From 57e2ae5a2108851692a67f95e76c647907537372 Mon Sep 17 00:00:00 2001
From: Anthony Hu
Date: Wed, 9 Jul 2025 12:45:04 -0400
Subject: [PATCH] Abort TLS connection if legacy version field indicates TLS 1.3 or higher.
---
 src/tls13.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/tls13.c b/src/tls13.c
index 135f78407..a4b3850a0 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -6817,6 +6817,22 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 ERROR_OUT(VERSION_ERROR, exit_dch);
 }
 
+#ifndef WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION
+ /* Check for TLS 1.3 version (0x0304) in legacy version field. RFC 8446
+ * Section 4.2.1 allows this action:
+ *
+ * "Servers MAY abort the handshake upon receiving a ClientHello with
+ * legacy_version 0x0304 or later."
+ *
+ * Note that if WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION is defined then the
+ * semantics of RFC 5246 Appendix E will be followed. A ServerHello with
+ * version 1.2 will be sent. */
+ if (args->pv.major == SSLv3_MAJOR && args->pv.minor >= TLSv1_3_MINOR) {
+ WOLFSSL_MSG("Legacy version field is TLS 1.3 or later. Aborting.");
+ ERROR_OUT(VERSION_ERROR, exit_dch);
+ }
+#endif /* WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION */
+
 #ifdef WOLFSSL_DTLS13
 if (ssl->options.dtls && args->pv.major == DTLS_MAJOR && args->pv.minor > DTLSv1_2_MINOR) {
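Review bot: The new guard in DoTls13ClientHello matches only `args->pv.major == SSLv3_MAJOR`, so a legacy_version whose major byte is larger (numerically "later" than 0x0304 in the sense of the RFC 8446 sentence quoted in the comment) does not take this branch; whether such values are rejected elsewhere is not visible in this hunk. If the intent is to cover the whole "0x0304 or later" range for TLS, the condition could also test the major byte while excluding DTLS, whose records carry a different major value as the check that follows shows, e.g. `if (!ssl->options.dtls && (args->pv.major > SSLv3_MAJOR || (args->pv.major == SSLv3_MAJOR && args->pv.minor >= TLSv1_3_MINOR))) {`, assuming `ssl->options.dtls` is available in builds without DTLS. The diffstat shows only src/tls13.c changed, so a regression test that feeds a ClientHello with legacy_version 0x0304 and expects VERSION_ERROR, plus one built with WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION, would pin both behaviours. The function body starts and ends outside the hunk.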