Bug 1490006, reject invalid CH.legacy_version in TLS 1.3

Summary: As suggested in RFC 8446 Appendix D.5, TLS 1.3 server should send protocol_version alert in response to a ClientHello with legacy_version set to 0x300 or smaller.

Reviewers: mt

Reviewed By: mt

Bug #: 1490006

Differential Revision: https://phabricator.services.mozilla.com/D11870

gtests/ssl_gtest/ssl_version_unittest.cc

@@ -269,4 +269,11 @@ TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
   ASSERT_LT(static_cast<uint32_t>(SSL_LIBRARY_VERSION_TLS_1_2), version);
 }
 
+// Offer 1.3 but with ClientHello.legacy_version == SSL 3.0. This
+// causes a protocol version alert.  See RFC 8446 Appendix D.5.
+TEST_F(TlsConnectStreamTls13, Ssl30ClientHelloWithSupportedVersions) {
+  MakeTlsFilter<TlsClientHelloVersionSetter>(client_, SSL_LIBRARY_VERSION_3_0);
+  ConnectExpectAlert(server_, kTlsAlertProtocolVersion);
+}
+
 }  // namespace nss_test

lib/ssl/tls13con.c

@@ -1573,6 +1573,13 @@ tls13_HandleClientHelloPart2(sslSocket *ss,
     const sslNamedGroupDef *previousGroup = NULL;
     PRBool hrr = PR_FALSE;
 
+    /* If the legacy_version field is set to 0x300 or smaller,
+     * reject the connection with protocol_version alert. */
+    if (ss->clientHelloVersion <= SSL_LIBRARY_VERSION_3_0) {
+        FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, protocol_version);
+        goto loser;
+    }
+
     ss->ssl3.hs.endOfFlight = PR_TRUE;
 
     if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) {

tests/tlsfuzzer/config.json.in

@@ -71,9 +71,7 @@
                 "name" : "test-tls13-legacy-version.py",
                 "arguments": [
                     "-p", "@PORT@"
-                ],
-                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1490006",
-                "exp_pass": false
+                ]
             },
             {
                 "name" : "test-tls13-nociphers.py",