Allow TLSv1.3 clients to send CCS without middlebox compatibility mode.

While RFC 8446 is clear about what legacy session identifiers can be sent
by a TLSv1.3 client and how middlebox compatibility mode is requested, it
is delightfully vague about the circumstances under which a client is
permitted to send CCS messages. While it does not make sense for a client
to send CCS messages when they are not requesting middlebox compatibility
mode, it is not strictly forbidden by the RFC and at least one (unknown)
TLSv1.3 stack has been observed to do this in the wild.

Revert part of the previous change and allow clients to send CCS messages,
even if they are not requesting middlebox compatibility mode.

Found the hard way by florian@

ok tb@

diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index b1612a8..8235070 100644 (file)
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.102 2022/09/11 14:39:44 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.103 2022/09/17 17:14:06 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -318,9 +318,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
        if (ctx->hs->key_share != NULL)
                ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
 
-       /* Only allow CCS if client requested middlebox compatibility mode. */
-       if (ctx->hs->tls13.legacy_session_id_len > 0)
-               tls13_record_layer_allow_ccs(ctx->rl, 1);
+       tls13_record_layer_allow_ccs(ctx->rl, 1);
 
        return 1;