authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>2024-01-17 14:29:17 +0100
committerTomas Mraz <tomas@openssl.org>2024-04-04 08:27:11 +0200
commit143483df9aff3ce4be4ba992a78e68ae07c687f2 (patch)
treefc2f5faa08210e19a84b92c3e829a733a850c12f /ssl/statem/statem_clnt.c
parentc41bc1614932c188f8b20e26a082c0050739232f (diff)
Fix sending session ids in DTLS-1.3
DTLS 1.3 session id must not be sent by client unless it has a cached id. And DTLS 1.3 servers must not echo a session id from a client. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22366)
Diffstat (limited to 'ssl/statem/statem_clnt.c')
-rw-r--r--ssl/statem/statem_clnt.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 616cc86b12..7509b69f7d 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1258,8 +1258,10 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt)
/* Session ID */
session_id = s->session->session_id;
- if (s->new_session || s->session->ssl_version == TLS1_3_VERSION || s->session->ssl_version == DTLS1_3_VERSION) {
- if ((s->version == TLS1_3_VERSION || s->version == DTLS1_3_VERSION)
+ if (s->new_session
+ || s->session->ssl_version == TLS1_3_VERSION
+ || s->session->ssl_version == DTLS1_3_VERSION) {
+ if (s->version == TLS1_3_VERSION
&& (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
sess_id_len = sizeof(s->tmp_session_id);
s->tmp_session_id_len = sess_id_len;