DTLS 1.3: don't echo legacy_session_id in ServerHello#10007
DTLS 1.3: don't echo legacy_session_id in ServerHello#10007julek-wolfssl wants to merge 3 commits intowolfSSL:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Adds DTLS 1.3 compliance behavior to avoid echoing the ClientHello legacy session ID in ServerHello, along with a regression test to validate the on-wire encoding.
Changes:
- Add a new DTLS 1.3 test that verifies
legacy_session_id_echois empty in ServerHello. - Update TLS 1.3 message construction/parsing paths to ensure DTLS 1.3 does not include/echo a session ID (including HRR transcript reconstruction).
- Add a guard in
DoTls13ServerHelloto enforce an empty session ID for DTLS 1.3.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/api/test_dtls.h | Registers the new DTLS 1.3 regression test in the test declarations list. |
| tests/api/test_dtls.c | Implements a memio-based DTLS 1.3 test that inspects the ServerHello bytes for empty legacy_session_id_echo. |
| src/tls13.c | Ensures DTLS 1.3 does not store/echo legacy session IDs and adjusts HRR handshake-hash reconstruction accordingly. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
src/tls13.c
Outdated
|
|
||
| case TLS_ASYNC_FINALIZE: | ||
| { | ||
| #ifdef WOLFSSL_DTLS13 |
There was a problem hiding this comment.
can this be merged to the QUIC check some lines below?
| length = HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz + | ||
| HRR_COOKIE_HDR_SZ + cookie->len; | ||
| length = HRR_BODY_SZ - ID_LEN + HRR_COOKIE_HDR_SZ + cookie->len; | ||
| #ifdef WOLFSSL_DTLS13 |
There was a problem hiding this comment.
Please don't gather single if without the body as it makes the code very hard to read.
options.dtls is not guarded.
Prefer using an extra sessionIDSz variable set to zero when options.dtls is true
src/tls13.c
Outdated
| if (ssl->session->sessionIDSz > 0) { | ||
| XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, ssl->session->sessionIDSz); | ||
| hrrIdx += ssl->session->sessionIDSz; | ||
| #ifdef WOLFSSL_DTLS13 |
There was a problem hiding this comment.
prefer using extra variable sessId size to avoid this if/else
src/tls13.c
Outdated
| /* Extensions' length */ | ||
| length -= HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz; | ||
| length -= HRR_BODY_SZ - ID_LEN; | ||
| #ifdef WOLFSSL_DTLS13 |
| ssl->session->sessionIDSz = sessIdSz; | ||
| if (sessIdSz > 0) | ||
| XMEMCPY(ssl->session->sessionID, input + args->idx, sessIdSz); | ||
| #ifdef WOLFSSL_DTLS13 |
src/tls13.c
Outdated
| length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session->sessionIDSz + | ||
| SUITE_LEN + COMP_LEN; | ||
| length = VERSION_SZ + RAN_LEN + ENUM_LEN + SUITE_LEN + COMP_LEN; | ||
| #ifdef WOLFSSL_DTLS13 |
There was a problem hiding this comment.
here sessionIDSz should be already be zero because of the changes in DoTls13ClientHello.
is ssl->sessionIDSz is used by tls 1.3 resumption code (not checked assumption), just use new var set to zero at the beginning of the function to avoid if/else branches.
rizlik
left a comment
rizlik
left a comment
There was a problem hiding this comment.
I do think we should avoid to send the legacy session id in client hello if doing 1.3 resumption.
This also means we should manually set the legacy id in the test.
Add test for flexible 1.3/1.2 client doing 1.2 resumption against a flexible 1.3/1.2 server for both dtls and tls
|
I'm not sure about that. This section encourages populating it in the CH
|
Check the important MUST part:
We probably send a random value due to Middlebox compatibility if resuming with 1.3 PSK method. |
There was a problem hiding this comment.
Pull request overview
Updates wolfSSL DTLS 1.3 behavior to comply with RFC 9147 by ensuring legacy_session_id_echo is empty in ServerHello, and adds regression tests to prevent session-id resumption/version-downgrade issues.
Changes:
- Enforce empty
legacy_session_id_echofor DTLS 1.3 (and QUIC) in TLS 1.3 ServerHello processing/sending. - Adjust DTLS 1.3 handling around session IDs/HRR hashing to avoid echoing the client’s legacy session id.
- Add new TLS/DTLS API tests covering DTLS 1.3 session id echo behavior and a session-id resumption downgrade scenario.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/api/test_tls.h | Registers the new TLS resumption/downgrade regression test. |
| tests/api/test_tls.c | Adds test_tls_session_id_resume_downgrade covering resumption behavior. |
| tests/api/test_dtls.h | Registers the new DTLS 1.3 legacy session id echo regression test. |
| tests/api/test_dtls.c | Adds test_dtls13_no_session_id_echo validating RFC 9147 ServerHello requirements. |
| src/tls13.c | Ensures DTLS 1.3/QUIC don’t echo legacy session id; updates HRR hashing and ClientHello options. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| #ifdef WOLFSSL_DTLS13 | ||
| if (ssl->options.dtls) { | ||
| /* RFC 9147 Section 5: DTLS implementations do not use the | ||
| * TLS 1.3 "compatibility mode" */ | ||
| ssl->options.tls13MiddleBoxCompat = 0; | ||
| } |
ZD21376