mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-05 21:17:35 +03:00
Code Issues Projects Releases Packages Wiki Activity

crypto/tls: enforce 1.3 record version semantics

Browse source 
1.3 expects the record version is always 1.2 (0x0303), this previously
wasn't enforced.

Change-Id: I8bc88f588e76f9b862b57601336bb5c5ff08b30e
Reviewed-on: https://go-review.googlesource.com/c/go/+/485876
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
This commit is contained in:
Roland Shoemaker 2023-04-18 10:24:32 -07:00 committed by Gopher Robot
parent a7a5e52760
commit 32e60edd6d
2 changed files with 40 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

10
conn.go
View file

@ -639,10 +639,16 @@ func (c *Conn) readRecordOrCCS(expectChangeCipherSpec bool) error {
} }
vers := uint16(hdr[1])<<8 | uint16(hdr[2]) vers := uint16(hdr[1])<<8 | uint16(hdr[2])
expectedVers := c.vers
if expectedVers == VersionTLS13 {
// All TLS 1.3 records are expected to have 0x0303 (1.2) after
// the initial hello (RFC 8446 Section 5.1).
expectedVers = VersionTLS12
}
n := int(hdr[3])<<8 | int(hdr[4]) n := int(hdr[3])<<8 | int(hdr[4])
if c.haveVers && c.vers != VersionTLS13 && vers != c.vers { if c.haveVers && vers != expectedVers {
c.sendAlert(alertProtocolVersion) c.sendAlert(alertProtocolVersion)
msg := fmt.Sprintf("received record with version %x when expecting version %x", vers, c.vers) msg := fmt.Sprintf("received record with version %x when expecting version %x", vers, expectedVers)
return c.in.setErrorLocked(c.newRecordHeaderError(nil, msg)) return c.in.setErrorLocked(c.newRecordHeaderError(nil, msg))
} }
if !c.haveVers { if !c.haveVers {

32
conn_test.go
View file

@ -285,3 +285,35 @@ func TestHairpinInClose(t *testing.T) {
// This call should not deadlock. // This call should not deadlock.
tlsConn.Close() tlsConn.Close()
} }
func TestRecordBadVersionTLS13(t *testing.T) {
client, server := localPipe(t)
defer server.Close()
defer client.Close()
config := testConfig.Clone()
config.MinVersion, config.MaxVersion = VersionTLS13, VersionTLS13
go func() {
tlsConn := Client(client, config)
if err := tlsConn.Handshake(); err != nil {
t.Errorf("Error from client handshake: %v", err)
return
}
tlsConn.vers = 0x1111
tlsConn.Write([]byte{1})
}()
tlsConn := Server(server, config)
if err := tlsConn.Handshake(); err != nil {
t.Errorf("Error from client handshake: %v", err)
return
}
expectedErr := "tls: received record with version 1111 when expecting version 303"
_, err := tlsConn.Read(make([]byte, 10))
if err.Error() != expectedErr {
t.Fatalf("unexpected error: got %q, want %q", err, expectedErr)
}
}