diff --git a/crypto/src/tls/DtlsClientProtocol.cs b/crypto/src/tls/DtlsClientProtocol.cs
index a4810b983..44f574e3a 100644
--- a/crypto/src/tls/DtlsClientProtocol.cs
+++ b/crypto/src/tls/DtlsClientProtocol.cs
@@ -177,10 +177,7 @@ namespace Org.BouncyCastle.Tls
}
InvalidateSession(state);
-
state.tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null);
- state.sessionParameters = null;
- state.sessionMasterSecret = null;
serverMessage = handshake.ReceiveMessage();
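Review bot: Dropping `state.sessionParameters = null;` and `state.sessionMasterSecret = null;` after `InvalidateSession(state)` is only safe if that method itself nulls both fields and destroys the previous master secret; InvalidateSession is outside this diff, so that should be confirmed before the resets go. The same removal is made twice in TlsClientProtocol.cs (the hunks at @@ -1001 and @@ -1325, on `this.m_sessionParameters` / `this.m_sessionMasterSecret`), so one stale-secret path would be repeated three times if the assumption is wrong. If InvalidateSession does own that cleanup, a doc comment on it such as `/// Discards the current session, its parameters and the master secret.` would make the dependency explicit for the next reader. The enclosing method continues outside the hunk.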
@@ -343,6 +340,14 @@ namespace Org.BouncyCastle.Tls
serverMessage = handshake.ReceiveMessage();
if (serverMessage.Type == HandshakeType.new_session_ticket)
{
+ /*
+ * RFC 5077 3.4. If the client receives a session ticket from the server, then it
+ * discards any Session ID that was sent in the ServerHello.
+ */
+ securityParameters.m_sessionID = TlsUtilities.EmptyBytes;
+ InvalidateSession(state);
+ state.tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null);
+
ProcessNewSessionTicket(state, serverMessage.Body);
}
else
@@ -373,7 +378,7 @@ namespace Org.BouncyCastle.Tls
.SetServerExtensions(state.serverExtensions)
.Build();
- state.tlsSession = TlsUtilities.ImportSession(state.tlsSession.SessionID, state.sessionParameters);
+ state.tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, state.sessionParameters);
securityParameters.m_tlsUnique = securityParameters.LocalVerifyData;
diff --git a/crypto/src/tls/DtlsReliableHandshake.cs b/crypto/src/tls/DtlsReliableHandshake.cs
index b2f8f130a..e27d72762 100644
--- a/crypto/src/tls/DtlsReliableHandshake.cs
+++ b/crypto/src/tls/DtlsReliableHandshake.cs
@@ -408,9 +408,10 @@ namespace Org.BouncyCastle.Tls
case HandshakeType.hello_request:
case HandshakeType.hello_verify_request:
case HandshakeType.key_update:
- case HandshakeType.new_session_ticket:
break;
+ // TODO[dtls13] Not included in the transcript for (D)TLS 1.3+
+ case HandshakeType.new_session_ticket:
default:
{
byte[] body = message.Body;
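Review bot: The `// TODO[dtls13]` comment is placed between the `break;` of the preceding case group and the relocated `case HandshakeType.new_session_ticket:` label, so on a quick read it looks attached to the hello_request/hello_verify_request/key_update group rather than to the ticket case; moving it onto the label, `case HandshakeType.new_session_ticket: // TODO[dtls13] Not included in the transcript for (D)TLS 1.3+`, avoids that. Behaviourally the change now always hashes NewSessionTicket into the DTLS transcript, which is what RFC 5077 3.3 requires for (D)TLS 1.2 (the message is covered by the Finished hash); note that the TLS counterpart in TlsProtocol.cs gates this on the negotiated version, so the same gate will be needed here once DTLS 1.3 is supported. The enclosing switch starts and ends outside the hunk.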
diff --git a/crypto/src/tls/DtlsServerProtocol.cs b/crypto/src/tls/DtlsServerProtocol.cs
index 5637d4106..99c47ba1b 100644
--- a/crypto/src/tls/DtlsServerProtocol.cs
+++ b/crypto/src/tls/DtlsServerProtocol.cs
@@ -313,6 +313,11 @@ namespace Org.BouncyCastle.Tls
if (state.expectSessionTicket)
{
+ /*
+ * TODO[new_session_ticket] Check the server-side rules regarding the session ID, since the client
+ * is going to ignore any session ID it received once it sees the new_session_ticket message.
+ */
+
NewSessionTicket newSessionTicket = state.server.GetNewSessionTicket();
byte[] newSessionTicketBody = GenerateNewSessionTicket(state, newSessionTicket);
handshake.SendMessage(HandshakeType.new_session_ticket, newSessionTicketBody);
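Review bot: The new TODO could already name the rule it is deferring: as I recall RFC 5077 3.4, a server that intends to issue a ticket to a client that presented none SHOULD send a Session ID in ServerHello, and a server that accepts a presented ticket MUST echo the ClientHello's Session ID (which the client then must not cache). Nothing in this hunk relates `state.expectSessionTicket` to the session ID the server actually put in its ServerHello, so leaving it as a TODO is fine, but a comment that cites the section, e.g. `TODO[new_session_ticket] RFC 5077 3.4: SHOULD send a session ID when a ticket will be issued; MUST echo the client's ID when accepting one`, saves the next person re-deriving it. The identical TODO is added in TlsServerProtocol.cs (hunk at @@ -1148), so whichever wording is chosen should be used in both. The enclosing method continues outside the hunk.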
diff --git a/crypto/src/tls/TlsClientProtocol.cs b/crypto/src/tls/TlsClientProtocol.cs
index 4616580f0..c132b257b 100644
--- a/crypto/src/tls/TlsClientProtocol.cs
+++ b/crypto/src/tls/TlsClientProtocol.cs
@@ -708,7 +708,9 @@ namespace Org.BouncyCastle.Tls
* RFC 5077 3.4. If the client receives a session ticket from the server, then it
* discards any Session ID that was sent in the ServerHello.
*/
+ securityParameters.m_sessionID = TlsUtilities.EmptyBytes;
InvalidateSession();
+ this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null);
ReceiveNewSessionTicket(buf);
break;
@@ -1001,13 +1003,8 @@ namespace Org.BouncyCastle.Tls
TlsUtilities.Establish13PhaseSecrets(m_tlsClientContext, pskEarlySecret, sharedSecret);
- {
- InvalidateSession();
-
- this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null);
- this.m_sessionParameters = null;
- this.m_sessionMasterSecret = null;
- }
+ InvalidateSession();
+ this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null);
}
/// <exception cref="IOException"/>
@@ -1325,10 +1322,7 @@ namespace Org.BouncyCastle.Tls
else
{
InvalidateSession();
-
this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, null);
- this.m_sessionParameters = null;
- this.m_sessionMasterSecret = null;
}
}
diff --git a/crypto/src/tls/TlsProtocol.cs b/crypto/src/tls/TlsProtocol.cs
index 8d0e3fc0d..8fe6dc225 100644
--- a/crypto/src/tls/TlsProtocol.cs
+++ b/crypto/src/tls/TlsProtocol.cs
@@ -450,7 +450,7 @@ namespace Org.BouncyCastle.Tls
.SetServerExtensions(m_serverExtensions)
.Build();
- this.m_tlsSession = TlsUtilities.ImportSession(m_tlsSession.SessionID, m_sessionParameters);
+ this.m_tlsSession = TlsUtilities.ImportSession(securityParameters.SessionID, m_sessionParameters);
}
else
{
@@ -590,8 +590,21 @@ namespace Org.BouncyCastle.Tls
*/
case HandshakeType.hello_request:
case HandshakeType.key_update:
+ break;
+
+ /*
+ * Not included in the transcript for (D)TLS 1.3+
+ */
case HandshakeType.new_session_ticket:
+ {
+ ProtocolVersion negotiatedVersion = Context.ServerVersion;
+ if (null != negotiatedVersion && !TlsUtilities.IsTlsV13(negotiatedVersion))
+ {
+ buf.UpdateHash(m_handshakeHash);
+ }
+
break;
+ }
/*
* These message types are deferred to the handler to explicitly update the transcript.
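Review bot: When `Context.ServerVersion` is still null the new branch silently leaves new_session_ticket out of the transcript instead of treating it as unexpected; if the handler independently rejects a NewSessionTicket that arrives before ServerHello this is harmless, otherwise the omission would only surface later as a Finished verification failure rather than an explicit alert, which is worth confirming. The version gate is duplicated verbatim in the write-side hunk at @@ -956 (`m_handshakeHash.Update(buf, off, len)`), so a small private helper, e.g. `private bool IsPreTls13Transcript() { var v = Context.ServerVersion; return v != null && !TlsUtilities.IsTlsV13(v); }`, would keep the two in step. The comment above the case could also say why: `/* RFC 8446 4.6.1: NewSessionTicket is a post-handshake message in TLS 1.3 and is not part of the transcript. */`. The enclosing switch starts and ends outside the hunk.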
@@ -956,8 +969,21 @@ namespace Org.BouncyCastle.Tls
*/
case HandshakeType.hello_request:
case HandshakeType.key_update:
+ break;
+
+ /*
+ * Not included in the transcript for (D)TLS 1.3+
+ */
case HandshakeType.new_session_ticket:
+ {
+ ProtocolVersion negotiatedVersion = Context.ServerVersion;
+ if (null != negotiatedVersion && !TlsUtilities.IsTlsV13(negotiatedVersion))
+ {
+ m_handshakeHash.Update(buf, off, len);
+ }
+
break;
+ }
/*
* These message types are deferred to the writer to explicitly update the transcript.
diff --git a/crypto/src/tls/TlsServerProtocol.cs b/crypto/src/tls/TlsServerProtocol.cs
index 1320cf5fa..e14fb7d70 100644
--- a/crypto/src/tls/TlsServerProtocol.cs
+++ b/crypto/src/tls/TlsServerProtocol.cs
@@ -1148,6 +1148,12 @@ namespace Org.BouncyCastle.Tls
if (m_expectSessionTicket)
{
+ /*
+ * TODO[new_session_ticket] Check the server-side rules regarding the session ID, since
+ * the client is going to ignore any session ID it received once it sees the
+ * new_session_ticket message.
+ */
+
SendNewSessionTicketMessage(m_tlsServer.GetNewSessionTicket());
this.m_connectionState = CS_SERVER_SESSION_TICKET;
}