Send dummy ChangeCipherSpec messages from the TLSv1.3 server

If the client has requested middle box compatibility mode by sending a non-empty legacy_session_id, the server must send a dummy CCS right after its first handshake message. This means right after ServerHello or HelloRetryRequest. ok jsing
author: tb <> 2020-05-09 16:43:05 +0000
committer: tb <> 2020-05-09 16:43:05 +0000
commit: 5f9e50161ad02213ce0e8e216933bde0efc8bc02 (patch)
tree: b490ec08313675814e5201e93eb75bdb10cac539 /src/lib
parent: 99c3d9d6560601ac170c9657a01cf72bd69cfe63 (diff)
download: openbsd-5f9e50161ad02213ce0e8e216933bde0efc8bc02.tar.gz
openbsd-5f9e50161ad02213ce0e8e216933bde0efc8bc02.tar.bz2
openbsd-5f9e50161ad02213ce0e8e216933bde0efc8bc02.zip
3 files changed, 34 insertions, 3 deletions
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 05446380dd..1825bfbf6c 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.57 2020/05/09 15:47:11 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.58 2020/05/09 16:43:05 tb Exp $ */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -102,6 +102,7 @@ static const struct tls13_handshake_action state_machine[] = {
                .sender = TLS13_HS_SERVER,
                .send = tls13_server_hello_retry_request_send,
                .recv = tls13_server_hello_retry_request_recv,
+                .sent = tls13_server_hello_retry_request_sent,
        },
        [SERVER_ENCRYPTED_EXTENSIONS] = {
                .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
@@ -373,6 +374,12 @@ tls13_handshake_send_action(struct tls13_ctx *ctx,
        if (action->sent != NULL && !action->sent(ctx))
                return TLS13_IO_FAILURE;
+        if (ctx->send_dummy_ccs) {
+                if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
+                        return ret;
+                ctx->send_dummy_ccs = 0;
+        }
        return TLS13_IO_SUCCESS;
 }
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 438423aaff..e3aaf634c3 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.70 2020/05/09 15:47:11 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.71 2020/05/09 16:43:05 tb Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -323,6 +323,7 @@ int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_hello_sent(struct tls13_ctx *ctx);
 int tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb);
+int tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx);
 int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs);
 int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb);
 int tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs);
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 2fe5428b71..5e2711d4d4 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.38 2020/05/09 14:02:24 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.39 2020/05/09 16:43:05 tb Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -335,6 +335,20 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 }
 int
+tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
+{
+        /*
+         * If the client has requested middlebox compatibility mode,
+         * we MUST send a dummy CCS following our first handshake message.
+         * See RFC 8446 Appendix D.4.
+         */
+        if (ctx->hs->legacy_session_id_len > 0)
+                ctx->send_dummy_ccs = 1;
+        return 1;
+}
+int
 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
        SSL *s = ctx->ssl;
@@ -368,6 +382,15 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 int
 tls13_server_hello_sent(struct tls13_ctx *ctx)
 {
+        /*
+         * If the client has requested middlebox compatibility mode,
+         * we MUST send a dummy CCS following our first handshake message.
+         * See RFC 8446 Appendix D.4.
+         */
+        if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
+            ctx->hs->legacy_session_id_len > 0)
+                ctx->send_dummy_ccs = 1;
        return tls13_server_engage_record_protection(ctx);
 }
author	tb <>	2020-05-09 16:43:05 +0000
committer	tb <>	2020-05-09 16:43:05 +0000
commit	5f9e50161ad02213ce0e8e216933bde0efc8bc02 (patch)
tree	b490ec08313675814e5201e93eb75bdb10cac539 /src/lib
parent	99c3d9d6560601ac170c9657a01cf72bd69cfe63 (diff)
download	openbsd-5f9e50161ad02213ce0e8e216933bde0efc8bc02.tar.gz openbsd-5f9e50161ad02213ce0e8e216933bde0efc8bc02.tar.bz2 openbsd-5f9e50161ad02213ce0e8e216933bde0efc8bc02.zip