public/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update session id and ticket logic for dtls13

Browse source 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22936)
This commit is contained in:
Frederik Wedel-Heinen 2023-10-13 13:57:43 +02:00 committed by Tomas Mraz
parent 30386820fb
commit 73d1d24c0c
3 changed files with 13 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

13
ssl/ssl_sess.c
View file

@ -362,6 +362,7 @@ int ssl_generate_session_id(SSL_CONNECTION *s, SSL_SESSION *ss)
case DTLS1_BAD_VER:
case DTLS1_VERSION:
case DTLS1_2_VERSION:
case DTLS1_3_VERSION:
ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
break;
default:
@ -456,7 +457,7 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session)
s->session = NULL;
if (session) {
if (SSL_CONNECTION_IS_TLS13(s)) {
if (SSL_CONNECTION_IS_VERSION13(s)) {
/*
* We generate the session id while constructing the
* NewSessionTicket in TLSv1.3.
@ -590,7 +591,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
int try_session_cache = 0;
SSL_TICKET_STATUS r;
if (SSL_CONNECTION_IS_TLS13(s)) {
if (SSL_CONNECTION_IS_VERSION13(s)) {
/*
* By default we will send a new ticket. This can be overridden in the
* ticket processing.
@ -685,8 +686,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
goto err;
}
if (!SSL_CONNECTION_IS_TLS13(s)) {
/* We already did this for TLS1.3 */
if (!SSL_CONNECTION_IS_VERSION13(s)) {
/* We already did this for (D)TLS1.3 */
SSL_SESSION_free(s->session);
s->session = ret;
}
@ -698,8 +699,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
err:
if (ret != NULL) {
SSL_SESSION_free(ret);
/* In TLSv1.3 s->session was already set to ret, so we NULL it out */
if (SSL_CONNECTION_IS_TLS13(s))
/* In (D)TLSv1.3 s->session was already set to ret, so we NULL it out */
if (SSL_CONNECTION_IS_VERSION13(s))
s->session = NULL;
if (!try_session_cache) {

8
ssl/t1_lib.c
View file

@ -2323,7 +2323,7 @@ SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s,
s->ext.ticket_expected = 0;
/*
* If tickets disabled or not supported by the protocol version
* If tickets are disabled or not supported by the protocol version
* (e.g. TLSv1.3) behave as if no ticket present to permit stateful
* resumption.
*/
@ -2389,7 +2389,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
ret = SSL_TICKET_EMPTY;
goto end;
}
if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) {
if (!SSL_CONNECTION_IS_VERSION13(s) && s->ext.session_secret_cb) {
/*
* Indicate that the ticket couldn't be decrypted rather than
* generating the session from ticket now, trigger
@ -2474,7 +2474,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
goto end;
}
EVP_CIPHER_free(aes256cbc);
if (SSL_CONNECTION_IS_TLS13(s))
if (SSL_CONNECTION_IS_VERSION13(s))
renew_ticket = 1;
}
/*
@ -2620,7 +2620,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
}
}
if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) {
if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_VERSION13(s)) {
switch (ret) {
case SSL_TICKET_NO_DECRYPT:
case SSL_TICKET_SUCCESS_RENEW:

4
ssl/t1_trce.c
View file

@ -1565,7 +1565,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc,
msg += 4;
BIO_indent(bio, indent + 2, 80);
BIO_printf(bio, "ticket_lifetime_hint=%u\n", tick_life);
if (SSL_CONNECTION_IS_TLS13(sc)) {
if (SSL_CONNECTION_IS_VERSION13(sc)) {
unsigned int ticket_age_add;
if (msglen < 4)
@ -1585,7 +1585,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc,
}
if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen))
return 0;
if (SSL_CONNECTION_IS_TLS13(sc)
if (SSL_CONNECTION_IS_VERSION13(sc)
&& !ssl_print_extensions(bio, indent + 2, 0,
SSL3_MT_NEWSESSION_TICKET, &msg, &msglen))
return 0;