Ignore the record version for early alerts

On receiving the first flight from the peer, we do not yet know if
we are using TLSv1.3. In particular, we might get an alert record
with record version 0x0300 from a pre-TLSv1.2 peer in response to
our client hello. Ignore the record version instead of sending a
protocol version alert in that situtation. This may also be hit
when talking to a LibreSSL 3.3 server with an illegal SNI.

Part of an issue reported by danj.

ok jsing

1 files changed, 10 insertions, 4 deletions

diff --git a/lib/libssl/tls13_record_layer.c b/lib/libssl/tls13_record_layer.c
index ff2a6884b6b..6556547353f 100644
--- a/lib/libssl/tls13_record_layer.c
+++ b/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.61 2021/05/16 14:19:04 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.62 2021/06/08 18:05:47 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -826,12 +826,18 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl)
 		return ret;
 	}
 
+	content_type = tls13_record_content_type(rl->rrec);
+
+	/*
+	 * In response to a client hello we may receive an alert in a
+	 * record with a legacy version. Otherwise enforce that the
+	 * legacy record version is 0x0303 per RFC 8446, section 5.1.
+	 */
 	if (rl->legacy_version == TLS1_2_VERSION &&
-	    tls13_record_version(rl->rrec) != TLS1_2_VERSION)
+	    tls13_record_version(rl->rrec) != TLS1_2_VERSION &&
+	    (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed))
 		return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION);
 
-	content_type = tls13_record_content_type(rl->rrec);
-
 	/*
 	 * Bag of hacks ahead... after the first ClientHello message has been
 	 * sent or received and before the peer's Finished message has been