From 932b432c3b9e9c407ff00712d9587cdd1bdfd76a Mon Sep 17 00:00:00 2001
From: beck <>
Date: Thu, 23 Jan 2020 06:15:44 +0000
Subject: Save the legacy session id in the client, and enforce that it is returned the same from the server. ok jsing@ tb@
---
 src/lib/libssl/ssl_locl.h | 6 +++++-
 src/lib/libssl/tls13_client.c | 19 +++++++++++++------
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 8649f651fa..2c774a3d77 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.253 2020/01/23 03:17:40 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.254 2020/01/23 06:15:44 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -469,6 +469,10 @@ typedef struct ssl_handshake_tls13_st {
 /* Preserved transcript hash. */
 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
 size_t transcript_hash_len;
+
+ /* Legacy session ID. */
+ uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+ size_t legacy_session_id_len;
 } SSL_HANDSHAKE_TLS13;

 typedef struct ssl_ctx_internal_st {
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 1d59f33279..cab113b8c3 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.29 2020/01/23 02:24:38 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.30 2020/01/23 06:15:44 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -157,7 +157,6 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 CBB cipher_suites, compression_methods, session_id;
 uint16_t client_version;
 SSL *s = ctx->ssl;
- uint8_t *sid;

 /* Legacy client version is capped at TLS 1.2. */
 client_version = ctx->hs->max_version;
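Review bot: The new fields in SSL_HANDSHAKE_TLS13 (ssl_locl.h, second hunk) are documented only as `/* Legacy session ID. */`, which does not say whose value is stored or who checks it. The tls13_client.c hunks in this commit write it while building the ClientHello and compare the ServerHello's session id against it, so a comment such as `/* Legacy session ID sent in our ClientHello; the server must echo it. */` would make that contract visible at the declaration. The struct definition starts outside the hunk.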
@@ -170,12 +169,15 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 goto err;

 /* Either 32-random bytes or zero length... */
- /* XXX - session resumption for TLSv1.2? */
+ arc4random_buf(ctx->hs->legacy_session_id,
+ sizeof(ctx->hs->legacy_session_id));
+ ctx->hs->legacy_session_id_len = sizeof(ctx->hs->legacy_session_id);
+
 if (!CBB_add_u8_length_prefixed(cbb, &session_id))
 goto err;
- if (!CBB_add_space(&session_id, &sid, 32))
+ if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
+ ctx->hs->legacy_session_id_len))
 goto err;
- arc4random_buf(sid, 32);

 if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
 goto err;
@@ -315,7 +317,12 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 ctx->hs->server_version = legacy_version;
 }

- /* XXX - session_id must match. */
+ /* The session_id must match. */
+ if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,
+ ctx->hs->legacy_session_id_len)) {
+ ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+ goto err;
+ }

 /*
 * Ensure that the cipher suite is one that we offered in the client
-- 
cgit v1.2.3-55-g6feb
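Review bot: The session id is regenerated on every call to tls13_client_hello_build, so if this builder is also used for a second ClientHello after a HelloRetryRequest (the callers are not visible in the hunk), the retried hello would carry a different legacy_session_id. RFC 8446 section 4.1.2 requires the second ClientHello to be unchanged apart from a listed set of fields, and the session id is not among them. Consider generating the value once, for example by guarding the two new statements with `if (ctx->hs->legacy_session_id_len == 0)` (assuming the handshake struct starts zeroed), or by moving generation to client setup. The retained comment `/* Either 32-random bytes or zero length... */` also no longer matches the code, which now always sends 32 bytes.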
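Review bot: The new comparison in tls13_server_hello_process sits directly after a branch that assigns `ctx->hs->server_version = legacy_version`, and the hunk does not show whether a ServerHello negotiating TLS 1.2 or earlier has been diverted before this point. A pre-1.3 server is not required to echo the client's session id, so if such a message can reach this check the handshake would be aborted with illegal_parameter instead of falling back; the function begins and ends outside the hunk, so this needs confirming against the full body. Separately, the comment would be easier to audit as `/* RFC 8446 section 4.1.3: legacy_session_id_echo must match what we sent. */`, which also explains the choice of alert.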