author | David Keeler <dkeeler@mozilla.com> | 2017-02-17 14:37:17 +0100 |
---|---|---|
committer | David Keeler <dkeeler@mozilla.com> | 2017-02-17 14:37:17 +0100 |
commit | 4bf1d1cf020c261b76a810a155567bc93fd4f9c5 (patch) | |
tree | 799da43e79516b8227c0d4d1a57bf3ebcccb59b3 | |
parent | 449248d5020eba9333af73ed598dd6a23e441df4 (diff) | |
Bug 1339923 - Prevent assertion failure when ssl3_SendRecord needs to send more than MAX_FRAGMENT_LENGTH r=ekr
Differential Revision: https://nss-review.dev.mozaws.net/D218
-rw-r--r-- | gtests/ssl_gtest/ssl_cert_ext_unittest.cc | 31 | ||||
-rw-r--r-- | lib/ssl/ssl3con.c | 6 |
2 files changed, 35 insertions, 2 deletions
diff --git a/gtests/ssl_gtest/ssl_cert_ext_unittest.cc b/gtests/ssl_gtest/ssl_cert_ext_unittest.cc
index 886ef48d3..c9bb390f1 100644
--- a/gtests/ssl_gtest/ssl_cert_ext_unittest.cc
+++ b/gtests/ssl_gtest/ssl_cert_ext_unittest.cc
@@ -223,4 +223,35 @@ TEST_P(TlsConnectGeneric, OcspSuccess) {
 EXPECT_EQ(0U, capture_ocsp->extension().len());
 }
 
+TEST_P(TlsConnectGeneric, OcspHugeSuccess) {
+ EnsureTlsSetup();
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
+ SSL_ENABLE_OCSP_STAPLING, PR_TRUE));
+
+ uint8_t hugeOcspValue[16385];
+ memset(hugeOcspValue, 0xa1, sizeof(hugeOcspValue));
+ const SECItem hugeOcspItems[] = {
+ {siBuffer, const_cast<uint8_t*>(hugeOcspValue), sizeof(hugeOcspValue)}};
+ const SECItemArray hugeOcspResponses = {const_cast<SECItem*>(hugeOcspItems),
+ PR_ARRAY_SIZE(hugeOcspItems)};
+ const SSLExtraServerCertData hugeOcspExtraData = {
+ ssl_auth_null, nullptr, &hugeOcspResponses, nullptr};
+
+ // The value should be available during the AuthCertificateCallback
+ client_->SetAuthCertificateCallback([&](TlsAgent* agent, bool checksig,
+ bool isServer) -> SECStatus {
+ const SECItemArray* ocsp = SSL_PeerStapledOCSPResponses(agent->ssl_fd());
+ if (!ocsp) {
+ return SECFailure;
+ }
+ EXPECT_EQ(1U, ocsp->len) << "We only provide the first item";
+ EXPECT_EQ(0, SECITEM_CompareItem(&hugeOcspItems[0], &ocsp->items[0]));
+ return SECSuccess;
+ });
+ EXPECT_TRUE(server_->ConfigServerCert(TlsAgent::kServerRsa, true,
+ &hugeOcspExtraData));
+
+ Connect();
+}
+
 } // namespace nspr_test
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index ea8fa77b6..86ceecb6d 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -2694,6 +2694,7 @@ ssl3_SendRecord(sslSocket *ss,
 SECStatus rv;
 PRInt32 totalSent = 0;
 PRBool capRecordVersion;
+ ssl3CipherSpec *spec;
 
 SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
 SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
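Review bot: The size in `uint8_t hugeOcspValue[16385];` is the whole point of this test — it is presumably one byte over MAX_FRAGMENT_LENGTH from the commit title (the 2^14 TLS plaintext limit), which forces the stapled response to be sent across more than one record — yet nothing in the test says so, and someone later rounding it to 16384 would silently stop exercising the fragmentation path. I would name it: `// One byte over MAX_FRAGMENT_LENGTH so the stapled response must span two records.` above the declaration, or `constexpr size_t kHugeOcspLen = MAX_FRAGMENT_LENGTH + 1;` if that macro is reachable from the gtests. Two smaller points in the same hunk: `const_cast<uint8_t*>(hugeOcspValue)` is a no-op because the array itself is not const, so `hugeOcspValue` alone reads more honestly, and the unused `checksig`/`isServer` lambda parameters could be left unnamed.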
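Review bot: `ssl3CipherSpec *spec;` is added without an initializer or a comment, and the reason a second pointer is needed next to the `cwSpec` parameter is only visible from the later hunk, where the old code's `cwSpec = ss->ssl3.cwSpec;` clobbered the parameter for the next fragment (presumably flipping a `cwSpec`-based condition that guards the DTLS-only PORT_Assert — the condition itself is outside the hunk). A one-line comment at the declaration would keep the next person from "simplifying" this back: `ssl3CipherSpec *spec; /* spec used for this record; cwSpec must stay as passed in across fragments */`. Writing it as `ssl3CipherSpec *spec = NULL;` would also make any future branch that forgets to assign it fail deterministically in ssl_ProtectRecord instead of using an indeterminate pointer, though both branches visible in the second hunk do assign it. ssl3_SendRecord begins before and continues past this hunk.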
@@ -2798,11 +2799,12 @@ ssl3_SendRecord(sslSocket *ss, PORT_Assert(IS_DTLS(ss) && (type == content_handshake || type == content_change_cipher_spec)); + spec = cwSpec; } else { - cwSpec = ss->ssl3.cwSpec; + spec = ss->ssl3.cwSpec; } - rv = ssl_ProtectRecord(ss, cwSpec, !IS_DTLS(ss) && capRecordVersion, + rv = ssl_ProtectRecord(ss, spec, !IS_DTLS(ss) && capRecordVersion, type, pIn, contentLen, wrBuf); if (rv == SECSuccess) { PRINT_BUF(50, (ss, "send (encrypted) record data:", |