Fix sending session ids in DTLS-1.3

DTLS 1.3 session id must not be sent by client unless it has a cached id. And DTLS 1.3 servers must not echo a session id from a client. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #22366)
openssl · Apr 4, 2024 · 143483d · 143483d
1 parent c41bc16
commit 143483d
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
@@ -1258,8 +1258,10 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
 
     /* Session ID */
     session_id = s->session->session_id;
-    if (s->new_session || s->session->ssl_version == TLS1_3_VERSION || s->session->ssl_version == DTLS1_3_VERSION) {
-        if ((s->version == TLS1_3_VERSION || s->version == DTLS1_3_VERSION)
+    if (s->new_session
+            || s->session->ssl_version == TLS1_3_VERSION
+            || s->session->ssl_version == DTLS1_3_VERSION) {
+        if (s->version == TLS1_3_VERSION
                 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
             sess_id_len = sizeof(s->tmp_session_id);
             s->tmp_session_id_len = sess_id_len;

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
@@ -2390,9 +2390,11 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
     int version;
     unsigned char *session_id;
     int usetls13 = SSL_CONNECTION_IS_TLS13(s)
-                   || s->hello_retry_request == SSL_HRR_PENDING;
+                   || (!SSL_CONNECTION_IS_DTLS(s)
+                       && s->hello_retry_request == SSL_HRR_PENDING);
     int usedtls13 = SSL_CONNECTION_IS_DTLS13(s)
-                   || s->hello_retry_request == SSL_HRR_PENDING;
+                    || (SSL_CONNECTION_IS_DTLS(s)
+                        && s->hello_retry_request == SSL_HRR_PENDING);
 
     version = usetls13 ? TLS1_2_VERSION : (usedtls13 ? DTLS1_2_VERSION : s->version);
     if (!WPACKET_put_bytes_u16(pkt, version)
@@ -2422,6 +2424,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
      *   we send back a 0-length session ID.
      * - In TLSv1.3 we echo back the session id sent to us by the client
      *   regardless
+     * - In DTLSv1.3 we must not echo the session id sent by the client
      * s->hit is non-zero in either case of session reuse,
      * so the following won't overwrite an ID that we're supposed
      * to send back.
@@ -2431,9 +2434,12 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
          && !s->hit))
         s->session->session_id_length = 0;
 
-    if (usetls13 || usedtls13) {
+    if (usetls13) {
         sl = s->tmp_session_id_len;
         session_id = s->tmp_session_id;
+    } else if (usedtls13) {
+        sl = 0;
+        session_id = NULL;
     } else {
         sl = s->session->session_id_length;
         session_id = s->session->session_id;