From 18e0c284877380b3781f78e75b03a0fb75eb0cee Mon Sep 17 00:00:00 2001
From: Chris Conlon
Date: Mon, 10 Apr 2023 15:43:31 -0600
Subject: [PATCH] Only send session ID in resumed ClientHello from SendTls13ClientHello() if ssl->options.resuming
---
 src/tls13.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/tls13.c b/src/tls13.c
index b81e92e72..882622025 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -4084,7 +4084,7 @@ int SendTls13ClientHello(WOLFSSL* ssl)
 ssl->options.tls13MiddleBoxCompat = 1;
 }
 #else
- if (ssl->session->sessionIDSz > 0)
+ if (ssl->options.resuming && ssl->session->sessionIDSz > 0)
 args->length += ssl->session->sessionIDSz;
 #endif
@@ -4229,10 +4229,16 @@ int SendTls13ClientHello(WOLFSSL* ssl)
 if (ssl->session->sessionIDSz > 0) {
 /* Session resumption for old versions of protocol. */
- args->output[args->idx++] = ID_LEN;
- XMEMCPY(args->output + args->idx, ssl->session->sessionID,
- ssl->session->sessionIDSz);
- args->idx += ID_LEN;
+ if (ssl->options.resuming) {
+ args->output[args->idx++] = ID_LEN;
+ XMEMCPY(args->output + args->idx, ssl->session->sessionID,
+ ssl->session->sessionIDSz);
+ args->idx += ID_LEN;
+ }
+ else {
+ /* Not resuming, zero length session ID */
+ args->output[args->idx++] = 0;
+ }
 }
 else {
 #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
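Review bot: The `#else` branch here reserves `ssl->session->sessionIDSz` bytes, while the write path in the second hunk still emits `ID_LEN` as the length byte and advances `args->idx` by `ID_LEN` after copying only `sessionIDSz` bytes. If a cached session ID can be shorter than `ID_LEN`, the ClientHello would carry bytes that were never written and `args->idx` would move past what was counted into `args->length`. Use one quantity in both places, for example `args->output[args->idx++] = ssl->session->sessionIDSz;` and `args->idx += ssl->session->sessionIDSz;`, or reject any size other than `ID_LEN` before this point. SendTls13ClientHello starts and ends outside both hunks, so the buffer allocation itself is not visible.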
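Review bot: The new inner `else` writes a zero-length session ID whenever a cached ID exists but `ssl->options.resuming` is clear, so that case never reaches the outer `else` whose `#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT` section begins on the hunk's last line. If that section is where the compatibility-mode legacy session ID is emitted (its body is outside the hunk), a client holding an old session would lose middlebox compatibility on a fresh handshake, and the one byte written here may not match what the `#ifdef` half of the first hunk added to `args->length`. Folding the test into the outer condition, `if (ssl->options.resuming && ssl->session->sessionIDSz > 0) {`, would mirror the first hunk and send the non-resuming case down the existing path. Whichever shape is kept, the existing comment should say when the ID is sent, e.g. `/* Offer the cached session ID only when resuming. */`.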