handshake: do not negotiate TLS1.3 using the legacy version fieldtmp-update-version-numbers

Previously we could end-up with a TLS1.3 connection if the TLS1.3
ID was seen on the wire. We now explicitly fallback to TLS1.2
when we see a protocol with TLS1.3 semantics in an SSL2.0 or
in the legacy version of the client hello.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

1 files changed, 8 insertions, 2 deletions

diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c
index de762a5674..9d8fd91bf4 100644
--- a/lib/sslv2_compat.c
+++ b/lib/sslv2_compat.c
@@ -96,6 +96,7 @@ _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data,
 	uint8_t rnd[GNUTLS_RANDOM_SIZE], major, minor;
 	int len = datalen;
 	int neg_version;
+	const version_entry_st *vers;
 	uint16_t challenge;
 	uint8_t session_id[GNUTLS_MAX_SESSION_ID_SIZE];
 
@@ -109,12 +110,17 @@ _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data,
 	minor = data[pos + 1];
 	set_adv_version(session, major, minor);
 
-	ret = _gnutls_negotiate_version(session, major, minor);
+	ret = _gnutls_negotiate_version(session, major, minor, 0);
 	if (ret < 0) {
 		gnutls_assert();
 		return ret;
 	}
-	neg_version = ret;
+
+	vers = get_version(session);
+	if (vers == NULL)
+		return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+	neg_version = vers->id;
 
 	pos += 2;