OLD | NEW |
| (Empty) |
1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c | |
2 --- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:46:51.999581198 -0800 | |
3 +++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:47:05.509804656 -0800 | |
4 @@ -3473,6 +3473,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe | |
5 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT; | |
6 break; | |
7 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break; | |
8 + case inappropriate_fallback: | |
9 + error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; | |
10 + break; | |
11 | |
12 /* All alerts below are TLS only. */ | |
13 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break; | |
14 @@ -4986,6 +4989,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo | |
15 int num_suites; | |
16 int actual_count = 0; | |
17 PRBool isTLS = PR_FALSE; | |
18 + PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE; | |
19 PRInt32 total_exten_len = 0; | |
20 unsigned paddingExtensionLen; | |
21 unsigned numCompressionMethods; | |
22 @@ -5128,6 +5132,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo | |
23 } | |
24 | |
25 if (sid) { | |
26 + requestingResume = PR_TRUE; | |
27 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits ); | |
28 | |
29 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID, | |
30 @@ -5246,8 +5251,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo | |
31 if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } | |
32 return SECFailure; /* count_cipher_suites has set error code. */ | |
33 } | |
34 + | |
35 + fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume || | |
36 + ss->version < sid->version); | |
37 + /* make room for SCSV */ | |
38 if (ss->ssl3.hs.sendingSCSV) { | |
39 - ++num_suites; /* make room for SCSV */ | |
40 + ++num_suites; | |
41 + } | |
42 + if (fallbackSCSV) { | |
43 + ++num_suites; | |
44 } | |
45 | |
46 /* count compression methods */ | |
47 @@ -5389,11 +5389,21 @@ ssl3_SendClientHello(sslSocket *ss, PRBo | |
48 if (rv != SECSuccess) { | |
49 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock);
} | |
50 return rv; /* err set by ssl3_AppendHandshake* */ | |
51 } | |
52 } | |
53 } | |
54 | |
55 + if (fallbackSCSV) { | |
56 + rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV, | |
57 + sizeof(ssl3CipherSuite)); | |
58 + if (rv != SECSuccess) { | |
59 + if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); } | |
60 + return rv; /* err set by ssl3_AppendHandshake* */ | |
61 + } | |
62 + actual_count++; | |
63 + } | |
64 + | |
65 /* if cards were removed or inserted between count_cipher_suites and | |
66 * generating our list, detect the error here rather than send it off to | |
67 * the server.. */ | |
68 if (actual_count != num_suites) { | |
69 @@ -8084,6 +8105,19 @@ ssl3_HandleClientHello(sslSocket *ss, SS | |
70 goto loser; /* malformed */ | |
71 } | |
72 | |
73 + /* If the ClientHello version is less than our maximum version, check for a | |
74 + * TLS_FALLBACK_SCSV and reject the connection if found. */ | |
75 + if (ss->vrange.max > ss->clientHelloVersion) { | |
76 + for (i = 0; i + 1 < suites.len; i += 2) { | |
77 + PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1]; | |
78 + if (suite_i != TLS_FALLBACK_SCSV) | |
79 + continue; | |
80 + desc = inappropriate_fallback; | |
81 + errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT; | |
82 + goto alert_loser; | |
83 + } | |
84 + } | |
85 + | |
86 /* grab the list of compression methods. */ | |
87 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length); | |
88 if (rv != SECSuccess) { | |
89 diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h | |
90 --- a/nss/lib/ssl/ssl3prot.h 2014-01-17 17:59:03.242109996 -0800 | |
91 +++ b/nss/lib/ssl/ssl3prot.h 2014-01-17 18:47:05.509804656 -0800 | |
92 @@ -98,6 +98,7 @@ typedef enum { | |
93 protocol_version = 70, | |
94 insufficient_security = 71, | |
95 internal_error = 80, | |
96 + inappropriate_fallback = 86, /* could also be sent for SSLv3 */ | |
97 user_canceled = 90, | |
98 no_renegotiation = 100, | |
99 | |
100 diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h | |
101 --- a/nss/lib/ssl/sslerr.h 2014-01-17 17:59:03.242109996 -0800 | |
102 +++ b/nss/lib/ssl/sslerr.h 2014-01-17 18:47:05.509804656 -0800 | |
103 @@ -196,6 +196,7 @@ SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM | |
104 SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129), | |
105 SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130), | |
106 SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131), | |
107 +SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT = (SSL_ERROR_BASE + 132), | |
108 | |
109 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ | |
110 } SSLErrorCodes; | |
111 diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h | |
112 --- a/nss/lib/ssl/SSLerrs.h 2014-01-17 17:59:03.242109996 -0800 | |
113 +++ b/nss/lib/ssl/SSLerrs.h 2014-01-17 18:47:05.509804656 -0800 | |
114 @@ -421,3 +421,8 @@ ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (S | |
115 | |
116 ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131), | |
117 "The application could not get a TLS Channel ID.") | |
118 + | |
119 +ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 132), | |
120 +"The connection was using a lesser TLS version as a result of a previous" | |
121 +" handshake failure, but the server indicated that it should not have been" | |
122 +" needed.") | |
123 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h | |
124 --- a/nss/lib/ssl/ssl.h 2014-01-17 18:46:51.999581198 -0800 | |
125 +++ b/nss/lib/ssl/ssl.h 2014-01-17 18:48:54.971613341 -0800 | |
126 @@ -183,6 +183,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF | |
127 | |
128 /* Request Signed Certificate Timestamps via TLS extension (client) */ | |
129 #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 27 | |
130 +#define SSL_ENABLE_FALLBACK_SCSV 28 /* Send fallback SCSV in | |
131 + * handshakes. */ | |
132 | |
133 #ifdef SSL_DEPRECATED_FUNCTION | |
134 /* Old deprecated function names */ | |
135 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h | |
136 --- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:46:51.999581198 -0800 | |
137 +++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:51:17.963962287 -0800 | |
138 @@ -338,6 +338,7 @@ typedef struct sslOptionsStr { | |
139 unsigned int enableNPN : 1; /* 26 */ | |
140 unsigned int enableALPN : 1; /* 27 */ | |
141 unsigned int enableSignedCertTimestamps : 1; /* 28 */ | |
142 + unsigned int enableFallbackSCSV : 1; /* 29 */ | |
143 } sslOptions; | |
144 | |
145 typedef enum { sslHandshakingUndetermined = 0, | |
146 diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h | |
147 --- a/nss/lib/ssl/sslproto.h 2014-01-17 18:10:16.793281867 -0800 | |
148 +++ b/nss/lib/ssl/sslproto.h 2014-01-17 18:47:05.509804656 -0800 | |
149 @@ -172,6 +172,11 @@ | |
150 */ | |
151 #define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF | |
152 | |
153 +/* TLS_FALLBACK_SCSV is a signaling cipher suite value that indicates that a | |
154 + * handshake is the result of TLS version fallback. This value is not IANA | |
155 + * assigned. */ | |
156 +#define TLS_FALLBACK_SCSV 0x5600 | |
157 + | |
158 /* Cipher Suite Values starting with 0xC000 are defined in informational | |
159 * RFCs. | |
160 */ | |
161 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c | |
162 --- a/nss/lib/ssl/sslsock.c 2014-01-17 18:46:52.009581364 -0800 | |
163 +++ b/nss/lib/ssl/sslsock.c 2014-01-17 18:59:17.931852364 -0800 | |
164 @@ -88,7 +88,8 @@ static sslOptions ssl_defaults = { | |
165 PR_FALSE, /* enableOCSPStapling */ | |
166 PR_TRUE, /* enableNPN */ | |
167 PR_FALSE, /* enableALPN */ | |
168 - PR_FALSE /* enableSignedCertTimestamps */ | |
169 + PR_FALSE, /* enableSignedCertTimestamps */ | |
170 + PR_FALSE /* enableFallbackSCSV */ | |
171 }; | |
172 | |
173 /* | |
174 @@ -792,6 +793,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh | |
175 ss->opt.enableSignedCertTimestamps = on; | |
176 break; | |
177 | |
178 + case SSL_ENABLE_FALLBACK_SCSV: | |
179 + ss->opt.enableFallbackSCSV = on; | |
180 + break; | |
181 + | |
182 default: | |
183 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
184 rv = SECFailure; | |
185 @@ -867,6 +872,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh | |
186 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
187 on = ss->opt.enableSignedCertTimestamps; | |
188 break; | |
189 + case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break; | |
190 | |
191 default: | |
192 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
193 @@ -933,6 +939,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo | |
194 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
195 on = ssl_defaults.enableSignedCertTimestamps; | |
196 break; | |
197 + case SSL_ENABLE_FALLBACK_SCSV: | |
198 + on = ssl_defaults.enableFallbackSCSV; | |
199 + break; | |
200 | |
201 default: | |
202 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
203 @@ -1112,6 +1121,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo | |
204 ssl_defaults.enableSignedCertTimestamps = on; | |
205 break; | |
206 | |
207 + case SSL_ENABLE_FALLBACK_SCSV: | |
208 + ssl_defaults.enableFallbackSCSV = on; | |
209 + break; | |
210 + | |
211 default: | |
212 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
213 return SECFailure; | |
OLD | NEW |