Fix sending session ids in DTLS-1.3
authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Wed, 17 Jan 2024 13:29:17 +0000 (14:29 +0100)
committerTomas Mraz <tomas@openssl.org>
Thu, 9 Jan 2025 16:01:30 +0000 (17:01 +0100)
DTLS 1.3 session id must not be sent by client unless
it has a cached id. And DTLS 1.3 servers must not echo
a session id from a client.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22366)

ssl/statem/statem_clnt.c
ssl/statem/statem_srvr.c

index d2a06d0e97f3b1d64e084097814e9eb6b25fc192..a3665f71a4a65fdafa7009394b1ea58d8fe5b706 100644 (file)
@@ -1259,8 +1259,10 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
 
     /* Session ID */
     session_id = s->session->session_id;
-    if (s->new_session || s->session->ssl_version == TLS1_3_VERSION || s->session->ssl_version == DTLS1_3_VERSION) {
-        if ((s->version == TLS1_3_VERSION || s->version == DTLS1_3_VERSION)
+    if (s->new_session
+            || s->session->ssl_version == TLS1_3_VERSION
+            || s->session->ssl_version == DTLS1_3_VERSION) {
+        if (s->version == TLS1_3_VERSION
                 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
             sess_id_len = sizeof(s->tmp_session_id);
             s->tmp_session_id_len = sess_id_len;
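Review bot: The inner test `if (s->version == TLS1_3_VERSION` now excludes DTLS 1.3 while the outer condition still lists `DTLS1_3_VERSION`, and nothing on the new lines explains why the two differ. A short comment above the inner test would keep a later cleanup from re-adding the DTLS case, for example `/* DTLS 1.3 has no middlebox compat mode: never generate a random session id for it */`. The else branches that choose the length for the DTLS 1.3 case are outside this hunk, so whether an empty id or a cached pre-1.3 id is sent cannot be confirmed from here.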
index 51d616f55a18a350cb7ee646a5308ec7ba7ecc4c..c0b31c7ae7d645e5913ce813586cf86aa84b9472 100644 (file)
@@ -2398,9 +2398,11 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
     int version;
     unsigned char *session_id;
     int usetls13 = SSL_CONNECTION_IS_TLS13(s)
-                   || s->hello_retry_request == SSL_HRR_PENDING;
+                   || (!SSL_CONNECTION_IS_DTLS(s)
+                       && s->hello_retry_request == SSL_HRR_PENDING);
     int usedtls13 = SSL_CONNECTION_IS_DTLS13(s)
-                   || s->hello_retry_request == SSL_HRR_PENDING;
+                    || (SSL_CONNECTION_IS_DTLS(s)
+                        && s->hello_retry_request == SSL_HRR_PENDING);
 
     version = usetls13 ? TLS1_2_VERSION : (usedtls13 ? DTLS1_2_VERSION : s->version);
     if (!WPACKET_put_bytes_u16(pkt, version)
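Review bot: The session-id selection later in tls_construct_server_hello tests `usetls13` before `usedtls13`, so it is only correct if these two flags can never both be set. That depends on `SSL_CONNECTION_IS_TLS13(s)` being false for every DTLS connection, which this hunk does not show. If the macro were true for DTLS 1.3, the server would still take the TLS branch and echo the client's id. The invariant is worth stating where the flags are computed, e.g. `/* usetls13 and usedtls13 are mutually exclusive; the session id handling below relies on it */`. The HRR test is also written twice and could be hoisted into one local, `int hrr_pending = s->hello_retry_request == SSL_HRR_PENDING;`.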
@@ -2430,6 +2432,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
      *   we send back a 0-length session ID.
      * - In TLSv1.3 we echo back the session id sent to us by the client
      *   regardless
+     * - In DTLSv1.3 we must not echo the session id sent by the client
      * s->hit is non-zero in either case of session reuse,
      * so the following won't overwrite an ID that we're supposed
      * to send back.
@@ -2438,9 +2441,12 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
             && !s->hit)
         s->session->session_id_length = 0;
 
-    if (usetls13 || usedtls13) {
+    if (usetls13) {
         sl = s->tmp_session_id_len;
         session_id = s->tmp_session_id;
+    } else if (usedtls13) {
+        sl = 0;
+        session_id = NULL;
     } else {
         sl = s->session->session_id_length;
         session_id = s->session->session_id;
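Review bot: The new `else if (usedtls13)` branch leaves `session_id` as NULL with `sl = 0`, and the code that writes the id into the packet is outside this hunk. Passing a null pointer to memcpy is undefined even for a zero length, so confirm that the packet writer returns early when `sl == 0`. Alternatively, keep the pointer valid with `session_id = s->tmp_session_id;` while `sl` stays 0. The file list shows only the two state-machine sources, so a regression test asserting an empty session id in a DTLS 1.3 ServerHello appears to be missing from this commit.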