Sanity check the HRR version field

The previous commit removed version negotiation on an HRR. However we should
still sanity check the contents of the version field.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index fdf5d451df317fc33981fa1c1ef269d3fd11478c..338325f7779c3528009a177bf189a1ae75cbb000 100644 (file)
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1569,6 +1569,13 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
         goto f_err;
     }
 
+    /* TODO(TLS1.3): Remove the TLS1_3_VERSION_DRAFT clause before release */
+    if (sversion != TLS1_3_VERSION && sversion != TLS1_3_VERSION_DRAFT) {
+        SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_WRONG_SSL_VERSION);
+        al = SSL_AD_PROTOCOL_VERSION;
+        goto f_err;
+    }
+
     s->hello_retry_request = 1;
 
     /*