Switch back to the legacy stack where the maximum is less than TLSv1.3.

This allows a server configured to only support TLSv1.2 and earlier, to correctly handle connections from a TLSv1.3 capable client. Issue reported by pvk@ ok inoguchi@ tb@
author: jsing <> 2020-05-13 17:53:15 +0000
committer: jsing <> 2020-05-13 17:53:15 +0000
commit: f6ec5bc3dcc9fa827f0aa4e61d3f864d41202d94 (patch)
tree: 0ff0eb0bda38440abe92bbc5472954e54183d52a
parent: eb0ad25bdc106121c23e0c23319707057b42c380 (diff)
download: openbsd-f6ec5bc3dcc9fa827f0aa4e61d3f864d41202d94.tar.gz
openbsd-f6ec5bc3dcc9fa827f0aa4e61d3f864d41202d94.tar.bz2
openbsd-f6ec5bc3dcc9fa827f0aa4e61d3f864d41202d94.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index ec612df90e..cd5f19afeb 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.45 2020/05/11 17:49:46 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.46 2020/05/13 17:53:15 jsing Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -115,7 +115,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
        if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
                goto err;
-        if (tls13_client_hello_is_legacy(cbs)) {
+        if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) {
                if (!CBS_skip(cbs, CBS_len(cbs)))
                        goto err;
                return tls13_use_legacy_server(ctx);
author	jsing <>	2020-05-13 17:53:15 +0000
committer	jsing <>	2020-05-13 17:53:15 +0000
commit	f6ec5bc3dcc9fa827f0aa4e61d3f864d41202d94 (patch)
tree	0ff0eb0bda38440abe92bbc5472954e54183d52a
parent	eb0ad25bdc106121c23e0c23319707057b42c380 (diff)
download	openbsd-f6ec5bc3dcc9fa827f0aa4e61d3f864d41202d94.tar.gz openbsd-f6ec5bc3dcc9fa827f0aa4e61d3f864d41202d94.tar.bz2 openbsd-f6ec5bc3dcc9fa827f0aa4e61d3f864d41202d94.zip

diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index ec612df90e..cd5f19afeb 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_server.c,v 1.45 2020/05/11 17:49:46 jsing Exp $ */	1	/* $OpenBSD: tls13_server.c,v 1.46 2020/05/13 17:53:15 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -115,7 +115,7 @@ tls13_client_hello_process(struct tls13_ctx ctx, CBS cbs)
115	if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))	115	if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
116	goto err;	116	goto err;
117		117
118	if (tls13_client_hello_is_legacy(cbs)) {	118	if (tls13_client_hello_is_legacy(cbs) \|\| s->version < TLS1_3_VERSION) {
119	if (!CBS_skip(cbs, CBS_len(cbs)))	119	if (!CBS_skip(cbs, CBS_len(cbs)))
120	goto err;	120	goto err;
121	return tls13_use_legacy_server(ctx);	121	return tls13_use_legacy_server(ctx);