According to RFC 9001 Section 4.2, the client MUST NOT offer any TLS version
older than 1.3.
Fixes #63723.
Change-Id: Ia92f98274ca784e2bc151faf236380af51f699c1
Reviewed-on: https://go-review.googlesource.com/c/go/+/537576
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
c.clientProtocol = selectedProto
if c.quic != nil {
+ // RFC 9001 Section 4.2: Clients MUST NOT offer TLS versions older than 1.3.
+ for _, v := range hs.clientHello.supportedVersions {
+ if v < VersionTLS13 {
+ c.sendAlert(alertProtocolVersion)
+ return errors.New("tls: client offered TLS version older than TLS 1.3")
+ }
+ }
+ // RFC 9001 Section 8.2.
if hs.clientHello.quicTransportParameters == nil {
- // RFC 9001 Section 8.2.
c.sendAlert(alertMissingExtension)
return errors.New("tls: client did not send a quic_transport_parameters extension")
}
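Review bot: The rejection loop added at the top of the `if c.quic != nil` block relies on the numeric ordering of version codes, which is correct but worth stating in the comment, since a reader may expect GREASE values to trip it: GREASE versions (0x0A0A, 0x1A1A, … per RFC 8701) and any future version code compare above VersionTLS13, so only genuinely older offers (SSL 3.0, TLS 1.0–1.2) satisfy `v < VersionTLS13`. I would extend the first added comment with `// Values above VersionTLS13 (future versions, GREASE) are deliberately tolerated.` The check also assumes hs.clientHello.supportedVersions is populated; presumably this runs only after TLS 1.3 was selected, which requires the supported_versions extension to have been present, but that invariant is not visible in the hunk and is worth a half-sentence in the comment. The enclosing function and the `if c.quic != nil` block both continue outside the hunk.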