Honor SSL_SESS_CACHE_CLIENT in TLS 1.3.

The new_session_cb callback should not be run if SSL_SESS_CACHE_CLIENT
is off.

Change-Id: I1ab320f33688f186b241d95c81775331a5c5b1a1
Reviewed-on: https://boringssl-review.googlesource.com/20065
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 48e50ee..66f0304 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -3102,6 +3102,18 @@
                SSL_get_servername(server_.get(), TLSEXT_NAMETYPE_host_name));
 }
 
+// Test that session cache mode bits are honored in the client session callback.
+TEST_P(SSLVersionTest, ClientSessionCacheMode) {
+  SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_OFF);
+  EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
+
+  SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_CLIENT);
+  EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
+
+  SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_SERVER);
+  EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
+}
+
 TEST(SSLTest, AddChainCertHack) {
   // Ensure that we don't accidently break the hack that we have in place to
   // keep curl and serf happy when they use an |X509| even after transfering
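Review bot: The new ClientSessionCacheMode test never sets a mode with both bits on, so it would still pass if the check in tls13_client.cc compared the mode for equality instead of testing the bit. Adding `SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);` followed by `EXPECT_TRUE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));` would pin the mask behaviour down. The body of CreateClientSession is not in this hunk; if it also returns null when the handshake itself fails, the two EXPECT_FALSE cases cannot tell a suppressed callback from a broken connection. A separate assertion that the connection succeeded would make those negative cases meaningful.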
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index f91da26..98ddaf3 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -839,7 +839,8 @@
   session->ticket_age_add_valid = 1;
   session->not_resumable = 0;
 
-  if (ssl->ctx->new_session_cb != NULL &&
+  if ((ssl->ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
+      ssl->ctx->new_session_cb != NULL &&
       ssl->ctx->new_session_cb(ssl, session.get())) {
     // |new_session_cb|'s return value signals that it took ownership.
     session.release();
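Review bot: The new condition has no comment explaining what happens to the ticket when the SSL_SESS_CACHE_CLIENT bit is clear. In that case the callback is skipped, and the session appears to be dropped when `session` goes out of scope, though the enclosing function starts and ends outside this hunk. A client that installs new_session_cb without enabling SSL_SESS_CACHE_CLIENT will therefore silently stop receiving TLS 1.3 sessions and lose resumption. I would add above the `if` something like `// Only hand the session to |new_session_cb| when client-side caching is enabled; otherwise the ticket is discarded.` and mention the requirement wherever the callback setter is documented.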