svn commit: r553536 - in branches/2020Q4/security/nss: . files

Jan Beich jbeich at
Wed Oct 28 10:50:54 UTC 2020

Author: jbeich
Date: Wed Oct 28 10:50:53 2020
New Revision: 553536

  MFH: r553535
  security/nss: unbreak non-gecko consumers after r552532
  Pidgin failed with "nss: Handshake failed (-12251)" i.e.,
  SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER -12251 "SSL received a malformed Change Cipher Spec record."
  PR:		250665
  Submitted by:	yamagi at
  Approved by:	ports-secteam blanket

     - copied unchanged from r553535, head/security/nss/files/patch-bug1672703
Directory Properties:
  branches/2020Q4/   (props changed)

Modified: branches/2020Q4/security/nss/Makefile
--- branches/2020Q4/security/nss/Makefile	Wed Oct 28 10:50:29 2020	(r553535)
+++ branches/2020Q4/security/nss/Makefile	Wed Oct 28 10:50:53 2020	(r553536)
@@ -3,6 +3,7 @@
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/${PORTNAME}/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src

Copied: branches/2020Q4/security/nss/files/patch-bug1672703 (from r553535, head/security/nss/files/patch-bug1672703)
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2020Q4/security/nss/files/patch-bug1672703	Wed Oct 28 10:50:53 2020	(r553536, copy of r553535, head/security/nss/files/patch-bug1672703)
@@ -0,0 +1,137 @@
+commit b03a4fc5b902498414b02640dcb2717dfef9682f
+Author: Daiki Ueno <dueno at>
+Date:   Mon Oct 26 06:46:11 2020 +0100
+    Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt
+    Summary:
+    This flips the meaning of the flag for checking excessive CCS
+    messages, so it only rejects multiple CCS messages while the first CCS
+    message is always accepted.
+    Reviewers: mt
+    Reviewed By: mt
+    Bug #: 1672703
+    Differential Revision:
+ gtests/ssl_gtest/ | 18 +++++++++---------
+ lib/ssl/ssl3con.c                            | 20 +++++++-------------
+ lib/ssl/sslimpl.h                            |  5 +----
+ 3 files changed, 17 insertions(+), 26 deletions(-)
+diff --git gtests/ssl_gtest/ gtests/ssl_gtest/
+index dcede798cc..645f84ff02 100644
+--- gtests/ssl_gtest/
++++ gtests/ssl_gtest/
+@@ -348,8 +348,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHelloTwice) {
+ }
+-// The server rejects a ChangeCipherSpec if the client advertises an
+-// empty session ID.
++// The server accepts a ChangeCipherSpec even if the client advertises
++// an empty session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
+   EnsureTlsSetup();
+   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+@@ -358,9 +358,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
+   client_->Handshake();  // Send ClientHello
+   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));  // Send CCS
+-  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+-  server_->Handshake();  // Consume ClientHello and CCS
++  Handshake();
++  CheckConnected();
+ }
+ // The server rejects multiple ChangeCipherSpec even if the client
+@@ -381,7 +380,7 @@ TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) {
+ }
+-// The client rejects a ChangeCipherSpec if it advertises an empty
++// The client accepts a ChangeCipherSpec even if it advertises an empty
+ // session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
+   EnsureTlsSetup();
+@@ -398,9 +397,10 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
+                          // send ServerHello..CertificateVerify
+   // Send CCS
+   server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+-  client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+-  client_->Handshake();  // Consume ClientHello and CCS
++  // No alert is sent from the client. As Finished is dropped, we
++  // can't use Handshake() and CheckConnected().
++  client_->Handshake();
+ }
+ // The client rejects multiple ChangeCipherSpec in a row even if the
+diff --git lib/ssl/ssl3con.c lib/ssl/ssl3con.c
+index 767ffc30f1..b652dcea34 100644
+--- lib/ssl/ssl3con.c
++++ lib/ssl/ssl3con.c
+@@ -6645,11 +6645,7 @@ ssl_CheckServerSessionIdCorrectness(sslSocket *ss, SECItem *sidBytes)
+     /* TLS 1.3: We sent a session ID.  The server's should match. */
+     if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
+-        if (sidMatch) {
+-            ss->ssl3.hs.allowCcs = PR_TRUE;
+-            return PR_TRUE;
+-        }
+-        return PR_FALSE;
++        return sidMatch;
+     }
+     /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
+@@ -8696,7 +8692,6 @@ ssl3_HandleClientHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
+                 errCode = PORT_GetError();
+                 goto alert_loser;
+             }
+-            ss->ssl3.hs.allowCcs = PR_TRUE;
+         }
+         /* TLS 1.3 requires that compression include only null. */
+@@ -13066,15 +13061,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
+             ss-> != idle_handshake &&
+             cText->buf->len == 1 &&
+             cText->buf->buf[0] == change_cipher_spec_choice) {
+-            if (ss->ssl3.hs.allowCcs) {
+-                /* Ignore the first CCS. */
+-                ss->ssl3.hs.allowCcs = PR_FALSE;
++            if (!ss->ssl3.hs.rejectCcs) {
++                /* Allow only the first CCS. */
++                ss->ssl3.hs.rejectCcs = PR_TRUE;
+                 return SECSuccess;
++            } else {
++                alert = unexpected_message;
+             }
+-            /* Compatibility mode is not negotiated. */
+-            alert = unexpected_message;
+         }
+         if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
+diff --git lib/ssl/sslimpl.h lib/ssl/sslimpl.h
+index 44c43a0e6c..35d0c2d6bc 100644
+--- lib/ssl/sslimpl.h
++++ lib/ssl/sslimpl.h
+@@ -710,10 +710,7 @@ typedef struct SSL3HandshakeStateStr {
+                                            * or received. */
+     PRBool receivedCcs;                   /* A server received ChangeCipherSpec
+                                            * before the handshake started. */
+-    PRBool allowCcs;                      /* A server allows ChangeCipherSpec
+-                                           * as the middlebox compatibility mode
+-                                           * is explicitly indicarted by
+-                                           * legacy_session_id in TLS 1.3 ClientHello. */
++    PRBool rejectCcs;                     /* Excessive ChangeCipherSpecs are rejected. */
+     PRBool clientCertRequested;           /* True if CertificateRequest received. */
+     PRBool endOfFlight;                   /* Processed a full flight (DTLS 1.3). */
+     ssl3KEADef kea_def_mutable;           /* Used to hold the writable kea_def

