mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-05 09:40:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Separate accepting TLS 1.3 middlebox compatibility from sending it

Browse Source 
The compile-time option MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE gates both
support for interoperability with a peer that uses middlebox compatibility
mode, and support for activating that mode ourselves. Change code that is
only needed for interoperability to be guarded by
MBEDTLS_SSL_TLS1_3_ACCEPT_COMPATIBILITY_MODE.

As of this commit, MBEDTLS_SSL_TLS1_3_ACCEPT_COMPATIBILITY_MODE is always
enabled: there is no way to disable it, and there are no tests with it
disabled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2024-09-13 13:44:29 +02:00
parent 365296aace
commit 78df03aaa5
2 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
library/ssl_misc.h
View File

@ -65,6 +65,13 @@
/* Faked handshake message identity for HelloRetryRequest. */
#define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
/* TLS 1.3: Interoperate with peers that support middlebox compatibility
* mode, but don't produce the relevant messages ourselves.
*
* This is always enabled (with effect only when TLS 1.3 is enabled).
*/
#define MBEDTLS_SSL_TLS1_3_ACCEPT_COMPATIBILITY_MODE
/*
* Internal identity of handshake extensions
*/

4
library/ssl_msg.c
View File

@ -5066,7 +5066,7 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
#if defined(MBEDTLS_SSL_TLS1_3_ACCEPT_COMPATIBILITY_MODE)
MBEDTLS_SSL_DEBUG_MSG(1,
("Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"));
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
@ -5074,7 +5074,7 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(1,
("ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
#endif /* MBEDTLS_SSL_TLS1_3_ACCEPT_COMPATIBILITY_MODE */
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
}