net/third_party/nss/patches/fallbackscsv.patch

   1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
   2 --- a/nss/lib/ssl/ssl3con.c     2014-01-03 19:44:44.807185186 -0800
   3 +++ b/nss/lib/ssl/ssl3con.c     2014-01-03 19:44:54.857349534 -0800
   4 @@ -3473,6 +3473,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe
   5      case certificate_unknown:  error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
   6                                                                           break;
   7      case illegal_parameter:    error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
   8 +    case inappropriate_fallback:
   9 +        error = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
  10 +        break;
  11
  12      /* All alerts below are TLS only. */
  13      case unknown_ca:           error = SSL_ERROR_UNKNOWN_CA_ALERT;       break;
  14 @@ -4986,6 +4989,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
  15      int              num_suites;
  16      int              actual_count = 0;
  17      PRBool           isTLS = PR_FALSE;
  18 +    PRBool           requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE;
  19      PRInt32          total_exten_len = 0;
  20      unsigned         paddingExtensionLen;
  21      unsigned         numCompressionMethods;
  22 @@ -5128,6 +5132,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
  23      }
  24
  25      if (sid) {
  26 +       requestingResume = PR_TRUE;
  27         SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
  28
  29         PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
  30 @@ -5246,8 +5251,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
  31         if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
  32         return SECFailure;      /* count_cipher_suites has set error code. */
  33      }
  34 +
  35 +    fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume ||
  36 +                                                 ss->version < sid->version);
  37 +    /* make room for SCSV */
  38      if (ss->ssl3.hs.sendingSCSV) {
  39 -       ++num_suites;   /* make room for SCSV */
  40 +       ++num_suites;
  41 +    }
  42 +    if (fallbackSCSV) {
  43 +       ++num_suites;
  44      }
  45
  46      /* count compression methods */
  47 @@ -5353,6 +5365,15 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
  48         }
  49         actual_count++;
  50      }
  51 +    if (fallbackSCSV) {
  52 +       rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
  53 +                                       sizeof(ssl3CipherSuite));
  54 +       if (rv != SECSuccess) {
  55 +           if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
  56 +           return rv;  /* err set by ssl3_AppendHandshake* */
  57 +       }
  58 +       actual_count++;
  59 +    }
  60      for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
  61         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
  62         if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
  63 @@ -5416,6 +5437,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
  64
  65         extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
  66         if (extLen < 0) {
  67 +           if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
  68             return SECFailure;
  69         }
  70         maxBytes -= extLen;
  71 @@ -8083,6 +8105,19 @@ ssl3_HandleClientHello(sslSocket *ss, SS
  72         goto loser;             /* malformed */
  73      }
  74
  75 +    /* If the ClientHello version is less than our maximum version, check for a
  76 +     * TLS_FALLBACK_SCSV and reject the connection if found. */
  77 +    if (ss->vrange.max > ss->clientHelloVersion) {
  78 +       for (i = 0; i + 1 < suites.len; i += 2) {
  79 +           PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
  80 +           if (suite_i != TLS_FALLBACK_SCSV)
  81 +               continue;
  82 +           desc = inappropriate_fallback;
  83 +           errCode = SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT;
  84 +           goto alert_loser;
  85 +       }
  86 +    }
  87 +
  88      /* grab the list of compression methods. */
  89      rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
  90      if (rv != SECSuccess) {
  91 diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
  92 --- a/nss/lib/ssl/ssl3prot.h    2014-01-03 19:39:28.442012014 -0800
  93 +++ b/nss/lib/ssl/ssl3prot.h    2014-01-03 19:44:54.857349534 -0800
  94 @@ -98,6 +98,7 @@ typedef enum {
  95      protocol_version        = 70,
  96      insufficient_security   = 71,
  97      internal_error          = 80,
  98 +    inappropriate_fallback  = 86,      /* could also be sent for SSLv3 */
  99      user_canceled           = 90,
 100      no_renegotiation        = 100,
 101
 102 diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
 103 --- a/nss/lib/ssl/sslerr.h      2014-01-03 19:39:28.442012014 -0800
 104 +++ b/nss/lib/ssl/sslerr.h      2014-01-03 19:44:54.877349862 -0800
 105 @@ -196,6 +196,7 @@ SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM
 106  SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129),
 107  SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130),
 108  SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131),
 109 +SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT = (SSL_ERROR_BASE + 132),
 110
 111  SSL_ERROR_END_OF_LIST  /* let the c compiler determine the value of this. */
 112  } SSLErrorCodes;
 113 diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
 114 --- a/nss/lib/ssl/SSLerrs.h     2014-01-03 19:39:28.442012014 -0800
 115 +++ b/nss/lib/ssl/SSLerrs.h     2014-01-03 19:44:54.907350351 -0800
 116 @@ -421,3 +421,8 @@ ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (S
 117
 118  ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131),
 119  "The application could not get a TLS Channel ID.")
 120 +
 121 +ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 132),
 122 +"The connection was using a lesser TLS version as a result of a previous"
 123 +" handshake failure, but the server indicated that it should not have been"
 124 +" needed.")
 125 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
 126 --- a/nss/lib/ssl/ssl.h 2014-01-03 19:44:44.807185186 -0800
 127 +++ b/nss/lib/ssl/ssl.h 2014-01-03 19:44:54.907350351 -0800
 128 @@ -163,6 +163,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
 129  #define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
 130  /* Request Signed Certificate Timestamps via TLS extension (client) */
 131  #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
 132 +#define SSL_ENABLE_FALLBACK_SCSV       26 /* Send fallback SCSV in
 133 +                                           * handshakes. */
 134
 135  #ifdef SSL_DEPRECATED_FUNCTION
 136  /* Old deprecated function names */
 137 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
 138 --- a/nss/lib/ssl/sslimpl.h     2014-01-03 19:44:44.807185186 -0800
 139 +++ b/nss/lib/ssl/sslimpl.h     2014-01-03 19:44:54.907350351 -0800
 140 @@ -336,6 +336,7 @@ typedef struct sslOptionsStr {
 141      unsigned int cbcRandomIV                : 1;  /* 24 */
 142      unsigned int enableOCSPStapling        : 1;  /* 25 */
 143      unsigned int enableSignedCertTimestamps : 1;  /* 26 */
 144 +    unsigned int enableFallbackSCSV        : 1;  /* 27 */
 145  } sslOptions;
 146
 147  typedef enum { sslHandshakingUndetermined = 0,
 148 diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
 149 --- a/nss/lib/ssl/sslproto.h    2014-01-03 19:43:07.025586219 -0800
 150 +++ b/nss/lib/ssl/sslproto.h    2014-01-03 19:44:54.907350351 -0800
 151 @@ -172,6 +172,11 @@
 152   */
 153  #define TLS_EMPTY_RENEGOTIATION_INFO_SCSV      0x00FF
 154
 155 +/* TLS_FALLBACK_SCSV is a signaling cipher suite value that indicates that a
 156 + * handshake is the result of TLS version fallback. This value is not IANA
 157 + * assigned. */
 158 +#define TLS_FALLBACK_SCSV                      0x5600
 159 +
 160  /* Cipher Suite Values starting with 0xC000 are defined in informational
 161   * RFCs.
 162   */
 163 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
 164 --- a/nss/lib/ssl/sslsock.c     2014-01-03 19:44:44.807185186 -0800
 165 +++ b/nss/lib/ssl/sslsock.c     2014-01-03 19:44:54.907350351 -0800
 166 @@ -86,7 +86,8 @@ static sslOptions ssl_defaults = {
 167      PR_FALSE,   /* enableFalseStart   */
 168      PR_TRUE,    /* cbcRandomIV        */
 169      PR_FALSE,   /* enableOCSPStapling */
 170 -    PR_FALSE    /* enableSignedCertTimestamps */
 171 +    PR_FALSE,   /* enableSignedCertTimestamps */
 172 +    PR_FALSE    /* enableFallbackSCSV */
 173  };
 174
 175  /*
 176 @@ -782,6 +783,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
 177         ss->opt.enableSignedCertTimestamps = on;
 178         break;
 179
 180 +      case SSL_ENABLE_FALLBACK_SCSV:
 181 +       ss->opt.enableFallbackSCSV = on;
 182 +       break;
 183 +
 184        default:
 185         PORT_SetError(SEC_ERROR_INVALID_ARGS);
 186         rv = SECFailure;
 187 @@ -855,6 +860,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
 188      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
 189         on = ss->opt.enableSignedCertTimestamps;
 190         break;
 191 +    case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break;
 192
 193      default:
 194         PORT_SetError(SEC_ERROR_INVALID_ARGS);
 195 @@ -919,6 +925,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
 196      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
 197         on = ssl_defaults.enableSignedCertTimestamps;
 198         break;
 199 +    case SSL_ENABLE_FALLBACK_SCSV:
 200 +       on = ssl_defaults.enableFallbackSCSV;
 201 +       break;
 202
 203      default:
 204         PORT_SetError(SEC_ERROR_INVALID_ARGS);
 205 @@ -1090,6 +1099,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
 206         ssl_defaults.enableSignedCertTimestamps = on;
 207         break;
 208
 209 +      case SSL_ENABLE_FALLBACK_SCSV:
 210 +       ssl_defaults.enableFallbackSCSV = on;
 211 +       break;
 212 +
 213        default:
 214         PORT_SetError(SEC_ERROR_INVALID_ARGS);
 215         return SECFailure;