# HG changeset patch
# User Martin Thomson
# Date 1535720767 -7200
# Node ID 46f9a1f40c3dd53cf4627e007429530fe989f592
# Parent 93108979390d163ae97d73db5a2df883d2bf8c62
Bug 1483128, backported fix for CVE-2018-12384 to the NSS_3_36_BRANCH
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/nss/lib/ssl/ssl3con.c
+++ b/nss/lib/ssl/ssl3con.c
@@ -8077,24 +8077,16 @@ ssl3_HandleClientHello(sslSocket *ss, PR
         rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.fakeSid, &sidBytes);
         if (rv != SECSuccess) {
             desc = internal_error;
             errCode = PORT_GetError();
             goto alert_loser;
         }
     }
 
-    /* Generate the Server Random now so it is available
-     * when we process the ClientKeyShare in TLS 1.3 */
-    rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
-    if (rv != SECSuccess) {
-        errCode = SSL_ERROR_GENERATE_RANDOM_FAILURE;
-        goto loser;
-    }
-
 #ifndef TLS_1_3_DRAFT_VERSION
     /*
      * [draft-ietf-tls-tls13-11 Section 6.3.1.1].
      * TLS 1.3 server implementations which respond to a ClientHello with a
      * client_version indicating TLS 1.2 or below MUST set the last eight
      * bytes of their Random value to the bytes:
      *
      * 44 4F 57 4E 47 52 44 01 
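Review bot: Removing the generation here leaves the `#ifndef TLS_1_3_DRAFT_VERSION` block that directly follows (its body is outside the hunk) acting on `ss->ssl3.hs.server_random` before any value has been generated, so if that block writes the downgrade sentinel into the last eight bytes of the Random, the later `ssl3_GetNewRandom` call in ssl_ConstructServerHello will overwrite it. Whether this bites on the branch depends on whether TLS_1_3_DRAFT_VERSION is defined; if the block is compiled in, the sentinel write has to move next to the new generation site or be applied after it. A comment at the removal point would make the new ordering contract explicit: `/* server_random is now generated in ssl_ConstructServerHello; anything that must appear in the final Random has to be applied there. */`. ssl3_HandleClientHello begins and ends outside the hunk.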
@@ -8873,30 +8865,39 @@ loser:
 SECStatus
 ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry,
                          const sslBuffer *extensionBuf,
                          sslBuffer *messageBuf)
 {
     SECStatus rv;
     SSL3ProtocolVersion version;
     sslSessionID *sid = ss->sec.ci.sid;
+    const PRUint8 *random;
 
     if (IS_DTLS(ss) && ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
         version = dtls_TLSVersionToDTLSVersion(ss->version);
     } else {
         version = PR_MIN(ss->version, SSL_LIBRARY_VERSION_TLS_1_2);
     }
 
     rv = sslBuffer_AppendNumber(messageBuf, version, 2);
     if (rv != SECSuccess) {
         return SECFailure;
     }
-    /* Random already generated in ssl3_HandleClientHello */
-    rv = sslBuffer_Append(messageBuf, helloRetry ? ssl_hello_retry_random : ss->ssl3.hs.server_random,
-                          SSL3_RANDOM_LENGTH);
+
+    if (helloRetry) {
+        random = ssl_hello_retry_random;
+    } else {
+        rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        random = ss->ssl3.hs.server_random;
+    }
+    rv = sslBuffer_Append(messageBuf, random, SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
         return SECFailure;
     }
 
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
         if (sid) {
             rv = sslBuffer_AppendVariable(messageBuf, sid->u.ssl3.sessionID,
                                           sid->u.ssl3.sessionIDLength, 1);
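Review bot: The new failure branch after `ssl3_GetNewRandom` returns SECFailure without the `SSL_ERROR_GENERATE_RANDOM_FAILURE` mapping that the removed ssl3_HandleClientHello code applied, so unless ssl3_GetNewRandom sets an error itself the caller reports whatever PORT error happens to be pending; either add `PORT_SetError(SSL_ERROR_GENERATE_RANDOM_FAILURE);` before that `return SECFailure;` or confirm the helper always sets one. The removed `/* Random already generated ... */` comment should be replaced rather than dropped, since generating the value at this single point is the substance of the CVE-2018-12384 fix: `/* Generate the Random here so every ServerHello, whichever handshake path built it, carries a fresh value. */`. As a point of style, the local `random` shadows the POSIX random(3) declaration wherever <stdlib.h> is visible and will trip -Wshadow; `randomBytes` avoids that. The hunk ends before ssl_ConstructServerHello's closing brace.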