Fix EAP-FAST
authorMatt Caswell <matt@openssl.org>
Wed, 6 Jun 2018 10:54:32 +0000 (11:54 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 7 Jun 2018 08:48:49 +0000 (09:48 +0100)
Commit 61fb59238d broke EAP-FAST support. This fixes it.

Fixes #6395

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6428)

ssl/t1_lib.c

index aab50e1..1826dd2 100644 (file)
@@ -1487,11 +1487,13 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL *s, const unsigned char *etick,
         }
     }
 
-    switch (ret) {
-    case SSL_TICKET_NO_DECRYPT:
-    case SSL_TICKET_SUCCESS_RENEW:
-    case SSL_TICKET_EMPTY:
-        s->ext.ticket_expected = 1;
+    if (s->ext.session_secret_cb == NULL || SSL_IS_TLS13(s)) {
+        switch (ret) {
+        case SSL_TICKET_NO_DECRYPT:
+        case SSL_TICKET_SUCCESS_RENEW:
+        case SSL_TICKET_EMPTY:
+            s->ext.ticket_expected = 1;
+        }
     }
 
     *psess = sess;