DTLS 1.3: don't echo legacy_session_id in ServerHello

julek-wolfssl · julek-wolfssl · commit 0defef03fd05 · 2026-03-18T19:27:21.000+01:00
diff --git a/src/tls13.c b/src/tls13.c
@@ -5581,6 +5581,18 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
     case TLS_ASYNC_FINALIZE:
     {
+#ifdef WOLFSSL_DTLS13
+    /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
+     * legacy_session_id_echo. */
+    if (ssl->options.dtls) {
+        if (args->sessIdSz != 0) {
+            WOLFSSL_MSG("DTLS 1.3 ServerHello must have empty session ID");
+            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
+            return INVALID_PARAMETER;
+        }
+    }
+    else
+#endif
 #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
     if (ssl->options.tls13MiddleBoxCompat) {
         if (args->sessIdSz == 0) {
@@ -6607,8 +6619,11 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
         return ret;
 
     /* Reconstruct the HelloRetryMessage for handshake hash. */
-    length = HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz +
-             HRR_COOKIE_HDR_SZ + cookie->len;
+    length = HRR_BODY_SZ - ID_LEN + HRR_COOKIE_HDR_SZ + cookie->len;
+#ifdef WOLFSSL_DTLS13
+    if (!ssl->options.dtls)
+#endif
+        length += ssl->session->sessionIDSz;
     length += HRR_VERSIONS_SZ;
     /* HashSz (1 byte) + Hash (HashSz bytes) + CipherSuite (2 bytes) */
     if (cookieDataSz > OPAQUE8_LEN + hashSz + OPAQUE16_LEN) {
@@ -6634,10 +6649,17 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
     XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN);
     hrrIdx += RAN_LEN;
 
-    hrr[hrrIdx++] = ssl->session->sessionIDSz;
-    if (ssl->session->sessionIDSz > 0) {
-        XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, ssl->session->sessionIDSz);
-        hrrIdx += ssl->session->sessionIDSz;
+#ifdef WOLFSSL_DTLS13
+    if (ssl->options.dtls)
+        hrr[hrrIdx++] = 0;
+    else
+#endif
+    {
+        hrr[hrrIdx++] = ssl->session->sessionIDSz;
+        if (ssl->session->sessionIDSz > 0) {
+            XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, ssl->session->sessionIDSz);
+            hrrIdx += ssl->session->sessionIDSz;
+        }
     }
 
     /* Cipher Suite */
@@ -6648,7 +6670,11 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
     hrr[hrrIdx++] = 0;
 
     /* Extensions' length */
-    length -= HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz;
+    length -= HRR_BODY_SZ - ID_LEN;
+#ifdef WOLFSSL_DTLS13
+    if (!ssl->options.dtls)
+#endif
+        length -= ssl->session->sessionIDSz;
     c16toa(length, hrr + hrrIdx);
     hrrIdx += 2;
 
@@ -7073,9 +7099,17 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     if (sessIdSz + args->idx > helloSz)
         ERROR_OUT(BUFFER_ERROR, exit_dch);
 
-    ssl->session->sessionIDSz = sessIdSz;
-    if (sessIdSz > 0)
-        XMEMCPY(ssl->session->sessionID, input + args->idx, sessIdSz);
+#ifdef WOLFSSL_DTLS13
+    /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
+     * legacy_session_id_echo. Don't store the client's value so it
+     * won't be echoed in SendTls13ServerHello. */
+    if (!ssl->options.dtls)
+#endif
+    {
+        ssl->session->sessionIDSz = sessIdSz;
+        if (sessIdSz > 0)
+            XMEMCPY(ssl->session->sessionID, input + args->idx, sessIdSz);
+    }
     args->idx += sessIdSz;
 
 #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
@@ -7579,8 +7613,13 @@ int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
     /* Protocol version, server random, session id, cipher suite, compression
      * and extensions.
      */
-    length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session->sessionIDSz +
-             SUITE_LEN + COMP_LEN;
+    length = VERSION_SZ + RAN_LEN + ENUM_LEN + SUITE_LEN + COMP_LEN;
+#ifdef WOLFSSL_DTLS13
+    /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
+     * legacy_session_id_echo. */
+    if (!ssl->options.dtls)
+#endif
+        length += ssl->session->sessionIDSz;
     ret = TLSX_GetResponseSize(ssl, extMsgType, &length);
     if (ret != 0)
         return ret;
@@ -7624,10 +7663,21 @@ int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
     WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
 #endif
 
-    output[idx++] = ssl->session->sessionIDSz;
-    if (ssl->session->sessionIDSz > 0) {
-        XMEMCPY(output + idx, ssl->session->sessionID, ssl->session->sessionIDSz);
-        idx += ssl->session->sessionIDSz;
+#ifdef WOLFSSL_DTLS13
+    if (ssl->options.dtls) {
+        /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
+         * legacy_session_id_echo. */
+        output[idx++] = 0;
+    }
+    else
+#endif
+    {
+        output[idx++] = ssl->session->sessionIDSz;
+        if (ssl->session->sessionIDSz > 0) {
+            XMEMCPY(output + idx, ssl->session->sessionID,
+                ssl->session->sessionIDSz);
+            idx += ssl->session->sessionIDSz;
+        }
     }
 
     /* Chosen cipher suite */
diff --git a/tests/api/test_dtls.c b/tests/api/test_dtls.c
@@ -2567,3 +2567,81 @@ int test_dtls13_min_rtx_interval(void)
 #endif
     return EXPECT_RESULT();
 }
+
+/* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
+ * legacy_session_id_echo, even if the ClientHello had a non-empty
+ * legacy_session_id. */
+int test_dtls13_no_session_id_echo(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS13)
+    struct test_memio_ctx test_ctx;
+    WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
+    WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    WOLFSSL_SESSION *sess = NULL;
+    char readBuf[1];
+
+    /* First connection: complete a DTLS 1.3 handshake to get a session */
+    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+        wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method), 0);
+    ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+
+    /* Read to process any NewSessionTicket */
+    ExpectIntEQ(wolfSSL_read(ssl_c, readBuf, sizeof(readBuf)), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+
+    ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
+
+    /* Ensure the session has a non-empty session ID so the ClientHello
+     * will have a populated legacy_session_id field (which is legal per
+     * RFC 9147). */
+    if (sess->sessionIDSz == 0) {
+        sess->sessionIDSz = ID_LEN;
+        XMEMSET(sess->sessionID, 0x42, ID_LEN);
+    }
+
+    wolfSSL_free(ssl_c); ssl_c = NULL;
+    wolfSSL_free(ssl_s); ssl_s = NULL;
+    wolfSSL_CTX_free(ctx_c); ctx_c = NULL;
+    wolfSSL_CTX_free(ctx_s); ctx_s = NULL;
+
+    /* Second connection: set the session on the client so the ClientHello
+     * contains a non-empty legacy_session_id. Verify the server does NOT
+     * echo it in the ServerHello. */
+    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+        wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method), 0);
+    ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
+    /* Disable HRR cookie so the server directly sends a ServerHello */
+    ExpectIntEQ(wolfSSL_disable_hrr_cookie(ssl_s), WOLFSSL_SUCCESS);
+
+    /* Client sends ClientHello (with non-empty legacy_session_id) */
+    ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+
+    /* Server processes ClientHello and sends ServerHello + flight */
+    ExpectIntEQ(wolfSSL_negotiate(ssl_s), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
+
+    /* Verify the ServerHello on the wire.
+     * Layout: DTLS Record Header (13) + DTLS Handshake Header (12) +
+     *         ProtocolVersion (2) + Random (32) = offset 59 for
+     *         legacy_session_id_echo length byte. */
+    ExpectIntGE(test_ctx.c_len, 60);
+    ExpectIntEQ(test_ctx.c_buff[0], handshake);
+    ExpectIntEQ(test_ctx.c_buff[DTLS_RECORD_HEADER_SZ], server_hello);
+    ExpectIntEQ(test_ctx.c_buff[DTLS_RECORD_HEADER_SZ +
+        DTLS_HANDSHAKE_HEADER_SZ + OPAQUE16_LEN + RAN_LEN], 0);
+
+    /* Complete the handshake */
+    ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+
+    wolfSSL_SESSION_free(sess);
+    wolfSSL_free(ssl_c);
+    wolfSSL_free(ssl_s);
+    wolfSSL_CTX_free(ctx_c);
+    wolfSSL_CTX_free(ctx_s);
+#endif
+    return EXPECT_RESULT();
+}
diff --git a/tests/api/test_dtls.h b/tests/api/test_dtls.h
@@ -50,6 +50,7 @@ int test_dtls_memio_wolfio_stateless(void);
 int test_dtls_mtu_fragment_headroom(void);
 int test_dtls_mtu_split_messages(void);
 int test_dtls13_min_rtx_interval(void);
+int test_dtls13_no_session_id_echo(void);
 
 #define TEST_DTLS_DECLS                                                        \
         TEST_DECL_GROUP("dtls", test_dtls12_basic_connection_id),              \
@@ -79,5 +80,6 @@ int test_dtls13_min_rtx_interval(void);
         TEST_DECL_GROUP("dtls", test_dtls_mtu_fragment_headroom),              \
         TEST_DECL_GROUP("dtls", test_dtls_mtu_split_messages),                 \
         TEST_DECL_GROUP("dtls", test_dtls_memio_wolfio_stateless),             \
-        TEST_DECL_GROUP("dtls", test_dtls13_min_rtx_interval)
+        TEST_DECL_GROUP("dtls", test_dtls13_min_rtx_interval),              \
+        TEST_DECL_GROUP("dtls", test_dtls13_no_session_id_echo)
 #endif /* TESTS_API_DTLS_H */
