diff options
| author |   tb <tb@openbsd.org> | 2020-05-10 17:13:29 +0000 |
|---|---|---|
| committer | tb <tb@openbsd.org> | 2020-05-10 17:13:29 +0000 |
| commit | e0a52b2d4fbf69cfff99e467cc65aed6d347f53e (patch) | |
| tree | fbf9e96537abb7010bf49b2e5c04539f86106c38 /lib/libssl/tls13_server.c | |
| parent | Honour SSL_VERIFY_FAIL_IF_NO_PEER_CERT in the TLSv1.3 server. (diff) | |
| download | wireguard-openbsd-e0a52b2d4fbf69cfff99e467cc65aed6d347f53e.tar.xz wireguard-openbsd-e0a52b2d4fbf69cfff99e467cc65aed6d347f53e.zip | |
Send dummy ChangeCipherSpec messages from the TLSv1.3 server
If the client has requested middle box compatibility mode by sending
a non-empty legacy_session_id, the server must send a dummy CCS right
after its first handshake message. This means right after ServerHello
or HelloRetryRequest.
Two important improvements over the backed-out diffr: make sure that
First: client and server can send their dummy CCS at the correct moment
(right before the next flight or right after the current flight).
Second: as jsing noted, we also need to deal with the corner case that
tls13_send_dummy_ccs() can return TLS13_IO_WANT_POLLOUT.
with/ok jsing
Diffstat (limited to 'lib/libssl/tls13_server.c')
| -rw-r--r-- | lib/libssl/tls13_server.c | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c index f96d054500a..9616f392e1a 100644 --- a/lib/libssl/tls13_server.c +++ b/lib/libssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.42 2020/05/10 16:59:51 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.43 2020/05/10 17:13:30 tb Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> * Copyright (c) 2020 Bob Beck <beck@openbsd.org> @@ -335,6 +335,20 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) } int +tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) +{ + /* + * If the client has requested middlebox compatibility mode, + * we MUST send a dummy CCS following our first handshake message. + * See RFC 8446 Appendix D.4. + */ + if (ctx->hs->legacy_session_id_len > 0) + ctx->send_dummy_ccs_after = 1; + + return 1; +} + +int tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) { SSL *s = ctx->ssl; @@ -368,6 +382,15 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_server_hello_sent(struct tls13_ctx *ctx) { + /* + * If the client has requested middlebox compatibility mode, + * we MUST send a dummy CCS following our first handshake message. + * See RFC 8446 Appendix D.4. + */ + if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && + ctx->hs->legacy_session_id_len > 0) + ctx->send_dummy_ccs_after = 1; + return tls13_server_engage_record_protection(ctx); } |