Date: Saturday, November 14, 2020 @ 22:37:51 Author: heftig Revision: 401126
3.59-1 Modified: nss/trunk/PKGBUILD Deleted: nss/trunk/0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch -----------------------------------------------------------------+ 0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch | 159 ---------- PKGBUILD | 11 2 files changed, 3 insertions(+), 167 deletions(-) Deleted: 0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch =================================================================== --- 0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch 2020-11-14 21:58:49 UTC (rev 401125) +++ 0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch 2020-11-14 22:37:51 UTC (rev 401126) @@ -1,159 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno <[email protected]> -Date: Mon, 26 Oct 2020 06:46:11 +0100 -Subject: [PATCH] Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt - -Summary: -This flips the meaning of the flag for checking excessive CCS -messages, so it only rejects multiple CCS messages while the first CCS -message is always accepted. - -Reviewers: mt - -Reviewed By: mt - -Bug #: 1672703 - -Differential Revision: https://phabricator.services.mozilla.com/D94603 ---- - gtests/ssl_gtest/ssl_tls13compat_unittest.cc | 18 +++++++++--------- - lib/ssl/ssl3con.c | 20 +++++++------------- - lib/ssl/sslimpl.h | 5 +---- - 3 files changed, 17 insertions(+), 26 deletions(-) - -diff --git a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc -index dcede798cc..645f84ff02 100644 ---- a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc -+++ b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc -@@ -348,59 +348,59 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHelloTwice) { - client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); - } - --// The server rejects a ChangeCipherSpec if the client advertises an --// empty session ID. -+// The server accepts a ChangeCipherSpec even if the client advertises -+// an empty session ID. - TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) { - EnsureTlsSetup(); - ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); - - StartConnect(); - client_->Handshake(); // Send ClientHello - client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS - -- server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); -- server_->Handshake(); // Consume ClientHello and CCS -- server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); -+ Handshake(); -+ CheckConnected(); - } - - // The server rejects multiple ChangeCipherSpec even if the client - // indicates compatibility mode with non-empty session ID. - TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) { - EnsureTlsSetup(); - ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); - EnableCompatMode(); - - StartConnect(); - client_->Handshake(); // Send ClientHello - // Send CCS twice in a row - client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); - client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); - - server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); - server_->Handshake(); // Consume ClientHello and CCS. - server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); - } - --// The client rejects a ChangeCipherSpec if it advertises an empty -+// The client accepts a ChangeCipherSpec even if it advertises an empty - // session ID. - TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) { - EnsureTlsSetup(); - ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); - - // To replace Finished with a CCS below - auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); - filter->SetHandshakeTypes({kTlsHandshakeFinished}); - filter->EnableDecryption(); - - StartConnect(); - client_->Handshake(); // Send ClientHello - server_->Handshake(); // Consume ClientHello, and - // send ServerHello..CertificateVerify - // Send CCS - server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); -- client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); -- client_->Handshake(); // Consume ClientHello and CCS -- client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); -+ -+ // No alert is sent from the client. As Finished is dropped, we -+ // can't use Handshake() and CheckConnected(). -+ client_->Handshake(); - } - - // The client rejects multiple ChangeCipherSpec in a row even if the -diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c -index 767ffc30f1..b652dcea34 100644 ---- a/lib/ssl/ssl3con.c -+++ b/lib/ssl/ssl3con.c -@@ -6645,11 +6645,7 @@ ssl_CheckServerSessionIdCorrectness(sslSocket *ss, SECItem *sidBytes) - - /* TLS 1.3: We sent a session ID. The server's should match. */ - if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) { -- if (sidMatch) { -- ss->ssl3.hs.allowCcs = PR_TRUE; -- return PR_TRUE; -- } -- return PR_FALSE; -+ return sidMatch; - } - - /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */ -@@ -8696,7 +8692,6 @@ ssl3_HandleClientHello(sslSocket *ss, PRUint8 *b, PRUint32 length) - errCode = PORT_GetError(); - goto alert_loser; - } -- ss->ssl3.hs.allowCcs = PR_TRUE; - } - - /* TLS 1.3 requires that compression include only null. */ -@@ -13066,15 +13061,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText) - ss->ssl3.hs.ws != idle_handshake && - cText->buf->len == 1 && - cText->buf->buf[0] == change_cipher_spec_choice) { -- if (ss->ssl3.hs.allowCcs) { -- /* Ignore the first CCS. */ -- ss->ssl3.hs.allowCcs = PR_FALSE; -+ if (!ss->ssl3.hs.rejectCcs) { -+ /* Allow only the first CCS. */ -+ ss->ssl3.hs.rejectCcs = PR_TRUE; - return SECSuccess; -+ } else { -+ alert = unexpected_message; -+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); - } -- -- /* Compatibility mode is not negotiated. */ -- alert = unexpected_message; -- PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); - } - - if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) || -diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h -index 44c43a0e6c..35d0c2d6bc 100644 ---- a/lib/ssl/sslimpl.h -+++ b/lib/ssl/sslimpl.h -@@ -710,10 +710,7 @@ typedef struct SSL3HandshakeStateStr { - * or received. */ - PRBool receivedCcs; /* A server received ChangeCipherSpec - * before the handshake started. */ -- PRBool allowCcs; /* A server allows ChangeCipherSpec -- * as the middlebox compatibility mode -- * is explicitly indicarted by -- * legacy_session_id in TLS 1.3 ClientHello. */ -+ PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */ - PRBool clientCertRequested; /* True if CertificateRequest received. */ - PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */ - ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def Modified: PKGBUILD =================================================================== --- PKGBUILD 2020-11-14 21:58:49 UTC (rev 401125) +++ PKGBUILD 2020-11-14 22:37:51 UTC (rev 401126) @@ -3,8 +3,8 @@ pkgbase=nss pkgname=(nss ca-certificates-mozilla) -pkgver=3.58 -pkgrel=2 +pkgver=3.59 +pkgrel=1 pkgdesc="Network Security Services" url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"; arch=(x86_64) @@ -12,10 +12,8 @@ depends=(nspr sqlite zlib sh 'p11-kit>=0.23.19') makedepends=(perl python gyp) source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"; - 0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch certdata2pem.py bundle.sh) -sha256sums=('9f73cf789b5f109b978e5239551b609b0cafa88d18f0bc8ce3f976cb629353c0' - '62ec84bbd366f8431b70430082306f78a4f8510c301f14494391d1fd3a173f4a' +sha256sums=('e6298174caa8527beacdc2858f77ed098d7047c1792846040e27e420fed0ce24' 'd2a1579dae05fd16175fac27ef08b54731ecefdf414085c610179afcf62b096c' '3bfadf722da6773bdabdd25bdf78158648043d1b7e57615574f189a88ca865dd') @@ -24,9 +22,6 @@ mkdir "$srcdir/certs" ln -srt "$srcdir/certs" lib/ckfw/builtins/{certdata.txt,nssckbi.h} - - # https://bugs.archlinux.org/task/68357 - patch -Np1 -i "$srcdir/0001-Bug-1672703-always-tolerate-the-first-CCS-in-TLS-1.3.patch" } build() {
