Use ssl3_is_version_enabled to skip offering sessions.

We do an ad-hoc upper-bound check, but if the version is too low, we also
shouldn't offer the session. This isn't fatal to the connection and doesn't
have issues (we'll check the version later regardless), but offering a session
we're never going to accept is pointless. The check should match what we do in
ServerHello.

Credit to Matt Caswell for noticing the equivalent issue in an OpenSSL pull
request.

Change-Id: I17a4efd37afa63b34fca53f4c9b7ac3ae2fa3336
Reviewed-on: https://boringssl-review.googlesource.com/7543
Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
David Benjamin 2016-03-23 16:10:44 -04:00
parent 762e1d039c
commit e29ea166a6

View File

@ -666,13 +666,12 @@ int ssl3_send_client_hello(SSL *ssl) {
ssl->client_version = max_version; ssl->client_version = max_version;
} }
/* If the configured session has expired or was created at a version higher /* If the configured session has expired or was created at a disabled
* than our maximum version, drop it. */ * version, drop it. */
if (ssl->session != NULL && if (ssl->session != NULL &&
(ssl->session->session_id_length == 0 || ssl->session->not_resumable || (ssl->session->session_id_length == 0 || ssl->session->not_resumable ||
ssl->session->timeout < (long)(time(NULL) - ssl->session->time) || ssl->session->timeout < (long)(time(NULL) - ssl->session->time) ||
(!SSL_IS_DTLS(ssl) && ssl->session->ssl_version > ssl->version) || !ssl3_is_version_enabled(ssl, ssl->session->ssl_version))) {
(SSL_IS_DTLS(ssl) && ssl->session->ssl_version < ssl->version))) {
SSL_set_session(ssl, NULL); SSL_set_session(ssl, NULL);
} }