Skip to content

Commit

Permalink
Update session id and ticket logic for dtls13
Browse files Browse the repository at this point in the history
  • Loading branch information
fwh-dc committed Oct 13, 2023
1 parent eaee176 commit 832ba8c
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 12 deletions.
13 changes: 7 additions & 6 deletions ssl/ssl_sess.c
Original file line number Diff line number Diff line change
Expand Up @@ -339,6 +339,7 @@ int ssl_generate_session_id(SSL_CONNECTION *s, SSL_SESSION *ss)
case DTLS1_BAD_VER:
case DTLS1_VERSION:
case DTLS1_2_VERSION:
case DTLS1_3_VERSION:
ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
break;
default:
Expand Down Expand Up @@ -433,7 +434,7 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session)
s->session = NULL;

if (session) {
if (SSL_CONNECTION_IS_TLS13(s)) {
if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
/*
* We generate the session id while constructing the
* NewSessionTicket in TLSv1.3.
Expand Down Expand Up @@ -561,7 +562,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
int try_session_cache = 0;
SSL_TICKET_STATUS r;

if (SSL_CONNECTION_IS_TLS13(s)) {
if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
/*
* By default we will send a new ticket. This can be overridden in the
* ticket processing.
Expand Down Expand Up @@ -656,8 +657,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
goto err;
}

if (!SSL_CONNECTION_IS_TLS13(s)) {
/* We already did this for TLS1.3 */
if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
/* We already did this for (D)TLS1.3 */
SSL_SESSION_free(s->session);
s->session = ret;
}
Expand All @@ -669,8 +670,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
err:
if (ret != NULL) {
SSL_SESSION_free(ret);
/* In TLSv1.3 s->session was already set to ret, so we NULL it out */
if (SSL_CONNECTION_IS_TLS13(s))
/* In (D)TLSv1.3 s->session was already set to ret, so we NULL it out */
if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
s->session = NULL;

if (!try_session_cache) {
Expand Down
10 changes: 6 additions & 4 deletions ssl/t1_lib.c
Original file line number Diff line number Diff line change
Expand Up @@ -2179,7 +2179,7 @@ SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s,
s->ext.ticket_expected = 0;

/*
* If tickets disabled or not supported by the protocol version
* If tickets are disabled or not supported by the protocol version
* (e.g. TLSv1.3) behave as if no ticket present to permit stateful
* resumption.
*/
Expand Down Expand Up @@ -2245,7 +2245,8 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
ret = SSL_TICKET_EMPTY;
goto end;
}
if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) {
if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
&& s->ext.session_secret_cb) {
/*
* Indicate that the ticket couldn't be decrypted rather than
* generating the session from ticket now, trigger
Expand Down Expand Up @@ -2329,7 +2330,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
goto end;
}
EVP_CIPHER_free(aes256cbc);
if (SSL_CONNECTION_IS_TLS13(s))
if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
renew_ticket = 1;
}
/*
Expand Down Expand Up @@ -2475,7 +2476,8 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
}
}

if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) {
if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)
|| SSL_CONNECTION_IS_DTLS13(s)) {
switch (ret) {
case SSL_TICKET_NO_DECRYPT:
case SSL_TICKET_SUCCESS_RENEW:
Expand Down
4 changes: 2 additions & 2 deletions ssl/t1_trce.c
Original file line number Diff line number Diff line change
Expand Up @@ -1558,7 +1558,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc,
msg += 4;
BIO_indent(bio, indent + 2, 80);
BIO_printf(bio, "ticket_lifetime_hint=%u\n", tick_life);
if (SSL_CONNECTION_IS_TLS13(sc)) {
if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))) {
unsigned int ticket_age_add;

if (msglen < 4)
Expand All @@ -1578,7 +1578,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc,
}
if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen))
return 0;
if (SSL_CONNECTION_IS_TLS13(sc)
if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))
&& !ssl_print_extensions(bio, indent + 2, 0,
SSL3_MT_NEWSESSION_TICKET, &msg, &msglen))
return 0;
Expand Down

0 comments on commit 832ba8c

Please sign in to comment.