diff options
| author | jsing <> | 2020-04-08 16:23:58 +0000 |
|---|---|---|
| committer | jsing <> | 2020-04-08 16:23:58 +0000 |
| commit | 62a1f3a5f30834cae9924b9bf74062621b5eea7a (patch) | |
| tree | 33a2c465b12594e979cf53e457b5cab27ab15e20 /src | |
| parent | b4dba776b53e94077ded196b61300b5bb1c44269 (diff) | |
| download | openbsd-62a1f3a5f30834cae9924b9bf74062621b5eea7a.tar.gz openbsd-62a1f3a5f30834cae9924b9bf74062621b5eea7a.tar.bz2 openbsd-62a1f3a5f30834cae9924b9bf74062621b5eea7a.zip | |
Ensure legacy session ID is persistent during client TLS session.
Generate an unpredictable 32-byte legacy session ID during client
initialisation, rather than when the ClientHello message is being created.
Otherwise in the case of a HelloRetryRequest the legacy session ID values
will differ between the first and second ClientHello messages, which is
not permitted by the RFC.
Fixes an issue talking TLSv1.3 to smtp.mail.yahoo.com.
ok beck@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 82fc50ed9e..22cda1e6be 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.47 2020/04/06 16:28:38 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.48 2020/04/08 16:23:58 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -58,6 +58,19 @@ tls13_client_init(struct tls13_ctx *ctx) | |||
| 58 | 58 | ||
| 59 | arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); | 59 | arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); |
| 60 | 60 | ||
| 61 | /* | ||
| 62 | * The legacy session identifier should either be set to an | ||
| 63 | * unpredictable 32-byte value or zero length... a non-zero length | ||
| 64 | * legacy session identifier triggers compatibility mode (see RFC 8446 | ||
| 65 | * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. | ||
| 66 | */ | ||
| 67 | if (ctx->hs->max_version >= TLS1_3_VERSION) { | ||
| 68 | arc4random_buf(ctx->hs->legacy_session_id, | ||
| 69 | sizeof(ctx->hs->legacy_session_id)); | ||
| 70 | ctx->hs->legacy_session_id_len = | ||
| 71 | sizeof(ctx->hs->legacy_session_id); | ||
| 72 | } | ||
| 73 | |||
| 61 | return 1; | 74 | return 1; |
| 62 | } | 75 | } |
| 63 | 76 | ||
| @@ -176,14 +189,6 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) | |||
| 176 | if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) | 189 | if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) |
| 177 | goto err; | 190 | goto err; |
| 178 | 191 | ||
| 179 | /* Either 32-random bytes or zero length... */ | ||
| 180 | if (ctx->hs->max_version >= TLS1_3_VERSION) { | ||
| 181 | arc4random_buf(ctx->hs->legacy_session_id, | ||
| 182 | sizeof(ctx->hs->legacy_session_id)); | ||
| 183 | ctx->hs->legacy_session_id_len = | ||
| 184 | sizeof(ctx->hs->legacy_session_id); | ||
| 185 | } | ||
| 186 | |||
| 187 | if (!CBB_add_u8_length_prefixed(cbb, &session_id)) | 192 | if (!CBB_add_u8_length_prefixed(cbb, &session_id)) |
| 188 | goto err; | 193 | goto err; |
| 189 | if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, | 194 | if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, |