crypto/tls: enforce 1.3 record version semantics

1.3 expects the record version is always 1.2 (0x0303), this previously wasn't enforced. Change-Id: I8bc88f588e76f9b862b57601336bb5c5ff08b30e Reviewed-on: https://go-review.googlesource.com/c/go/+/485876 Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
2025-04-03 20:17:36 +03:00 · 2023-04-18 10:24:32 -07:00 · 2023-04-18 10:24:32 -07:00 · 32e60edd6d
commit 32e60edd6d
parent a7a5e52760
2 changed files with 40 additions and 2 deletions
--- a/conn_test.go
+++ b/conn_test.go
@ -285,3 +285,35 @@ func TestHairpinInClose(t *testing.T) {
 	// This call should not deadlock.
 	tlsConn.Close()
 }
+
+func TestRecordBadVersionTLS13(t *testing.T) {
+	client, server := localPipe(t)
+	defer server.Close()
+	defer client.Close()
+
+	config := testConfig.Clone()
+	config.MinVersion, config.MaxVersion = VersionTLS13, VersionTLS13
+
+	go func() {
+		tlsConn := Client(client, config)
+		if err := tlsConn.Handshake(); err != nil {
+			t.Errorf("Error from client handshake: %v", err)
+			return
+		}
+		tlsConn.vers = 0x1111
+		tlsConn.Write([]byte{1})
+	}()
+
+	tlsConn := Server(server, config)
+	if err := tlsConn.Handshake(); err != nil {
+		t.Errorf("Error from client handshake: %v", err)
+		return
+	}
+
+	expectedErr := "tls: received record with version 1111 when expecting version 303"
+
+	_, err := tlsConn.Read(make([]byte, 10))
+	if err.Error() != expectedErr {
+		t.Fatalf("unexpected error: got %q, want %q", err, expectedErr)
+	}
+}