From 6b9adcf89cc2130fb9b26ac8e68e18a16ae477b7 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 25 Jan 2020 09:20:56 +0000
Subject: It is possible to receive a pre-TLSv1.3 alert in response to a
 TLSv1.3 client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@
---
 src/lib/libssl/tls13_client.c       |  8 +++++++-
 src/lib/libssl/tls13_internal.h     |  3 ++-
 src/lib/libssl/tls13_record_layer.c | 17 +++++++++++++++--
 3 files changed, 24 insertions(+), 4 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 20b3038b93..737a1015a5 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.32 2020/01/23 11:06:59 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.33 2020/01/25 09:20:56 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -209,6 +209,9 @@ tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 	if (ctx->hs->min_version < TLS1_2_VERSION)
 		tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
 
+	/* We may receive a pre-TLSv1.3 alert in response to the client hello. */
+	tls13_record_layer_allow_legacy_alerts(ctx->rl, 1);
+
 	if (!tls13_client_hello_build(ctx, cbb))
 		return 0;
 
@@ -306,6 +309,9 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 		return tls13_use_legacy_client(ctx);
 	}
 
+	/* From here on in we know we are doing TLSv1.3. */
+	tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);
+
 	if (!tlsext_client_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_SH)) {
 		ctx->alert = alert_desc;
 		goto err;
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 4ff2df6e97..9aabc409d8 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.53 2020/01/24 08:21:24 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.54 2020/01/25 09:20:56 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -122,6 +122,7 @@ struct tls13_record_layer *tls13_record_layer_new(tls13_read_cb wire_read,
     tls13_phh_sent_cb phh_sent_cb, void *cb_arg);
 void tls13_record_layer_free(struct tls13_record_layer *rl);
 void tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow);
+void tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow);
 void tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs);
 void tls13_record_layer_set_aead(struct tls13_record_layer *rl,
     const EVP_AEAD *aead);
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index e5f8ba8859..7d882924bc 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.25 2020/01/24 04:36:29 beck Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.26 2020/01/25 09:20:56 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -29,9 +29,11 @@ static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
 
 struct tls13_record_layer {
 	uint16_t legacy_version;
+
 	int ccs_allowed;
 	int ccs_seen;
 	int handshake_completed;
+	int legacy_alerts_allowed;
 	int phh;
 
 	/*
@@ -206,6 +208,12 @@ tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
 	rl->ccs_allowed = allow;
 }
 
+void
+tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
+{
+	rl->legacy_alerts_allowed = allow;
+}
+
 void
 tls13_record_layer_set_aead(struct tls13_record_layer *rl,
     const EVP_AEAD *aead)
@@ -279,10 +287,15 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
 		rl->read_closed = 1;
 		rl->write_closed = 1;
 		ret = TLS13_IO_ALERT;
-	} else
+	} else if (rl->legacy_alerts_allowed && alert_level == SSL3_AL_WARNING) {
+		/* Ignored and not passed to the callback. */
+		return TLS13_IO_WANT_RETRY;
+	} else {
 		return tls13_send_alert(rl, SSL_AD_ILLEGAL_PARAMETER);
+	}
 
 	rl->alert_cb(alert_desc, rl->cb_arg);
+
 	return ret;
 }
 
-- 
cgit v1.2.3-55-g6feb