commit dfbc1a9769ecad4c2839bba772e49297f8ede7c7
author Gilles Peskine <Gilles.Peskine@arm.com> Fri Sep 13 16:03:20 2024 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Tue Sep 24 18:59:31 2024 +0200
tree 46c637f510e3374759d4a4e9a6d2b8ffd797f3aa
parent 6f03eb8ae13ebd933f6818564fa5cf58885d8c8c

Remove transitional always-on internal option

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

library/ssl_misc.h

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 23d7b22..47e56e8 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -65,13 +65,6 @@
 /* Faked handshake message identity for HelloRetryRequest. */
 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
 
-/* TLS 1.3: Interoperate with peers that support middlebox compatibility
- * mode, but don't produce the relevant messages ourselves.
- *
- * This is always enabled (with effect only when TLS 1.3 is enabled).
- */
-#define MBEDTLS_SSL_TLS1_3_ACCEPT_COMPATIBILITY_MODE
-
 /*
  * Internal identity of handshake extensions
  */

library/ssl_msg.c

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 86463bc..b1fc27e 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5066,15 +5066,9 @@
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
         if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
-#if defined(MBEDTLS_SSL_TLS1_3_ACCEPT_COMPATIBILITY_MODE)
             MBEDTLS_SSL_DEBUG_MSG(1,
                                   ("Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"));
             return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
-#else
-            MBEDTLS_SSL_DEBUG_MSG(1,
-                                  ("ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"));
-            return MBEDTLS_ERR_SSL_INVALID_RECORD;
-#endif /* MBEDTLS_SSL_TLS1_3_ACCEPT_COMPATIBILITY_MODE */
         }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
     }