authorjsing <>2022-09-11 14:33:07 +0000
committerjsing <>2022-09-11 14:33:07 +0000
commitf89c54df88fa62477e4eb5d92a93a2dc346c6c03 (patch)
treeb26aff081d10224d8e1af85ac3458a4e3f40a8d7 /src/lib
parent0e4a43263970930a73f26bc35df65ec5f1ad8166 (diff)
Only permit CCS messages if requesting middlebox compatibility mode.
Currently the TLSv1.3 client always permits the server to send CCS messages. Be more strict and only permit this if the client is actually requesting middlebox compatibility mode. ok tb@
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libssl/tls13_client.c8
1 files changed, 4 insertions, 4 deletions
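--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.98 2022/08/17 07:39:19 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.99 2022/09/11 14:33:07 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -148,12 +148,12 @@ tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_client_hello_sent(struct tls13_ctx *ctx)
 {
- tls13_record_layer_allow_ccs(ctx->rl, 1);
-
  tls1_transcript_freeze(ctx->ssl);
 
- if (ctx->middlebox_compat)
+ if (ctx->middlebox_compat) {
+ tls13_record_layer_allow_ccs(ctx->rl, 1);
  ctx->send_dummy_ccs = 1;
+ }
 
  return 1;
 }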
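Review bot: The new braced block in tls13_client_hello_sent() carries no comment saying why CCS acceptance is now tied to ctx->middlebox_compat, and this stricter behaviour is worth recording next to the code. RFC 8446 section 5 tells an endpoint to drop an unencrypted change_cipher_spec record received during the handshake, so a server that sends one unconditionally would presumably now fail the handshake when compatibility mode is off; a comment such as `/* Only accept a dummy CCS from the server if we requested middlebox compatibility mode. */` above the `tls13_record_layer_allow_ccs(ctx->rl, 1);` call would show that this is deliberate. Where the permission is withdrawn again lies outside this hunk, so it is worth confirming that no other client path re-enables it unconditionally, and a regress test for the compat-off case would pin the behaviour.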