From 2d0eb2a93d37902db52673925b3fdf0daff29d39 Mon Sep 17 00:00:00 2001 From: tb Date: Mon, 22 Feb 2021 16:13:31 +0000 Subject: [PATCH] Simplify version checks in the TLSv1.3 client Ensure that the server announced TLSv1.3 (and nothing higher) in the supported_versions extension. In that case, the legacy_version must be TLSv1.2 according to RFC 8446, 4.1.3 and 4.2.1. This commit also removes some unreachable code which is a remnant of very early TLSv1.3 code from before the legacy fallback was introduced. Simplify a few checks and adjust some comments nearby. ok jsing --- lib/libssl/tls13_client.c | 32 ++++++++++---------------------- 1 file changed, 10 insertions(+), 22 deletions(-) diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c index 1f51748147e..38eca61d9a0 100644 --- a/lib/libssl/tls13_client.c +++ b/lib/libssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.70 2021/01/06 20:15:35 tb Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.71 2021/02/22 16:13:31 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -271,25 +271,14 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) } /* - * See if a supported versions extension was returned. If it was then - * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3). - * Otherwise, fallback to the legacy version, ensuring that it is both - * within range and not TLS 1.3 or greater (which must use the - * supported version extension. + * The supported versions extension indicated 0x0304 or greater. + * Ensure that it was 0x0304 and that legacy version is set to 0x0303 + * (RFC 8446 section 4.2.1). */ - if (ctx->hs->server_version != 0) { - if (legacy_version != TLS1_2_VERSION) { - ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; - goto err; - } - } else { - if (legacy_version < ctx->hs->min_version || - legacy_version > ctx->hs->max_version || - legacy_version > TLS1_2_VERSION) { - ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; - goto err; - } - ctx->hs->server_version = legacy_version; + if (ctx->hs->server_version != TLS1_3_VERSION || + legacy_version != TLS1_2_VERSION) { + ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; + goto err; } /* The session_id must match. */ @@ -301,15 +290,14 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) /* * Ensure that the cipher suite is one that we offered in the client - * hello and that it matches the TLS version selected. + * hello and that it is a TLSv1.3 cipher suite. */ cipher = ssl3_get_cipher_by_value(cipher_suite); if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } - if (ctx->hs->server_version == TLS1_3_VERSION && - cipher->algorithm_ssl != SSL_TLSV1_3) { + if (cipher->algorithm_ssl != SSL_TLSV1_3) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } -- 2.20.1