From 749a01f8891ca00e2929f61e3401dfe34c0035e5 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 25 Jan 2020 14:23:27 +0000
Subject: Only perform the downgrade check if our max version is less than
TLSv1.3.
Issue noticed by kn@ when talking to a TLSv1.3 capable mail server, but
with smtpd capping max version to TLSv1.2.
ok beck@
---
src/lib/libssl/tls13_client.c | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
(limited to 'src')
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 737a1015a5..fb21b54621 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.33 2020/01/25 09:20:56 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.34 2020/01/25 14:23:27 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -288,20 +288,22 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
goto err;
if (tls13_server_hello_is_legacy(cbs)) {
- /*
- * RFC 8446 section 4.1.3, We must not downgrade if
- * the server random value contains the TLS 1.2 or 1.1
- * magical value.
- */
- if (!CBS_skip(&server_random, CBS_len(&server_random) -
- sizeof(tls13_downgrade_12)))
- goto err;
- if (CBS_mem_equal(&server_random, tls13_downgrade_12,
- sizeof(tls13_downgrade_12)) ||
- CBS_mem_equal(&server_random, tls13_downgrade_11,
- sizeof(tls13_downgrade_11))) {
- ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
- goto err;
+ if (ctx->hs->max_version >= TLS1_3_VERSION) {
+ /*
+ * RFC 8446 section 4.1.3, We must not downgrade if
+ * the server random value contains the TLS 1.2 or 1.1
+ * magical value.
+ */
+ if (!CBS_skip(&server_random, CBS_len(&server_random) -
+ sizeof(tls13_downgrade_12)))
+ goto err;
+ if (CBS_mem_equal(&server_random, tls13_downgrade_12,
+ sizeof(tls13_downgrade_12)) ||
+ CBS_mem_equal(&server_random, tls13_downgrade_11,
+ sizeof(tls13_downgrade_11))) {
+ ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+ goto err;
+ }
}
if (!CBS_skip(cbs, CBS_len(cbs)))
--
cgit v1.2.3-55-g6feb