Commit 7fcf0088 authored by Daiki Ueno's avatar Daiki Ueno

Bug 1490006, reject invalid CH.legacy_version in TLS 1.3

Summary: As suggested in RFC 8446 Appendix D.5, TLS 1.3 server should send protocol_version alert in response to a ClientHello with legacy_version set to 0x300 or smaller.

Reviewers: mt

Reviewed By: mt

Bug #: 1490006

Differential Revision: https://phabricator.services.mozilla.com/D11870
parent c4d5cb52
......@@ -269,4 +269,11 @@ TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
ASSERT_LT(static_cast<uint32_t>(SSL_LIBRARY_VERSION_TLS_1_2), version);
}
// Offer 1.3 but with ClientHello.legacy_version == SSL 3.0. This
// causes a protocol version alert. See RFC 8446 Appendix D.5.
TEST_F(TlsConnectStreamTls13, Ssl30ClientHelloWithSupportedVersions) {
MakeTlsFilter<TlsClientHelloVersionSetter>(client_, SSL_LIBRARY_VERSION_3_0);
ConnectExpectAlert(server_, kTlsAlertProtocolVersion);
}
} // namespace nss_test
......@@ -1573,6 +1573,13 @@ tls13_HandleClientHelloPart2(sslSocket *ss,
const sslNamedGroupDef *previousGroup = NULL;
PRBool hrr = PR_FALSE;
/* If the legacy_version field is set to 0x300 or smaller,
* reject the connection with protocol_version alert. */
if (ss->clientHelloVersion <= SSL_LIBRARY_VERSION_3_0) {
FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, protocol_version);
goto loser;
}
ss->ssl3.hs.endOfFlight = PR_TRUE;
if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) {
......
......@@ -71,9 +71,7 @@
"name" : "test-tls13-legacy-version.py",
"arguments": [
"-p", "@PORT@"
],
"comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1490006",
"exp_pass": false
]
},
{
"name" : "test-tls13-nociphers.py",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment