authorLeander Schwarz <lschwarz@mozilla.com>2022-03-22 14:12:38 +0000
committerLeander Schwarz <lschwarz@mozilla.com>2022-03-22 14:12:38 +0000
commit6101439d8c7597f4c9490c013265928d280b1276 (patch)
tree3a2cd4a53067974e69a427518d53eefced27a2e6 /gtests
parent2f49143ece2fb815d0b3a043b4b1c0035f4f519a (diff)
Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D138647
Diffstat (limited to 'gtests')
-rw-r--r--gtests/ssl_gtest/ssl_version_unittest.cc13
-rw-r--r--gtests/ssl_gtest/tls_filter.cc8
-rw-r--r--gtests/ssl_gtest/tls_filter.h15
3 files changed, 35 insertions, 1 deletions
diff --git a/gtests/ssl_gtest/ssl_version_unittest.cc b/gtests/ssl_gtest/ssl_version_unittest.cc
index 7fc59d2c2..275972a39 100644
--- a/gtests/ssl_gtest/ssl_version_unittest.cc
+++ b/gtests/ssl_gtest/ssl_version_unittest.cc
@@ -329,13 +329,24 @@ TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
ASSERT_LT(static_cast<uint32_t>(SSL_LIBRARY_VERSION_TLS_1_2), version);
}
-// Offer 1.3 but with ClientHello.legacy_version == SSL 3.0. This
+// Offer 1.3 but with Server/ClientHello.legacy_version == SSL 3.0. This
// causes a protocol version alert. See RFC 8446 Appendix D.5.
TEST_F(TlsConnectStreamTls13, Ssl30ClientHelloWithSupportedVersions) {
MakeTlsFilter<TlsClientHelloVersionSetter>(client_, SSL_LIBRARY_VERSION_3_0);
ConnectExpectAlert(server_, kTlsAlertProtocolVersion);
}
+TEST_F(TlsConnectStreamTls13, Ssl30ServerHelloWithSupportedVersions) {
+ MakeTlsFilter<TlsServerHelloVersionSetter>(server_, SSL_LIBRARY_VERSION_3_0);
+ StartConnect();
+ client_->ExpectSendAlert(kTlsAlertProtocolVersion);
+ /* Since the handshake is not finished the client will send an unencrypted
+ * alert. The server is expected to close the connection with a unexpected
+ * message alert. */
+ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+ Handshake();
+}
+
// Verify the client sends only DTLS versions in supported_versions
TEST_F(DtlsConnectTest, DtlsSupportedVersionsEncoding) {
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
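Review bot: Ssl30ServerHelloWithSupportedVersions registers only send-side expectations on the two agents, so nothing asserts what either peer receives or which error each agent ends with, unlike the ConnectExpectAlert helper the preceding test relies on. Consider adding `server_->ExpectReceiveAlert(kTlsAlertProtocolVersion);` before `Handshake();` and a `client_->CheckErrorCode(...)` afterwards with the client's unsupported-version error code, if the harness provides those for this path. The comment inside the test reads `a unexpected message alert`; it should be `an unexpected message alert`, and it would help to add one sentence on why the client alerts at all, e.g. `// The client rejects a ServerHello whose legacy_version is SSL 3.0 (RFC 8446 Appendix D.5).`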
diff --git a/gtests/ssl_gtest/tls_filter.cc b/gtests/ssl_gtest/tls_filter.cc
index d018ab5f6..02fc3a303 100644
--- a/gtests/ssl_gtest/tls_filter.cc
+++ b/gtests/ssl_gtest/tls_filter.cc
@@ -1207,6 +1207,14 @@ PacketFilter::Action TlsClientHelloVersionSetter::FilterHandshake(
return CHANGE;
}
+PacketFilter::Action TlsServerHelloVersionSetter::FilterHandshake(
+ const HandshakeHeader& header, const DataBuffer& input,
+ DataBuffer* output) {
+ *output = input;
+ output->Write(0, version_, 2);
+ return CHANGE;
+}
+
PacketFilter::Action SelectedCipherSuiteReplacer::FilterHandshake(
const HandshakeHeader& header, const DataBuffer& input,
DataBuffer* output) {
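Review bot: The literals in `output->Write(0, version_, 2);` are undocumented, so a reader needs the ServerHello body layout to see that offset 0 with length 2 is legacy_version; suggest `// legacy_version is the first two bytes of the ServerHello body.` above the Write. The function also overwrites those bytes without checking the input length, which is acceptable for a test filter but worth stating in the same comment so a truncated message reaching this filter is not mistaken for a bug elsewhere. The `header` parameter is ignored, which appears to match the ClientHello setter just above the hunk, whose body is outside it.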
diff --git a/gtests/ssl_gtest/tls_filter.h b/gtests/ssl_gtest/tls_filter.h
index 1cf34508c..decf4eaa2 100644
--- a/gtests/ssl_gtest/tls_filter.h
+++ b/gtests/ssl_gtest/tls_filter.h
@@ -799,6 +799,21 @@ class TlsClientHelloVersionSetter : public TlsHandshakeFilter {
uint16_t version_;
};
+// Set the version number in the ServerHello.
+class TlsServerHelloVersionSetter : public TlsHandshakeFilter {
+ public:
+ TlsServerHelloVersionSetter(const std::shared_ptr<TlsAgent>& a,
+ uint16_t version)
+ : TlsHandshakeFilter(a, {kTlsHandshakeServerHello}), version_(version) {}
+
+ virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
+ const DataBuffer& input,
+ DataBuffer* output);
+
+ private:
+ uint16_t version_;
+};
+
// Damages the last byte of a handshake message.
class TlsLastByteDamager : public TlsHandshakeFilter {
public:
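Review bot: `virtual PacketFilter::Action FilterHandshake(...)` redeclares a base-class virtual without `override`, so a signature drift in TlsHandshakeFilter would silently introduce a new virtual instead of a compile error; prefer `PacketFilter::Action FilterHandshake(const HandshakeHeader& header, const DataBuffer& input, DataBuffer* output) override;` (this may simply mirror the sibling TlsClientHelloVersionSetter, whose declaration lies outside the hunk). The class comment should also say what the filter matches: in TLS 1.3 a HelloRetryRequest uses the same server_hello handshake type, so selecting on `kTlsHandshakeServerHello` rewrites the legacy_version of an HRR too; suggest `// Overwrite ServerHello.legacy_version (also matches a TLS 1.3 HelloRetryRequest, which shares the ServerHello message type).`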