diff options
| author |   Thomas Deutschmann <whissi@gentoo.org> | 2020-10-23 18:19:06 +0200 |
|---|---|---|
| committer | Thomas Deutschmann <whissi@gentoo.org> | 2020-10-23 18:19:06 +0200 |
| commit | 0b684bfbdff41cbaab1a6c1969c931a1670395d7 (patch) | |
| tree | 3b7391d1c8437aab5a4ae84e237c38367128748e /dev-libs | |
| parent | profiles: Mask media-libs/webvfx, media-video/shotcut for removal (diff) | |
| download | gentoo-0b684bfbdff41cbaab1a6c1969c931a1670395d7.tar.gz gentoo-0b684bfbdff41cbaab1a6c1969c931a1670395d7.tar.bz2 gentoo-0b684bfbdff41cbaab1a6c1969c931a1670395d7.zip | |
dev-libs/nss: always tolerate the first CCS in TLS 1.3
Bug: https://bugs.gentoo.org/750746
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Diffstat (limited to 'dev-libs')
| -rw-r--r-- | dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch | 111 | ||||
| -rw-r--r-- | dev-libs/nss/nss-3.58-r1.ebuild (renamed from dev-libs/nss/nss-3.58.ebuild) | 1 |
2 files changed, 112 insertions, 0 deletions
diff --git a/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch b/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch new file mode 100644 index 000000000000..f68b65c119c9 --- /dev/null +++ b/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch @@ -0,0 +1,111 @@ +https://bugzilla.mozilla.org/show_bug.cgi?id=1672703 + +--- a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc ++++ b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc +@@ -348,8 +348,8 @@ + client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); + } + +-// The server rejects a ChangeCipherSpec if the client advertises an +-// empty session ID. ++// The server accepts a ChangeCipherSpec even if the client advertises ++// an empty session ID. + TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) { + EnsureTlsSetup(); + ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); +@@ -358,9 +358,8 @@ + client_->Handshake(); // Send ClientHello + client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS + +- server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); +- server_->Handshake(); // Consume ClientHello and CCS +- server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++ Handshake(); ++ CheckConnected(); + } + + // The server rejects multiple ChangeCipherSpec even if the client +@@ -381,7 +380,7 @@ + server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); + } + +-// The client rejects a ChangeCipherSpec if it advertises an empty ++// The client accepts a ChangeCipherSpec even if it advertises an empty + // session ID. + TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) { + EnsureTlsSetup(); +@@ -398,9 +397,10 @@ + // send ServerHello..CertificateVerify + // Send CCS + server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); +- client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); +- client_->Handshake(); // Consume ClientHello and CCS +- client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++ ++ // No alert is sent from the client. As Finished is dropped, we ++ // can't use Handshake() and CheckConnected(). ++ client_->Handshake(); + } + + // The client rejects multiple ChangeCipherSpec in a row even if the +--- a/lib/ssl/ssl3con.c ++++ b/lib/ssl/ssl3con.c +@@ -6645,11 +6645,7 @@ + + /* TLS 1.3: We sent a session ID. The server's should match. */ + if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) { +- if (sidMatch) { +- ss->ssl3.hs.allowCcs = PR_TRUE; +- return PR_TRUE; +- } +- return PR_FALSE; ++ return sidMatch; + } + + /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */ +@@ -8696,7 +8692,6 @@ + errCode = PORT_GetError(); + goto alert_loser; + } +- ss->ssl3.hs.allowCcs = PR_TRUE; + } + + /* TLS 1.3 requires that compression include only null. */ +@@ -13066,15 +13061,14 @@ + ss->ssl3.hs.ws != idle_handshake && + cText->buf->len == 1 && + cText->buf->buf[0] == change_cipher_spec_choice) { +- if (ss->ssl3.hs.allowCcs) { +- /* Ignore the first CCS. */ +- ss->ssl3.hs.allowCcs = PR_FALSE; ++ if (!ss->ssl3.hs.rejectCcs) { ++ /* Allow only the first CCS. */ ++ ss->ssl3.hs.rejectCcs = PR_TRUE; + return SECSuccess; +- } +- +- /* Compatibility mode is not negotiated. */ +- alert = unexpected_message; +- PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++ } else { ++ alert = unexpected_message; ++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++ } + } + + if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) || +--- a/lib/ssl/sslimpl.h ++++ b/lib/ssl/sslimpl.h +@@ -710,10 +710,7 @@ + * or received. */ + PRBool receivedCcs; /* A server received ChangeCipherSpec + * before the handshake started. */ +- PRBool allowCcs; /* A server allows ChangeCipherSpec +- * as the middlebox compatibility mode +- * is explicitly indicarted by +- * legacy_session_id in TLS 1.3 ClientHello. */ ++ PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */ + PRBool clientCertRequested; /* True if CertificateRequest received. */ + PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */ + ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def + diff --git a/dev-libs/nss/nss-3.58.ebuild b/dev-libs/nss/nss-3.58-r1.ebuild index 37ab7c58696f..9fd661309555 100644 --- a/dev-libs/nss/nss-3.58.ebuild +++ b/dev-libs/nss/nss-3.58-r1.ebuild @@ -40,6 +40,7 @@ PATCHES=( "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch" "${FILESDIR}/${PN}-3.23-hppa-byte_order.patch" "${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch" + "${FILESDIR}/${PN}-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch" ) src_prepare() { |