author | 2020-05-11 18:03:51 +0000 | |
---|---|---|
committer | 2020-05-11 18:03:51 +0000 | |
commit | 204f36c2801813e90c79fe8b14e633e73b4bb770 (patch) | |
tree | 93d42a200e665575a33d8b8bb0ad541663e5ddbd /lib/libssl/tls13_record.c | |
parent | More accurate remaining power reporting with disparate batteries (diff) | |
Add record version checks.
When legacy version is below TLSv1.2 ensure that the record version is
SSL3/TLS, however when the legacy version is set to TLSv1.2 require this
specifically.
ok beck@ tb@
Diffstat (limited to 'lib/libssl/tls13_record.c')
-rw-r--r-- | lib/libssl/tls13_record.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libssl/tls13_record.c b/lib/libssl/tls13_record.c
index 9ab4cdba36e..ca61a94ff1e 100644
--- a/lib/libssl/tls13_record.c
+++ b/lib/libssl/tls13_record.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record.c,v 1.4 2020/02/15 14:36:58 jsing Exp $ */
+/* $OpenBSD: tls13_record.c,v 1.5 2020/05/11 18:03:51 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -146,6 +146,8 @@ tls13_record_recv(struct tls13_record *rec, tls13_read_cb wire_read,
 return TLS13_IO_FAILURE;
 /* XXX - record overflow alert. */
+ if ((rec_version >> 8) != SSL3_VERSION_MAJOR)
+ return TLS13_IO_RECORD_VERSION;
 if (rec_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
 return TLS13_IO_FAILURE; |
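Review bot: In the second hunk the added major-version check lands directly under `/* XXX - record overflow alert. */`, which describes the `rec_len` test that follows, so the comment now reads as if it belonged to the version check. Move the two new lines above that comment, or give them their own, e.g. `/* Reject non-SSL3/TLS record versions before looking at rec_len. */`. Only the high byte of `rec_version` is compared here, so any 0x03xx value is accepted at this layer; the exact TLSv1.2 requirement described in the commit message is presumably enforced by a caller that this single-file diff does not show. It is worth confirming that callers treat `TLS13_IO_RECORD_VERSION` distinctly from `TLS13_IO_FAILURE` and do not fall through a generic error path. The body of tls13_record_recv starts and ends outside the hunk.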