TLSv1.3 server: avoid sending alerts in legacy records

As soon as we know that we're dealing with a TLSv1.3 client, set
the legacy version in the record layer to 0x0303 so that we send
alerts with the correct record version.  Previously we would send
early alerts with a record version of 0x0300.

ok jsing

1 files changed, 4 insertions, 3 deletions

diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 40454f8163..19ad0af487 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.76 2021/05/16 14:10:43 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.77 2021/06/08 17:41:52 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -165,6 +165,9 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
         }
         ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
 
+        /* Ensure we send subsequent alerts with the correct record version. */
+        tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
+
         /* Add decoded values to the current ClientHello hash */
         if (!tls13_clienthello_hash_init(ctx)) {
                 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
@@ -282,8 +285,6 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
         if (s->method->internal->version < TLS1_3_VERSION)
                 return 1;
 
-        tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
-
         /*
          * If a matching key share was provided, we do not need to send a
          * HelloRetryRequest.