From a79c4fc17f39242945d156bd886ed7e9c406b8ad Mon Sep 17 00:00:00 2001 From: tb <> Date: Sat, 20 Mar 2021 08:12:53 +0000 Subject: Add new test-tls13-multiple-ccs-messages.py This is a test that checks for NSS's CCS flood DoS CVE-2020-25648. The test script currently fails on LibreSSL and OpenSSL 1.1.1j because it sends invalid records with version 0x0300 instead of 0x0303. We have the ccs_seen logic corresponding to NSS's fix: https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361 but we do allow up to two CCS due to an interop issue with Fizz, so at least one of the tests will likey be broken once the record version is fixed. --- src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py index 9053ec71ef..0a5bc0a870 100644 --- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py +++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py @@ -1,4 +1,4 @@ -# $OpenBSD: tlsfuzzer.py,v 1.22 2021/01/27 20:16:58 tb Exp $ +# $OpenBSD: tlsfuzzer.py,v 1.23 2021/03/20 08:12:53 tb Exp $ # # Copyright (c) 2020 Theo Buehler # @@ -243,6 +243,13 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [ '-e', 'x448 - right-truncated key_share', ]), + # The test sends records with protocol version 0x0300 instead of 0x0303 + # and currently fails with OpenSSL and LibreSSL for theis reason. + # We have the logic corresponding to NSS's fix for CVE-2020-25648 + # https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361 + # so should not be affected by this issue. + Test("test-tls13-multiple-ccs-messages.py"), + # https://github.com/openssl/openssl/issues/8369 Test("test-tls13-obsolete-curves.py"), -- cgit v1.2.3-55-g6feb