diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2020-05-09 15:30:22 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2020-05-09 15:30:22 +0000 |
| commit | ac7895d867cc4803b196b6928888975ee923a969 (patch) | |
| tree | c35e6a76c3e1ac00cc6f2afb9016f3e2c1cf0d14 /lib | |
| parent | a4cfe5fce54390c5e2b81325b310c906df3171c5 (diff) | |
Add a middlebox_compat flag and condition session ID randomisation on it.
ok tb@
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libssl/tls13_client.c | 4 | ||||
| -rw-r--r-- | lib/libssl/tls13_internal.h | 3 | ||||
| -rw-r--r-- | lib/libssl/tls13_lib.c | 4 |
3 files changed, 7 insertions, 4 deletions
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c index aab83dcc692..d5ac6ba5e07 100644 --- a/lib/libssl/tls13_client.c +++ b/lib/libssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.55 2020/05/09 15:05:50 beck Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.56 2020/05/09 15:30:21 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * @@ -61,7 +61,7 @@ tls13_client_init(struct tls13_ctx *ctx) * legacy session identifier triggers compatibility mode (see RFC 8446 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. */ - if (ctx->hs->max_version >= TLS1_3_VERSION) { + if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) { arc4random_buf(ctx->hs->legacy_session_id, sizeof(ctx->hs->legacy_session_id)); ctx->hs->legacy_session_id_len = diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h index b699b205010..f15d11551a8 100644 --- a/lib/libssl/tls13_internal.h +++ b/lib/libssl/tls13_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_internal.h,v 1.68 2020/05/09 15:05:50 beck Exp $ */ +/* $OpenBSD: tls13_internal.h,v 1.69 2020/05/09 15:30:21 jsing Exp $ */ /* * Copyright (c) 2018 Bob Beck <beck@openbsd.org> * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> @@ -218,6 +218,7 @@ struct tls13_ctx { uint8_t mode; struct tls13_handshake_stage handshake_stage; int handshake_completed; + int middlebox_compat; int close_notify_sent; int close_notify_recv; diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c index 37f300ae43b..3825707d5c9 100644 --- a/lib/libssl/tls13_lib.c +++ b/lib/libssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.37 2020/05/09 15:05:50 beck Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.38 2020/05/09 15:30:21 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * Copyright (c) 2019 Bob Beck <beck@openbsd.org> @@ -351,6 +351,8 @@ tls13_ctx_new(int mode) ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb; ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb; + ctx->middlebox_compat = 1; + return ctx; err: |