s3_srvr.c: fix typo.
[openssl.git] / ssl / s3_srvr.c
index 74af5dc..87678c1 100644 (file)
@@ -181,24 +181,25 @@ static const SSL_METHOD *ssl3_get_server_method(int ver)
        }
 
 #ifndef OPENSSL_NO_SRP
-static int SSL_check_srp_ext_ClientHello(SSL *s,int *ad)
+static int ssl_check_srp_ext_ClientHello(SSL *s,int *al)
        {
        int ret = SSL_ERROR_NONE;
 
-       *ad = SSL_AD_UNRECOGNIZED_NAME;
+       *al = SSL_AD_UNRECOGNIZED_NAME;
 
        if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
            (s->srp_ctx.TLS_ext_srp_username_callback != NULL))
                {
                if(s->srp_ctx.login == NULL)
                        {
-                       /* There isn't any srp login extension !!! */
-                       ret = SSL3_AL_WARNING;
-                       *ad = SSL_AD_MISSING_SRP_USERNAME;
+                       /* RFC 5054 says SHOULD reject, 
+                          we do so if There is no srp login name */
+                       ret = SSL3_AL_FATAL;
+                       *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
                        }
                else
                        {
-                       ret = SSL_srp_server_param_with_username(s,ad);
+                       ret = SSL_srp_server_param_with_username(s,al);
                        }
                }
        return ret;
@@ -217,9 +218,6 @@ int ssl3_accept(SSL *s)
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        int ret= -1;
        int new_state,state,skip=0;
-#ifndef OPENSSL_NO_SRP
-       int srp_no_username =0;
-#endif
 
        RAND_add(&Time,sizeof(Time),0);
        ERR_clear_error();
@@ -240,6 +238,18 @@ int ssl3_accept(SSL *s)
                return(-1);
                }
 
+#ifndef OPENSSL_NO_HEARTBEATS
+       /* If we're awaiting a HeartbeatResponse, pretend we
+        * already got and don't await it anymore, because
+        * Heartbeats don't make sense during handshakes anyway.
+        */
+       if (s->tlsext_hb_pending)
+               {
+               s->tlsext_hb_pending = 0;
+               s->tlsext_hb_seq++;
+               }
+#endif
+
        for (;;)
                {
                state=s->state;
@@ -287,6 +297,8 @@ int ssl3_accept(SSL *s)
                                }
 
                        s->init_num=0;
+                       s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
+                       s->s3->flags &= ~TLS1_FLAGS_SKIP_CERT_VERIFY;
 
                        if (s->state != SSL_ST_RENEGOTIATE)
                                {
@@ -340,37 +352,34 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SR_CLNT_HELLO_A:
                case SSL3_ST_SR_CLNT_HELLO_B:
                case SSL3_ST_SR_CLNT_HELLO_C:
-#ifndef OPENSSL_NO_SRP
-               case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME:
-#endif
 
-                       s->shutdown=0;
-                       ret=ssl3_get_client_hello(s);
-                       if (ret <= 0) goto end;
+                       if (s->rwstate != SSL_X509_LOOKUP)
+                       {
+                               ret=ssl3_get_client_hello(s);
+                               if (ret <= 0) goto end;
+                       }
 #ifndef OPENSSL_NO_SRP
                        {
-                       int extension_error = 0,al;
-
-                       if ((al = SSL_check_srp_ext_ClientHello(s,&extension_error)) != SSL_ERROR_NONE)
-                               {
-                               ssl3_send_alert(s,al,extension_error);
-                               if (extension_error == SSL_AD_MISSING_SRP_USERNAME)
+                       int al;
+                       if ((ret = ssl_check_srp_ext_ClientHello(s,&al))  < 0)
                                        {
-                                       if (srp_no_username) goto end;
-                                       ERR_clear_error();
-                                       srp_no_username = 1;
-                                       s->state=SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME;
-                                       if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
-                                       if ((ret=BIO_flush(s->wbio)) <= 0) goto end;
-                                       s->init_num=0;
-                                       break;
+                                       /* callback indicates firther work to be done */
+                                       s->rwstate=SSL_X509_LOOKUP;
+                                       goto end;
                                        }
-                               ret = -1;
-                               SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
-                               goto end;
+                       if (ret != SSL_ERROR_NONE)
+                               {
+                               ssl3_send_alert(s,SSL3_AL_FATAL,al);    
+                               /* This is not really an error but the only means to
+                                   for a client to detect whether srp is supported. */
+                                  if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)      
+                                       SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);                     
+                               ret = SSL_TLSEXT_ERR_ALERT_FATAL;                       
+                               ret= -1;
+                               goto end;       
                                }
                        }
-#endif
+#endif         
                        
                        s->renegotiate = 2;
                        s->state=SSL3_ST_SW_SRVR_HELLO_A;
@@ -470,7 +479,7 @@ int ssl3_accept(SSL *s)
                            /* SRP: send ServerKeyExchange */
                            || (alg_k & SSL_kSRP)
 #endif
-                           || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
+                           || (alg_k & SSL_kEDH)
                            || (alg_k & SSL_kEECDH)
                            || ((alg_k & SSL_kRSA)
                                && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
@@ -695,14 +704,11 @@ int ssl3_accept(SSL *s)
                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
                                SSL3_ST_SR_FINISHED_B);
                        if (ret <= 0) goto end;
-#ifndef OPENSSL_NO_TLSEXT
-                       if (s->tlsext_ticket_expected)
-                               s->state=SSL3_ST_SW_SESSION_TICKET_A;
-                       else if (s->hit)
-                               s->state=SSL_ST_OK;
-#else
                        if (s->hit)
                                s->state=SSL_ST_OK;
+#ifndef OPENSSL_NO_TLSEXT
+                       else if (s->tlsext_ticket_expected)
+                               s->state=SSL3_ST_SW_SESSION_TICKET_A;
 #endif
                        else
                                s->state=SSL3_ST_SW_CHANGE_A;
@@ -789,9 +795,6 @@ int ssl3_accept(SSL *s)
 
                        if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
                                {
-                               /* actually not necessarily a 'new' session unless
-                                * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
-                               
                                s->renegotiate=0;
                                s->new_session=0;
                                
@@ -882,10 +885,15 @@ int ssl3_check_client_hello(SSL *s)
        s->s3->tmp.reuse_message = 1;
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
+               /* We only allow the client to restart the handshake once per
+                * negotiation. */
+               if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+                       {
+                       SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+                       return -1;
+                       }
                /* Throw away what we have done so far in the current handshake,
-                * which will now be aborted. (A full SSL_clear would be too much.)
-                * I hope that tmp.dh is the only thing that may need to be cleared
-                * when a handshake is not completed ... */
+                * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH
                if (s->s3->tmp.dh != NULL)
                        {
@@ -893,6 +901,14 @@ int ssl3_check_client_hello(SSL *s)
                        s->s3->tmp.dh = NULL;
                        }
 #endif
+#ifndef OPENSSL_NO_ECDH
+               if (s->s3->tmp.ecdh != NULL)
+                       {
+                       EC_KEY_free(s->s3->tmp.ecdh);
+                       s->s3->tmp.ecdh = NULL;
+                       }
+#endif
+               s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
                return 2;
                }
        return 1;
@@ -918,9 +934,6 @@ int ssl3_get_client_hello(SSL *s)
         * TLSv1.
         */
        if (s->state == SSL3_ST_SR_CLNT_HELLO_A
-#ifndef OPENSSL_NO_SRP
-               || (s->state == SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME)
-#endif
                )
                {
                s->state=SSL3_ST_SR_CLNT_HELLO_B;
@@ -978,13 +991,16 @@ int ssl3_get_client_hello(SSL *s)
        j= *(p++);
 
        s->hit=0;
-       /* Versions before 0.9.7 always allow session reuse during renegotiation
-        * (i.e. when s->new_session is true), option
-        * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
-        * Maybe this optional behaviour should always have been the default,
-        * but we cannot safely change the default behaviour (or new applications
-        * might be written that become totally unsecure when compiled with
-        * an earlier library version)
+       /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
+        * 0.9.7 and later allow this by default, but optionally ignore resumption requests
+        * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
+        * than a change to default behavior so that applications relying on this for security
+        * won't even compile against older library versions).
+        *
+        * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to request
+        * renegotiation but not a new session (s->new_session remains unset): for servers,
+        * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+        * setting will be ignored.
         */
        if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
                {
@@ -1161,16 +1177,11 @@ int ssl3_get_client_hello(SSL *s)
        /* TLS extensions*/
        if (s->version >= SSL3_VERSION)
                {
-               if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
+               if (!ssl_parse_clienthello_tlsext(s,&p,d,n))
                        {
-                       /* 'al' set by ssl_parse_clienthello_tlsext */
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT);
-                       goto f_err;
-                       }
-               }
-               if (ssl_check_clienthello_tlsext(s) <= 0) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
                        goto err;
+                       }
                }
 
        /* Check if we want to use external pre-shared secret for this
@@ -1439,20 +1450,20 @@ int ssl3_send_server_hello(SSL *s)
                memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
                p+=SSL3_RANDOM_SIZE;
 
-               /* now in theory we have 3 options to sending back the
-                * session id.  If it is a re-use, we send back the
-                * old session-id, if it is a new session, we send
-                * back the new session-id or we send back a 0 length
-                * session-id if we want it to be single use.
-                * Currently I will not implement the '0' length session-id
-                * 12-Jan-98 - I'll now support the '0' length stuff.
-                *
-                * We also have an additional case where stateless session
-                * resumption is successful: we always send back the old
-                * session id. In this case s->hit is non zero: this can
-                * only happen if stateless session resumption is succesful
-                * if session caching is disabled so existing functionality
-                * is unaffected.
+               /* There are several cases for the session ID to send
+                * back in the server hello:
+                * - For session reuse from the session cache,
+                *   we send back the old session ID.
+                * - If stateless session reuse (using a session ticket)
+                *   is successful, we send back the client's "session ID"
+                *   (which doesn't actually identify the session).
+                * - If it is a new session, we send back the new
+                *   session ID.
+                * - However, if we want the new session to be single-use,
+                *   we send back a 0-length session ID.
+                * s->hit is non-zero in either case of session reuse,
+                * so the following won't overwrite an ID that we're supposed
+                * to send back.
                 */
                if (s->session->not_resumable ||
                        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
@@ -1622,7 +1633,6 @@ int ssl3_send_server_key_exchange(SSL *s)
 
                        if (s->s3->tmp.dh != NULL)
                                {
-                               DH_free(dh);
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
@@ -1668,7 +1678,14 @@ int ssl3_send_server_key_exchange(SSL *s)
                        const EC_GROUP *group;
 
                        ecdhp=cert->ecdh_tmp;
-                       if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
+                       if (s->cert->ecdh_tmp_auto)
+                               {
+                               /* Get NID of first shared curve */
+                               int nid = tls1_shared_curve(s, 0);
+                               if (nid != NID_undef)
+                                       ecdhp = EC_KEY_new_by_curve_name(nid);
+                               }
+                       else if ((ecdhp == NULL) && s->cert->ecdh_tmp_cb)
                                {
                                ecdhp=s->cert->ecdh_tmp_cb(s,
                                      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
@@ -1683,7 +1700,6 @@ int ssl3_send_server_key_exchange(SSL *s)
 
                        if (s->s3->tmp.ecdh != NULL)
                                {
-                               EC_KEY_free(s->s3->tmp.ecdh); 
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
@@ -1694,12 +1710,13 @@ int ssl3_send_server_key_exchange(SSL *s)
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       if (!EC_KEY_up_ref(ecdhp))
+                       if (s->cert->ecdh_tmp_auto)
+                               ecdh = ecdhp;
+                       else if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
                                {
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       ecdh = ecdhp;
 
                        s->s3->tmp.ecdh=ecdh;
                        if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
@@ -1921,10 +1938,10 @@ int ssl3_send_server_key_exchange(SSL *s)
                                j=0;
                                for (num=2; num > 0; num--)
                                        {
-                                       EVP_DigestInit_ex(&md_ctx,(num == 2)
-                                               ?s->ctx->md5:s->ctx->sha1, NULL);
                                        EVP_MD_CTX_set_flags(&md_ctx,
                                                EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+                                       EVP_DigestInit_ex(&md_ctx,(num == 2)
+                                               ?s->ctx->md5:s->ctx->sha1, NULL);
                                        EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
                                        EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
                                        EVP_DigestUpdate(&md_ctx,&(d[4]),n);
@@ -2119,7 +2136,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 #endif
 #ifndef OPENSSL_NO_DH
        BIGNUM *pub=NULL;
-       DH *dh_srvr;
+       DH *dh_srvr, *dh_clnt = NULL;
 #endif
 #ifndef OPENSSL_NO_KRB5
        KSSL_ERR kssl_err;
@@ -2253,8 +2270,13 @@ int ssl3_get_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_DH
                if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
                {
-               n2s(p,i);
-               if (n != i+2)
+               int idx = -1;
+               EVP_PKEY *skey = NULL;
+               if (n)
+                       n2s(p,i);
+               else
+                       i = 0;
+               if (n && n != i+2)
                        {
                        if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG))
                                {
@@ -2267,26 +2289,52 @@ int ssl3_get_client_key_exchange(SSL *s)
                                i=(int)n;
                                }
                        }
-
-               if (n == 0L) /* the parameters are in the cert */
+               if (alg_k & SSL_kDHr)
+                       idx = SSL_PKEY_DH_RSA;
+               else if (alg_k & SSL_kDHd)
+                       idx = SSL_PKEY_DH_DSA;
+               if (idx >= 0)
+                       {
+                       skey = s->cert->pkeys[idx].privatekey;
+                       if ((skey == NULL) ||
+                               (skey->type != EVP_PKEY_DH) ||
+                               (skey->pkey.dh == NULL))
+                               {
+                               al=SSL_AD_HANDSHAKE_FAILURE;
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_RSA_CERTIFICATE);
+                               goto f_err;
+                               }
+                       dh_srvr = skey->pkey.dh;
+                       }
+               else if (s->s3->tmp.dh == NULL)
                        {
                        al=SSL_AD_HANDSHAKE_FAILURE;
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_DECODE_DH_CERTS);
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
                        goto f_err;
                        }
                else
+                       dh_srvr=s->s3->tmp.dh;
+
+               if (n == 0L)
                        {
-                       if (s->s3->tmp.dh == NULL)
+                       /* Get pubkey from cert */
+                       EVP_PKEY *clkey=X509_get_pubkey(s->session->peer);
+                       if (clkey)
+                               {
+                               if (EVP_PKEY_cmp_parameters(clkey, skey) == 1)
+                                       dh_clnt = EVP_PKEY_get1_DH(clkey);
+                               }
+                       if (dh_clnt == NULL)
                                {
                                al=SSL_AD_HANDSHAKE_FAILURE;
                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
                                goto f_err;
                                }
-                       else
-                               dh_srvr=s->s3->tmp.dh;
+                       EVP_PKEY_free(clkey);
+                       pub = dh_clnt->pub_key;
                        }
-
-               pub=BN_bin2bn(p,i,NULL);
+               else
+                       pub=BN_bin2bn(p,i,NULL);
                if (pub == NULL)
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BN_LIB);
@@ -2298,18 +2346,23 @@ int ssl3_get_client_key_exchange(SSL *s)
                if (i <= 0)
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+                       BN_clear_free(pub);
                        goto err;
                        }
 
                DH_free(s->s3->tmp.dh);
                s->s3->tmp.dh=NULL;
-
-               BN_clear_free(pub);
+               if (dh_clnt)
+                       DH_free(dh_clnt);
+               else
+                       BN_clear_free(pub);
                pub=NULL;
                s->session->master_key_length=
                        s->method->ssl3_enc->generate_master_secret(s,
                                s->session->master_key,p,i);
                OPENSSL_cleanse(p,i);
+               if (dh_clnt)
+                       return 2;
                }
        else
 #endif
@@ -2611,6 +2664,12 @@ int ssl3_get_client_key_exchange(SSL *s)
                        /* Get encoded point length */
                        i = *p; 
                        p += 1;
+                       if (n != 1 + i)
+                               {
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                   ERR_R_EC_LIB);
+                               goto err;
+                               }
                        if (EC_POINT_oct2point(group, 
                            clnt_ecpoint, p, i, bn_ctx) == 0)
                                {
@@ -2901,7 +2960,7 @@ int ssl3_get_cert_verify(SSL *s)
                SSL3_ST_SR_CERT_VRFY_A,
                SSL3_ST_SR_CERT_VRFY_B,
                -1,
-               514, /* 514? */
+               516, /* Enough for 4096 bit RSA key with TLS v1.2 */
                &ok);
 
        if (!ok) return((int)n);
@@ -2921,7 +2980,7 @@ int ssl3_get_cert_verify(SSL *s)
        if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
                {
                s->s3->tmp.reuse_message=1;
-               if ((peer != NULL) && (type | EVP_PKT_SIGN))
+               if ((peer != NULL) && (type & EVP_PKT_SIGN))
                        {
                        al=SSL_AD_UNEXPECTED_MESSAGE;
                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
@@ -2984,7 +3043,7 @@ int ssl3_get_cert_verify(SSL *s)
                        md = tls12_get_hash(p[0]);
                        if (md == NULL)
                                {
-                               SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST);
+                               SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST);
                                al=SSL_AD_DECODE_ERROR;
                                goto f_err;
                                }
@@ -3308,12 +3367,12 @@ err:
 int ssl3_send_server_certificate(SSL *s)
        {
        unsigned long l;
-       X509 *x;
+       CERT_PKEY *cpk;
 
        if (s->state == SSL3_ST_SW_CERT_A)
                {
-               x=ssl_get_server_send_cert(s);
-               if (x == NULL)
+               cpk=ssl_get_server_send_pkey(s);
+               if (cpk == NULL)
                        {
                        /* VRS: allow null cert if auth == KRB5 */
                        if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
@@ -3324,7 +3383,7 @@ int ssl3_send_server_certificate(SSL *s)
                                }
                        }
 
-               l=ssl3_output_cert_chain(s,x);
+               l=ssl3_output_cert_chain(s,cpk);
                s->state=SSL3_ST_SW_CERT_B;
                s->init_num=(int)l;
                s->init_off=0;
@@ -3333,13 +3392,17 @@ int ssl3_send_server_certificate(SSL *s)
        /* SSL3_ST_SW_CERT_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
+
 #ifndef OPENSSL_NO_TLSEXT
+/* send a new session ticket (not necessarily for a new session) */
 int ssl3_send_newsession_ticket(SSL *s)
        {
        if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
                {
                unsigned char *p, *senc, *macstart;
-               int len, slen;
+               const unsigned char *const_p;
+               int len, slen_full, slen;
+               SSL_SESSION *sess;
                unsigned int hlen;
                EVP_CIPHER_CTX ctx;
                HMAC_CTX hctx;
@@ -3348,12 +3411,38 @@ int ssl3_send_newsession_ticket(SSL *s)
                unsigned char key_name[16];
 
                /* get session encoding length */
-               slen = i2d_SSL_SESSION(s->session, NULL);
+               slen_full = i2d_SSL_SESSION(s->session, NULL);
                /* Some length values are 16 bits, so forget it if session is
                 * too long
                 */
-               if (slen > 0xFF00)
+               if (slen_full > 0xFF00)
+                       return -1;
+               senc = OPENSSL_malloc(slen_full);
+               if (!senc)
+                       return -1;
+               p = senc;
+               i2d_SSL_SESSION(s->session, &p);
+
+               /* create a fresh copy (not shared with other threads) to clean up */
+               const_p = senc;
+               sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
+               if (sess == NULL)
+                       {
+                       OPENSSL_free(senc);
                        return -1;
+                       }
+               sess->session_id_length = 0; /* ID is irrelevant for the ticket */
+
+               slen = i2d_SSL_SESSION(sess, NULL);
+               if (slen > slen_full) /* shouldn't ever happen */
+                       {
+                       OPENSSL_free(senc);
+                       return -1;
+                       }
+               p = senc;
+               i2d_SSL_SESSION(sess, &p);
+               SSL_SESSION_free(sess);
+
                /* Grow buffer if need be: the length calculation is as
                 * follows 1 (size of message name) + 3 (message length
                 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
@@ -3365,11 +3454,6 @@ int ssl3_send_newsession_ticket(SSL *s)
                        26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
                        EVP_MAX_MD_SIZE + slen))
                        return -1;
-               senc = OPENSSL_malloc(slen);
-               if (!senc)
-                       return -1;
-               p = senc;
-               i2d_SSL_SESSION(s->session, &p);
 
                p=(unsigned char *)s->init_buf->data;
                /* do the header */
@@ -3400,7 +3484,13 @@ int ssl3_send_newsession_ticket(SSL *s)
                                        tlsext_tick_md(), NULL);
                        memcpy(key_name, tctx->tlsext_tick_key_name, 16);
                        }
-               l2n(s->session->tlsext_tick_lifetime_hint, p);
+
+               /* Ticket lifetime hint (advisory only):
+                * We leave this unspecified for resumed session (for simplicity),
+                * and guess that tickets for new sessions will live as long
+                * as their sessions. */
+               l2n(s->hit ? 0 : s->session->timeout, p);
+
                /* Skip ticket length for now */
                p += 2;
                /* Output key name */