author | Daiki Ueno <dueno@redhat.com> | 2018-11-29 18:13:10 +0100 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2018-11-29 18:13:10 +0100 |
commit | 811a3684c7ec9345dea387bfa141a33db26fe474 (patch) | |
tree | c327e2d774c2a0d2dca8ee890b8a719c5aad749d /lib/ssl | |
parent | a1280e010a3c6f9105c01552cd0245af516054ba (diff) | |
download | nss-hg-811a3684c7ec9345dea387bfa141a33db26fe474.tar.gz |
Bug 1507179, reject CCS after handshake is complete in TLS 1.3, r=mt
Reviewers: mt
Reviewed By: mt
Subscribers: mt, ekr, franziskus, ueno
Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3
Bug #: 1507179
Differential Revision: https://phabricator.services.mozilla.com/D12887
Diffstat (limited to 'lib/ssl')
-rw-r--r-- | lib/ssl/SSLerrs.h | 3 | ||||
-rw-r--r-- | lib/ssl/sslerr.h | 1 | ||||
-rw-r--r-- | lib/ssl/tls13con.c | 22 |
3 files changed, 15 insertions, 11 deletions
diff --git a/lib/ssl/SSLerrs.h b/lib/ssl/SSLerrs.h
index dda6dc2fd..9be219494 100644
--- a/lib/ssl/SSLerrs.h
+++ b/lib/ssl/SSLerrs.h
@@ -561,3 +561,6 @@ ER3(SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, (SSL_ERROR_BASE + 177),
 ER3(SSL_ERROR_MISSING_ESNI_EXTENSION, (SSL_ERROR_BASE + 178),
 "SSL did not receive an ESNI extension")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, (SSL_ERROR_BASE + 179),
+ "SSL received an unexpected record type.")
diff --git a/lib/ssl/sslerr.h b/lib/ssl/sslerr.h
index 98247afb7..a4aa27657 100644
--- a/lib/ssl/sslerr.h
+++ b/lib/ssl/sslerr.h
@@ -267,6 +267,7 @@ typedef enum {
 SSL_ERROR_RX_MALFORMED_ESNI_KEYS = (SSL_ERROR_BASE + 176),
 SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION = (SSL_ERROR_BASE + 177),
 SSL_ERROR_MISSING_ESNI_EXTENSION = (SSL_ERROR_BASE + 178),
+ SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE = (SSL_ERROR_BASE + 179),
 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
 } SSLErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index c0cfa5e5a..461cd2eb9 100644
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -5016,16 +5016,6 @@ tls13_UnprotectRecord(sslSocket *ss,
 SSL_GETPID(), ss->fd, spec, spec->epoch, spec->phase, cText->seqNum, cText->buf->len));
- /* We can perform this test in variable time because the record's total
- * length and the ciphersuite are both public knowledge. */
- if (cText->buf->len < cipher_def->tag_size) {
- SSL_TRC(3,
- ("%d: TLS13[%d]: record too short to contain valid AEAD data",
- SSL_GETPID(), ss->fd));
- PORT_SetError(SSL_ERROR_BAD_MAC_READ);
- return SECFailure;
- }
-
 /* Verify that the content type is right, even though we overwrite it.
 * Also allow the DTLS short header in TLS 1.3. */
 if (!(cText->hdr[0] == ssl_ct_application_data ||
@@ -5035,7 +5025,17 @@ tls13_UnprotectRecord(sslSocket *ss,
 SSL_TRC(3,
 ("%d: TLS13[%d]: record has invalid exterior type=%2.2x",
 SSL_GETPID(), ss->fd, cText->hdr[0]));
- /* Do we need a better error here? */
+ PORT_SetError(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
+ *alert = unexpected_message;
+ return SECFailure;
+ }
+
+ /* We can perform this test in variable time because the record's total
+ * length and the ciphersuite are both public knowledge. */
+ if (cText->buf->len < cipher_def->tag_size) {
+ SSL_TRC(3,
+ ("%d: TLS13[%d]: record too short to contain valid AEAD data",
+ SSL_GETPID(), ss->fd));
 PORT_SetError(SSL_ERROR_BAD_MAC_READ);
 return SECFailure;
 }
|
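Review bot: The two rejection paths in tls13_UnprotectRecord now treat `*alert` differently: the exterior-type branch sets `*alert = unexpected_message`, while the relocated short-record branch only sets SSL_ERROR_BAD_MAC_READ and leaves `*alert` at whatever the caller passed in. The caller is outside this hunk, so presumably it pre-loads a default, but that dependency is not visible here. Either make it explicit with `*alert = bad_record_mac;` before that branch's `return SECFailure;`, or add a comment such as `/* *alert is left at the caller's default. */`. A one-line comment above the type check would also help, saying that it deliberately precedes the length check so a record with a non-application-data outer type is answered with unexpected_message regardless of its length. The function body begins and ends outside the hunk.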