TLS1.3: Improve session version handling for resumption

julek-wolfssl · julek-wolfssl · commit 2059d646fd59 · 2026-03-26T15:41:13.000+01:00
diff --git a/src/ssl_sess.c b/src/ssl_sess.c
@@ -1551,12 +1551,11 @@ int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
     ssl->options.resuming = 1;
     ssl->options.haveEMS = (ssl->session->haveEMS) ? 1 : 0;
 
-#if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \
-                           defined(HAVE_SESSION_TICKET))
-    ssl->version              = ssl->session->version;
-    if (IsAtLeastTLSv1_3(ssl->version))
-        ssl->options.tls1_3 = 1;
-#endif
+    if (ssl->session->version.major != 0) {
+        ssl->version              = ssl->session->version;
+        if (IsAtLeastTLSv1_3(ssl->version))
+            ssl->options.tls1_3 = 1;
+    }
 #if defined(SESSION_CERTS) || !defined(NO_RESUME_SUITE_CHECK) || \
                     (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET))
     ssl->options.cipherSuite0 = ssl->session->cipherSuite0;
diff --git a/src/tls.c b/src/tls.c
@@ -12173,7 +12173,6 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
         }
         list->chosen = 1;
 
-    #ifdef HAVE_SESSION_TICKET
         if (list->resumption) {
            /* Check that the session's details are the same as the server's. */
            if (ssl->options.cipherSuite0  != ssl->session->cipherSuite0       ||
@@ -12184,7 +12183,6 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
                return PSK_KEY_ERROR;
            }
         }
-    #endif
 
         return 0;
     }
diff --git a/src/tls13.c b/src/tls13.c
@@ -4570,8 +4570,8 @@ int SendTls13ClientHello(WOLFSSL* ssl)
     }
 #endif /* WOLFSSL_DTLS */
 
-#ifdef HAVE_SESSION_TICKET
     if (ssl->options.resuming &&
+            ssl->session->version.major != 0 &&
             (ssl->session->version.major != ssl->version.major ||
              ssl->session->version.minor != ssl->version.minor)) {
     #ifndef WOLFSSL_NO_TLS12
@@ -4590,7 +4590,6 @@ int SendTls13ClientHello(WOLFSSL* ssl)
             return VERSION_ERROR;
         }
     }
-#endif
 
     suites = WOLFSSL_SUITES(ssl);
     if (suites == NULL) {

Original file line number	Diff line number	Diff line change
`@@ -12173,7 +12173,6 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,`
`12173`	`12173`	`}`
`12174`	`12174`	`list->chosen = 1;`
`12175`	`12175`
`12176`		`- #ifdef HAVE_SESSION_TICKET`
`12177`	`12176`	`if (list->resumption) {`
`12178`	`12177`	`/* Check that the session's details are the same as the server's. */`
`12179`	`12178`	`if (ssl->options.cipherSuite0 != ssl->session->cipherSuite0 \|\|`
`@@ -12184,7 +12183,6 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,`
`12184`	`12183`	`return PSK_KEY_ERROR;`
`12185`	`12184`	`}`
`12186`	`12185`	`}`
`12187`		`- #endif`
`12188`	`12186`
`12189`	`12187`	`return 0;`
`12190`	`12188`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4570,8 +4570,8 @@ int SendTls13ClientHello(WOLFSSL* ssl)`
`4570`	`4570`	`}`
`4571`	`4571`	`#endif /* WOLFSSL_DTLS */`
`4572`	`4572`
`4573`		`-#ifdef HAVE_SESSION_TICKET`
`4574`	`4573`	`if (ssl->options.resuming &&`
	`4574`	`+ ssl->session->version.major != 0 &&`
`4575`	`4575`	`(ssl->session->version.major != ssl->version.major \|\|`
`4576`	`4576`	`ssl->session->version.minor != ssl->version.minor)) {`
`4577`	`4577`	`#ifndef WOLFSSL_NO_TLS12`
`@@ -4590,7 +4590,6 @@ int SendTls13ClientHello(WOLFSSL* ssl)`
`4590`	`4590`	`return VERSION_ERROR;`
`4591`	`4591`	`}`
`4592`	`4592`	`}`
`4593`		`-#endif`
`4594`	`4593`
`4595`	`4594`	`suites = WOLFSSL_SUITES(ssl);`
`4596`	`4595`	`if (suites == NULL) {`