rpms/nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity
1c7a019432
nss/nss-ccs.patch
DistroBaker 7fd5097dca Merged update from upstream sources 
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/nss.git#e698f2504cb957f144a0dd5dc6ae48db3d884487
2020-10-27 21:37:19 +01:00

133 lines
5.3 KiB
Diff
Raw Blame History

# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1603691171 -3600
# Mon Oct 26 06:46:11 2020 +0100
# Node ID b03a4fc5b902498414b02640dcb2717dfef9682f
# Parent 6f79a76958129dc09c353c288f115fd9a51ab7d4
Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt
Summary:
This flips the meaning of the flag for checking excessive CCS
messages, so it only rejects multiple CCS messages while the first CCS
message is always accepted.
Reviewers: mt
Reviewed By: mt
Bug #: 1672703
Differential Revision: https://phabricator.services.mozilla.com/D94603
diff -r 6f79a7695812 -r b03a4fc5b902 gtests/ssl_gtest/ssl_tls13compat_unittest.cc
--- a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc Fri Oct 23 16:14:36 2020 -0700
+++ b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc Mon Oct 26 06:46:11 2020 +0100
@@ -348,8 +348,8 @@
client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
}
-// The server rejects a ChangeCipherSpec if the client advertises an
-// empty session ID.
+// The server accepts a ChangeCipherSpec even if the client advertises
+// an empty session ID.
TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
EnsureTlsSetup();
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
@@ -358,9 +358,8 @@
client_->Handshake(); // Send ClientHello
client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS
- server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
- server_->Handshake(); // Consume ClientHello and CCS
- server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+ Handshake();
+ CheckConnected();
}
// The server rejects multiple ChangeCipherSpec even if the client
@@ -381,7 +380,7 @@
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
}
-// The client rejects a ChangeCipherSpec if it advertises an empty
+// The client accepts a ChangeCipherSpec even if it advertises an empty
// session ID.
TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
EnsureTlsSetup();
@@ -398,9 +397,10 @@
// send ServerHello..CertificateVerify
// Send CCS
server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
- client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
- client_->Handshake(); // Consume ClientHello and CCS
- client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+
+ // No alert is sent from the client. As Finished is dropped, we
+ // can't use Handshake() and CheckConnected().
+ client_->Handshake();
}
// The client rejects multiple ChangeCipherSpec in a row even if the
diff -r 6f79a7695812 -r b03a4fc5b902 lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c Fri Oct 23 16:14:36 2020 -0700
+++ b/lib/ssl/ssl3con.c Mon Oct 26 06:46:11 2020 +0100
@@ -6645,11 +6645,7 @@
/* TLS 1.3: We sent a session ID. The server's should match. */
if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
- if (sidMatch) {
- ss->ssl3.hs.allowCcs = PR_TRUE;
- return PR_TRUE;
- }
- return PR_FALSE;
+ return sidMatch;
}
/* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
@@ -8696,7 +8692,6 @@
errCode = PORT_GetError();
goto alert_loser;
}
- ss->ssl3.hs.allowCcs = PR_TRUE;
}
/* TLS 1.3 requires that compression include only null. */
@@ -13066,15 +13061,14 @@
ss->ssl3.hs.ws != idle_handshake &&
cText->buf->len == 1 &&
cText->buf->buf[0] == change_cipher_spec_choice) {
- if (ss->ssl3.hs.allowCcs) {
- /* Ignore the first CCS. */
- ss->ssl3.hs.allowCcs = PR_FALSE;
+ if (!ss->ssl3.hs.rejectCcs) {
+ /* Allow only the first CCS. */
+ ss->ssl3.hs.rejectCcs = PR_TRUE;
return SECSuccess;
- }
-
- /* Compatibility mode is not negotiated. */
- alert = unexpected_message;
- PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+ } else {
+ alert = unexpected_message;
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+ }
}
if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
diff -r 6f79a7695812 -r b03a4fc5b902 lib/ssl/sslimpl.h
--- a/lib/ssl/sslimpl.h Fri Oct 23 16:14:36 2020 -0700
+++ b/lib/ssl/sslimpl.h Mon Oct 26 06:46:11 2020 +0100
@@ -710,10 +710,7 @@
* or received. */
PRBool receivedCcs; /* A server received ChangeCipherSpec
* before the handshake started. */
- PRBool allowCcs; /* A server allows ChangeCipherSpec
- * as the middlebox compatibility mode
- * is explicitly indicarted by
- * legacy_session_id in TLS 1.3 ClientHello. */
+ PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */
PRBool clientCertRequested; /* True if CertificateRequest received. */
PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */
ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def
Reference in New Issue View Git Blame Copy Permalink