diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index 729d4184d0..ee7ff69d86 100644
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -528,6 +528,7 @@ tls13_HandleKeyShare(sslSocket *ss,
 CK_MECHANISM_TYPE mechanism;
 PRErrorCode errorCode;
 SECStatus rv;
+ int keySize = 0;
 PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
 peerKey = PORT_ArenaZNew(&arena.arena, SECKEYPublicKey);
@@ -552,6 +553,7 @@ tls13_HandleKeyShare(sslSocket *ss,
 entry->key_exchange.len,
 keyPair->pubKey);
 mechanism = CKM_DH_PKCS_DERIVE;
+ keySize = peerKey->u.dh.publicValue.len;
 break;
 default:
 PORT_Assert(0);
@@ -563,7 +565,7 @@ tls13_HandleKeyShare(sslSocket *ss,
 ss->ssl3.hs.dheSecret = PK11_PubDeriveWithKDF(
 keyPair->privKey, peerKey, PR_FALSE, NULL, NULL, mechanism,
- tls13_GetHkdfMechanism(ss), CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
+ tls13_GetHkdfMechanism(ss), CKA_DERIVE, keySize, CKD_NULL, NULL, NULL);
 if (!ss->ssl3.hs.dheSecret) {
 ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE);
 goto loser;
diff --git a/tests/tlsfuzzer/config.json.in b/tests/tlsfuzzer/config.json.in
index 0cb6fa3bc8..051bae2beb 100644
--- a/tests/tlsfuzzer/config.json.in
+++ b/tests/tlsfuzzer/config.json.in
@@ -23,6 +23,14 @@
 "-p", "@PORT@", "-t", "1"
 ]
 },
+ {
+ "name" : "test-tls13-dhe-shared-secret-padding.py",
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1305243",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "TLS 1.3 with x448"
+ ]
+ },
 {
 "name" : "test-tls13-empty-alert.py",
 "arguments": [
@@ -31,6 +39,12 @@
 "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1471656",
 "exp_pass": false
 },
+ {
+ "name" : "test-tls13-ffdhe-sanity.py",
+ "arguments": [
+ "-p", "@PORT@"
+ ]
+ },
 {
 "name" : "test-tls13-finished.py",
 "arguments": [
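Review bot: The padding length passed to PK11_PubDeriveWithKDF in the third tls13con.c hunk comes from `keySize = peerKey->u.dh.publicValue.len;` in the second hunk, i.e. the byte length of the share the peer sent, not the length of the negotiated group's prime that RFC 8446 §7.4.1 says the FFDHE shared secret must be padded to. Unless tls13_ImportDHEKeyShare, called just above that hunk, rejects shares whose length differs from the prime's (not visible here), a peer sending a shorter unpadded encoding would steer how the secret is padded, which is the ambiguity this fix is meant to remove; anchoring it to the local group, presumably `keySize = keyPair->pubKey->u.dh.prime.len;`, or asserting the two lengths are equal makes the padding depend only on the group NSS selected. If the import routine already enforces equality, a one-line comment at the assignment saying so, e.g. `/* equals the prime length: the import rejects shorter shares */`, would spare the next reader the same question. The assignment also narrows an unsigned length into the `int keySize` declared in the first hunk, which matches the parameter type but is worth noting if sign-conversion warnings are enabled. tls13_HandleKeyShare begins before the first hunk and continues past the last.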
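Review bot: The new test-tls13-dhe-shared-secret-padding.py entry in the first config.json.in hunk excludes the "TLS 1.3 with x448" case without recording why, whereas the test-dhe-no-shared-secret-padding.py entry added later in this file spells out the reason for its exclusions in its comment value. Since this is strict JSON the rationale has to live in that key; something like `"comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1305243; x448 case excluded because NSS does not offer that group"` would do, with the stated reason confirmed against the server's supported groups, since I am inferring it rather than reading it from the diff.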
@@ -115,6 +129,12 @@
 "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1482386",
 "exp_pass": false
 },
+ {
+ "name" : "test-tls13-unrecognised-groups.py",
+ "arguments": [
+ "-p", "@PORT@", "--cookie"
+ ]
+ },
 {
 "name" : "test-tls13-version-negotiation.py",
 "comment": "the disabled test timeouts because of https://github.com/tomato42/tlsfuzzer/issues/452",
@@ -128,6 +148,18 @@
 "arguments": [
 "-p", "@PORT@"
 ]
+ },
+ {
+ "name" : "test-dhe-no-shared-secret-padding.py",
+ "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1494221 and SSLv3 cannot be enabled in server",
+ "arguments": [
+ "-p", "@PORT@",
+ "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 2) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 3) in SSLv2 compatible ClientHello",
+ "-e", "Protocol (3, 0)"
+ ]
 }
 ]
 }
diff --git a/tests/tlsfuzzer/tlsfuzzer.sh b/tests/tlsfuzzer/tlsfuzzer.sh
index 000f1b6397..ecc146c240 100644
--- a/tests/tlsfuzzer/tlsfuzzer.sh
+++ b/tests/tlsfuzzer/tlsfuzzer.sh
@@ -44,7 +44,7 @@ tlsfuzzer_init()
 if [ ! -d "$TLSFUZZER" ]; then
 # Can't use git-copy.sh here, as tlsfuzzer doesn't have any tags
 git clone -q https://github.com/tomato42/tlsfuzzer/ "$TLSFUZZER"
- git -C "$TLSFUZZER" checkout fc8fd0128643d6b2bcba344e276ba5f902445913
+ git -C "$TLSFUZZER" checkout a40ce4085052a4da9a05f9149b835a76c194a0c6
 # We could use tlslite-ng from pip, but the pip command installed
 # on TC is too old to support --pre