Don't check ciphersuite and compression in SSL session cache lookup

Session-ID based session resumption requires that the resumed session
is consistent with the client's ClientHello in terms of choice of
ciphersuite and choice of compression.

This check was previously assumed to be performed in the session cache
implementation, which seems wrong: The session cache should be an id-based
lookup only, and protocol specific checks should be left to Mbed TLS.

This commit
- adds an explicit ciphersuite and compression consistency check after
  the SSL session cache has been queried
- removes the ciphersuite and compression consistency check from
  Mbed TLS' session cache reference implementation.

Don't use ssl_check_xxx() for functions with void return

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index 7e9d4da..32188cf 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -78,14 +78,12 @@
continue;
#endif
- if( session->ciphersuite != entry->session.ciphersuite ||
- session->compression != entry->session.compression ||
- session->id_len != entry->session.id_len )
- continue;
-
- if( memcmp( session->id, entry->session.id,
+ if( session->id_len != entry->session.id_len ||
+ memcmp( session->id, entry->session.id,
entry->session.id_len ) != 0 )
+ {
continue;
+ }
ret = mbedtls_ssl_session_copy( session, &entry->session );
if( ret != 0 )
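Review bot: With the ciphersuite and compression comparison removed from this lookup, the unchanged call `ret = mbedtls_ssl_session_copy( session, &entry->session );` now overwrites the caller's `session->ciphersuite` and `session->compression` with the cached values on any ID match, so the replacement check on the caller side has to compare against the ClientHello-derived values saved before the lookup (or look up into a temporary session), otherwise it compares the cached entry with itself and always passes. The caller-side check is not visible in this file's hunk, so please confirm it works that way and that a mismatch falls back to a full handshake rather than resuming. It would also help to document on the cache get callback that implementations are expected to match on session ID only, and to add a test that attempts resumption with a different ciphersuite than the cached one.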