[arch-commits] Commit in lib32-nss/trunk (2 files)
Jan Steffens
heftig at archlinux.org
Mon Nov 2 15:41:23 UTC 2020
Date: Monday, November 2, 2020 @ 15:41:22
Author: heftig
Revision: 739891
3.58-2: FS#68357
Added:
lib32-nss/trunk/0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch
Modified:
lib32-nss/trunk/PKGBUILD
-----------------------------------------------------------------+
0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch | 159 ++++++++++
PKGBUILD | 11
2 files changed, 167 insertions(+), 3 deletions(-)
Added: 0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch
===================================================================
--- 0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch (rev 0)
+++ 0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch 2020-11-02 15:41:22 UTC (rev 739891)
@@ -0,0 +1,159 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno at redhat.com>
+Date: Mon, 26 Oct 2020 06:46:11 +0100
+Subject: [PATCH] Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt
+
+Summary:
+This flips the meaning of the flag for checking excessive CCS
+messages, so it only rejects multiple CCS messages while the first CCS
+message is always accepted.
+
+Reviewers: mt
+
+Reviewed By: mt
+
+Bug #: 1672703
+
+Differential Revision: https://phabricator.services.mozilla.com/D94603
+---
+ gtests/ssl_gtest/ssl_tls13compat_unittest.cc | 18 +++++++++---------
+ lib/ssl/ssl3con.c | 20 +++++++-------------
+ lib/ssl/sslimpl.h | 5 +----
+ 3 files changed, 17 insertions(+), 26 deletions(-)
+
+diff --git a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
+index dcede798cc..645f84ff02 100644
+--- a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
++++ b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
+@@ -348,59 +348,59 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHelloTwice) {
+ client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
+ }
+
+-// The server rejects a ChangeCipherSpec if the client advertises an
+-// empty session ID.
++// The server accepts a ChangeCipherSpec even if the client advertises
++// an empty session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
+ EnsureTlsSetup();
+ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS
+
+- server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+- server_->Handshake(); // Consume ClientHello and CCS
+- server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++ Handshake();
++ CheckConnected();
+ }
+
+ // The server rejects multiple ChangeCipherSpec even if the client
+ // indicates compatibility mode with non-empty session ID.
+ TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) {
+ EnsureTlsSetup();
+ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+ EnableCompatMode();
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+ // Send CCS twice in a row
+ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+
+ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+ server_->Handshake(); // Consume ClientHello and CCS.
+ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+ }
+
+-// The client rejects a ChangeCipherSpec if it advertises an empty
++// The client accepts a ChangeCipherSpec even if it advertises an empty
+ // session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
+ EnsureTlsSetup();
+ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+
+ // To replace Finished with a CCS below
+ auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_);
+ filter->SetHandshakeTypes({kTlsHandshakeFinished});
+ filter->EnableDecryption();
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+ server_->Handshake(); // Consume ClientHello, and
+ // send ServerHello..CertificateVerify
+ // Send CCS
+ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+- client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+- client_->Handshake(); // Consume ClientHello and CCS
+- client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++
++ // No alert is sent from the client. As Finished is dropped, we
++ // can't use Handshake() and CheckConnected().
++ client_->Handshake();
+ }
+
+ // The client rejects multiple ChangeCipherSpec in a row even if the
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+index 767ffc30f1..b652dcea34 100644
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -6645,11 +6645,7 @@ ssl_CheckServerSessionIdCorrectness(sslSocket *ss, SECItem *sidBytes)
+
+ /* TLS 1.3: We sent a session ID. The server's should match. */
+ if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
+- if (sidMatch) {
+- ss->ssl3.hs.allowCcs = PR_TRUE;
+- return PR_TRUE;
+- }
+- return PR_FALSE;
++ return sidMatch;
+ }
+
+ /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
+@@ -8696,7 +8692,6 @@ ssl3_HandleClientHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
+ errCode = PORT_GetError();
+ goto alert_loser;
+ }
+- ss->ssl3.hs.allowCcs = PR_TRUE;
+ }
+
+ /* TLS 1.3 requires that compression include only null. */
+@@ -13066,15 +13061,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
+ ss->ssl3.hs.ws != idle_handshake &&
+ cText->buf->len == 1 &&
+ cText->buf->buf[0] == change_cipher_spec_choice) {
+- if (ss->ssl3.hs.allowCcs) {
+- /* Ignore the first CCS. */
+- ss->ssl3.hs.allowCcs = PR_FALSE;
++ if (!ss->ssl3.hs.rejectCcs) {
++ /* Allow only the first CCS. */
++ ss->ssl3.hs.rejectCcs = PR_TRUE;
+ return SECSuccess;
++ } else {
++ alert = unexpected_message;
++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+ }
+-
+- /* Compatibility mode is not negotiated. */
+- alert = unexpected_message;
+- PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+ }
+
+ if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
+diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
+index 44c43a0e6c..35d0c2d6bc 100644
+--- a/lib/ssl/sslimpl.h
++++ b/lib/ssl/sslimpl.h
+@@ -710,10 +710,7 @@ typedef struct SSL3HandshakeStateStr {
+ * or received. */
+ PRBool receivedCcs; /* A server received ChangeCipherSpec
+ * before the handshake started. */
+- PRBool allowCcs; /* A server allows ChangeCipherSpec
+- * as the middlebox compatibility mode
+- * is explicitly indicarted by
+- * legacy_session_id in TLS 1.3 ClientHello. */
++ PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */
+ PRBool clientCertRequested; /* True if CertificateRequest received. */
+ PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */
+ ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-11-02 15:40:17 UTC (rev 739890)
+++ PKGBUILD 2020-11-02 15:41:22 UTC (rev 739891)
@@ -5,7 +5,7 @@
pkgname=lib32-nss
pkgver=3.58
-pkgrel=1
+pkgrel=2
pkgdesc="Network Security Services (32-bit)"
url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
arch=(x86_64)
@@ -13,15 +13,20 @@
depends=(lib32-nspr lib32-sqlite lib32-zlib 'lib32-p11-kit>=0.23.19')
makedepends=(perl python gyp)
source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
+ 0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch
no-plt.diff)
sha256sums=('9f73cf789b5f109b978e5239551b609b0cafa88d18f0bc8ce3f976cb629353c0'
+ '62ec84bbd366f8431b70430082306f78a4f8510c301f14494391d1fd3a173f4a'
'ea8e1b871c0f1dd29cdea1b1a2e7f47bf4713e2ae7b947ec832dba7dfcc67daa')
prepare() {
- cd nss-$pkgver
+ cd nss-$pkgver/nss
+ # https://bugs.archlinux.org/task/68357
+ patch -Np1 -i "$srcdir/0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch"
+
# https://bugzilla.mozilla.org/show_bug.cgi?id=1382942
- patch -Np2 -i ../no-plt.diff
+ patch -Np3 -i "$srcdir/no-plt.diff"
}
build() {
More information about the arch-commits
mailing list