From 97a26627f0bf520e2dc11c2c1dba3d6d586dd80d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 26 Oct 2020 06:55:42 +0100
Subject: [PATCH] Revert the last change, tolerate the first CCS in TLS 1.3

---
 nss-ccs.patch | 145 +++++++++++++++++++++++++++++++++++++++++++++-----
 nss.spec      |   5 +-
 2 files changed, 136 insertions(+), 14 deletions(-)

diff --git a/nss-ccs.patch b/nss-ccs.patch
index 8a258f4..4841a5a 100644
--- a/nss-ccs.patch
+++ b/nss-ccs.patch
@@ -1,13 +1,132 @@
-Index: nss/lib/ssl/sslsock.c
-===================================================================
---- nss.orig/lib/ssl/sslsock.c
-+++ nss/lib/ssl/sslsock.c
-@@ -86,7 +86,7 @@ static sslOptions ssl_defaults = {
-     .enableSignedCertTimestamps = PR_FALSE,
-     .requireDHENamedGroups = PR_FALSE,
-     .enable0RttData = PR_FALSE,
--    .enableTls13CompatMode = PR_FALSE,
-+    .enableTls13CompatMode = PR_TRUE,
-     .enableDtls13VersionCompat = PR_FALSE,
-     .enableDtlsShortHeader = PR_FALSE,
-     .enableHelloDowngradeCheck = PR_FALSE,
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1603691171 -3600
+#      Mon Oct 26 06:46:11 2020 +0100
+# Node ID b03a4fc5b902498414b02640dcb2717dfef9682f
+# Parent  6f79a76958129dc09c353c288f115fd9a51ab7d4
+Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt
+
+Summary:
+This flips the meaning of the flag for checking excessive CCS
+messages, so it only rejects multiple CCS messages while the first CCS
+message is always accepted.
+
+Reviewers: mt
+
+Reviewed By: mt
+
+Bug #: 1672703
+
+Differential Revision: https://phabricator.services.mozilla.com/D94603
+
+diff -r 6f79a7695812 -r b03a4fc5b902 gtests/ssl_gtest/ssl_tls13compat_unittest.cc
+--- a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc	Fri Oct 23 16:14:36 2020 -0700
++++ b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc	Mon Oct 26 06:46:11 2020 +0100
+@@ -348,8 +348,8 @@
+   client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
+ }
+ 
+-// The server rejects a ChangeCipherSpec if the client advertises an
+-// empty session ID.
++// The server accepts a ChangeCipherSpec even if the client advertises
++// an empty session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
+   EnsureTlsSetup();
+   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+@@ -358,9 +358,8 @@
+   client_->Handshake();  // Send ClientHello
+   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));  // Send CCS
+ 
+-  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+-  server_->Handshake();  // Consume ClientHello and CCS
+-  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++  Handshake();
++  CheckConnected();
+ }
+ 
+ // The server rejects multiple ChangeCipherSpec even if the client
+@@ -381,7 +380,7 @@
+   server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+ }
+ 
+-// The client rejects a ChangeCipherSpec if it advertises an empty
++// The client accepts a ChangeCipherSpec even if it advertises an empty
+ // session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
+   EnsureTlsSetup();
+@@ -398,9 +397,10 @@
+                          // send ServerHello..CertificateVerify
+   // Send CCS
+   server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+-  client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+-  client_->Handshake();  // Consume ClientHello and CCS
+-  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++
++  // No alert is sent from the client. As Finished is dropped, we
++  // can't use Handshake() and CheckConnected().
++  client_->Handshake();
+ }
+ 
+ // The client rejects multiple ChangeCipherSpec in a row even if the
+diff -r 6f79a7695812 -r b03a4fc5b902 lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c	Fri Oct 23 16:14:36 2020 -0700
++++ b/lib/ssl/ssl3con.c	Mon Oct 26 06:46:11 2020 +0100
+@@ -6645,11 +6645,7 @@
+ 
+     /* TLS 1.3: We sent a session ID.  The server's should match. */
+     if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
+-        if (sidMatch) {
+-            ss->ssl3.hs.allowCcs = PR_TRUE;
+-            return PR_TRUE;
+-        }
+-        return PR_FALSE;
++        return sidMatch;
+     }
+ 
+     /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
+@@ -8696,7 +8692,6 @@
+                 errCode = PORT_GetError();
+                 goto alert_loser;
+             }
+-            ss->ssl3.hs.allowCcs = PR_TRUE;
+         }
+ 
+         /* TLS 1.3 requires that compression include only null. */
+@@ -13066,15 +13061,14 @@
+             ss->ssl3.hs.ws != idle_handshake &&
+             cText->buf->len == 1 &&
+             cText->buf->buf[0] == change_cipher_spec_choice) {
+-            if (ss->ssl3.hs.allowCcs) {
+-                /* Ignore the first CCS. */
+-                ss->ssl3.hs.allowCcs = PR_FALSE;
++            if (!ss->ssl3.hs.rejectCcs) {
++                /* Allow only the first CCS. */
++                ss->ssl3.hs.rejectCcs = PR_TRUE;
+                 return SECSuccess;
+-            }
+-
+-            /* Compatibility mode is not negotiated. */
+-            alert = unexpected_message;
+-            PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++            } else {
++                alert = unexpected_message;
++                PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++            }
+         }
+ 
+         if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
+diff -r 6f79a7695812 -r b03a4fc5b902 lib/ssl/sslimpl.h
+--- a/lib/ssl/sslimpl.h	Fri Oct 23 16:14:36 2020 -0700
++++ b/lib/ssl/sslimpl.h	Mon Oct 26 06:46:11 2020 +0100
+@@ -710,10 +710,7 @@
+                                            * or received. */
+     PRBool receivedCcs;                   /* A server received ChangeCipherSpec
+                                            * before the handshake started. */
+-    PRBool allowCcs;                      /* A server allows ChangeCipherSpec
+-                                           * as the middlebox compatibility mode
+-                                           * is explicitly indicarted by
+-                                           * legacy_session_id in TLS 1.3 ClientHello. */
++    PRBool rejectCcs;                     /* Excessive ChangeCipherSpecs are rejected. */
+     PRBool clientCertRequested;           /* True if CertificateRequest received. */
+     PRBool endOfFlight;                   /* Processed a full flight (DTLS 1.3). */
+     ssl3KEADef kea_def_mutable;           /* Used to hold the writable kea_def
diff --git a/nss.spec b/nss.spec
index 3b11c63..cb2e818 100644
--- a/nss.spec
+++ b/nss.spec
@@ -44,7 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+Release:          3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -904,6 +904,9 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Mon Oct 26 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-3
+- Revert the last change, always tolerate the first CCS in TLS 1.3
+
 * Thu Oct 22 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-2
 - Enable TLS 1.3 middlebox compatibility mode by default