authortb <tb@openbsd.org>2020-01-22 05:06:23 +0000
committertb <tb@openbsd.org>2020-01-22 05:06:23 +0000
commit138e3c44917861170a76677532999de39025dd0c (patch)
tree3ae103bcaed44ad139c7ab878bdabf167f8e3467 /lib/libssl/tls13_server.c
parentrm rtfps driver. disabled and man page doesn't inspire much confidence. (diff)
After the ClientHello has been sent or received and before the peer's
Finished message has been received, a change cipher spec may be received and must be ignored. Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it. ok jsing
Diffstat (limited to 'lib/libssl/tls13_server.c')
-rw-r--r--lib/libssl/tls13_server.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 10d85a62b3c..fc3e80ad587 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.4 2020/01/22 02:21:05 beck Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.5 2020/01/22 05:06:23 tb Exp $ */
/*
* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
*
@@ -81,6 +81,8 @@ tls13_legacy_accept(SSL *ssl)
int
tls13_client_hello_recv(struct tls13_ctx *ctx)
{
+ tls13_record_layer_allow_ccs(ctx->rl, 1);
+
return 0;
}
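Review bot: The added `tls13_record_layer_allow_ccs(ctx->rl, 1);` in tls13_client_hello_recv has no comment, so the reason for the bare `1` lives only in the commit message. A one-line comment above the call would keep it with the code, for example `/* RFC 8446 section 5: drop a peer ChangeCipherSpec from here until the client's Finished. */`. The matching `tls13_record_layer_allow_ccs(ctx->rl, 0);` in the tls13_client_finished_recv hunk deserves the counterpart comment, because the pairing of the two calls is what bounds the window.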
@@ -135,6 +137,8 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx)
int
tls13_client_finished_recv(struct tls13_ctx *ctx)
{
+ tls13_record_layer_allow_ccs(ctx->rl, 0);
+
return 0;
}
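Review bot: Clearing the flag in tls13_client_finished_recv is the only thing that ends the ignore window, and this page does not show what the record layer accepts while the window is open (the diffstat is limited to this file). It is worth confirming that the record layer drops only an unprotected change_cipher_spec record consisting of the single byte 0x01, and that it caps how many it will drop; otherwise a peer could keep the server consuming records without the handshake advancing. Both handlers are still stubs that return 0, so when Finished verification is added here the `tls13_record_layer_allow_ccs(ctx->rl, 0);` call should stay ahead of any early return, so that a failed verification cannot leave the flag set.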