TLS1.3: Improve session version handling for resumption

julek-wolfssl · julek-wolfssl · commit c9c2376068dc · 2026-03-31T12:42:16.000+02:00
diff --git a/src/ssl_sess.c b/src/ssl_sess.c
@@ -1551,12 +1551,11 @@ int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
     ssl->options.resuming = 1;
     ssl->options.haveEMS = (ssl->session->haveEMS) ? 1 : 0;
 
-#if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \
-                           defined(HAVE_SESSION_TICKET))
-    ssl->version              = ssl->session->version;
-    if (IsAtLeastTLSv1_3(ssl->version))
-        ssl->options.tls1_3 = 1;
-#endif
+    if (ssl->session->version.major != 0) {
+        ssl->version              = ssl->session->version;
+        if (IsAtLeastTLSv1_3(ssl->version))
+            ssl->options.tls1_3 = 1;
+    }
 #if defined(SESSION_CERTS) || !defined(NO_RESUME_SUITE_CHECK) || \
                     (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET))
     ssl->options.cipherSuite0 = ssl->session->cipherSuite0;
diff --git a/src/tls.c b/src/tls.c
@@ -12198,7 +12198,6 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
         }
         list->chosen = 1;
 
-    #ifdef HAVE_SESSION_TICKET
         if (list->resumption) {
            /* Check that the session's details are the same as the server's. */
            if (ssl->options.cipherSuite0  != ssl->session->cipherSuite0       ||
@@ -12209,7 +12208,6 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
                return PSK_KEY_ERROR;
            }
         }
-    #endif
 
         return 0;
     }
diff --git a/src/tls13.c b/src/tls13.c
@@ -4574,8 +4574,8 @@ int SendTls13ClientHello(WOLFSSL* ssl)
     }
 #endif /* WOLFSSL_DTLS */
 
-#ifdef HAVE_SESSION_TICKET
     if (ssl->options.resuming &&
+            ssl->session->version.major != 0 &&
             (ssl->session->version.major != ssl->version.major ||
              ssl->session->version.minor != ssl->version.minor)) {
     #ifndef WOLFSSL_NO_TLS12
@@ -4594,7 +4594,6 @@ int SendTls13ClientHello(WOLFSSL* ssl)
             return VERSION_ERROR;
         }
     }
-#endif
 
     suites = WOLFSSL_SUITES(ssl);
     if (suites == NULL) {

Original file line number	Diff line number	Diff line change
`@@ -12198,7 +12198,6 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,`
`12198`	`12198`	`}`
`12199`	`12199`	`list->chosen = 1;`
`12200`	`12200`
`12201`		`- #ifdef HAVE_SESSION_TICKET`
`12202`	`12201`	`if (list->resumption) {`
`12203`	`12202`	`/* Check that the session's details are the same as the server's. */`
`12204`	`12203`	`if (ssl->options.cipherSuite0 != ssl->session->cipherSuite0 \|\|`
`@@ -12209,7 +12208,6 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,`
`12209`	`12208`	`return PSK_KEY_ERROR;`
`12210`	`12209`	`}`
`12211`	`12210`	`}`
`12212`		`- #endif`
`12213`	`12211`
`12214`	`12212`	`return 0;`
`12215`	`12213`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4574,8 +4574,8 @@ int SendTls13ClientHello(WOLFSSL* ssl)`
`4574`	`4574`	`}`
`4575`	`4575`	`#endif /* WOLFSSL_DTLS */`
`4576`	`4576`
`4577`		`-#ifdef HAVE_SESSION_TICKET`
`4578`	`4577`	`if (ssl->options.resuming &&`
	`4578`	`+ ssl->session->version.major != 0 &&`
`4579`	`4579`	`(ssl->session->version.major != ssl->version.major \|\|`
`4580`	`4580`	`ssl->session->version.minor != ssl->version.minor)) {`
`4581`	`4581`	`#ifndef WOLFSSL_NO_TLS12`
`@@ -4594,7 +4594,6 @@ int SendTls13ClientHello(WOLFSSL* ssl)`
`4594`	`4594`	`return VERSION_ERROR;`
`4595`	`4595`	`}`
`4596`	`4596`	`}`
`4597`		`-#endif`
`4598`	`4597`
`4599`	`4598`	`suites = WOLFSSL_SUITES(ssl);`
`4600`	`4599`	`if (suites == NULL) {`