Hello,

I am trying to backport the fix for CVE-2020-25648 to nss version 3.42.1 in Debian 10, "buster". Unfortunately, the four tests added by the fix do not pass. Would someone be able to take a look at the test output, please? Perhaps the failed test does not indicate that the fix is ineffective. As all the other tests pass, I'm not too concerned about introducing any regressions.

I'm including the failed test output below. My patched version of nss is here: <https://salsa.debian.org/lts-team/packages/nss>. More specifically, the backported patch is here: <https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/buster/debian/patches/CVE-2020-25648.patch>.

Thank you.

-- 
Sean Whitton

[ RUN ] TlsConnectStreamTls13.ChangeCipherSpecAfterClientHelloEmptySid
Version: TLS 1.3
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
client: Send Direct [6] 140303000101
tls_agent.cc:658: Failure
Expected equality of these values:
  STATE_ERROR
    Which is: ERROR
  state_
    Which is: CONNECTING
tls_agent.cc:659: Failure
Expected equality of these values:
  expected
    Which is: -12251
  error_code_
    Which is: 0
Got error code (null) expecting SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER
tls_agent.cc:115: Failure
Failed
Wrong expected_sent_alert status: server
[ FAILED ] TlsConnectStreamTls13.ChangeCipherSpecAfterClientHelloEmptySid (3 ms)

[ RUN ] TlsConnectStreamTls13.ChangeCipherSpecAfterServerHelloEmptySid
Version: TLS 1.3
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
handshake drop: [32] 1b8a089d138d6e39406bf8976a32005454bc4a5b2297f721f558948f42980a63
record old: [657] 080000240022000a00140012001d00170018001901000101010201030104001c...
record new: [621] 080000240022000a00140012001d00170018001901000101010201030104001c...
server: Original packet: [774] 160303005a020000560303cce13fc9d25beeda4816ae0df6c3fcfc6b075b524d...
server: Filtered packet: [738] 160303005a020000560303cce13fc9d25beeda4816ae0df6c3fcfc6b075b524d...
server: Send Direct [6] 140303000101
tls_agent.cc:658: Failure
Expected equality of these values:
  STATE_ERROR
    Which is: ERROR
  state_
    Which is: CONNECTING
tls_agent.cc:659: Failure
Expected equality of these values:
  expected
    Which is: -12251
  error_code_
    Which is: 0
Got error code (null) expecting SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER
tls_agent.cc:115: Failure
Failed
Wrong expected_sent_alert status: client
[ FAILED ] TlsConnectStreamTls13.ChangeCipherSpecAfterServerHelloEmptySid (3 ms)

[ RUN ] Tls13CompatTest.ChangeCipherSpecAfterClientHelloTwice
Version: TLS 1.3
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
client: Send Direct [6] 140303000101
client: Send Direct [6] 140303000101
tls_agent.cc:658: Failure
Expected equality of these values:
  STATE_ERROR
    Which is: ERROR
  state_
    Which is: CONNECTING
tls_agent.cc:659: Failure
Expected equality of these values:
  expected
    Which is: -12251
  error_code_
    Which is: 0
Got error code (null) expecting SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER
tls_agent.cc:115: Failure
Failed
Wrong expected_sent_alert status: server
[ FAILED ] Tls13CompatTest.ChangeCipherSpecAfterClientHelloTwice (3 ms)

[ RUN ] Tls13CompatTest.ChangeCipherSpecAfterServerHelloTwice
Version: TLS 1.3
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
handshake drop: [32] 9fa4dd3997d365493264eb198d69844aa6090fdbe2d6d198df14cc020f20fd99
record old: [657] 080000240022000a00140012001d00170018001901000101010201030104001c...
record new: [621] 080000240022000a00140012001d00170018001901000101010201030104001c...
server: Original packet: [812] 160303007a0200007603031819fcfd8fd325cb2a943632a50c27846ad67629c4...
server: Filtered packet: [776] 160303007a0200007603031819fcfd8fd325cb2a943632a50c27846ad67629c4...
server: Send Direct [6] 140303000101
tls_agent.cc:658: Failure
Expected equality of these values:
  STATE_ERROR
    Which is: ERROR
  state_
    Which is: CONNECTING
tls_agent.cc:659: Failure
Expected equality of these values:
  expected
    Which is: -12251
  error_code_
    Which is: 0
Got error code (null) expecting SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER
tls_agent.cc:115: Failure
Failed
Wrong expected_sent_alert status: client
[ FAILED ] Tls13CompatTest.ChangeCipherSpecAfterServerHelloTwice (3 ms)
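
For triaging output like the above, an added example (not part of the original message or of the NSS test suite): it decodes the `Send Direct` bytes as TLS records and pulls the expected and actual values out of each test. The function names and the abridged sample log are constructed for illustration.

```python
import re
# TLS record content types (RFC 8446, section 5.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def decode_record(hex_bytes):
    """Decode one complete TLS record (5-byte header + payload) from hex."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 5:
        raise ValueError("shorter than a TLS record header")
    if len(raw) != 5 + int.from_bytes(raw[3:5], "big"):
        raise ValueError("length field does not match payload size")
    return {"type": CONTENT_TYPES.get(raw[0], "unknown(%d)" % raw[0]),
            "version": "0x%02x%02x" % (raw[1], raw[2]),
            "payload": raw[5:].hex()}

RUN = re.compile(r"\[\s*RUN\s*\]\s+(\S+)")
SEND = re.compile(r"(client|server): Send Direct \[\d+\] ([0-9a-f]+)")
WHICH = re.compile(r"Which is: (\S+)")

def summarize(log):
    """Per test: injected records, expected/actual state and error code."""
    parts = RUN.split(log)[1:]          # [name, body, name, body, ...]
    result = {}
    for name, body in zip(parts[::2], parts[1::2]):
        vals = WHICH.findall(body)      # expected, actual, expected, actual
        result[name] = {
            "sent": [(who, decode_record(h)["type"]) for who, h in SEND.findall(body)],
            "state": tuple(vals[0:2]),
            "error": tuple(vals[2:4]),
            "failed": re.search(r"\[\s*FAILED\s*\]", body) is not None,
        }
    return result

# Constructed sample: two of the failing tests from the output above, abridged.
SAMPLE = """\
[ RUN ] TlsConnectStreamTls13.ChangeCipherSpecAfterClientHelloEmptySid
client: Send Direct [6] 140303000101
Expected equality of these values: STATE_ERROR Which is: ERROR state_ Which is: CONNECTING
Expected equality of these values: expected Which is: -12251 error_code_ Which is: 0
[ FAILED ] TlsConnectStreamTls13.ChangeCipherSpecAfterClientHelloEmptySid (3 ms)
[ RUN ] Tls13CompatTest.ChangeCipherSpecAfterClientHelloTwice
client: Send Direct [6] 140303000101
client: Send Direct [6] 140303000101
Expected equality of these values: STATE_ERROR Which is: ERROR state_ Which is: CONNECTING
Expected equality of these values: expected Which is: -12251 error_code_ Which is: 0
[ FAILED ] Tls13CompatTest.ChangeCipherSpecAfterClientHelloTwice (3 ms)
"""
if __name__ == "__main__":
    print(summarize(SAMPLE))
```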