The legacy_record_version must be set to TLS1_2_VERSION except

in the ClientHello where it may be set to TLS1_VERSION.  Use
the minimal supported version to decide whether we choose to do
so or not. Use a sent hook to set it back TLS1_2_VERSION right
after the ClientHello message is on the wire.

ok beck jsing

4 files changed, 30 insertions, 9 deletions

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index ed9a69918a..e0041eadae 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.23 2020/01/22 02:21:05 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.24 2020/01/22 02:39:45 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -199,6 +199,9 @@ tls13_client_hello_send(struct tls13_ctx *ctx)
 {
         CBB body;
 
+        if (ctx->hs->min_version < TLS1_2_VERSION)
+                tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
+
         if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_CLIENT_HELLO))
                 return 0;
         if (!tls13_client_hello_build(ctx->ssl, &body))
@@ -209,6 +212,14 @@ tls13_client_hello_send(struct tls13_ctx *ctx)
         return 1;
 }
 
+int
+tls13_client_hello_sent(struct tls13_ctx *ctx)
+{
+        tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
+
+        return 1;
+}
+
 /*
  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
  */
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 48a01d3ca4..ca36f879b4 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.38 2020/01/21 03:40:05 beck Exp $       */
+/*      $OpenBSD: tls13_handshake.c,v 1.39 2020/01/22 02:39:45 tb Exp $ */
 /*
  * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -53,6 +53,7 @@ struct tls13_handshake_action state_machine[] = {
                 .handshake_type = TLS13_MT_CLIENT_HELLO,
                 .sender = TLS13_HS_CLIENT,
                 .send = tls13_client_hello_send,
+                .sent = tls13_client_hello_sent,
                 .recv = tls13_client_hello_recv,
         },
         [CLIENT_HELLO_RETRY] = {
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 167ed1f254..1eb05b7100 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.41 2020/01/22 02:21:05 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.42 2020/01/22 02:39:45 tb Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -122,6 +122,8 @@ void tls13_record_layer_set_aead(struct tls13_record_layer *rl,
     const EVP_AEAD *aead);
 void tls13_record_layer_set_hash(struct tls13_record_layer *rl,
     const EVP_MD *hash);
+void tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
+    uint16_t version);
 void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl);
 int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl,
     struct tls13_secret *read_key);
@@ -253,6 +255,7 @@ int tls13_legacy_shutdown(SSL *ssl);
 int tls13_handshake_perform(struct tls13_ctx *ctx);
 
 int tls13_client_hello_send(struct tls13_ctx *ctx);
+int tls13_client_hello_sent(struct tls13_ctx *ctx);
 int tls13_client_hello_recv(struct tls13_ctx *ctx);
 int tls13_client_hello_retry_send(struct tls13_ctx *ctx);
 int tls13_client_hello_retry_recv(struct tls13_ctx *ctx);
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index dff5cd2bbe..600990a878 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.19 2020/01/22 01:02:28 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.20 2020/01/22 02:39:45 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -28,6 +28,7 @@ static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
     uint8_t content_type, const uint8_t *content, size_t content_len);
 
 struct tls13_record_layer {
+        uint16_t legacy_version;
         int change_cipher_spec_seen;
         int handshake_completed;
         int phh;
@@ -124,6 +125,8 @@ tls13_record_layer_new(tls13_read_cb wire_read, tls13_write_cb wire_write,
         if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL)
                 return NULL;
 
+        rl->legacy_version = TLS1_2_VERSION;
+
         rl->wire_read = wire_read;
         rl->wire_write = wire_write;
         rl->alert_cb = alert_cb;
@@ -211,6 +214,13 @@ tls13_record_layer_set_hash(struct tls13_record_layer *rl,
 }
 
 void
+tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl,
+    uint16_t version)
+{
+        rl->legacy_version = version;
+}
+
+void
 tls13_record_layer_handshake_completed(struct tls13_record_layer *rl)
 {
         rl->handshake_completed = 1;
@@ -563,15 +573,11 @@ tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
 {
         uint8_t *data = NULL;
         size_t data_len = 0;
-        uint16_t version;
         CBB cbb, body;
 
         if (rl->aead != NULL)
                 return 0;
 
-        /* XXX - TLS1_VERSION for first client hello... */
-        version = TLS1_2_VERSION;
-
         /*
          * We're still operating in plaintext mode, so just copy the
          * content into the record.
@@ -581,7 +587,7 @@ tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl,
 
         if (!CBB_add_u8(&cbb, content_type))
                 goto err;
-        if (!CBB_add_u16(&cbb, version))
+        if (!CBB_add_u16(&cbb, rl->legacy_version))
                 goto err;
         if (!CBB_add_u16_length_prefixed(&cbb, &body))
                 goto err;