author | 2021-03-20 08:12:53 +0000 | |
---|---|---|
committer | 2021-03-20 08:12:53 +0000 | |
commit | bb0ca7986b24fc01ca950482a42857514f70683c (patch) | |
tree | 44cca1ec993785c708811c907f7adb905600b129 /regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | |
parent | use m_dup_pkthdr in ip_fragment to copy pkthdr info to fragments. (diff) | |
Add new test-tls13-multiple-ccs-messages.py
This is a test that checks for NSS's CCS flood DoS CVE-2020-25648.
The test script currently fails on LibreSSL and OpenSSL 1.1.1j because
it sends invalid records with version 0x0300 instead of 0x0303.
We have the ccs_seen logic corresponding to NSS's fix:
https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361
but we do allow up to two CCS due to an interop issue with Fizz, so
at least one of the tests will likely be broken once the record version
is fixed.
Diffstat (limited to 'regress/lib/libssl/tlsfuzzer/tlsfuzzer.py')
-rw-r--r-- | regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
index 9053ec71ef8..0a5bc0a870f 100644
--- a/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ b/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
-# $OpenBSD: tlsfuzzer.py,v 1.22 2021/01/27 20:16:58 tb Exp $
+# $OpenBSD: tlsfuzzer.py,v 1.23 2021/03/20 08:12:53 tb Exp $
 #
 # Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 #
@@ -243,6 +243,13 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
 '-e', 'x448 - right-truncated key_share',
 ]),
+ # The test sends records with protocol version 0x0300 instead of 0x0303
+ # and currently fails with OpenSSL and LibreSSL for theis reason.
+ # We have the logic corresponding to NSS's fix for CVE-2020-25648
+ # https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361
+ # so should not be affected by this issue.
+ Test("test-tls13-multiple-ccs-messages.py"),
+
 # https://github.com/openssl/openssl/issues/8369
 Test("test-tls13-obsolete-curves.py"), |
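Review bot: The comment added above `Test("test-tls13-multiple-ccs-messages.py")` says LibreSSL "should not be affected" by CVE-2020-25648, but with the script in `tls13_failing_tests` nothing in this suite verifies the CCS limit. Going by the commit message, the script apparently fails on the 0x0300 record version before the CCS handling is reached. The commit message also says up to two CCS are accepted for Fizz interop, so some sub-tests are expected to fail even after the script is fixed, and that caveat is missing from the in-code comment. I would add something like `# We accept up to two CCS (Fizz interop), so some sub-tests may need '-e' exclusions once the record version is fixed; until then the CCS limit is not covered here.` and fix the typo `theis` -> `this`. The `TestGroup` list starts and ends outside this hunk.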