Update session id and ticket logic for dtls13

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22936)
author: Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk> 2023-10-13 13:57:43 +0200
committer: Matt Caswell <matt@openssl.org> 2024-06-27 15:00:34 +0100
commit: f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697 (patch)
tree: 7be2af39ed9cfd292f6ed16182dfd75f91f50732
parent: 424c9c8d61db0084cdfd6817b3bb588d8940fc7e (diff)
download: openssl-f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697.zip
openssl-f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697.tar.gz
openssl-f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697.tar.bz2
3 files changed, 13 insertions, 12 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 6b5d9bb..c390aee 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -362,6 +362,7 @@ int ssl_generate_session_id(SSL_CONNECTION *s, SSL_SESSION *ss)
     case DTLS1_BAD_VER:
     case DTLS1_VERSION:
     case DTLS1_2_VERSION:
+    case DTLS1_3_VERSION:
         ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
         break;
     default:
@@ -456,7 +457,7 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session)
     s->session = NULL;
 
     if (session) {
-        if (SSL_CONNECTION_IS_TLS13(s)) {
+        if (SSL_CONNECTION_IS_VERSION13(s)) {
             /*
              * We generate the session id while constructing the
              * NewSessionTicket in TLSv1.3.
@@ -590,7 +591,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
     int try_session_cache = 0;
     SSL_TICKET_STATUS r;
 
-    if (SSL_CONNECTION_IS_TLS13(s)) {
+    if (SSL_CONNECTION_IS_VERSION13(s)) {
         /*
          * By default we will send a new ticket. This can be overridden in the
          * ticket processing.
@@ -685,8 +686,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
         goto err;
     }
 
-    if (!SSL_CONNECTION_IS_TLS13(s)) {
-        /* We already did this for TLS1.3 */
+    if (!SSL_CONNECTION_IS_VERSION13(s)) {
+        /* We already did this for (D)TLS1.3 */
         SSL_SESSION_free(s->session);
         s->session = ret;
     }
@@ -698,8 +699,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
  err:
     if (ret != NULL) {
         SSL_SESSION_free(ret);
-        /* In TLSv1.3 s->session was already set to ret, so we NULL it out */
-        if (SSL_CONNECTION_IS_TLS13(s))
+        /* In (D)TLSv1.3 s->session was already set to ret, so we NULL it out */
+        if (SSL_CONNECTION_IS_VERSION13(s))
             s->session = NULL;
 
         if (!try_session_cache) {
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 7b56803..dda1533 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2187,7 +2187,7 @@ SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s,
     s->ext.ticket_expected = 0;
 
     /*
-     * If tickets disabled or not supported by the protocol version
+     * If tickets are disabled or not supported by the protocol version
      * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
      * resumption.
      */
@@ -2253,7 +2253,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
         ret = SSL_TICKET_EMPTY;
         goto end;
     }
-    if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) {
+    if (!SSL_CONNECTION_IS_VERSION13(s) && s->ext.session_secret_cb) {
         /*
          * Indicate that the ticket couldn't be decrypted rather than
          * generating the session from ticket now, trigger
@@ -2337,7 +2337,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
             goto end;
         }
         EVP_CIPHER_free(aes256cbc);
-        if (SSL_CONNECTION_IS_TLS13(s))
+        if (SSL_CONNECTION_IS_VERSION13(s))
             renew_ticket = 1;
     }
     /*
@@ -2483,7 +2483,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s,
         }
     }
 
-    if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) {
+    if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_VERSION13(s)) {
         switch (ret) {
         case SSL_TICKET_NO_DECRYPT:
         case SSL_TICKET_SUCCESS_RENEW:
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 58afbb1..5d3cbe6 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -1563,7 +1563,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc,
     msg += 4;
     BIO_indent(bio, indent + 2, 80);
     BIO_printf(bio, "ticket_lifetime_hint=%u\n", tick_life);
-    if (SSL_CONNECTION_IS_TLS13(sc)) {
+    if (SSL_CONNECTION_IS_VERSION13(sc)) {
         unsigned int ticket_age_add;
 
         if (msglen < 4)
@@ -1583,7 +1583,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc,
     }
     if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen))
         return 0;
-    if (SSL_CONNECTION_IS_TLS13(sc)
+    if (SSL_CONNECTION_IS_VERSION13(sc)
             && !ssl_print_extensions(bio, indent + 2, 0,
                                      SSL3_MT_NEWSESSION_TICKET, &msg, &msglen))
         return 0;
author	Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>	2023-10-13 13:57:43 +0200
committer	Matt Caswell <matt@openssl.org>	2024-06-27 15:00:34 +0100
commit	f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697 (patch)
tree	7be2af39ed9cfd292f6ed16182dfd75f91f50732
parent	424c9c8d61db0084cdfd6817b3bb588d8940fc7e (diff)
download	openssl-f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697.zip openssl-f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697.tar.gz openssl-f5fb9f0bd3b0d709a99c47c0eacb5b2c9843a697.tar.bz2