From 7fcf00883fb4d25a1bd085c824489c405b98666a Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 2 Jan 2019 16:00:50 +0100
Subject: [PATCH] Bug 1490006, reject invalid CH.legacy_version in TLS 1.3

Summary: As suggested in RFC 8446 Appendix D.5, TLS 1.3 server should send protocol_version alert in response to a ClientHello with legacy_version set to 0x300 or smaller.

Reviewers: mt

Reviewed By: mt

Bug #: 1490006

Differential Revision: https://phabricator.services.mozilla.com/D11870
---
 gtests/ssl_gtest/ssl_version_unittest.cc | 7 +++++++
 lib/ssl/tls13con.c                       | 7 +++++++
 tests/tlsfuzzer/config.json.in           | 4 +---
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/gtests/ssl_gtest/ssl_version_unittest.cc b/gtests/ssl_gtest/ssl_version_unittest.cc
index ffc0893e90..10b931ef61 100644
--- a/gtests/ssl_gtest/ssl_version_unittest.cc
+++ b/gtests/ssl_gtest/ssl_version_unittest.cc
@@ -269,4 +269,11 @@ TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
   ASSERT_LT(static_cast<uint32_t>(SSL_LIBRARY_VERSION_TLS_1_2), version);
 }
 
+// Offer 1.3 but with ClientHello.legacy_version == SSL 3.0. This
+// causes a protocol version alert.  See RFC 8446 Appendix D.5.
+TEST_F(TlsConnectStreamTls13, Ssl30ClientHelloWithSupportedVersions) {
+  MakeTlsFilter<TlsClientHelloVersionSetter>(client_, SSL_LIBRARY_VERSION_3_0);
+  ConnectExpectAlert(server_, kTlsAlertProtocolVersion);
+}
+
 }  // namespace nss_test
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index 461cd2eb9c..10c4498033 100644
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -1573,6 +1573,13 @@ tls13_HandleClientHelloPart2(sslSocket *ss,
     const sslNamedGroupDef *previousGroup = NULL;
     PRBool hrr = PR_FALSE;
 
+    /* If the legacy_version field is set to 0x300 or smaller,
+     * reject the connection with protocol_version alert. */
+    if (ss->clientHelloVersion <= SSL_LIBRARY_VERSION_3_0) {
+        FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO, protocol_version);
+        goto loser;
+    }
+
     ss->ssl3.hs.endOfFlight = PR_TRUE;
 
     if (ssl3_ExtensionNegotiated(ss, ssl_tls13_early_data_xtn)) {
diff --git a/tests/tlsfuzzer/config.json.in b/tests/tlsfuzzer/config.json.in
index 051bae2beb..767734ca1f 100644
--- a/tests/tlsfuzzer/config.json.in
+++ b/tests/tlsfuzzer/config.json.in
@@ -71,9 +71,7 @@
                 "name" : "test-tls13-legacy-version.py",
                 "arguments": [
                     "-p", "@PORT@"
-                ],
-                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1490006",
-                "exp_pass": false
+                ]
             },
             {
                 "name" : "test-tls13-nociphers.py",