Closed Bug 1386475 Opened 7 years ago Closed 7 years ago

Deliver 0-RTT before the handshake callback

Categories

(NSS :: Libraries, enhancement)

3.33
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mt, Assigned: mt)

Details

(Keywords: sec-moderate)

In discussion in the HTTP WG, Subodh identified a potential problem with the way that early data is delivered at the server side.  If an attacker could coalesce early data with the handshake, then they might be able to cause the server to be confused about the status of the early data.

In this case, if the packet is processed in a chunk, then the application might be able to see that the handshake is complete while it is processing the early data.

Servers using NSS are vulnerable to this manipulation because any early data that arrives at the same time as the final handshake message will be delivered after receiving the handshake callback.  The callback is called synchronously from the call to PR_Recv, but early data is only delivered on the next invocation of the function.

More seriously, I discovered that if you coalesce early data, handshake, and 1-RTT data, then any 1-RTT data is delivered BEFORE the early data. This is because the early data is put aside and only delivered at the start of the call to ssl_SecureRecv; if the packet that is being processed contains 1-RTT data, then that will be delivered inline, with the early data being delivered on the next invocation.

I have a patch for this that should fix the problem.
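The delivery orders described in this report, as an added example that is not NSS code and not part of the original report: a toy C model of one coalesced read, showing what the application observes when early data is set aside until the next receive call. The `fixed` branch assumes only the ordering named in the bug title (early data before the handshake callback), not the actual patch; `observe` and the record letters are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not NSS code. One coalesced read holds records:
 * 'E' = 0-RTT early data, 'H' = final handshake message, 'A' = 1-RTT data.
 * observe() records what the application sees, in order: 'E' early data
 * delivered, 'H' handshake callback fired, 'A' 1-RTT data delivered. */
static const char *observe(const char *records, int fixed, char *out)
{
    size_t pos = 0, n = 0, len = strlen(records);
    int stashed = 0;                    /* early data set aside */

    while (pos < len || stashed) {      /* one iteration = one receive call */
        if (stashed) {                  /* stash is flushed at start of call */
            out[n++] = 'E';
            stashed = 0;
            continue;
        }
        int delivered = 0;
        while (pos < len && !delivered) {
            char r = records[pos];
            if (r != 'E' && fixed && stashed)
                break;                  /* assumed fix: early data goes first */
            pos++;
            if (r == 'E') {
                stashed = 1;            /* put aside, keep processing */
            } else if (r == 'H') {
                out[n++] = 'H';         /* callback fires synchronously */
            } else {
                out[n++] = 'A';         /* 1-RTT data returned inline */
                delivered = 1;
            }
        }
    }
    out[n] = '\0';
    return out;
}

int main(void)
{
    char buf[16];
    const char *in = "EHA";             /* constructed coalesced input */
    printf("deferred: %s\n", observe(in, 0, buf));
    printf("ordered:  %s\n", observe(in, 1, buf));
    return 0;
}
```

A server-side regression test can assert the same property against a real stack: no handshake-complete signal and no 1-RTT bytes may reach the application while early data from the same read is still undelivered.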
Group: crypto-core-security
https://nss-review.dev.mozaws.net/D392

The main question being whether a simpler solution can be found.
Trunk: https://hg.mozilla.org/projects/nss/rev/f4a9de53fe5a6c0ed6ba5290b5901c0c2eeb56ce
Trunk-only test fix: https://hg.mozilla.org/projects/nss/rev/d50a14c51077c38506ea2304c315b39ed1b739e6
NSS_TLS13_DRAFT19_BRANCH: https://hg.mozilla.org/projects/nss/rev/0f34fb88edaab713e44977f5c33ff69a742c8da2
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.33
Group: crypto-core-security → core-security-release
Group: core-security-release