Add record version checks.

When legacy version is below TLSv1.2 ensure that the record version is SSL3/TLS, however when the legacy version is set to TLSv1.2 require this specifically. ok beck@ tb@
author: jsing <> 2020-05-11 18:03:51 +0000
committer: jsing <> 2020-05-11 18:03:51 +0000
commit: 825d508a4b688821e99561b72a842c81c93b84a5 (patch)
tree: 8db77e997c933fb8987ec9250fff46520b8c6487 /src/lib/libssl/tls13_record_layer.c
parent: 28b584ddd2d0a41bceacbb1c350d790e3a39cd75 (diff)
download: openbsd-825d508a4b688821e99561b72a842c81c93b84a5.tar.gz
openbsd-825d508a4b688821e99561b72a842c81c93b84a5.tar.bz2
openbsd-825d508a4b688821e99561b72a842c81c93b84a5.zip
1 files changed, 12 insertions, 5 deletions
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index e7650b1ecc..8ca52d0b7f 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.39 2020/05/11 17:46:46 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.40 2020/05/11 18:03:51 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -769,11 +769,18 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl)
                        goto err;
        }
-        if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0)
+        if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
+                switch (ret) {
+                case TLS13_IO_RECORD_VERSION:
+                        return tls13_send_alert(rl, SSL_AD_PROTOCOL_VERSION);
+                }
                return ret;
+        }
-        /* XXX - record version checks. */
+ 
+        if (rl->legacy_version == TLS1_2_VERSION &&
+            tls13_record_version(rl->rrec) != TLS1_2_VERSION)
+                return tls13_send_alert(rl, SSL_AD_PROTOCOL_VERSION);
+ 
        content_type = tls13_record_content_type(rl->rrec);
        /*
author	jsing <>	2020-05-11 18:03:51 +0000
committer	jsing <>	2020-05-11 18:03:51 +0000
commit	825d508a4b688821e99561b72a842c81c93b84a5 (patch)
tree	8db77e997c933fb8987ec9250fff46520b8c6487 /src/lib/libssl/tls13_record_layer.c
parent	28b584ddd2d0a41bceacbb1c350d790e3a39cd75 (diff)
download	openbsd-825d508a4b688821e99561b72a842c81c93b84a5.tar.gz openbsd-825d508a4b688821e99561b72a842c81c93b84a5.tar.bz2 openbsd-825d508a4b688821e99561b72a842c81c93b84a5.zip

diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c index e7650b1ecc..8ca52d0b7f 100644 --- a/src/lib/libssl/tls13_record_layer.c +++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_record_layer.c,v 1.39 2020/05/11 17:46:46 jsing Exp $ */	1	/* $OpenBSD: tls13_record_layer.c,v 1.40 2020/05/11 18:03:51 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -769,11 +769,18 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl)
769	goto err;	769	goto err;
770	}	770	}
771		771
772	if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0)	772	if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
		773	switch (ret) {
		774	case TLS13_IO_RECORD_VERSION:
		775	return tls13_send_alert(rl, SSL_AD_PROTOCOL_VERSION);
		776	}
773	return ret;	777	return ret;
774		778	}
775	/* XXX - record version checks. */	779
776		780	if (rl->legacy_version == TLS1_2_VERSION &&
		781	tls13_record_version(rl->rrec) != TLS1_2_VERSION)
		782	return tls13_send_alert(rl, SSL_AD_PROTOCOL_VERSION);
		783
777	content_type = tls13_record_content_type(rl->rrec);	784	content_type = tls13_record_content_type(rl->rrec);
778		785
779	/*	786	/*