File nss-TLS1.2-UAF.patch of Package mozilla-nss.6304
# HG changeset patch
# Parent ae039131ca6d978218d0640aa51294f73b239f00
date: Mon Sep 11 16:42:38 2017 +0200
Fix potential use-after-free in TLS 1.2
CVE-2017-7805
bsc#1061005
upstream changeset: 13580:d3865e2957d0
branch: NSS_3_28_BRANCH
parent: 13378:a90cd40c0174
user: Martin Thomson <martin.thomson@gmail.com>
files: lib/ssl/ssl3con.c lib/ssl/ssl3prot.h
description:
Bug 1377618 - Simplify handling of CertificateVerify, r=kaie
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -9797,23 +9797,22 @@ ssl3_HandleCertificateVerify(sslSocket *
if (rv != SECSuccess) {
errCode = PORT_GetError();
desc = decrypt_error;
goto alert_loser;
}
hashAlg = ssl_SignatureSchemeToHashType(sigScheme);
- if (hashes->u.pointer_to_hash_input.data) {
- rv = ssl3_ComputeHandshakeHash(hashes->u.pointer_to_hash_input.data,
- hashes->u.pointer_to_hash_input.len,
- hashAlg, &localHashes);
- } else {
- rv = SECFailure;
- }
+ /* Read from the message buffer, but we need to use only up to the end
+ * of the previous handshake message. The length of the transcript up to
+ * that point is saved in |hashes->u.transcriptLen|. */
+ rv = ssl3_ComputeHandshakeHash(ss->ssl3.hs.messages.buf,
+ hashes->u.transcriptLen,
+ hashAlg, &localHashes);
if (rv == SECSuccess) {
hashesForVerify = &localHashes;
} else {
errCode = SSL_ERROR_DIGEST_FAILURE;
desc = decrypt_error;
goto alert_loser;
}
@@ -11707,25 +11706,25 @@ ssl3_HandleHandshakeMessage(sslSocket *s
* ssl3_HandleCertificateVerify, which will tell us which
* hash function we must use.
*
* (ssl3_HandleCertificateVerify cannot simply look at the
* buffer length itself, because at the time we reach it,
* additional handshake messages will have been added to the
* buffer, e.g. the certificate_verify message itself.)
*
- * Therefore, we use SSL3Hashes.u.pointer_to_hash_input
- * to signal the current state of the buffer.
+ * Therefore, we use SSL3Hashes.u.transcriptLen to save how much
+ * data there is and read directly from ss->ssl3.hs.messages
+ * when calculating the hashes.
*
* ssl3_HandleCertificateVerify will detect
* hashType == handshake_hash_record
* and use that information to calculate the hash.
*/
- hashes.u.pointer_to_hash_input.data = ss->ssl3.hs.messages.buf;
- hashes.u.pointer_to_hash_input.len = ss->ssl3.hs.messages.len;
+ hashes.u.transcriptLen = ss->ssl3.hs.messages.len;
hashesPtr = &hashes;
} else {
computeHashes = PR_TRUE;
}
}
} else {
if (type == certificate_verify) {
computeHashes = TLS13_IN_HS_STATE(ss, wait_cert_verify);
diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h
--- a/lib/ssl/ssl3prot.h
+++ b/lib/ssl/ssl3prot.h
@@ -232,17 +232,17 @@ typedef struct {
* which, if |hashAlg==ssl_hash_none| is also a SSL3HashesIndividually
* struct. */
typedef struct {
unsigned int len;
SSLHashType hashAlg;
union {
PRUint8 raw[64];
SSL3HashesIndividually s;
- SECItem pointer_to_hash_input;
+ unsigned int transcriptLen;
} u;
} SSL3Hashes;
typedef struct {
union {
SSL3Opaque anonymous;
SSL3Hashes certified;
} u;
