| blob | 005132c59e6b18374fc84dbf3ddb7b2e31562a2e |
1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
2 --- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:46:51.999581198 -0800
3 +++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:47:05.509804656 -0800
4 @@ -3473,6 +3473,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe
5 case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
6 break;
7 case illegal_parameter: error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
8 + case inappropriate_fallback:
9 + error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
10 + break;
12 /* All alerts below are TLS only. */
13 case unknown_ca: error = SSL_ERROR_UNKNOWN_CA_ALERT; break;
14 @@ -4986,6 +4989,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
15 int num_suites;
16 int actual_count = 0;
17 PRBool isTLS = PR_FALSE;
18 + PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE;
19 PRInt32 total_exten_len = 0;
20 unsigned paddingExtensionLen;
21 unsigned numCompressionMethods;
22 @@ -5128,6 +5132,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
23 }
25 if (sid) {
26 + requestingResume = PR_TRUE;
27 SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
29 PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
30 @@ -5246,8 +5251,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
31 if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
32 return SECFailure; /* count_cipher_suites has set error code. */
33 }
34 +
35 + fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume ||
36 + ss->version < sid->version);
37 + /* make room for SCSV */
38 if (ss->ssl3.hs.sendingSCSV) {
39 - ++num_suites; /* make room for SCSV */
40 + ++num_suites;
41 + }
42 + if (fallbackSCSV) {
43 + ++num_suites;
44 }
46 /* count compression methods */
47 @@ -5353,6 +5365,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
48 }
49 actual_count++;
50 }
51 + if (fallbackSCSV) {
52 + rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
53 + sizeof(ssl3CipherSuite));
54 + if (rv != SECSuccess) {
55 + if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
56 + return rv; /* err set by ssl3_AppendHandshake* */
57 + }
58 + actual_count++;
59 + }
60 for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
61 ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
62 if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
63 @@ -8084,6 +8105,19 @@ ssl3_HandleClientHello(sslSocket *ss, SS
64 goto loser; /* malformed */
65 }
67 + /* If the ClientHello version is less than our maximum version, check for a
68 + * TLS_FALLBACK_SCSV and reject the connection if found. */
69 + if (ss->vrange.max > ss->clientHelloVersion) {
70 + for (i = 0; i + 1 < suites.len; i += 2) {
71 + PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
72 + if (suite_i != TLS_FALLBACK_SCSV)
73 + continue;
74 + desc = inappropriate_fallback;
75 + errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
76 + goto alert_loser;
77 + }
78 + }
79 +
80 /* grab the list of compression methods. */
81 rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
82 if (rv != SECSuccess) {
83 diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
84 --- a/nss/lib/ssl/ssl3prot.h 2014-01-17 17:59:03.242109996 -0800
85 +++ b/nss/lib/ssl/ssl3prot.h 2014-01-17 18:47:05.509804656 -0800
86 @@ -98,6 +98,7 @@ typedef enum {
87 protocol_version = 70,
88 insufficient_security = 71,
89 internal_error = 80,
90 + inappropriate_fallback = 86, /* could also be sent for SSLv3 */
91 user_canceled = 90,
92 no_renegotiation = 100,
94 diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
95 --- a/nss/lib/ssl/sslerr.h 2014-01-17 17:59:03.242109996 -0800
96 +++ b/nss/lib/ssl/sslerr.h 2014-01-17 18:47:05.509804656 -0800
97 @@ -196,6 +196,7 @@ SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM
98 SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129),
99 SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130),
100 SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131),
101 +SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT = (SSL_ERROR_BASE + 132),
103 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
104 } SSLErrorCodes;
105 diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
106 --- a/nss/lib/ssl/SSLerrs.h 2014-01-17 17:59:03.242109996 -0800
107 +++ b/nss/lib/ssl/SSLerrs.h 2014-01-17 18:47:05.509804656 -0800
108 @@ -421,3 +421,8 @@ ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (S
110 ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131),
111 "The application could not get a TLS Channel ID.")
112 +
113 +ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 132),
114 +"The connection was using a lesser TLS version as a result of a previous"
115 +" handshake failure, but the server indicated that it should not have been"
116 +" needed.")
117 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
118 --- a/nss/lib/ssl/ssl.h 2014-01-17 18:46:51.999581198 -0800
119 +++ b/nss/lib/ssl/ssl.h 2014-01-17 18:48:54.971613341 -0800
120 @@ -183,6 +183,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
122 /* Request Signed Certificate Timestamps via TLS extension (client) */
123 #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 27
124 +#define SSL_ENABLE_FALLBACK_SCSV 28 /* Send fallback SCSV in
125 + * handshakes. */
127 #ifdef SSL_DEPRECATED_FUNCTION
128 /* Old deprecated function names */
129 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
130 --- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:46:51.999581198 -0800
131 +++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:51:17.963962287 -0800
132 @@ -338,6 +338,7 @@ typedef struct sslOptionsStr {
133 unsigned int enableNPN : 1; /* 26 */
134 unsigned int enableALPN : 1; /* 27 */
135 unsigned int enableSignedCertTimestamps : 1; /* 28 */
136 + unsigned int enableFallbackSCSV : 1; /* 29 */
137 } sslOptions;
139 typedef enum { sslHandshakingUndetermined = 0,
140 diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
141 --- a/nss/lib/ssl/sslproto.h 2014-01-17 18:10:16.793281867 -0800
142 +++ b/nss/lib/ssl/sslproto.h 2014-01-17 18:47:05.509804656 -0800
143 @@ -172,6 +172,11 @@
144 */
145 #define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF
147 +/* TLS_FALLBACK_SCSV is a signaling cipher suite value that indicates that a
148 + * handshake is the result of TLS version fallback. This value is not IANA
149 + * assigned. */
150 +#define TLS_FALLBACK_SCSV 0x5600
151 +
152 /* Cipher Suite Values starting with 0xC000 are defined in informational
153 * RFCs.
154 */
155 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
156 --- a/nss/lib/ssl/sslsock.c 2014-01-17 18:46:52.009581364 -0800
157 +++ b/nss/lib/ssl/sslsock.c 2014-01-17 18:59:17.931852364 -0800
158 @@ -88,7 +88,8 @@ static sslOptions ssl_defaults = {
159 PR_FALSE, /* enableOCSPStapling */
160 PR_TRUE, /* enableNPN */
161 PR_FALSE, /* enableALPN */
162 - PR_FALSE /* enableSignedCertTimestamps */
163 + PR_FALSE, /* enableSignedCertTimestamps */
164 + PR_FALSE /* enableFallbackSCSV */
165 };
167 /*
168 @@ -792,6 +793,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
169 ss->opt.enableSignedCertTimestamps = on;
170 break;
172 + case SSL_ENABLE_FALLBACK_SCSV:
173 + ss->opt.enableFallbackSCSV = on;
174 + break;
175 +
176 default:
177 PORT_SetError(SEC_ERROR_INVALID_ARGS);
178 rv = SECFailure;
179 @@ -867,6 +872,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
180 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
181 on = ss->opt.enableSignedCertTimestamps;
182 break;
183 + case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break;
185 default:
186 PORT_SetError(SEC_ERROR_INVALID_ARGS);
187 @@ -933,6 +939,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
188 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
189 on = ssl_defaults.enableSignedCertTimestamps;
190 break;
191 + case SSL_ENABLE_FALLBACK_SCSV:
192 + on = ssl_defaults.enableFallbackSCSV;
193 + break;
195 default:
196 PORT_SetError(SEC_ERROR_INVALID_ARGS);
197 @@ -1112,6 +1121,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
198 ssl_defaults.enableSignedCertTimestamps = on;
199 break;
201 + case SSL_ENABLE_FALLBACK_SCSV:
202 + ssl_defaults.enableFallbackSCSV = on;
203 + break;
204 +
205 default:
206 PORT_SetError(SEC_ERROR_INVALID_ARGS);
207 return SECFailure;