Merge branch 'update-session-id-logic-for-dtls13' into dtls1.3-pr

fwh-dc · Dec 4, 2023 · 85af1be · 85af1be
2 parents 78296c6 + c3543d6
commit 85af1be
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 14 deletions.
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
@@ -339,6 +339,7 @@ int ssl_generate_session_id(SSL_CONNECTION *s, SSL_SESSION *ss)
     case DTLS1_BAD_VER:
     case DTLS1_VERSION:
     case DTLS1_2_VERSION:
+    case DTLS1_3_VERSION:
         ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
         break;
     default:
@@ -433,7 +434,7 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session)
     s->session = NULL;
 
     if (session) {
-        if (SSL_CONNECTION_IS_TLS13(s)) {
+        if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
             /*
              * We generate the session id while constructing the
              * NewSessionTicket in TLSv1.3.
@@ -561,7 +562,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
     int try_session_cache = 0;
     SSL_TICKET_STATUS r;
 
-    if (SSL_CONNECTION_IS_TLS13(s)) {
+    if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) {
         /*
          * By default we will send a new ticket. This can be overridden in the
          * ticket processing.
@@ -656,8 +657,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
         goto err;
     }
 
-    if (!SSL_CONNECTION_IS_TLS13(s)) {
-        /* We already did this for TLS1.3 */
+    if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
+        /* We already did this for (D)TLS1.3 */
         SSL_SESSION_free(s->session);
         s->session = ret;
     }
@@ -669,8 +670,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
  err:
     if (ret != NULL) {
         SSL_SESSION_free(ret);
-        /* In TLSv1.3 s->session was already set to ret, so we NULL it out */
-        if (SSL_CONNECTION_IS_TLS13(s))
+        /* In (D)TLSv1.3 s->session was already set to ret, so we NULL it out */
+        if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
             s->session = NULL;
 
         if (!try_session_cache) {

diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
@@ -34,10 +34,12 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
     size_t i;
     const char *s;
     int istls13;
+    int isdtls13;
 
     if (x == NULL)
         goto err;
     istls13 = (x->ssl_version == TLS1_3_VERSION);
+    isdtls13 = (x->ssl_version == DTLS1_3_VERSION);
     if (BIO_puts(bp, "SSL-Session:\n") <= 0)
         goto err;
     s = ssl_protocol_to_string(x->ssl_version);
@@ -72,7 +74,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
         if (BIO_printf(bp, "%02X", x->sid_ctx[i]) <= 0)
             goto err;
     }
-    if (istls13) {
+    if (istls13 || isdtls13) {
         if (BIO_puts(bp, "\n    Resumption PSK: ") <= 0)
             goto err;
     } else if (BIO_puts(bp, "\n    Master-Key: ") <= 0)
@@ -151,7 +153,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
                    x->flags & SSL_SESS_FLAG_EXTMS ? "yes" : "no") <= 0)
         goto err;
 
-    if (istls13) {
+    if (istls13 || isdtls13) {
         if (BIO_printf(bp, "    Max Early Data: %u\n",
                        (unsigned int)x->ext.max_early_data) <= 0)
             goto err;

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
@@ -2182,7 +2182,7 @@ SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s,
     s->ext.ticket_expected = 0;
 
     /*
-     * If tickets disabled or not supported by the protocol version
+     * If tickets are disabled or not supported by the protocol version
      * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
      * resumption.
      */
@@ -2248,7 +2248,8 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
         ret = SSL_TICKET_EMPTY;
         goto end;
     }
-    if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) {
+    if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
+            && s->ext.session_secret_cb) {
         /*
          * Indicate that the ticket couldn't be decrypted rather than
          * generating the session from ticket now, trigger
@@ -2332,7 +2333,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
             goto end;
         }
         EVP_CIPHER_free(aes256cbc);
-        if (SSL_CONNECTION_IS_TLS13(s))
+        if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))
             renew_ticket = 1;
     }
     /*
@@ -2478,7 +2479,8 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
         }
     }
 
-    if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) {
+    if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)
+            || SSL_CONNECTION_IS_DTLS13(s)) {
         switch (ret) {
         case SSL_TICKET_NO_DECRYPT:
         case SSL_TICKET_SUCCESS_RENEW:

diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
@@ -1559,7 +1559,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc,
     msg += 4;
     BIO_indent(bio, indent + 2, 80);
     BIO_printf(bio, "ticket_lifetime_hint=%u\n", tick_life);
-    if (SSL_CONNECTION_IS_TLS13(sc)) {
+    if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))) {
         unsigned int ticket_age_add;
 
         if (msglen < 4)
@@ -1579,7 +1579,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc,
     }
     if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen))
         return 0;
-    if (SSL_CONNECTION_IS_TLS13(sc)
+    if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))
             && !ssl_print_extensions(bio, indent + 2, 0,
                                      SSL3_MT_NEWSESSION_TICKET, &msg, &msglen))
         return 0;