Only permit CCS messages if requesting middlebox compatibility mode.

Currently the TLSv1.3 client always permits the server to send CCS messages. Be more strict and only permit this if the client is actually requesitng middlebox compatibility mode. ok tb@
author: jsing <> 2022-09-11 14:33:07 +0000
committer: jsing <> 2022-09-11 14:33:07 +0000
commit: f89c54df88fa62477e4eb5d92a93a2dc346c6c03 (patch)
tree: b26aff081d10224d8e1af85ac3458a4e3f40a8d7 /src/lib
parent: 0e4a43263970930a73f26bc35df65ec5f1ad8166 (diff)
download: openbsd-f89c54df88fa62477e4eb5d92a93a2dc346c6c03.tar.gz
openbsd-f89c54df88fa62477e4eb5d92a93a2dc346c6c03.tar.bz2
openbsd-f89c54df88fa62477e4eb5d92a93a2dc346c6c03.zip
1 files changed, 4 insertions, 4 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 87759632f9..33ef55d2ec 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.98 2022/08/17 07:39:19 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.99 2022/09/11 14:33:07 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -148,12 +148,12 @@ tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_hello_sent(struct tls13_ctx *ctx)
 {
-        tls13_record_layer_allow_ccs(ctx->rl, 1);
        tls1_transcript_freeze(ctx->ssl);
-        if (ctx->middlebox_compat)
+        if (ctx->middlebox_compat) {
+                tls13_record_layer_allow_ccs(ctx->rl, 1);
                ctx->send_dummy_ccs = 1;
+        }
        return 1;
 }
author	jsing <>	2022-09-11 14:33:07 +0000
committer	jsing <>	2022-09-11 14:33:07 +0000
commit	f89c54df88fa62477e4eb5d92a93a2dc346c6c03 (patch)
tree	b26aff081d10224d8e1af85ac3458a4e3f40a8d7 /src/lib
parent	0e4a43263970930a73f26bc35df65ec5f1ad8166 (diff)
download	openbsd-f89c54df88fa62477e4eb5d92a93a2dc346c6c03.tar.gz openbsd-f89c54df88fa62477e4eb5d92a93a2dc346c6c03.tar.bz2 openbsd-f89c54df88fa62477e4eb5d92a93a2dc346c6c03.zip