Bug 1328952 - Return a special error when we sent 0-RTT data but the …

…server responds with TLS 1.2. r=mt This allows the client to re-connect with a TLS 1.3 (non 0-RTT) handshake as described in https://tlswg.github.io/tls13-spec/#rfc.appendix.D.3. Reviewers: mt Differential Revision: https://nss-review.dev.mozaws.net/D144
sailfishos-mirror · Jan 12, 2017 · 24567ad · 24567ad
1 parent 83cfab8
commit 24567ad
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 8 deletions.
diff --git a/gtests/ssl_gtest/ssl_0rtt_unittest.cc b/gtests/ssl_gtest/ssl_0rtt_unittest.cc
@@ -227,7 +227,7 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRttDowngrade) {
   client_->Handshake();
   server_->Handshake();
   ASSERT_TRUE_WAIT(
-      (client_->error_code() == SSL_ERROR_RX_MALFORMED_SERVER_HELLO), 2000);
+      (client_->error_code() == SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA), 2000);
 
   // DTLS will timeout as we bump the epoch when installing the early app data
   // cipher suite. Thus the encrypted alert will be ignored.
@@ -266,7 +266,7 @@ TEST_P(TlsConnectTls13, TestTls13ZeroRttDowngradeEarlyData) {
   client_->Handshake();
   server_->Handshake();
   ASSERT_TRUE_WAIT(
-      (client_->error_code() == SSL_ERROR_RX_MALFORMED_SERVER_HELLO), 2000);
+      (client_->error_code() ==  SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA), 2000);
 
   // DTLS will timeout as we bump the epoch when installing the early app data
   // cipher suite. Thus the encrypted alert will be ignored.

diff --git a/lib/ssl/SSLerrs.h b/lib/ssl/SSLerrs.h
@@ -505,3 +505,6 @@ ER3(SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES, (SSL_ERROR_BASE + 158),
 
 ER3(SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES, (SSL_ERROR_BASE + 159),
     "SSL expected a PSK key exchange modes extension.")
+
+ER3(SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA, (SSL_ERROR_BASE + 160),
+    "SSL got a pre-TLS 1.3 version even though we sent early data.")
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
@@ -6655,12 +6655,19 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 
     /* The server didn't pick 1.3 although we either received a
      * HelloRetryRequest, or we prepared to send early app data. */
-    if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
-        (ss->ssl3.hs.helloRetry || ss->ssl3.hs.zeroRttState == ssl_0rtt_sent)) {
-        /* SSL3_SendAlert() will uncache the SID. */
-        desc = illegal_parameter;
-        errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
-        goto alert_loser;
+    if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
+        if (ss->ssl3.hs.helloRetry) {
+            /* SSL3_SendAlert() will uncache the SID. */
+            desc = illegal_parameter;
+            errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
+            goto alert_loser;
+        }
+        if (ss->ssl3.hs.zeroRttState == ssl_0rtt_sent) {
+            /* SSL3_SendAlert() will uncache the SID. */
+            desc = illegal_parameter;
+            errCode = SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA;
+            goto alert_loser;
+        }
     }
 
     /* Check that the server negotiated the same version as it did

diff --git a/lib/ssl/sslerr.h b/lib/ssl/sslerr.h
@@ -244,6 +244,7 @@ typedef enum {
     SSL_ERROR_MISSING_SIGNATURE_ALGORITHMS_EXTENSION = (SSL_ERROR_BASE + 157),
     SSL_ERROR_MALFORMED_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 158),
     SSL_ERROR_MISSING_PSK_KEY_EXCHANGE_MODES = (SSL_ERROR_BASE + 159),
+    SSL_ERROR_DOWNGRADE_WITH_EARLY_DATA = (SSL_ERROR_BASE + 160),
     SSL_ERROR_END_OF_LIST   /* let the c compiler determine the value of this. */
 } SSLErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */