diff options
author | Thomas Deutschmann <whissi@gentoo.org> | 2020-10-26 16:02:52 +0100 |
---|---|---|
committer | Thomas Deutschmann <whissi@gentoo.org> | 2020-10-26 16:02:52 +0100 |
commit | 2ea1657afa9edafc6f25a30e79dc76e377ab2d4c (patch) | |
tree | 2965caf0f125e6807ed8ccb4015121c165fc8ab0 /dev-libs/nss/files | |
parent | net-im/signal-desktop-bin: remove old version (diff) | |
download | gentoo-2ea1657afa9edafc6f25a30e79dc76e377ab2d4c.tar.gz gentoo-2ea1657afa9edafc6f25a30e79dc76e377ab2d4c.tar.bz2 gentoo-2ea1657afa9edafc6f25a30e79dc76e377ab2d4c.zip |
dev-libs/nss: update patch to what upstream merged
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Diffstat (limited to 'dev-libs/nss/files')
-rw-r--r-- | dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch | 107 |
1 files changed, 98 insertions, 9 deletions
diff --git a/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch b/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch index f68b65c119c9..a92c03899360 100644 --- a/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch +++ b/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch @@ -1,8 +1,32 @@ -https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 + +# HG changeset patch +# User Daiki Ueno <dueno@redhat.com> +# Date 1603691171 -3600 +# Node ID b03a4fc5b902498414b02640dcb2717dfef9682f +# Parent 6f79a76958129dc09c353c288f115fd9a51ab7d4 +Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt + +Summary: +This flips the meaning of the flag for checking excessive CCS +messages, so it only rejects multiple CCS messages while the first CCS +message is always accepted. + +Reviewers: mt + +Reviewed By: mt + +Bug #: 1672703 + +Differential Revision: https://phabricator.services.mozilla.com/D94603 --- a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc +++ b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc -@@ -348,8 +348,8 @@ +@@ -343,29 +343,28 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph + // Client sends CCS before starting the handshake. + client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); + client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); + ConnectExpectAlert(server_, kTlsAlertUnexpectedMessage); + server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER); client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); } @@ -13,7 +37,8 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) { EnsureTlsSetup(); ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); -@@ -358,9 +358,8 @@ + + StartConnect(); client_->Handshake(); // Send ClientHello client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS @@ -25,7 +50,17 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 } // The server rejects multiple ChangeCipherSpec even if the client -@@ -381,7 +380,7 @@ + // indicates compatibility mode with non-empty session ID. + TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) { + EnsureTlsSetup(); + ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); + EnableCompatMode(); +@@ -376,36 +375,37 @@ TEST_F(Tls13CompatTest, ChangeCipherSpec + client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); + client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); + + server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); + server_->Handshake(); // Consume ClientHello and CCS. server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); } @@ -34,7 +69,16 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 // session ID. TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) { EnsureTlsSetup(); -@@ -398,9 +397,10 @@ + ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); + + // To replace Finished with a CCS below + auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); + filter->SetHandshakeTypes({kTlsHandshakeFinished}); + filter->EnableDecryption(); + + StartConnect(); + client_->Handshake(); // Send ClientHello + server_->Handshake(); // Consume ClientHello, and // send ServerHello..CertificateVerify // Send CCS server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); @@ -48,9 +92,19 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 } // The client rejects multiple ChangeCipherSpec in a row even if the + // client indicates compatibility mode with non-empty session ID. + TEST_F(Tls13CompatTest, ChangeCipherSpecAfterServerHelloTwice) { + EnsureTlsSetup(); + ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); + EnableCompatMode(); --- a/lib/ssl/ssl3con.c +++ b/lib/ssl/ssl3con.c -@@ -6645,11 +6645,7 @@ +@@ -6640,21 +6640,17 @@ ssl_CheckServerSessionIdCorrectness(sslS + if (sentFakeSid) { + return !sidMatch; + } + return PR_TRUE; + } /* TLS 1.3: We sent a session ID. The server's should match. */ if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) { @@ -63,7 +117,17 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 } /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */ -@@ -8696,7 +8692,6 @@ + return sidBytes->len == 0; + } + + static SECStatus + ssl_CheckServerRandom(sslSocket *ss) +@@ -8691,17 +8687,16 @@ ssl3_HandleClientHello(sslSocket *ss, PR + if (sidBytes.len > 0 && !IS_DTLS(ss)) { + SECITEM_FreeItem(&ss->ssl3.hs.fakeSid, PR_FALSE); + rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.fakeSid, &sidBytes); + if (rv != SECSuccess) { + desc = internal_error; errCode = PORT_GetError(); goto alert_loser; } @@ -71,7 +135,17 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 } /* TLS 1.3 requires that compression include only null. */ -@@ -13066,15 +13061,14 @@ + if (comps.len != 1 || comps.data[0] != ssl_compression_null) { + goto alert_loser; + } + + /* If there is a cookie, then this is a second ClientHello (TLS 1.3). */ +@@ -13061,25 +13056,24 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip + * will fail if the server fails to negotiate compatibility mode in a + * 0-RTT session that is resumed from a session that did negotiate it. + * We don't care about that corner case right now. */ + if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 && + cText->hdr[0] == ssl_ct_change_cipher_spec && ss->ssl3.hs.ws != idle_handshake && cText->buf->len == 1 && cText->buf->buf[0] == change_cipher_spec_choice) { @@ -94,9 +168,19 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 } if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) || + (!IS_DTLS(ss) && ss->sec.isServer && + ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_trial)) { + /* Silently drop the packet unless we sent a fatal alert. */ + if (ss->ssl3.fatalAlertSent) { + return SECFailure; --- a/lib/ssl/sslimpl.h +++ b/lib/ssl/sslimpl.h -@@ -710,10 +710,7 @@ +@@ -705,20 +705,17 @@ typedef struct SSL3HandshakeStateStr { + sslZeroRttIgnore zeroRttIgnore; /* Are we ignoring 0-RTT? */ + ssl3CipherSuite zeroRttSuite; /* The cipher suite we used for 0-RTT. */ + PRCList bufferedEarlyData; /* Buffered TLS 1.3 early data + * on server.*/ + PRBool helloRetry; /* True if HelloRetryRequest has been sent * or received. */ PRBool receivedCcs; /* A server received ChangeCipherSpec * before the handshake started. */ @@ -108,4 +192,9 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 PRBool clientCertRequested; /* True if CertificateRequest received. */ PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */ ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def + * we use for TLS 1.3 */ + PRUint16 ticketNonce; /* A counter we use for tickets. */ + SECItem fakeSid; /* ... (server) the SID the client used. */ + + /* rttEstimate is used to guess the round trip time between server and client. |