
Fix for CVE-2020-25648 in nss



Hello,

I am trying to backport the fix for CVE-2020-25648 to nss version 3.42.1
in Debian 10, "buster".  Unfortunately, the four tests added by the fix
do not pass.

Would someone be able to take a look at the test output, please?
Perhaps the failed test does not indicate that the fix is ineffective.
As all the other tests pass, I'm not too concerned about introducing any
regressions.

I'm including the failed test output below.  My patched version of nss
is here: <https://salsa.debian.org/lts-team/packages/nss>.
More specifically, the backported patch is here:
<https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/buster/debian/patches/CVE-2020-25648.patch>.

Thank you.

-- 
Sean Whitton
[ RUN      ] TlsConnectStreamTls13.ChangeCipherSpecAfterClientHelloEmptySid
Version: TLS 1.3
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
client: Send Direct [6] 140303000101
tls_agent.cc:658: Failure
Expected equality of these values:
  STATE_ERROR
    Which is: ERROR
  state_
    Which is: CONNECTING
tls_agent.cc:659: Failure
Expected equality of these values:
  expected
    Which is: -12251
  error_code_
    Which is: 0
Got error code (null) expecting SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER

tls_agent.cc:115: Failure
Failed
Wrong expected_sent_alert status: server
[  FAILED  ] TlsConnectStreamTls13.ChangeCipherSpecAfterClientHelloEmptySid (3 ms)
[ RUN      ] TlsConnectStreamTls13.ChangeCipherSpecAfterServerHelloEmptySid
Version: TLS 1.3
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
handshake drop: [32] 1b8a089d138d6e39406bf8976a32005454bc4a5b2297f721f558948f42980a63
record old: [657] 080000240022000a00140012001d00170018001901000101010201030104001c...
record new: [621] 080000240022000a00140012001d00170018001901000101010201030104001c...
server: Original packet: [774] 160303005a020000560303cce13fc9d25beeda4816ae0df6c3fcfc6b075b524d...
server: Filtered packet: [738] 160303005a020000560303cce13fc9d25beeda4816ae0df6c3fcfc6b075b524d...
server: Send Direct [6] 140303000101
tls_agent.cc:658: Failure
Expected equality of these values:
  STATE_ERROR
    Which is: ERROR
  state_
    Which is: CONNECTING
tls_agent.cc:659: Failure
Expected equality of these values:
  expected
    Which is: -12251
  error_code_
    Which is: 0
Got error code (null) expecting SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER

tls_agent.cc:115: Failure
Failed
Wrong expected_sent_alert status: client
[  FAILED  ] TlsConnectStreamTls13.ChangeCipherSpecAfterServerHelloEmptySid (3 ms)
[ RUN      ] Tls13CompatTest.ChangeCipherSpecAfterClientHelloTwice
Version: TLS 1.3
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
client: Send Direct [6] 140303000101
client: Send Direct [6] 140303000101
tls_agent.cc:658: Failure
Expected equality of these values:
  STATE_ERROR
    Which is: ERROR
  state_
    Which is: CONNECTING
tls_agent.cc:659: Failure
Expected equality of these values:
  expected
    Which is: -12251
  error_code_
    Which is: 0
Got error code (null) expecting SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER

tls_agent.cc:115: Failure
Failed
Wrong expected_sent_alert status: server
[  FAILED  ] Tls13CompatTest.ChangeCipherSpecAfterClientHelloTwice (3 ms)
[ RUN      ] Tls13CompatTest.ChangeCipherSpecAfterServerHelloTwice
Version: TLS 1.3
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
handshake drop: [32] 9fa4dd3997d365493264eb198d69844aa6090fdbe2d6d198df14cc020f20fd99
record old: [657] 080000240022000a00140012001d00170018001901000101010201030104001c...
record new: [621] 080000240022000a00140012001d00170018001901000101010201030104001c...
server: Original packet: [812] 160303007a0200007603031819fcfd8fd325cb2a943632a50c27846ad67629c4...
server: Filtered packet: [776] 160303007a0200007603031819fcfd8fd325cb2a943632a50c27846ad67629c4...
server: Send Direct [6] 140303000101
tls_agent.cc:658: Failure
Expected equality of these values:
  STATE_ERROR
    Which is: ERROR
  state_
    Which is: CONNECTING
tls_agent.cc:659: Failure
Expected equality of these values:
  expected
    Which is: -12251
  error_code_
    Which is: 0
Got error code (null) expecting SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER

tls_agent.cc:115: Failure
Failed
Wrong expected_sent_alert status: client
[  FAILED  ] Tls13CompatTest.ChangeCipherSpecAfterServerHelloTwice (3 ms)
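
Added example, not part of the original message or of the nss test suite: a small Python triage helper for gtest output like the above. It decodes each hex record injected by "Send Direct" and collects the expected/actual pairs per failed test; SAMPLE_LOG is a constructed abridgement of the first failure, and all function names are this example's own.

```python
import re

# Constructed sample: the first failing test from the log above, abridged.
SAMPLE_LOG = """\
[ RUN      ] TlsConnectStreamTls13.ChangeCipherSpecAfterClientHelloEmptySid
client: Send Direct [6] 140303000101
tls_agent.cc:658: Failure
Expected equality of these values:
  STATE_ERROR
    Which is: ERROR
  state_
    Which is: CONNECTING
tls_agent.cc:659: Failure
Expected equality of these values:
  expected
    Which is: -12251
  error_code_
    Which is: 0
[  FAILED  ] TlsConnectStreamTls13.ChangeCipherSpecAfterClientHelloEmptySid (3 ms)
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
TEST_BLOCK = re.compile(r"\[ RUN\s+\] (\S+)\n(.*?)\[\s+(OK|FAILED)\s+\] \1", re.S)
SENT = re.compile(r"Send Direct \[\d+\] ([0-9a-f]+)$", re.M)
CHECK = re.compile(r"^  (\w+)\n    Which is: (\S+)\n  (\w+)\n    Which is: (\S+)$", re.M)

def decode_record(hex_bytes):
    """Decode one complete TLS record: content type, legacy version, payload."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 5:
        raise ValueError("shorter than the 5-byte TLS record header")
    if len(raw) != 5 + int.from_bytes(raw[3:5], "big"):
        raise ValueError("length field does not match the record body")
    return {"type": CONTENT_TYPES.get(raw[0], "unknown"),
            "version": raw[1:3].hex(), "payload": raw[5:].hex()}

def summarize(log):
    """For each FAILED test: the injected records and (want, got) assertion pairs."""
    failed = {}
    for name, body, status in TEST_BLOCK.findall(log):
        if status == "FAILED":
            failed[name] = {"records": [decode_record(h) for h in SENT.findall(body)],
                            "checks": CHECK.findall(body)}
    return failed

if __name__ == "__main__":
    for test, info in summarize(SAMPLE_LOG).items():
        print(test, info["records"], info["checks"])
```

On the sample, the injected record decodes as a one-byte change_cipher_spec record with legacy version 0303, and the receiving agent is still in CONNECTING with error code 0 where the test wants ERROR and -12251.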
