author | Dennis Jackson <djackson@mozilla.com> | 2023-02-22 10:08:17 +0000 |
---|---|---|
committer | Dennis Jackson <djackson@mozilla.com> | 2023-02-22 10:08:17 +0000 |
commit | 21b01575d99ae1872b999683807ab5ae1b654cd9 (patch) | |
tree | 840d3091fed7c297469daf048d57e760d472a42e | |
parent | a785cec7d1c4abeb60ea1f521c2cdb4d3b2563fb (diff) | |
download | nss-hg-21b01575d99ae1872b999683807ab5ae1b654cd9.tar.gz |
Bug 1815167: Tolerate certificate_authorities xtn in ClientHello. r=mt,nss-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D169918
-rw-r--r-- | gtests/ssl_gtest/ssl_extension_unittest.cc | 18 | ||||
-rw-r--r-- | lib/ssl/ssl3ext.c | 1 | ||||
-rw-r--r-- | lib/ssl/tls13con.c | 2 | ||||
-rw-r--r-- | lib/ssl/tls13exthandle.c | 9 | ||||
-rw-r--r-- | lib/ssl/tls13exthandle.h | 2 |
5 files changed, 31 insertions, 1 deletions
diff --git a/gtests/ssl_gtest/ssl_extension_unittest.cc b/gtests/ssl_gtest/ssl_extension_unittest.cc
index 1f115ea0f..0d7a77cfa 100644
--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -1440,6 +1440,24 @@ TEST_F(TlsConnectStreamTls13,
 PR_ASSERT(inequal >= 1);
 }
 
+// The certificate_authorities xtn can be included in a ClientHello [RFC 8446,
+// Section 4.2]
+TEST_F(TlsConnectStreamTls13, ClientHelloCertAuthXtnToleration) {
+ EnsureTlsSetup();
+ uint8_t bodyBuf[3] = {0x00,0x01,0xff};
+ DataBuffer body(bodyBuf,sizeof(bodyBuf));
+ auto ch = MakeTlsFilter<TlsExtensionAppender>(
+ client_, kTlsHandshakeClientHello, ssl_tls13_certificate_authorities_xtn,
+ body);
+ // The Connection will fail because the added extension isn't in the client's
+ // transcript not because the extension is unsupported (Bug 1815167).
+ server_->ExpectSendAlert(bad_record_mac);
+ client_->ExpectSendAlert(bad_record_mac);
+ ConnectExpectFail();
+ server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+ client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+}
+
 INSTANTIATE_TEST_SUITE_P(
 ExtensionStream, TlsExtensionTestGeneric,
 ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c
index de7523566..0bc7b955b 100644
--- a/lib/ssl/ssl3ext.c
+++ b/lib/ssl/ssl3ext.c
@@ -45,6 +45,7 @@ static const ssl3ExtensionHandler clientHelloHandlers[] = {
 { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn },
 { ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn },
 { ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn },
+ { ssl_tls13_certificate_authorities_xtn, &tls13_ServerHandleCertAuthoritiesXtn },
 { ssl_signature_algorithms_xtn, &ssl3_HandleSigAlgsXtn },
 { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn },
 { ssl_signed_cert_timestamp_xtn, &ssl3_ServerHandleSignedCertTimestampXtn },
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index 144731982..fbbc510f1 100644
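Review bot: The extension body in `uint8_t bodyBuf[3] = {0x00,0x01,0xff};` is not a well-formed certificate_authorities payload: RFC 8446 defines it as `DistinguishedName authorities<3..2^16-1>`, and this is a two-byte length of 1 followed by a single byte, below the 3-byte minimum and not itself a length-prefixed DN. The test therefore passes only because the new server handler in lib/ssl/tls13exthandle.c never reads `data`, so it shows that an arbitrary body under this extension type is accepted rather than that a valid extension is tolerated. I would use a minimal valid body for the toleration case (constructed example: `uint8_t bodyBuf[] = {0x00, 0x03, 0x00, 0x01, 0x30};`, a one-element list holding a 1-byte DN) and keep the malformed body as a separate test that expects decode_error once the handler validates the framing. Minor: `ch` is never used after construction, and the initializers lack the spaces after commas that clang-format would insert (`bodyBuf, sizeof(bodyBuf)`).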
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -5654,7 +5654,7 @@ static const struct {
 certificate) },
 { ssl_delegated_credentials_xtn, _M2(client_hello, certificate) },
 { ssl_tls13_cookie_xtn, _M2(client_hello, hello_retry_request) },
- { ssl_tls13_certificate_authorities_xtn, _M1(certificate_request) },
+ { ssl_tls13_certificate_authorities_xtn, _M2(client_hello, certificate_request) },
 { ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello,
 hello_retry_request) },
 { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) },
diff --git a/lib/ssl/tls13exthandle.c b/lib/ssl/tls13exthandle.c
index 4d24b37d6..4d8c711bd 100644
--- a/lib/ssl/tls13exthandle.c
+++ b/lib/ssl/tls13exthandle.c
@@ -1217,6 +1217,15 @@ loser:
 }
 
 SECStatus
+tls13_ServerHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data)
+{
+ SSL_TRC(3, ("%d: TLS13[%d]: ignore certificate_authorities extension",
+ SSL_GETPID(), ss->fd));
+ /* NSS ignores certificate_authorities in the ClientHello */
+ return SECSuccess;
+}
+
+SECStatus
 tls13_ServerSendHrrKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
 sslBuffer *buf, PRBool *added)
 {
diff --git a/lib/ssl/tls13exthandle.h b/lib/ssl/tls13exthandle.h
index fb4a18965..e4247e295 100644
--- a/lib/ssl/tls13exthandle.h
+++ b/lib/ssl/tls13exthandle.h
@@ -75,6 +75,8 @@ SECStatus tls13_SendCertAuthoritiesXtn(const sslSocket *ss,
 SECStatus tls13_ClientHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data);
+SECStatus tls13_ServerHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data);
+
 SECStatus tls13_ServerHandleCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data); |
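Review bot: `tls13_ServerHandleCertAuthoritiesXtn` returns SECSuccess without reading `data`, so an extension whose body is not one well-formed `DistinguishedName authorities<3..2^16-1>` vector (wrong length prefix, trailing bytes, empty list) is accepted silently, while the neighbouring handlers reject malformed bodies with a fatal decode_error. Ignoring the list's contents is reasonable, but the framing should still be checked so that arbitrary bytes cannot be carried under this extension type without the handshake failing for that reason; the test added in gtests/ssl_gtest/ssl_extension_unittest.cc sends exactly such a 1-byte list and currently passes. The sketch below uses the consume helper and decode-error path the other handlers in this file use; it assumes `ssl3_ExtConsumeHandshakeVariable` raises the alert itself on a short read, which should be confirmed against its definition in ssl3ext.c. The `/* NSS ignores ... */` comment should then say that only the contents, not the encoding, are ignored.
```c
tls13_ServerHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data)
{
    SECItem authorities;
    SECStatus rv;

    SSL_TRC(3, ("%d: TLS13[%d]: ignore certificate_authorities extension",
                SSL_GETPID(), ss->fd));
    /* The list is not used, but the body must still be exactly one
     * well-formed DistinguishedName authorities<3..2^16-1> vector. */
    rv = ssl3_ExtConsumeHandshakeVariable(ss, &authorities, 2, &data->data, &data->len);
    if (rv != SECSuccess) {
        return SECFailure; /* assumes the helper already sent decode_error */
    }
    if (data->len != 0 || authorities.len < 3) {
        ssl3_ExtDecodeError(ss);
        return SECFailure;
    }
    return SECSuccess;
}
```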