Bug 571797: NSS should not send the decryption_failed alert
authornelson%bolyard.com
Thu, 24 Jun 2010 09:24:18 +0000
changeset 9691 d775f608d41f4f1616b1e6ea57363a6e40ec6440
parent 9689 68a8072c421f19be028ca85507e7cb5e9ce5c4f2
child 9692 ae17f2c50385045f1dc41ba70dc87a5075779a2f
push idunknown
push userunknown
push dateunknown
bugs571797
Bug 571797: NSS should not send the decryption_failed alert Patch contributed by Brian Smith <brian@briansmith.org>, r=nelson
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3prot.h
security/nss/lib/ssl/sslerr.h
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -2610,17 +2610,18 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe
         SSL_GETPID(), ss->fd, level, desc));
 
     switch (desc) {
     case close_notify:		ss->recvdCloseNotify = 1;
 		        	error = SSL_ERROR_CLOSE_NOTIFY_ALERT;     break;
     case unexpected_message: 	error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
 									  break;
     case bad_record_mac: 	error = SSL_ERROR_BAD_MAC_ALERT; 	  break;
-    case decryption_failed: 	error = SSL_ERROR_DECRYPTION_FAILED_ALERT; 
+    case decryption_failed_RESERVED:
+                                error = SSL_ERROR_DECRYPTION_FAILED_ALERT; 
     									  break;
     case record_overflow: 	error = SSL_ERROR_RECORD_OVERFLOW_ALERT;  break;
     case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
 									  break;
     case handshake_failure: 	error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
 			        					  break;
     case no_certificate: 	error = SSL_ERROR_NO_CERTIFICATE;	  break;
     case bad_certificate: 	error = SSL_ERROR_BAD_CERT_ALERT; 	  break;
@@ -8873,22 +8874,20 @@ const ssl3BulkCipherDef *cipher_def;
 
     /* decrypt from cText buf to plaintext. */
     rv = crSpec->decode(
 	crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
 	plaintext->space, cText->buf->buf, cText->buf->len);
 
     PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
     if (rv != SECSuccess) {
-	int err = ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE);
-	ssl_ReleaseSpecReadLock(ss);
-	SSL3_SendAlert(ss, alert_fatal,
-	               isTLS ? decryption_failed : bad_record_mac);
-	PORT_SetError(err);
-	return SECFailure;
+        /* All decryption failures must be treated like a bad record
+         * MAC; see RFC 5246 (TLS 1.2). 
+         */
+        padIsBad = PR_TRUE;
     }
 
     /* If it's a block cipher, check and strip the padding. */
     if (cipher_def->type == type_block) {
         PRUint8 * pPaddingLen = plaintext->buf + plaintext->len - 1;
 	padding_length = *pPaddingLen;
 	/* TLS permits padding to exceed the block size, up to 255 bytes. */
 	if (padding_length + 1 + crSpec->mac_size > plaintext->len)
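Review bot: After a failed `crSpec->decode`, execution now falls through to the block-cipher padding read, which dereferences `plaintext->buf + plaintext->len - 1` before any length check. The old code returned before reaching that line. What `plaintext->len` holds after a failed decode is not visible in this hunk, and if it can be 0 the read lands one byte before the buffer. Consider guarding the read, e.g. `if (plaintext->len == 0) padIsBad = PR_TRUE; else padding_length = plaintext->buf[plaintext->len - 1];`, or setting a known length in the failure branch. The new comment could also state the reason behind the RFC reference: distinct alerts for decryption and MAC failures let a peer tell the two cases apart. The enclosing function starts and ends outside the hunk.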
@@ -8912,21 +8911,17 @@ const ssl3BulkCipherDef *cipher_def;
     	padIsBad = PR_TRUE;	/* really macIsBad */
 
     /* compute the MAC */
     rType = cText->type;
     rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer),
 	rType, cText->version, crSpec->read_seq_num, 
 	plaintext->buf, plaintext->len, hash, &hashBytes);
     if (rv != SECSuccess) {
-	int err = ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
-	ssl_ReleaseSpecReadLock(ss);
-	SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
-	PORT_SetError(err);
-	return rv;
+        padIsBad = PR_TRUE;     /* really macIsBad */
     }
 
     /* Check the MAC */
     if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || 
 	NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash,
 	                 crSpec->mac_size) != 0) {
 	/* must not hold spec lock when calling SSL3_SendAlert. */
 	ssl_ReleaseSpecReadLock(ss);
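Review bot: When `ssl3_ComputeRecordMAC` fails, the MAC check that follows still evaluates `hashBytes != (unsigned)crSpec->mac_size` before `padIsBad`, and whether `hashBytes` has a defined value on that path is not visible in the hunk. The result is the same because `padIsBad` is set, but making the value explicit would be safer, e.g. `hashBytes = 0;` next to `padIsBad = PR_TRUE;`. The local error SSL_ERROR_MAC_COMPUTATION_FAILURE is also no longer set here, so an internal computation failure will presumably look the same as a tampered record to the caller. The `/* really macIsBad */` comment should say that this is deliberate. The enclosing function continues outside the hunk.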
--- a/security/nss/lib/ssl/ssl3prot.h
+++ b/security/nss/lib/ssl/ssl3prot.h
@@ -103,17 +103,17 @@ typedef struct {
 } SSL3ChangeCipherSpec;
 
 typedef enum { alert_warning = 1, alert_fatal = 2 } SSL3AlertLevel;
 
 typedef enum {
     close_notify            = 0,
     unexpected_message      = 10,
     bad_record_mac          = 20,
-    decryption_failed       = 21,	/* TLS only */
+    decryption_failed_RESERVED = 21,	/* do not send; see RFC 5246 */
     record_overflow         = 22,	/* TLS only */
     decompression_failure   = 30,
     handshake_failure       = 40,
     no_certificate          = 41,	/* SSL3 only, NOT TLS */
     bad_certificate         = 42,
     unsupported_certificate = 43,
     certificate_revoked     = 44,
     certificate_expired     = 45,
--- a/security/nss/lib/ssl/sslerr.h
+++ b/security/nss/lib/ssl/sslerr.h
@@ -144,17 +144,17 @@ SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT 	= (
 
 SSL_ERROR_GENERATE_RANDOM_FAILURE	= (SSL_ERROR_BASE + 65),
 SSL_ERROR_SIGN_HASHES_FAILURE		= (SSL_ERROR_BASE + 66),
 SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE	= (SSL_ERROR_BASE + 67),
 SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 68),
 SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 69),
 
 SSL_ERROR_ENCRYPTION_FAILURE		= (SSL_ERROR_BASE + 70),
-SSL_ERROR_DECRYPTION_FAILURE		= (SSL_ERROR_BASE + 71),
+SSL_ERROR_DECRYPTION_FAILURE		= (SSL_ERROR_BASE + 71), /* don't use */
 SSL_ERROR_SOCKET_WRITE_FAILURE		= (SSL_ERROR_BASE + 72),
 
 SSL_ERROR_MD5_DIGEST_FAILURE		= (SSL_ERROR_BASE + 73),
 SSL_ERROR_SHA_DIGEST_FAILURE		= (SSL_ERROR_BASE + 74),
 SSL_ERROR_MAC_COMPUTATION_FAILURE	= (SSL_ERROR_BASE + 75),
 SSL_ERROR_SYM_KEY_CONTEXT_FAILURE	= (SSL_ERROR_BASE + 76),
 SSL_ERROR_SYM_KEY_UNWRAP_FAILURE	= (SSL_ERROR_BASE + 77),
 SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED	= (SSL_ERROR_BASE + 78),
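Review bot: The `/* don't use */` comment on SSL_ERROR_DECRYPTION_FAILURE gives no reason and names no replacement, so a later maintainer cannot tell whether the code is dead or merely discouraged. Something like `/* obsolete: decryption failures are now reported as a bad record MAC */` would carry the intent. If the value is kept only so the numbering of later codes stays stable, say that as well.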