From 0d4d4780af4032f614b93e4689fbdd951dc374f6 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 26 Oct 2020 06:55:42 +0100 Subject: [PATCH] Revert the last change, tolerate the first CCS in TLS 1.3 --- nss-ccs.patch | 145 +++++++++++++++++++++++++++++++++++++++++++++----- nss.spec | 5 +- 2 files changed, 136 insertions(+), 14 deletions(-) diff --git a/nss-ccs.patch b/nss-ccs.patch index 8a258f4..4841a5a 100644 --- a/nss-ccs.patch +++ b/nss-ccs.patch @@ -1,13 +1,132 @@ -Index: nss/lib/ssl/sslsock.c -=================================================================== ---- nss.orig/lib/ssl/sslsock.c -+++ nss/lib/ssl/sslsock.c -@@ -86,7 +86,7 @@ static sslOptions ssl_defaults = { - .enableSignedCertTimestamps = PR_FALSE, - .requireDHENamedGroups = PR_FALSE, - .enable0RttData = PR_FALSE, -- .enableTls13CompatMode = PR_FALSE, -+ .enableTls13CompatMode = PR_TRUE, - .enableDtls13VersionCompat = PR_FALSE, - .enableDtlsShortHeader = PR_FALSE, - .enableHelloDowngradeCheck = PR_FALSE, +# HG changeset patch +# User Daiki Ueno +# Date 1603691171 -3600 +# Mon Oct 26 06:46:11 2020 +0100 +# Node ID b03a4fc5b902498414b02640dcb2717dfef9682f +# Parent 6f79a76958129dc09c353c288f115fd9a51ab7d4 +Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt + +Summary: +This flips the meaning of the flag for checking excessive CCS +messages, so it only rejects multiple CCS messages while the first CCS +message is always accepted. + +Reviewers: mt + +Reviewed By: mt + +Bug #: 1672703 + +Differential Revision: https://phabricator.services.mozilla.com/D94603 + +diff -r 6f79a7695812 -r b03a4fc5b902 gtests/ssl_gtest/ssl_tls13compat_unittest.cc +--- a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc Fri Oct 23 16:14:36 2020 -0700 ++++ b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc Mon Oct 26 06:46:11 2020 +0100 +@@ -348,8 +348,8 @@ + client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); + } + +-// The server rejects a ChangeCipherSpec if the client advertises an +-// empty session ID. ++// The server accepts a ChangeCipherSpec even if the client advertises ++// an empty session ID. + TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) { + EnsureTlsSetup(); + ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); +@@ -358,9 +358,8 @@ + client_->Handshake(); // Send ClientHello + client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS + +- server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); +- server_->Handshake(); // Consume ClientHello and CCS +- server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++ Handshake(); ++ CheckConnected(); + } + + // The server rejects multiple ChangeCipherSpec even if the client +@@ -381,7 +380,7 @@ + server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); + } + +-// The client rejects a ChangeCipherSpec if it advertises an empty ++// The client accepts a ChangeCipherSpec even if it advertises an empty + // session ID. + TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) { + EnsureTlsSetup(); +@@ -398,9 +397,10 @@ + // send ServerHello..CertificateVerify + // Send CCS + server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); +- client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); +- client_->Handshake(); // Consume ClientHello and CCS +- client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++ ++ // No alert is sent from the client. As Finished is dropped, we ++ // can't use Handshake() and CheckConnected(). ++ client_->Handshake(); + } + + // The client rejects multiple ChangeCipherSpec in a row even if the +diff -r 6f79a7695812 -r b03a4fc5b902 lib/ssl/ssl3con.c +--- a/lib/ssl/ssl3con.c Fri Oct 23 16:14:36 2020 -0700 ++++ b/lib/ssl/ssl3con.c Mon Oct 26 06:46:11 2020 +0100 +@@ -6645,11 +6645,7 @@ + + /* TLS 1.3: We sent a session ID. The server's should match. */ + if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) { +- if (sidMatch) { +- ss->ssl3.hs.allowCcs = PR_TRUE; +- return PR_TRUE; +- } +- return PR_FALSE; ++ return sidMatch; + } + + /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */ +@@ -8696,7 +8692,6 @@ + errCode = PORT_GetError(); + goto alert_loser; + } +- ss->ssl3.hs.allowCcs = PR_TRUE; + } + + /* TLS 1.3 requires that compression include only null. */ +@@ -13066,15 +13061,14 @@ + ss->ssl3.hs.ws != idle_handshake && + cText->buf->len == 1 && + cText->buf->buf[0] == change_cipher_spec_choice) { +- if (ss->ssl3.hs.allowCcs) { +- /* Ignore the first CCS. */ +- ss->ssl3.hs.allowCcs = PR_FALSE; ++ if (!ss->ssl3.hs.rejectCcs) { ++ /* Allow only the first CCS. */ ++ ss->ssl3.hs.rejectCcs = PR_TRUE; + return SECSuccess; +- } +- +- /* Compatibility mode is not negotiated. */ +- alert = unexpected_message; +- PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++ } else { ++ alert = unexpected_message; ++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++ } + } + + if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) || +diff -r 6f79a7695812 -r b03a4fc5b902 lib/ssl/sslimpl.h +--- a/lib/ssl/sslimpl.h Fri Oct 23 16:14:36 2020 -0700 ++++ b/lib/ssl/sslimpl.h Mon Oct 26 06:46:11 2020 +0100 +@@ -710,10 +710,7 @@ + * or received. */ + PRBool receivedCcs; /* A server received ChangeCipherSpec + * before the handshake started. */ +- PRBool allowCcs; /* A server allows ChangeCipherSpec +- * as the middlebox compatibility mode +- * is explicitly indicarted by +- * legacy_session_id in TLS 1.3 ClientHello. */ ++ PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */ + PRBool clientCertRequested; /* True if CertificateRequest received. */ + PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */ + ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def diff --git a/nss.spec b/nss.spec index 3b11c63..cb2e818 100644 --- a/nss.spec +++ b/nss.spec @@ -44,7 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -904,6 +904,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Mon Oct 26 2020 Daiki Ueno - 3.58.0-3 +- Revert the last change, always tolerate the first CCS in TLS 1.3 + * Thu Oct 22 2020 Daiki Ueno - 3.58.0-2 - Enable TLS 1.3 middlebox compatibility mode by default