Google Git
Sign in
boringssl/boringssl.git/ef1b0093444e62644f9cdec4e516705cb79bcf79^!/./ssl/internal.h
commit
ef1b0093444e62644f9cdec4e516705cb79bcf79
[log] [tgz]
author
David Benjamin <davidben@chromium.org>
Sat Nov 21 14:05:44 2015 -0500
committer
Adam Langley <alangley@gmail.com>
Fri Jan 15 20:08:52 2016 +0000
tree
22ffec96b2b7be87931b6d9012681fe2024d1bfb
parent
dd1f6f4fbae4d420062fb7d7810badc754a909e2 [diff] [blame]
Consider session if the client supports tickets but offered a session ID.

This is a minor regression from
https://boringssl-review.googlesource.com/5235.

If the client, for whatever reason, had an ID-based session but also
supports tickets, it will send non-empty ID + empty ticket extension.
If the ticket extension is non-empty, then the ID is not an ID but a
dummy signaling value, so 5235 avoided looking it up. But if it is
present and empty, the ID is still an ID and should be looked up.

This shouldn't have any practical consequences, except if a server
switched from not supporting tickets and then started supporting it,
while keeping the session cache fixed.

Add a test for this case, and tighten up existing ID vs ticket tests so
they fail if we resume with the wrong type.

Change-Id: Id4d08cd809af00af30a2b67fe3a971078e404c75
Reviewed-on: https://boringssl-review.googlesource.com/6554
Reviewed-by: Adam Langley <alangley@gmail.com>

diff --git a/ssl/internal.h b/ssl/internal.h
index 5acb598..99f083d 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h

@@ -1219,13 +1219,13 @@
 
 #define tlsext_tick_md EVP_sha256
 
-/* tls_process_ticket processes the session ticket extension. On success, it
- * sets |*out_session| to the decrypted session or NULL if the ticket was
- * rejected. It sets |*out_send_ticket| to whether a new ticket should be sent
- * at the end of the handshake. It returns one on success and zero on fatal
+/* tls_process_ticket processes a session ticket from the client. On success,
+ * it sets |*out_session| to the decrypted session or NULL if the ticket was
+ * rejected. If the ticket was valid, it sets |*out_renew_ticket| to whether
+ * the ticket should be renewed. It returns one on success and zero on fatal
  * error. */
 int tls_process_ticket(SSL *ssl, SSL_SESSION **out_session,
-                       int *out_send_ticket, const uint8_t *ticket,
+                       int *out_renew_ticket, const uint8_t *ticket,
                        size_t ticket_len, const uint8_t *session_id,
                        size_t session_id_len);