Issue #1338 - Part 2: Update NSS to 3.48-RTM

1 files changed, 36 insertions, 0 deletions

diff --git a/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
index f1e85e898..86783b86e 100644
--- a/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
@@ -205,6 +205,42 @@ TEST_F(TlsConnectDatagram13, ShortHeadersServer) {
   SendReceive();
 }
 
+TEST_F(TlsConnectStreamTls13, UnencryptedFinishedMessage) {
+  StartConnect();
+  client_->Handshake();  // Send ClientHello
+  server_->Handshake();  // Send first server flight
+
+  // Record and drop the first record, which is the Finished.
+  auto recorder = std::make_shared<TlsRecordRecorder>(client_);
+  recorder->EnableDecryption();
+  auto dropper = std::make_shared<SelectiveDropFilter>(1);
+  client_->SetFilter(std::make_shared<ChainedPacketFilter>(
+      ChainedPacketFilterInit({recorder, dropper})));
+  client_->Handshake();  // Save and drop CFIN.
+  EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
+
+  ASSERT_EQ(1U, recorder->count());
+  auto& finished = recorder->record(0);
+
+  DataBuffer d;
+  size_t offset = d.Write(0, ssl_ct_handshake, 1);
+  offset = d.Write(offset, SSL_LIBRARY_VERSION_TLS_1_2, 2);
+  offset = d.Write(offset, finished.buffer.len(), 2);
+  d.Append(finished.buffer);
+  client_->SendDirect(d);
+
+  // Now process the message.
+  ExpectAlert(server_, kTlsAlertUnexpectedMessage);
+  // The server should generate an alert.
+  server_->Handshake();
+  EXPECT_EQ(TlsAgent::STATE_ERROR, server_->state());
+  server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
+  // Have the client consume the alert.
+  client_->Handshake();
+  EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state());
+  client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
+}
+
 const static size_t kContentSizesArr[] = {
     1, kMacSize - 1, kMacSize, 30, 31, 32, 36, 256, 257, 287, 288};