It is possible to receive a pre-TLSv1.3 alert in response to a TLSv1.3

client hello.

Allow pre-TLSv1.3 alerts (including warnings) to be received before the
server hello message. Disallow pre-TLSv1.3 alerts as soon as we know that
we are using TLSv1.3.

Noticed by ajacoutot@ while connecting to www.openprinting.org.

ok tb@

3 files changed, 24 insertions, 4 deletions

diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 20b3038b93e..737a1015a56 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.32 2020/01/23 11:06:59 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.33 2020/01/25 09:20:56 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -209,6 +209,9 @@ tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 	if (ctx->hs->min_version < TLS1_2_VERSION)
 		tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
 
+	/* We may receive a pre-TLSv1.3 alert in response to the client hello. */
+	tls13_record_layer_allow_legacy_alerts(ctx->rl, 1);
+
 	if (!tls13_client_hello_build(ctx, cbb))
 		return 0;
 
@@ -306,6 +309,9 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
 		return tls13_use_legacy_client(ctx);
 	}
 
+	/* From here on in we know we are doing TLSv1.3. */
+	tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);
+
 	if (!tlsext_client_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_SH)) {
 		ctx->alert = alert_desc;
 		goto err;
diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h
index 4ff2df6e976..9aabc409d8c 100644
--- a/lib/libssl/tls13_internal.h
+++ b/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.53 2020/01/24 08:21:24 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.54 2020/01/25 09:20:56 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -122,6 +122,7 @@ struct tls13_record_layer *tls13_record_layer_new(tls13_read_cb wire_read,
     tls13_phh_sent_cb phh_sent_cb, void *cb_arg);
 void tls13_record_layer_free(struct tls13_record_layer *rl);
 void tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow);
+void tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow);
 void tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs);
 void tls13_record_layer_set_aead(struct tls13_record_layer *rl,
     const EVP_AEAD *aead);
diff --git a/lib/libssl/tls13_record_layer.c b/lib/libssl/tls13_record_layer.c
index e5f8ba88596..7d882924bc7 100644
--- a/lib/libssl/tls13_record_layer.c
+++ b/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.25 2020/01/24 04:36:29 beck Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.26 2020/01/25 09:20:56 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -29,9 +29,11 @@ static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl,
 
 struct tls13_record_layer {
 	uint16_t legacy_version;
+
 	int ccs_allowed;
 	int ccs_seen;
 	int handshake_completed;
+	int legacy_alerts_allowed;
 	int phh;
 
 	/*
@@ -207,6 +209,12 @@ tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow)
 }
 
 void
+tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow)
+{
+	rl->legacy_alerts_allowed = allow;
+}
+
+void
 tls13_record_layer_set_aead(struct tls13_record_layer *rl,
     const EVP_AEAD *aead)
 {
@@ -279,10 +287,15 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl)
 		rl->read_closed = 1;
 		rl->write_closed = 1;
 		ret = TLS13_IO_ALERT;
-	} else
+	} else if (rl->legacy_alerts_allowed && alert_level == SSL3_AL_WARNING) {
+		/* Ignored and not passed to the callback. */
+		return TLS13_IO_WANT_RETRY;
+	} else {
 		return tls13_send_alert(rl, SSL_AD_ILLEGAL_PARAMETER);
+	}
 
 	rl->alert_cb(alert_desc, rl->cb_arg);
+
 	return ret;
 }