diff options
author | Martin Thomson <mt@lowentropy.net> | 2019-02-13 08:49:16 +1100 |
---|---|---|
committer | Martin Thomson <mt@lowentropy.net> | 2019-02-13 08:49:16 +1100 |
commit | 2a93a3f21372bd63175e5f277d3b98949489bd87 (patch) | |
tree | 51fc1ed17e6961d32f207e774a372f2f32ac9f9d | |
parent | 104cee2c73df6fcbc525ba66e33d382774fa603c (diff) | |
download | nss-hg-2a93a3f21372bd63175e5f277d3b98949489bd87.tar.gz |
Bug 1520459 - Send decode_error for padded record_size_limit extension, r=jcj
Summary: This is all I plan to do for this bug.
Reviewers: jcj
Tags: #secure-revision
Bug #: 1520459
Differential Revision: https://phabricator.services.mozilla.com/D19576
-rw-r--r-- | gtests/ssl_gtest/ssl_recordsize_unittest.cc | 10 | ||||
-rw-r--r-- | lib/ssl/ssl3exthandle.c | 2 |
2 files changed, 11 insertions, 1 deletions
diff --git a/gtests/ssl_gtest/ssl_recordsize_unittest.cc b/gtests/ssl_gtest/ssl_recordsize_unittest.cc index 0a54ae1a8..c9149bcd9 100644 --- a/gtests/ssl_gtest/ssl_recordsize_unittest.cc +++ b/gtests/ssl_gtest/ssl_recordsize_unittest.cc @@ -397,6 +397,16 @@ TEST_P(TlsConnectGeneric, RecordSizeServerExtensionInvalid) { ConnectExpectAlert(client_, kTlsAlertIllegalParameter); } +TEST_P(TlsConnectGeneric, RecordSizeServerExtensionExtra) { + EnsureTlsSetup(); + server_->SetOption(SSL_RECORD_SIZE_LIMIT, 1000); + static const uint8_t v[] = {0x01, 0x00, 0x00}; + auto replace = MakeTlsFilter<TlsExtensionReplacer>( + server_, ssl_record_size_limit_xtn, DataBuffer(v, sizeof(v))); + replace->EnableDecryption(); + ConnectExpectAlert(client_, kTlsAlertDecodeError); +} + class RecordSizeDefaultsTest : public ::testing::Test { public: void SetUp() { diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c index a2d83fa97..e25a8f887 100644 --- a/lib/ssl/ssl3exthandle.c +++ b/lib/ssl/ssl3exthandle.c @@ -1927,7 +1927,7 @@ ssl_HandleRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData, return SECFailure; } if (data->len != 0 || limit < 64) { - ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); + ssl3_ExtSendAlert(ss, alert_fatal, decode_error); PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE); return SECFailure; } |