Be stricter with middlebox compatibility mode in the TLSv1.3 server.

Only allow a TLSv1.3 client to request middlebox compatibility mode if this is permitted. Ensure that the legacy session identifier is either zero length or 32 bytes in length. Additionally, only allow CCS messages on the server side if the client actually requested middlebox compatibility mode. ok tb@
author: jsing <> 2022-09-11 14:39:44 +0000
committer: jsing <> 2022-09-11 14:39:44 +0000
commit: 3e2640f885663e101f66709fa8e3f287b28b7c94 (patch)
tree: 0b3acb08b7157ce938fb3a4b4f14dbaea5a166ad
parent: f89c54df88fa62477e4eb5d92a93a2dc346c6c03 (diff)
download: openbsd-3e2640f885663e101f66709fa8e3f287b28b7c94.tar.gz
openbsd-3e2640f885663e101f66709fa8e3f287b28b7c94.tar.bz2
openbsd-3e2640f885663e101f66709fa8e3f287b28b7c94.zip
1 files changed, 21 insertions, 5 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 8f225433f0..b1612a86e5 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.101 2022/08/17 07:39:19 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.102 2022/09/11 14:39:44 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -174,6 +174,15 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
        /* Ensure we send subsequent alerts with the correct record version. */
        tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
+        /*
+         * Ensure that the client has not requested middlebox compatibility mode
+         * if it is prohibited from doing so.
+         */
+        if (!ctx->middlebox_compat && CBS_len(&session_id) != 0) {
+                ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
+                goto err;
+        }
        /* Add decoded values to the current ClientHello hash */
        if (!tls13_clienthello_hash_init(ctx)) {
                ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
@@ -234,8 +243,14 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                goto err;
        }
-        /* Store legacy session identifier so we can echo it. */
+        /*
-        if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
+         * The legacy session identifier must either be zero length or a 32 byte
+         * value (in which case the client is requesting middlebox compatibility
+         * mode), as per RFC 8446 section 4.1.2. If it is valid, store the value
+         * so that we can echo it back to the client.
+         */
+        if (CBS_len(&session_id) != 0 &&
+            CBS_len(&session_id) != sizeof(ctx->hs->tls13.legacy_session_id)) {
                ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
                goto err;
        }
@@ -303,8 +318,9 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
        if (ctx->hs->key_share != NULL)
                ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
-        /* XXX - check this is the correct point */
+        /* Only allow CCS if client requested middlebox compatibility mode. */
-        tls13_record_layer_allow_ccs(ctx->rl, 1);
+        if (ctx->hs->tls13.legacy_session_id_len > 0)
+                tls13_record_layer_allow_ccs(ctx->rl, 1);
        return 1;
author	jsing <>	2022-09-11 14:39:44 +0000
committer	jsing <>	2022-09-11 14:39:44 +0000
commit	3e2640f885663e101f66709fa8e3f287b28b7c94 (patch)
tree	0b3acb08b7157ce938fb3a4b4f14dbaea5a166ad
parent	f89c54df88fa62477e4eb5d92a93a2dc346c6c03 (diff)
download	openbsd-3e2640f885663e101f66709fa8e3f287b28b7c94.tar.gz openbsd-3e2640f885663e101f66709fa8e3f287b28b7c94.tar.bz2 openbsd-3e2640f885663e101f66709fa8e3f287b28b7c94.zip