[gnutls-devel] GnuTLS | ClientHello.legacy_session_id is not set even if middlebox compat mode is enabled in TLS 1.3 (#1074)

[Read-only notification of GnuTLS library development activities]

Daiki Ueno created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1074



The RFC suggests that ClientHello.legacy_session_id should be non-empty if TLS 1.3 client supports the middlebox compatibility mode, though GnuTLS client always sends empty session ID while `TLS13_APPENDIX_D4` is defined as 1.  This is because, while the session id is generated in `send_client_hello`, it is not copied to the ClientHello:
```c
#ifdef TLS13_APPENDIX_D4
		if (max_ver->tls13_sem &&
		    session->security_parameters.session_id_size == 0) {

			/* Under TLS1.3 we generate a random session ID to make
			 * the TLS1.3 session look like a resumed TLS1.2 session */
			ret = _gnutls_generate_session_id(session->security_parameters.
							  session_id,
							  &session->security_parameters.
							  session_id_size);
			if (ret < 0) {
				gnutls_assert();
				goto cleanup;
			}
		}
#endif

		/* Copy the Session ID - if any
		 */
		ret = _gnutls_buffer_append_data_prefix(&extdata, 8,
							session->internals.resumed_security_parameters.session_id,
							session_id_len);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}
```
We probably should set the local variable `session_id_len` and also point to `security_parameters.session_id` rather than `resumed_security_parameters.session_id`.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1074
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200825/2bb1f6e4/attachment.html>