Add a middlebox_compat flag and condition session ID randomisation on it.

ok tb@
author: jsing <> 2020-05-09 15:30:21 +0000
committer: jsing <> 2020-05-09 15:30:21 +0000
commit: e60743c2598f2b8d05fbd008cafbfe16bfe0b9a3 (patch)
tree: 6666049523937c7ae835bbe58ae646628168a32f /src/lib/libssl/tls13_client.c
parent: 465ed0712229ad7d942b62e920b8adff60f611ab (diff)
download: openbsd-e60743c2598f2b8d05fbd008cafbfe16bfe0b9a3.tar.gz
openbsd-e60743c2598f2b8d05fbd008cafbfe16bfe0b9a3.tar.bz2
openbsd-e60743c2598f2b8d05fbd008cafbfe16bfe0b9a3.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index aab83dcc69..d5ac6ba5e0 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.55 2020/05/09 15:05:50 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.56 2020/05/09 15:30:21 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -61,7 +61,7 @@ tls13_client_init(struct tls13_ctx *ctx)
         * legacy session identifier triggers compatibility mode (see RFC 8446
         * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
         */
-        if (ctx->hs->max_version >= TLS1_3_VERSION) {
+        if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) {
                arc4random_buf(ctx->hs->legacy_session_id,
                    sizeof(ctx->hs->legacy_session_id));
                ctx->hs->legacy_session_id_len =
author	jsing <>	2020-05-09 15:30:21 +0000
committer	jsing <>	2020-05-09 15:30:21 +0000
commit	e60743c2598f2b8d05fbd008cafbfe16bfe0b9a3 (patch)
tree	6666049523937c7ae835bbe58ae646628168a32f /src/lib/libssl/tls13_client.c
parent	465ed0712229ad7d942b62e920b8adff60f611ab (diff)
download	openbsd-e60743c2598f2b8d05fbd008cafbfe16bfe0b9a3.tar.gz openbsd-e60743c2598f2b8d05fbd008cafbfe16bfe0b9a3.tar.bz2 openbsd-e60743c2598f2b8d05fbd008cafbfe16bfe0b9a3.zip

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index aab83dcc69..d5ac6ba5e0 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.55 2020/05/09 15:05:50 beck Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.56 2020/05/09 15:30:21 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -61,7 +61,7 @@ tls13_client_init(struct tls13_ctx *ctx)
61	* legacy session identifier triggers compatibility mode (see RFC 8446	61	* legacy session identifier triggers compatibility mode (see RFC 8446
62	* Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.	62	* Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
63	*/	63	*/
64	if (ctx->hs->max_version >= TLS1_3_VERSION) {	64	if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) {
65	arc4random_buf(ctx->hs->legacy_session_id,	65	arc4random_buf(ctx->hs->legacy_session_id,
66	sizeof(ctx->hs->legacy_session_id));	66	sizeof(ctx->hs->legacy_session_id));
67	ctx->hs->legacy_session_id_len =	67	ctx->hs->legacy_session_id_len =