Bug 1336205 - Ignore TLS_FALLBACK_SCSV when negotiating TLS 1.3 r=mt

Differential Revision: https://nss-review.dev.mozaws.net/D187 --HG-- extra : amend_source : 1a25ab6ad906b808b3dcd317e443d75e8648550b
sailfishos-mirror · Feb 4, 2017 · d5f274b · d5f274b
1 parent 780cc53
commit d5f274b
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/gtests/ssl_gtest/ssl_version_unittest.cc b/gtests/ssl_gtest/ssl_version_unittest.cc
@@ -123,6 +123,18 @@ TEST_F(TlsConnectTest, TestFallbackFromTls13) {
 }
 #endif
 
+TEST_P(TlsConnectGeneric, TestFallbackSCSVVersionMatch) {
+  client_->SetFallbackSCSVEnabled(true);
+  Connect();
+}
+
+TEST_P(TlsConnectGenericPre13, TestFallbackSCSVVersionMismatch) {
+  client_->SetFallbackSCSVEnabled(true);
+  server_->SetVersionRange(version_, version_ + 1);
+  ConnectExpectFail();
+  client_->CheckErrorCode(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT);
+}
+
 // The TLS v1.3 spec section C.4 states that 'Implementations MUST NOT send or
 // accept any records with a version less than { 3, 0 }'. Thus we will not
 // allow version ranges including both SSL v3 and TLS v1.3.

diff --git a/gtests/ssl_gtest/tls_agent.cc b/gtests/ssl_gtest/tls_agent.cc
@@ -371,6 +371,14 @@ void TlsAgent::Set0RttEnabled(bool en) {
   EXPECT_EQ(SECSuccess, rv);
 }
 
+void TlsAgent::SetFallbackSCSVEnabled(bool en) {
+  EXPECT_TRUE(role_ == CLIENT && EnsureTlsSetup());
+
+  SECStatus rv =
+      SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALLBACK_SCSV, en ? PR_TRUE : PR_FALSE);
+  EXPECT_EQ(SECSuccess, rv);
+}
+
 void TlsAgent::SetShortHeadersEnabled() {
   EXPECT_TRUE(EnsureTlsSetup());
 

diff --git a/gtests/ssl_gtest/tls_agent.h b/gtests/ssl_gtest/tls_agent.h
@@ -131,6 +131,7 @@ class TlsAgent : public PollTarget {
   void SetSessionTicketsEnabled(bool en);
   void SetSessionCacheEnabled(bool en);
   void Set0RttEnabled(bool en);
+  void SetFallbackSCSVEnabled(bool en);
   void SetShortHeadersEnabled();
   void SetVersionRange(uint16_t minver, uint16_t maxver);
   void GetVersionRange(uint16_t* minver, uint16_t* maxver);

diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
@@ -8554,7 +8554,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 
     /* If the ClientHello version is less than our maximum version, check for a
      * TLS_FALLBACK_SCSV and reject the connection if found. */
-    if (ss->vrange.max > ss->clientHelloVersion) {
+    if (ss->vrange.max > ss->version) {
         for (i = 0; i + 1 < suites.len; i += 2) {
             PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
             if (suite_i != TLS_FALLBACK_SCSV)