diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 3dcc4d81e5bc6..084ca0a79931a 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -339,6 +339,7 @@ int ssl_generate_session_id(SSL_CONNECTION *s, SSL_SESSION *ss) case DTLS1_BAD_VER: case DTLS1_VERSION: case DTLS1_2_VERSION: + case DTLS1_3_VERSION: ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; break; default: @@ -433,7 +434,7 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session) s->session = NULL; if (session) { - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { /* * We generate the session id while constructing the * NewSessionTicket in TLSv1.3. @@ -561,7 +562,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) int try_session_cache = 0; SSL_TICKET_STATUS r; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { /* * By default we will send a new ticket. This can be overridden in the * ticket processing. @@ -656,8 +657,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) goto err; } - if (!SSL_CONNECTION_IS_TLS13(s)) { - /* We already did this for TLS1.3 */ + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + /* We already did this for (D)TLS1.3 */ SSL_SESSION_free(s->session); s->session = ret; } @@ -669,8 +670,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) err: if (ret != NULL) { SSL_SESSION_free(ret); - /* In TLSv1.3 s->session was already set to ret, so we NULL it out */ - if (SSL_CONNECTION_IS_TLS13(s)) + /* In (D)TLSv1.3 s->session was already set to ret, so we NULL it out */ + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) s->session = NULL; if (!try_session_cache) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 631e1fdef93ce..55be3645f36f3 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2179,7 +2179,7 @@ SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s, s->ext.ticket_expected = 0; /* - * If tickets disabled or not supported by the protocol version + * If tickets are disabled or not supported by the protocol version * (e.g. TLSv1.3) behave as if no ticket present to permit stateful * resumption. */ @@ -2245,7 +2245,8 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, ret = SSL_TICKET_EMPTY; goto end; } - if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) { + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + && s->ext.session_secret_cb) { /* * Indicate that the ticket couldn't be decrypted rather than * generating the session from ticket now, trigger @@ -2329,7 +2330,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, goto end; } EVP_CIPHER_free(aes256cbc); - if (SSL_CONNECTION_IS_TLS13(s)) + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) renew_ticket = 1; } /* @@ -2475,7 +2476,8 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, } } - if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) { + if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s) + || SSL_CONNECTION_IS_DTLS13(s)) { switch (ret) { case SSL_TICKET_NO_DECRYPT: case SSL_TICKET_SUCCESS_RENEW: diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index b05012f74fd67..9226fd9e440e1 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1558,7 +1558,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc, msg += 4; BIO_indent(bio, indent + 2, 80); BIO_printf(bio, "ticket_lifetime_hint=%u\n", tick_life); - if (SSL_CONNECTION_IS_TLS13(sc)) { + if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))) { unsigned int ticket_age_add; if (msglen < 4) @@ -1578,7 +1578,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc, } if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen)) return 0; - if (SSL_CONNECTION_IS_TLS13(sc) + if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) && !ssl_print_extensions(bio, indent + 2, 0, SSL3_MT_NEWSESSION_TICKET, &msg, &msglen)) return 0;