summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Deutschmann <whissi@gentoo.org>2020-10-23 18:19:06 +0200
committerThomas Deutschmann <whissi@gentoo.org>2020-10-23 18:19:06 +0200
commit0b684bfbdff41cbaab1a6c1969c931a1670395d7 (patch)
tree3b7391d1c8437aab5a4ae84e237c38367128748e /dev-libs
parentprofiles: Mask media-libs/webvfx, media-video/shotcut for removal (diff)
downloadgentoo-0b684bfbdff41cbaab1a6c1969c931a1670395d7.tar.gz
gentoo-0b684bfbdff41cbaab1a6c1969c931a1670395d7.tar.bz2
gentoo-0b684bfbdff41cbaab1a6c1969c931a1670395d7.zip
dev-libs/nss: always tolerate the first CCS in TLS 1.3
Bug: https://bugs.gentoo.org/750746 Package-Manager: Portage-3.0.8, Repoman-3.0.2 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Diffstat (limited to 'dev-libs')
-rw-r--r--dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch111
-rw-r--r--dev-libs/nss/nss-3.58-r1.ebuild (renamed from dev-libs/nss/nss-3.58.ebuild)1
2 files changed, 112 insertions, 0 deletions
diff --git a/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch b/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch
new file mode 100644
index 000000000000..f68b65c119c9
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch
@@ -0,0 +1,111 @@
+https://bugzilla.mozilla.org/show_bug.cgi?id=1672703
+
+--- a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
++++ b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
+@@ -348,8 +348,8 @@
+ client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
+ }
+
+-// The server rejects a ChangeCipherSpec if the client advertises an
+-// empty session ID.
++// The server accepts a ChangeCipherSpec even if the client advertises
++// an empty session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
+ EnsureTlsSetup();
+ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+@@ -358,9 +358,8 @@
+ client_->Handshake(); // Send ClientHello
+ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS
+
+- server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+- server_->Handshake(); // Consume ClientHello and CCS
+- server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++ Handshake();
++ CheckConnected();
+ }
+
+ // The server rejects multiple ChangeCipherSpec even if the client
+@@ -381,7 +380,7 @@
+ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+ }
+
+-// The client rejects a ChangeCipherSpec if it advertises an empty
++// The client accepts a ChangeCipherSpec even if it advertises an empty
+ // session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
+ EnsureTlsSetup();
+@@ -398,9 +397,10 @@
+ // send ServerHello..CertificateVerify
+ // Send CCS
+ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+- client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+- client_->Handshake(); // Consume ClientHello and CCS
+- client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++
++ // No alert is sent from the client. As Finished is dropped, we
++ // can't use Handshake() and CheckConnected().
++ client_->Handshake();
+ }
+
+ // The client rejects multiple ChangeCipherSpec in a row even if the
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -6645,11 +6645,7 @@
+
+ /* TLS 1.3: We sent a session ID. The server's should match. */
+ if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
+- if (sidMatch) {
+- ss->ssl3.hs.allowCcs = PR_TRUE;
+- return PR_TRUE;
+- }
+- return PR_FALSE;
++ return sidMatch;
+ }
+
+ /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
+@@ -8696,7 +8692,6 @@
+ errCode = PORT_GetError();
+ goto alert_loser;
+ }
+- ss->ssl3.hs.allowCcs = PR_TRUE;
+ }
+
+ /* TLS 1.3 requires that compression include only null. */
+@@ -13066,15 +13061,14 @@
+ ss->ssl3.hs.ws != idle_handshake &&
+ cText->buf->len == 1 &&
+ cText->buf->buf[0] == change_cipher_spec_choice) {
+- if (ss->ssl3.hs.allowCcs) {
+- /* Ignore the first CCS. */
+- ss->ssl3.hs.allowCcs = PR_FALSE;
++ if (!ss->ssl3.hs.rejectCcs) {
++ /* Allow only the first CCS. */
++ ss->ssl3.hs.rejectCcs = PR_TRUE;
+ return SECSuccess;
+- }
+-
+- /* Compatibility mode is not negotiated. */
+- alert = unexpected_message;
+- PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++ } else {
++ alert = unexpected_message;
++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++ }
+ }
+
+ if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
+--- a/lib/ssl/sslimpl.h
++++ b/lib/ssl/sslimpl.h
+@@ -710,10 +710,7 @@
+ * or received. */
+ PRBool receivedCcs; /* A server received ChangeCipherSpec
+ * before the handshake started. */
+- PRBool allowCcs; /* A server allows ChangeCipherSpec
+- * as the middlebox compatibility mode
+- * is explicitly indicarted by
+- * legacy_session_id in TLS 1.3 ClientHello. */
++ PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */
+ PRBool clientCertRequested; /* True if CertificateRequest received. */
+ PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */
+ ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def
+
diff --git a/dev-libs/nss/nss-3.58.ebuild b/dev-libs/nss/nss-3.58-r1.ebuild
index 37ab7c58696f..9fd661309555 100644
--- a/dev-libs/nss/nss-3.58.ebuild
+++ b/dev-libs/nss/nss-3.58-r1.ebuild
@@ -40,6 +40,7 @@ PATCHES=(
"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
+ "${FILESDIR}/${PN}-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch"
)
src_prepare() {