Contact Details
conrad@owatz.de
Version
5.5.0
Description
While doing a psk session resumption in DTLS 1.3 wolfssl uses the wrong label in the HLDF-expand-function.
As of https://www.rfc-editor.org/rfc/rfc9147.html the label has to be dtls13. But what is used is the label from TLS 1.3 which is tls13 .
The label is used in the function DeriveResumptionPSK in tls13.c.
Reproduction steps
To use DTLS 1.3 you have to enable it in user_setting.h, as well as enable support for session ticket resumption:
#define WOLFSSL_DTLS
#define WOLFSSL_DTLS13
#define HAVE_SESSION_TICKET
To do a resumption start the wolfssl example server or client with -r. As both of them use the same wrong label, the work together. But if you use a different tls library, decryption errors occur. I testet with a yet unreleased version of TLS-Attacker.
Relevant log output
No response
Contact Details
conrad@owatz.de
Version
5.5.0
Description
While doing a psk session resumption in DTLS 1.3 wolfssl uses the wrong label in the HLDF-expand-function.
As of https://www.rfc-editor.org/rfc/rfc9147.html the label has to be
dtls13. But what is used is the label from TLS 1.3 which istls13.The label is used in the function
DeriveResumptionPSKintls13.c.Reproduction steps
To use DTLS 1.3 you have to enable it in user_setting.h, as well as enable support for session ticket resumption:
To do a resumption start the wolfssl example server or client with
-r. As both of them use the same wrong label, the work together. But if you use a different tls library, decryption errors occur. I testet with a yet unreleased version of TLS-Attacker.Relevant log output
No response