authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-06-06 10:54:20 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-06-06 10:54:20 +0000
commit3e1f77385a9feb89b0a52ecf5f6c50c5dbf38398 (patch)
treeaed66a39ddf993f29d0640eb4d451e24ef5f1f4b /net/third_party
parent976606b89a7262ac0ca34b8b0d988f844bf7a9b6 (diff)
Ignore out-of-order DTLS ChangeCipherSpec.
Apply Eric Rescorla's patch from upstream NSS: https://bugzilla.mozilla.org/show_bug.cgi?id=1009227 R=agl@chromium.org,ekr@rtfm.com BUG=369855 Review URL: https://codereview.chromium.org/319573002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@275389 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
-rw-r--r--net/third_party/nss/README.chromium4
-rw-r--r--net/third_party/nss/patches/ignorechangecipherspec.patch19
-rw-r--r--net/third_party/nss/ssl/ssl3con.c8
3 files changed, 31 insertions, 0 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index e9b7ee8..a1c5303 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -105,6 +105,10 @@ Patches:
intolerant to the final extension having zero length.
patches/reorderextensions.patch
+ * Ignore out-of-order DTLS ChangeCipherSpec.
+ patches/ignorechangecipherspec.patch
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1009227
+
Apply the patches to NSS by running the patches/applypatches.sh script. Read
the comments at the top of patches/applypatches.sh for instructions.
diff --git a/net/third_party/nss/patches/ignorechangecipherspec.patch b/net/third_party/nss/patches/ignorechangecipherspec.patch
new file mode 100644
index 0000000..b8e176d
--- /dev/null
+++ b/net/third_party/nss/patches/ignorechangecipherspec.patch
@@ -0,0 +1,19 @@
+Index: ssl/ssl3con.c
+===================================================================
+--- ssl/ssl3con.c (revision 274314)
++++ ssl/ssl3con.c (working copy)
+@@ -3621,6 +3621,14 @@
+ SSL_GETPID(), ss->fd));
+
+ if (ws != wait_change_cipher) {
++ if (IS_DTLS(ss)) {
++ /* Ignore this because it's out of order. */
++ SSL_TRC(3, ("%d: SSL3[%d]: discard out of order "
++ "DTLS change_cipher_spec",
++ SSL_GETPID(), ss->fd));
++ buf->len = 0;
++ return SECSuccess;
++ }
+ (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+ PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
+ return SECFailure;
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index e96ae8c..7ff7bea 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -3621,6 +3621,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
SSL_GETPID(), ss->fd));
if (ws != wait_change_cipher) {
+ if (IS_DTLS(ss)) {
+ /* Ignore this because it's out of order. */
+ SSL_TRC(3, ("%d: SSL3[%d]: discard out of order "
+ "DTLS change_cipher_spec",
+ SSL_GETPID(), ss->fd));
+ buf->len = 0;
+ return SECSuccess;
+ }
(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
return SECFailure;
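Review bot: The new `IS_DTLS(ss)` branch drops a ChangeCipherSpec in every state other than `wait_change_cipher`, and its one-line comment does not say why that is safe or that the stream-TLS path below must stay fatal. A fuller comment would help, for example `/* DTLS datagrams may be reordered or duplicated: drop a CCS we are not waiting for without touching handshake or cipher state; TLS must still fail with unexpected_message. */`. The discard returns SECSuccess and is reported only through `SSL_TRC` at level 3, so repeated unexpected CCS records leave nothing in normal logs; a counter or a higher-visibility trace may be worth considering for detection. The body of ssl3_HandleChangeCipherSpecs starts and ends outside the hunk, so the record validation that precedes this check is not visible here. The same lines are carried in patches/ignorechangecipherspec.patch.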