s->session will now be set */
ret = s->session;
} else {
/* sets s->ext.ticket_expected */
} else {
SSL_set_accept_state(serverssl);
}
- /*
- * A peculiarity of SSL_clear() is that it does not clear the session.
- * This is intended behaviour so that a client can create a new
- * connection and reuse the session. But this doesn't make much sense
- * on the server side - and causes incorrect behaviour due to the
- * handshake failing (even though the documentation does say SSL_clear()
- * is supposed to work on the server side). We clear the session
- * explicitly - although note that the documentation for
- * SSL_set_session() says that its only useful for clients!
- */
- if (!TEST_true(SSL_set_session(serverssl, NULL)))
- goto end;
SSL_free(clientssl);
clientssl = NULL;
} else {
projects / thirdparty / openssl.git / commitdiff
