authorjsing <jsing@openbsd.org>2020-05-09 15:30:21 +0000
committerjsing <jsing@openbsd.org>2020-05-09 15:30:21 +0000
commit0e548c8feebabab6d01582c56a4e4e46725c89f8 (patch)
treed9d77d61b7fe1a06d1d3814c9bccd655effa387d /lib/libssl/tls13_client.c
parentcatch the other place this needs to change (diff)
Add a middlebox_compat flag and condition session ID randomisation on it.
ok tb@
Diffstat (limited to 'lib/libssl/tls13_client.c')
-rw-r--r--lib/libssl/tls13_client.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index aab83dcc692..d5ac6ba5e07 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.55 2020/05/09 15:05:50 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.56 2020/05/09 15:30:21 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -61,7 +61,7 @@ tls13_client_init(struct tls13_ctx *ctx)
* legacy session identifier triggers compatibility mode (see RFC 8446
* Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
*/
- if (ctx->hs->max_version >= TLS1_3_VERSION) {
+ if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) {
arc4random_buf(ctx->hs->legacy_session_id,
sizeof(ctx->hs->legacy_session_id));
ctx->hs->legacy_session_id_len =
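Review bot: The comment directly above the changed condition still says a zero-length legacy session ID is used only "in the pre-TLSv1.3 case", but with the new test a TLSv1.3 client with `middlebox_compat` cleared also sends an empty one. I would reword its last sentence to `In the pre-TLSv1.3 case, or when middlebox_compat is disabled, a zero length value is used.` so the stated behaviour matches the condition. Where `ctx->middlebox_compat` is initialised is not visible in this file's diff, so confirm it is set before `tls13_client_init()` runs; if it is left at zero, compatibility mode is presumably dropped silently for every client. The body of `tls13_client_init()` starts and ends outside this hunk, so the rest of the session ID handling could not be checked here.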