From 62a1f3a5f30834cae9924b9bf74062621b5eea7a Mon Sep 17 00:00:00 2001 From: jsing <> Date: Wed, 8 Apr 2020 16:23:58 +0000 Subject: Ensure legacy session ID is persistent during client TLS session. Generate an unpredictable 32-byte legacy session ID during client initialisation, rather than when the ClientHello message is being created. Otherwise in the case of a HelloRetryRequest the legacy session ID values will differ between the first and second ClientHello messages, which is not permitted by the RFC. Fixes an issue talking TLSv1.3 to smtp.mail.yahoo.com. ok beck@ --- src/lib/libssl/tls13_client.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 82fc50ed9e..22cda1e6be 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.47 2020/04/06 16:28:38 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.48 2020/04/08 16:23:58 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -58,6 +58,19 @@ tls13_client_init(struct tls13_ctx *ctx) arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); + /* + * The legacy session identifier should either be set to an + * unpredictable 32-byte value or zero length... a non-zero length + * legacy session identifier triggers compatibility mode (see RFC 8446 + * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. + */ + if (ctx->hs->max_version >= TLS1_3_VERSION) { + arc4random_buf(ctx->hs->legacy_session_id, + sizeof(ctx->hs->legacy_session_id)); + ctx->hs->legacy_session_id_len = + sizeof(ctx->hs->legacy_session_id); + } + return 1; } 
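Review bot: The comment added in tls13_client_init explains compatibility mode but not why the value is generated at init time, which is the invariant this commit establishes. Without that, a later change could move the arc4random_buf() call back into tls13_client_hello_build and reintroduce differing legacy session IDs across a HelloRetryRequest. I would extend the comment with a line such as `* Generated once at client init so that the ClientHello sent after a HelloRetryRequest carries the same value.` The new guard also reads `ctx->hs->max_version`, so it relies on that field being populated earlier in the function, which starts outside this hunk. If it were still unset at this point, the ID would stay zero length and compatibility mode would silently be skipped, so that ordering is worth confirming.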
@@ -176,14 +189,6 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) goto err; - /* Either 32-random bytes or zero length... */ - if (ctx->hs->max_version >= TLS1_3_VERSION) { - arc4random_buf(ctx->hs->legacy_session_id, - sizeof(ctx->hs->legacy_session_id)); - ctx->hs->legacy_session_id_len = - sizeof(ctx->hs->legacy_session_id); - } - if (!CBB_add_u8_length_prefixed(cbb, &session_id)) goto err; if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, -- cgit v1.2.3-55-g6feb