- Allow use of session tickets when there is no ticket wrapping key

(boo#1015499, bmo#1320695) OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=238
2017-04-12 21:26:25 +00:00 · 2017-04-12 21:26:25 +00:00 · c072bb869b
commit c072bb869b
parent 32ecde7ac4
3 changed files with 80 additions and 9 deletions
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,10 +1,12 @@
 -------------------------------------------------------------------
-Sun Apr  9 08:16:21 UTC 2017 - wr@rosenauer.org
+Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org

 - update to NSS 3.29.5
  * Rare crashes in the base 64 decoder and encoder were fixed.
    (bmo#1344380)
  * A carry over bug in the RNG was fixed. (bmo#1345089)
+- Allow use of session tickets when there is no ticket wrapping key
+  (boo#1015499, bmo#1320695)

 -------------------------------------------------------------------
 Thu Mar 16 20:27:50 UTC 2017 - wr@rosenauer.org
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -51,12 +51,13 @@ Source9:        pkcs11.txt
 Source99:       %{name}.changes
 Patch1:         nss-opt.patch
 Patch2:         system-nspr.patch
-Patch4:         nss-no-rpath.patch
-Patch5:         renegotiate-transitional.patch
-Patch6:         malloc.patch
-Patch7:         nss-disable-ocsp-test.patch
-Patch8:         nss-sqlitename.patch
-Patch9:         nss-fix-hash.patch
+Patch3:         nss-no-rpath.patch
+Patch4:         renegotiate-transitional.patch
+Patch5:         malloc.patch
+Patch6:         nss-disable-ocsp-test.patch
+Patch7:         nss-sqlitename.patch
+Patch8:         nss-fix-hash.patch
+Patch9:         nss-bmo1320695.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@ -170,11 +171,12 @@ Mozilla project.
 cd nss
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %patch4 -p1
-%patch5 -p1
 %if %suse_version > 1110
-%patch6 -p1
+%patch5 -p1
 %endif
+%patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
--- a/nss-bmo1320695.patch
+++ b/nss-bmo1320695.patch
@ -0,0 +1,67 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1481108447 -3600
+#      Wed Dec 07 12:00:47 2016 +0100
+# Branch wip/dueno/ec-session-ticket
+# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
+# Parent  5796201e791e6cbffc3615cb0c894cf1b0fc09a1
+Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable
+
+When session ticket is used and wrapping key pair (for caching
+generated keys at server side) is not available, disable caching
+instead of returning an error.
+
+diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
+--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
+@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
+     sslSocket *ss = (sslSocket *)data;
+     sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
+     const sslServerCert *sc;
+-    SECKEYPrivateKey *svrPrivKey;
+-    SECKEYPublicKey *svrPubKey;
+    SECKEYPrivateKey *svrPrivKey = NULL;
+    SECKEYPublicKey *svrPubKey = NULL;
+ 
+     sc = ssl_FindServerCert(ss, &certType);
+     if (!sc || !sc->serverKeyPair) {
+         SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
+                  SSL_GETPID(), ss->fd));
+-        goto loser;
+-    }
+-    svrPrivKey = sc->serverKeyPair->privKey;
+-    svrPubKey = sc->serverKeyPair->pubKey;
+-    if (svrPrivKey == NULL || svrPubKey == NULL) {
+-        SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+-                 SSL_GETPID(), ss->fd));
+-        goto loser;
+    } else {
+        svrPrivKey = sc->serverKeyPair->privKey;
+        svrPubKey = sc->serverKeyPair->pubKey;
+        if (svrPrivKey == NULL || svrPubKey == NULL) {
+            SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+                     SSL_GETPID(), ss->fd));
+            svrPrivKey = NULL;
+            svrPubKey = NULL;
+        }
+     }
+ 
+     /* Get a copy of the session keys from shared memory. */
+diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
+--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
+@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
+     PRBool keysGenerated = PR_FALSE;
+     cacheDesc *cache = &globalCache;
+ 
+-    if (!cache->cacheMem) {
+-        /* cache is uninitialized. Generate keys and return them
+-         * without caching. */
+    if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
+        /* Generated keys cannot be cached, because:
+         * - the cache is not initialized, or
+         * - key pairs to wrap them are not available
+         * Generate keys and return them without caching. */
+         return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
+     }
+