From 4bd2835cf1890b7de56a68bebda8356fefad2544 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Thu, 10 Jul 2025 10:40:12 -0400 Subject: [PATCH] Change suggested by SparkiDev --- src/tls13.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index a4b3850a0a..dce053278a 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -6817,22 +6817,6 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ERROR_OUT(VERSION_ERROR, exit_dch); } -#ifndef WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION - /* Check for TLS 1.3 version (0x0304) in legacy version field. RFC 8446 - * Section 4.2.1 allows this action: - * - * "Servers MAY abort the handshake upon receiving a ClientHello with - * legacy_version 0x0304 or later." - * - * Note that if WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION is defined then the - * semantics of RFC 5246 Appendix E will be followed. A ServerHello with - * version 1.2 will be sent. */ - if (args->pv.major == SSLv3_MAJOR && args->pv.minor >= TLSv1_3_MINOR) { - WOLFSSL_MSG("Legacy version field is TLS 1.3 or later. Aborting."); - ERROR_OUT(VERSION_ERROR, exit_dch); - } -#endif /* WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION */ - #ifdef WOLFSSL_DTLS13 if (ssl->options.dtls && args->pv.major == DTLS_MAJOR && args->pv.minor > DTLSv1_2_MINOR) { @@ -6842,6 +6826,22 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif /* WOLFSSL_DTLS13 */ if (!ssl->options.dtls) { +#ifndef WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION + /* Check for TLS 1.3 version (0x0304) in legacy version field. RFC 8446 + * Section 4.2.1 allows this action: + * + * "Servers MAY abort the handshake upon receiving a ClientHello with + * legacy_version 0x0304 or later." + * + * Note that if WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION is defined then the + * semantics of RFC 5246 Appendix E will be followed. A ServerHello with + * version 1.2 will be sent. */ + if (args->pv.major == SSLv3_MAJOR && args->pv.minor >= TLSv1_3_MINOR) { + WOLFSSL_MSG("Legacy version field is TLS 1.3 or later. Aborting."); + ERROR_OUT(VERSION_ERROR, exit_dch); + } +#endif /* WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION */ + /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */ if (args->pv.major > SSLv3_MAJOR || (args->pv.major == SSLv3_MAJOR && args->pv.minor >= TLSv1_3_MINOR)) {