Address review

julek-wolfssl · julek-wolfssl · commit cf66a89c33bf · 2026-03-19T12:33:49.000+01:00
diff --git a/src/tls13.c b/src/tls13.c
@@ -4663,6 +4663,13 @@ int SendTls13ClientHello(WOLFSSL* ssl)
         ssl->session->sessionIDSz = 0;
         ssl->options.tls13MiddleBoxCompat = 0;
     }
+#endif
+#ifdef WOLFSSL_DTLS13
+    if (ssl->options.dtls) {
+        /* RFC 9147 Section 5: DTLS implementations do not use the
+         *                     TLS 1.3 "compatibility mode" */
+        ssl->options.tls13MiddleBoxCompat = 0;
+    }
 #endif
     GetTls13SessionId(ssl, NULL, &sessIdSz);
     args->length += (word16)sessIdSz;
@@ -5581,18 +5588,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
     case TLS_ASYNC_FINALIZE:
     {
-#ifdef WOLFSSL_DTLS13
-    /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
-     * legacy_session_id_echo. */
-    if (ssl->options.dtls) {
-        if (args->sessIdSz != 0) {
-            WOLFSSL_MSG("DTLS 1.3 ServerHello must have empty session ID");
-            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
-            return INVALID_PARAMETER;
-        }
-    }
-    else
-#endif
 #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
     if (ssl->options.tls13MiddleBoxCompat) {
         if (args->sessIdSz == 0) {
@@ -5618,16 +5613,25 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     }
     else
 #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
+#if defined(WOLFSSL_QUIC) || defined(WOLFSSL_DTLS13)
+    if (0
 #ifdef WOLFSSL_QUIC
-    if (WOLFSSL_IS_QUIC(ssl)) {
+        || WOLFSSL_IS_QUIC(ssl)
+#endif
+#ifdef WOLFSSL_DTLS13
+        || ssl->options.dtls
+#endif
+    ) {
+        /* RFC 9147 Section 5.3 / RFC 9001 Section 8.4: DTLS 1.3 and QUIC
+         * ServerHello must have empty legacy_session_id_echo. */
         if (args->sessIdSz != 0) {
             WOLFSSL_MSG("args->sessIdSz != 0");
             WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
             return INVALID_PARAMETER;
         }
     }
     else
-#endif /* WOLFSSL_QUIC */
+#endif /* WOLFSSL_QUIC || WOLFSSL_DTLS13 */
     if (args->sessIdSz != ssl->session->sessionIDSz || (args->sessIdSz > 0 &&
         XMEMCMP(ssl->session->sessionID, args->sessId, args->sessIdSz) != 0))
     {
@@ -6595,6 +6599,7 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
     word16 length;
     int    keyShareExt = 0;
     int    ret;
+    byte   sessIdSz;
 
     ret = TlsCheckCookie(ssl, cookie->data, (byte)cookie->len);
     if (ret < 0)
@@ -6619,11 +6624,14 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
         return ret;
 
     /* Reconstruct the HelloRetryMessage for handshake hash. */
-    length = HRR_BODY_SZ - ID_LEN + HRR_COOKIE_HDR_SZ + cookie->len;
+    sessIdSz = ssl->session->sessionIDSz;
 #ifdef WOLFSSL_DTLS13
-    if (!ssl->options.dtls)
+    /* RFC 9147 Section 5.3: DTLS 1.3 must use empty legacy_session_id. */
+    if (ssl->options.dtls)
+        sessIdSz = 0;
 #endif
-        length += ssl->session->sessionIDSz;
+    length = HRR_BODY_SZ - ID_LEN + sessIdSz +
+             HRR_COOKIE_HDR_SZ + cookie->len;
     length += HRR_VERSIONS_SZ;
     /* HashSz (1 byte) + Hash (HashSz bytes) + CipherSuite (2 bytes) */
     if (cookieDataSz > OPAQUE8_LEN + hashSz + OPAQUE16_LEN) {
@@ -6649,17 +6657,10 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
     XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN);
     hrrIdx += RAN_LEN;
 
-#ifdef WOLFSSL_DTLS13
-    if (ssl->options.dtls)
-        hrr[hrrIdx++] = 0;
-    else
-#endif
-    {
-        hrr[hrrIdx++] = ssl->session->sessionIDSz;
-        if (ssl->session->sessionIDSz > 0) {
-            XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, ssl->session->sessionIDSz);
-            hrrIdx += ssl->session->sessionIDSz;
-        }
+    hrr[hrrIdx++] = sessIdSz;
+    if (sessIdSz > 0) {
+        XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, sessIdSz);
+        hrrIdx += sessIdSz;
     }
 
     /* Cipher Suite */
@@ -6670,11 +6671,7 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
     hrr[hrrIdx++] = 0;
 
     /* Extensions' length */
-    length -= HRR_BODY_SZ - ID_LEN;
-#ifdef WOLFSSL_DTLS13
-    if (!ssl->options.dtls)
-#endif
-        length -= ssl->session->sessionIDSz;
+    length -= HRR_BODY_SZ - ID_LEN + sessIdSz;
     c16toa(length, hrr + hrrIdx);
     hrrIdx += 2;
 
@@ -7103,7 +7100,10 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
      * legacy_session_id_echo. Don't store the client's value so it
      * won't be echoed in SendTls13ServerHello. */
-    if (!ssl->options.dtls)
+    if (ssl->options.dtls) {
+        ssl->session->sessionIDSz = 0;
+    }
+    else
 #endif
     {
         ssl->session->sessionIDSz = sessIdSz;
@@ -7613,13 +7613,8 @@ int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
     /* Protocol version, server random, session id, cipher suite, compression
      * and extensions.
      */
-    length = VERSION_SZ + RAN_LEN + ENUM_LEN + SUITE_LEN + COMP_LEN;
-#ifdef WOLFSSL_DTLS13
-    /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
-     * legacy_session_id_echo. */
-    if (!ssl->options.dtls)
-#endif
-        length += ssl->session->sessionIDSz;
+    length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session->sessionIDSz +
+             SUITE_LEN + COMP_LEN;
     ret = TLSX_GetResponseSize(ssl, extMsgType, &length);
     if (ret != 0)
         return ret;
