author | Ingela Anderton Andin <ingela@erlang.org> | 2023-02-15 10:56:01 +0100 |
committer | Ingela Anderton Andin <ingela@erlang.org> | 2023-02-15 12:06:58 +0100 |
commit | 2ad32862c6532f69b4ee5b95ef2620f20bee0552 (patch) | |
tree | 820a75ea22eb73b3782f5a93e3b08757b83e3baa | |
parent | f17ccd2dffb651599c9e55b1550ce45c0ba92af8 (diff) | |
download | erlang-2ad32862c6532f69b4ee5b95ef2620f20bee0552.tar.gz |
ssl: Adjust assert of middlebox change_cipher_spec for better interop
To ensure interoperability, assert the middlebox change_cipher_spec after processing a
hello_retry_request instead of before.
-rw-r--r-- | lib/ssl/src/tls_connection_1_3.erl | 6 | ||||
-rw-r--r-- | lib/ssl/src/tls_handshake_1_3.erl | 14 |
2 files changed, 15 insertions, 5 deletions
diff --git a/lib/ssl/src/tls_connection_1_3.erl b/lib/ssl/src/tls_connection_1_3.erl
index 51b964a27e..a04f2d7e46 100644
--- a/lib/ssl/src/tls_connection_1_3.erl
+++ b/lib/ssl/src/tls_connection_1_3.erl
@@ -453,8 +453,8 @@ wait_sh(internal, #server_hello{} = Hello,
#alert{} = Alert ->
ssl_gen_statem:handle_own_alert(Alert, wait_sh, State0);
{State1 = #state{}, start, ServerHello} ->
- %% hello_retry_request : assert middlebox before going back to start
- {next_state, hello_retry_middlebox_assert, State1, [{next_event, internal, ServerHello}]};
+ %% hello_retry_request: go to start
+ {next_state, start, State1, [{next_event, internal, ServerHello}]};
{State1, wait_ee} when IsRetry == true ->
tls_gen_connection:next_event(wait_ee, no_record, State1);
{State1, wait_ee} when IsRetry == false ->
@@ -477,7 +477,7 @@ hello_middlebox_assert(Type, Msg, State) ->
hello_retry_middlebox_assert(enter, _, State) ->
{keep_state, State};
hello_retry_middlebox_assert(internal, #change_cipher_spec{}, State) ->
- tls_gen_connection:next_event(start, no_record, State);
+ tls_gen_connection:next_event(wait_sh, no_record, State);
hello_retry_middlebox_assert(internal, #server_hello{}, State) ->
tls_gen_connection:next_event(?FUNCTION_NAME, no_record, State, [postpone]);
hello_retry_middlebox_assert(info, Msg, State) ->
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 025dbce72c..6cd3f623e5 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -745,6 +745,7 @@ do_start(#server_hello{cipher_suite = SelectedCipherSuite,
handshake_env = #handshake_env{renegotiation = {Renegotiation, _},
ocsp_stapling_state = OcspState},
connection_env = #connection_env{negotiated_version = NegotiatedVersion},
+ protocol_specific = PS,
ssl_options = #{ciphers := ClientCiphers,
supported_groups := ClientGroups0,
use_ticket := UseTicket,
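Review bot: The replacement comment on the `start` transition in wait_sh drops the reason the middlebox assert no longer happens here, which the old comment carried; a reader now has to find the new `case` in tls_handshake_1_3:do_start to learn where the dummy change_cipher_spec is checked. Suggest `%% hello_retry_request: go back to start; the middlebox change_cipher_spec is asserted after the HRR has been processed (see tls_handshake_1_3:do_start)`. The enclosing wait_sh clause begins before and ends after this hunk.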
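Review bot: After this change the only visible exit from hello_retry_middlebox_assert is the `#change_cipher_spec{}` clause; a `#server_hello{}` is postponed and the `info` clause continues outside the hunk. If no other clause provides a timeout or an alert, a server that omits the dummy change_cipher_spec after its HelloRetryRequest would leave the client postponing the ServerHello indefinitely instead of failing with a clear error, which is worth confirming now that this state sits on the path to wait_sh. A header comment naming the state's contract would also help, e.g. `%% Middlebox compatibility mode (RFC 8446, Appendix D.4): the server sends a dummy change_cipher_spec right after its HelloRetryRequest; expect it here, then continue to wait_sh.`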
@@ -818,8 +819,17 @@ do_start(#server_hello{cipher_suite = SelectedCipherSuite,
handshake_env = HsEnv#handshake_env{tls_handshake_history = HHistory},
key_share = ClientKeyShare},
- {State, wait_sh}
-
+ %% If it is a hello_retry and middlebox mode is
+ %% used assert the change_cipher_spec message
+ %% that the server should send next
+ case (maps:get(hello_retry, PS, false)) andalso
+ (maps:get(middlebox_comp_mode, SslOpts, true))
+ of
+ true ->
+ {State, hello_retry_middlebox_assert};
+ false ->
+ {State, wait_sh}
+ end
catch
{Ref, #alert{} = Alert} ->
Alert |
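Review bot: The new `case` reads `hello_retry` from the protocol_specific map with a default of `false`, but nothing in the hunk shows where that key is set or that it is already `true` when do_start runs for the HelloRetryRequest; if it is only set after this function returns, the condition is false on the HRR pass and the assert never runs, so the setter is worth checking. Stylistically the parentheses around each `maps:get/3` call are redundant and the dangling `of` reads oddly; `case maps:get(hello_retry, PS, false) andalso maps:get(middlebox_comp_mode, SslOpts, true) of` on one line is clearer. The comment could also cite the source of the expectation, e.g. `%% RFC 8446, Appendix D.4: in middlebox compatibility mode the server sends a dummy change_cipher_spec immediately after its HelloRetryRequest`. `SslOpts` is bound outside the hunk, and do_start continues past the end of the hunk on both sides.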