Don't resume sessions if the negotiated version doesn't match.

All of NSS, upstream OpenSSL, SChannel, and Secure Transport require, on the
client, that the ServerHello version match the session's version on resumption.
OpenSSL's current behavior is incompatible with all of these. Fall back to a
full handshake on the server instead of mismatch.

Add a comment on the client for why we are, as of
30ddb434bfb845356fbacb6b2bd51f8814c7043c, not currently enforcing the same in
the client.

Change-Id: I60aec972d81368c4ec30e2fd515dabd69401d175
Reviewed-on: https://boringssl-review.googlesource.com/2244
Reviewed-by: Adam Langley <agl@google.com>

1 files changed, 15 insertions, 9 deletions

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 5f861a7b..d591e192 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -881,21 +881,27 @@ int ssl3_get_client_hello(SSL *s)
 		}
 	else
 		{
-		i=ssl_get_prev_session(s, &early_ctx);
-		if (i == 1)
-			{ /* previous session */
-			s->hit=1;
+		i = ssl_get_prev_session(s, &early_ctx);
+		if (i == PENDING_SESSION)
+			{
+			ret = PENDING_SESSION;
+			goto err;
 			}
 		else if (i == -1)
-			goto err;
-		else if (i == PENDING_SESSION)
 			{
-			ret = PENDING_SESSION;
 			goto err;
 			}
-		else /* i == 0 */
+
+		/* Only resume if the session's version matches the negotiated
+		 * version: most clients do not accept a mismatch. */
+		if (i == 1 && s->version == s->session->ssl_version)
+			{
+			s->hit = 1;
+			}
+		else
 			{
-			if (!ssl_get_new_session(s,1))
+			/* No session was found or it was unacceptable. */
+			if (!ssl_get_new_session(s, 1))
 				goto err;
 			}
 		}