}
if (sess == NULL
- || !ssl_version_supported(s, sess->ssl_version)
+ || !ssl_version_supported(s, sess->ssl_version, NULL)
|| !SSL_SESSION_is_resumable(sess)) {
if (s->hello_retry_request == SSL_HRR_NONE
&& !ssl_get_new_session(s, 0)) {
RAW_EXTENSION *exts = NULL;
PACKET nonce;
+ PACKET_null_init(&nonce);
+
if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
|| (SSL_IS_TLS13(s)
&& (!PACKET_get_net_4(pkt, &age_add)
- || !PACKET_get_length_prefixed_1(pkt, &nonce)
- || !PACKET_memdup(&nonce, &s->session->ext.tick_nonce,
- &s->session->ext.tick_nonce_len)))
+ || !PACKET_get_length_prefixed_1(pkt, &nonce)))
|| !PACKET_get_net_2(pkt, &ticklen)
- || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) != ticklen)
- || (SSL_IS_TLS13(s)
- && (ticklen == 0 || PACKET_remaining(pkt) < ticklen))) {
+ || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen)
+ : PACKET_remaining(pkt) != ticklen)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
SSL_R_LENGTH_MISMATCH);
goto err;
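Review bot: `nonce` now borrows its bytes from `pkt` instead of owning a copy in `s->session->ext.tick_nonce`, and nothing at the declaration says so; since `PACKET_data(&nonce)` is fed to `tls13_hkdf_expand` further down the same function, a comment at `PACKET nonce;` should pin the lifetime, e.g. `/* Sub-packet of pkt (TLSv1.3 only); valid only while this message is being processed */`. The new `PACKET_null_init(&nonce);` also deserves a one-line why-comment, since it appears to be there so that `nonce` is defined on the non-TLSv1.3 path, where the only consumer is behind an `SSL_IS_TLS13(s)` guard. The enclosing function (presumably tls_process_new_session_ticket, judging by the `SSL_F_` code) starts and ends outside this hunk.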
*/
if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) {
SSL_SESSION *new_sess;
+
/*
* We reused an existing session, so we need to replace it with a new
* one
goto err;
}
+ if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0
+ && !SSL_IS_TLS13(s)) {
+ /*
+ * In TLSv1.2 and below the arrival of a new tickets signals that
+ * any old ticket we were using is now out of date, so we remove the
+ * old session from the cache. We carry on if this fails
+ */
+ SSL_CTX_remove_session(s->session_ctx, s->session);
+ }
+
SSL_SESSION_free(s->session);
s->session = new_sess;
}
goto err;
}
s->session->session_id_length = sess_len;
+ s->session->not_resumable = 0;
/* This is a standalone message in TLSv1.3, so there is no more to read */
if (SSL_IS_TLS13(s)) {
if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
nonce_label,
sizeof(nonce_label) - 1,
- s->session->ext.tick_nonce,
- s->session->ext.tick_nonce_len,
+ PACKET_data(&nonce),
+ PACKET_remaining(&nonce),
s->session->master_key,
hashlen)) {
/* SSLfatal() already called */