Disable TLS 1.3 compatibility mode for QUIC.
Bug: 335
Change-Id: Ic22dafbc4ada3af56260bc7213f0078876e56c3d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41244
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index d77a971..9625b8e 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -416,17 +416,20 @@
return ssl_hs_error;
}
- if (ssl->session != nullptr &&
- !ssl->s3->initial_handshake_complete &&
- ssl->session->session_id_length > 0) {
- hs->session_id_len = ssl->session->session_id_length;
- OPENSSL_memcpy(hs->session_id, ssl->session->session_id,
- hs->session_id_len);
- } else if (hs->max_version >= TLS1_3_VERSION) {
- // Initialize a random session ID.
- hs->session_id_len = sizeof(hs->session_id);
- if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
- return ssl_hs_error;
+ // Never send a session ID in QUIC. QUIC uses TLS 1.3 at a minimum and
+ // disables TLS 1.3 middlebox compatibility mode.
+ if (ssl->quic_method == nullptr) {
+ if (ssl->session != nullptr && !ssl->s3->initial_handshake_complete &&
+ ssl->session->session_id_length > 0) {
+ hs->session_id_len = ssl->session->session_id_length;
+ OPENSSL_memcpy(hs->session_id, ssl->session->session_id,
+ hs->session_id_len);
+ } else if (hs->max_version >= TLS1_3_VERSION) {
+ // Initialize a random session ID.
+ hs->session_id_len = sizeof(hs->session_id);
+ if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
+ return ssl_hs_error;
+ }
}
}
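Review bot: The QUIC branch leaves `hs->session_id_len` implicit — nothing inside the new `if (ssl->quic_method == nullptr)` block sets it to zero when a QUIC method is present, so the empty legacy_session_id depends on the handshake state having been zero-initialized earlier and never reused. I would make the invariant local with `} else { hs->session_id_len = 0; }` and extend the comment to say that the QUIC-TLS mapping (now RFC 9001 §8.4) forbids a client from requesting compatibility mode, so a non-empty value here is a protocol violation rather than an interop nicety. The comment's claim that QUIC uses TLS 1.3 at a minimum is not enforced in this hunk; if a cached session carrying a non-empty ID could reach this path with a QUIC method, the new code silently drops the ID instead of rejecting the session, which is presumably handled by a version floor elsewhere. The server-side counterpart — rejecting, or at least not echoing, a non-empty legacy_session_id from a QUIC client — is not in this file section either. The enclosing function starts before and ends after the hunk.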