Detect WatchGuard's TLS 1.3 interference failure mode.

WatchGuard's bug is very distinctive. Report a dedicated error code out of BoringSSL so we can better track this. Bug: chromium:733223 Change-Id: Ia42abd8654e7987b1d43c63a4f454f35f6aa873b Reviewed-on: https://boringssl-review.googlesource.com/17328 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-22 15:03:18 -04:00 · 2017-06-22 15:03:18 -04:00 · 5aaaa98f8c
commit 5aaaa98f8c
parent bfd94db72c
4 changed files with 18 additions and 5 deletions
--- a/crypto/err/ssl.errordata
+++ b/crypto/err/ssl.errordata
@ -1,4 +1,5 @@
 SSL,277,ALPN_MISMATCH_ON_EARLY_DATA
+SSL,281,APPLICATION_DATA_INSTEAD_OF_HANDSHAKE
 SSL,100,APP_DATA_IN_HANDSHAKE
 SSL,101,ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT
 SSL,102,BAD_ALERT
@ -178,6 +179,7 @@ SSL,218,TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG
 SSL,219,TOO_MANY_EMPTY_FRAGMENTS
 SSL,260,TOO_MANY_KEY_UPDATES
 SSL,220,TOO_MANY_WARNING_ALERTS
+SSL,1117,TOO_MUCH_READ_EARLY_DATA
 SSL,270,TOO_MUCH_SKIPPED_EARLY_DATA
 SSL,221,UNABLE_TO_FIND_ECDH_PARAMETERS
 SSL,222,UNEXPECTED_EXTENSION
@ -210,4 +212,3 @@ SSL,247,WRONG_VERSION_NUMBER
 SSL,278,WRONG_VERSION_ON_EARLY_DATA
 SSL,248,X509_LIB
 SSL,249,X509_VERIFICATION_SETUP_PROBLEMS
-SSL,1117,TOO_MUCH_READ_EARLY_DATA
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -4678,6 +4678,7 @@ BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
 #define SSL_R_WRONG_VERSION_ON_EARLY_DATA 278
 #define SSL_R_CHANNEL_ID_ON_EARLY_DATA 279
 #define SSL_R_NO_SUPPORTED_VERSIONS_ENABLED 280
+#define SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE 281
 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@ -511,6 +511,17 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) {
      }
    }

+    /* WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
+     * ServerHello and send the remaining encrypted application data records
+     * as-is. This manifests as an application data record when we expect
+     * handshake. Report a dedicated error code for this case. */
+    if (!ssl->server && rr->type == SSL3_RT_APPLICATION_DATA &&
+        ssl->s3->aead_read_ctx == NULL) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);
+      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+      return -1;
+    }
+
    if (rr->type != SSL3_RT_HANDSHAKE) {
      OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -1577,7 +1577,7 @@ func addBasicTests() {
 				},
 			},
 			shouldFail:    true,
-			expectedError: ":UNEXPECTED_RECORD:",
+			expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
 		},
 		{
 			name: "AppDataBeforeHandshake-Empty",
@ -1587,7 +1587,7 @@ func addBasicTests() {
 				},
 			},
 			shouldFail:    true,
-			expectedError: ":UNEXPECTED_RECORD:",
+			expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
 		},
 		{
 			protocol: dtls,
@ -1757,7 +1757,7 @@ func addBasicTests() {
 			},
 			shimWritesFirst: true,
 			shouldFail:      true,
-			expectedError:   ":UNEXPECTED_RECORD:",
+			expectedError:   ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
 		},
 		{
 			name: "FalseStart-SkipServerSecondLeg-Implicit",
@ -1778,7 +1778,7 @@ func addBasicTests() {
 				"-advertise-alpn", "\x03foo",
 			},
 			shouldFail:    true,
-			expectedError: ":UNEXPECTED_RECORD:",
+			expectedError: ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:",
 		},
 		{
 			testType:           serverTest,