Add compatibility flag and tests for pre-5.9.0 DTLSv1.3 clients#10492
Open
rizlik wants to merge 2 commits into
Open
Add compatibility flag and tests for pre-5.9.0 DTLSv1.3 clients#10492rizlik wants to merge 2 commits into
rizlik wants to merge 2 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a DTLS 1.3 compatibility mode (WOLFSSL_DTLS13_5_9_0_COMPAT) to interoperate with wolfSSL <= 5.9.0 peers that (incorrectly) required the legacy session ID to be echoed by the server, and introduces tests to validate behavior both with and without the compat flag.
Changes:
- Make DTLS 1.3 client parsing accept non-empty
legacy_session_id_echowhenWOLFSSL_DTLS13_5_9_0_COMPATis enabled. - Make DTLS 1.3 server-side generation (including stateless HRR) optionally echo the client’s
legacy_session_id. - Add an API test that verifies echoing behavior in both direct ServerHello and stateless HRR paths when compat is enabled (and gate the existing “no echo” test accordingly).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/api/test_dtls.h | Registers the new DTLS 1.3 compat test in the API test list. |
| tests/api/test_dtls.c | Updates the “no session id echo” test gating and adds a new compat-mode test covering ServerHello and stateless HRR. |
| src/tls13.c | Adds compat-flag conditional logic to DTLS 1.3 session-id echo validation and transcript reconstruction behavior. |
| src/dtls.c | Adds compat-flag conditional behavior to stateless DTLS 1.3 HRR generation to optionally copy/echo the ClientHello session ID. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+638
to
+643
| #ifdef WOLFSSL_DTLS13_5_9_0_COMPAT | ||
| if (ch->sessionId.size > ID_LEN) { | ||
| /* Too large. We can't echo this. */ | ||
| ERROR_OUT(INVALID_PARAMETER, dtls13_cleanup); | ||
| } | ||
| #endif |
|
rizlik
force-pushed
the
legacy_session_id_bad_client
branch
from
763cff4 to
baed98e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This pull request introduces a compatibility mode (
WOLFSSL_DTLS13_5_9_0_COMPAT) for DTLS 1.3 in wolfSSL, allowing interoperability with clients in wolfSSL <= 5.9.0 wrongly required the legacy session ID to be echoed back from the servers (both server and client behavior are fixed in 5.9.1).