diff options
author | Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk> | 2023-10-13 13:57:43 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2024-06-27 15:00:34 +0100 |
commit | f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697 (patch) | |
tree | 7be2af39ed9cfd292f6ed16182dfd75f91f50732 | |
parent | 424c9c8d61db0084cdfd6817b3bb588d8940fc7e (diff) | |
download | openssl-f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697.zip openssl-f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697.tar.gz openssl-f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697.tar.bz2 |
Update session id and ticket logic for dtls13
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22936)
-rw-r--r-- | ssl/ssl_sess.c | 13 | ||||
-rw-r--r-- | ssl/t1_lib.c | 8 | ||||
-rw-r--r-- | ssl/t1_trce.c | 4 |
3 files changed, 13 insertions, 12 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 6b5d9bb..c390aee 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -362,6 +362,7 @@ int ssl_generate_session_id(SSL_CONNECTION *s, SSL_SESSION *ss) case DTLS1_BAD_VER: case DTLS1_VERSION: case DTLS1_2_VERSION: + case DTLS1_3_VERSION: ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; break; default: @@ -456,7 +457,7 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session) s->session = NULL; if (session) { - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * We generate the session id while constructing the * NewSessionTicket in TLSv1.3. @@ -590,7 +591,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) int try_session_cache = 0; SSL_TICKET_STATUS r; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * By default we will send a new ticket. This can be overridden in the * ticket processing. @@ -685,8 +686,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) goto err; } - if (!SSL_CONNECTION_IS_TLS13(s)) { - /* We already did this for TLS1.3 */ + if (!SSL_CONNECTION_IS_VERSION13(s)) { + /* We already did this for (D)TLS1.3 */ SSL_SESSION_free(s->session); s->session = ret; } @@ -698,8 +699,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) err: if (ret != NULL) { SSL_SESSION_free(ret); - /* In TLSv1.3 s->session was already set to ret, so we NULL it out */ - if (SSL_CONNECTION_IS_TLS13(s)) + /* In (D)TLSv1.3 s->session was already set to ret, so we NULL it out */ + if (SSL_CONNECTION_IS_VERSION13(s)) s->session = NULL; if (!try_session_cache) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 7b56803..dda1533 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2187,7 +2187,7 @@ SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s, s->ext.ticket_expected = 0; /* - * If tickets disabled or not supported by the protocol version + * If tickets are disabled or not supported by the protocol version * (e.g. TLSv1.3) behave as if no ticket present to permit stateful * resumption. */ @@ -2253,7 +2253,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, ret = SSL_TICKET_EMPTY; goto end; } - if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) { + if (!SSL_CONNECTION_IS_VERSION13(s) && s->ext.session_secret_cb) { /* * Indicate that the ticket couldn't be decrypted rather than * generating the session from ticket now, trigger @@ -2337,7 +2337,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, goto end; } EVP_CIPHER_free(aes256cbc); - if (SSL_CONNECTION_IS_TLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s)) renew_ticket = 1; } /* @@ -2483,7 +2483,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, } } - if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) { + if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_VERSION13(s)) { switch (ret) { case SSL_TICKET_NO_DECRYPT: case SSL_TICKET_SUCCESS_RENEW: diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 58afbb1..5d3cbe6 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1563,7 +1563,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc, msg += 4; BIO_indent(bio, indent + 2, 80); BIO_printf(bio, "ticket_lifetime_hint=%u\n", tick_life); - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { unsigned int ticket_age_add; if (msglen < 4) @@ -1583,7 +1583,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc, } if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen)) return 0; - if (SSL_CONNECTION_IS_TLS13(sc) + if (SSL_CONNECTION_IS_VERSION13(sc) && !ssl_print_extensions(bio, indent + 2, 0, SSL3_MT_NEWSESSION_TICKET, &msg, &msglen)) return 0; |