Bug 1397410
| Summary: | Ensure NSS doesn't crash when attempting to use session tickets in a server that doesn't have an RSA key [rhel-7] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Frantisek Sumsal <fsumsal> |
| Component: | nss | Assignee: | Daiki Ueno <dueno> |
| Status: | CLOSED ERRATA | QA Contact: | Alicja Kario <hkario> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.3 | CC: | dueno, hkario, huzaifas, kengert, nmavrogi, rrelyea, szidek |
| Target Milestone: | rc | Keywords: | Reopened, Reproducer |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | nss-3.28.3-4.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1397482 1426182 | Environment: | |
| Last Closed: | 2017-08-01 16:47:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1397482, 1426182, 1455876 | | |
Fixed upstream, we must pick up the fix. Might require backporting. We must investigate how difficult to backport, because Daiki said it might depend on recent upstream refactoring after 3.28, and we currently intend to rebase to 3.28 only. Maybe we must change the plan, and rebase 7.4.0 to something newer?

Given problems with ecdsa signatures in 3.28 (see bug 1417644), we'll probably need to rebase to something later for 7.3.z anyway, let alone 7.4.0.

(a) This bug was reported against 3.21. Why is it urgent and required for 7.3.z? If the bug was known with old NSS, why can't the fix wait until the next y-stream 7.4.0?

(b) We shouldn't rebase 7.3.z to NSS 3.29; that's not even released yet, and hasn't been tested anywhere in production. Daiki, what is your recommendation, if a fix to 7.3.z is required?

(c) For the other bug 1417644 you mentioned, the fix is a minimal downstream patch that changes a bool parameter. -> should get fixed for 7.4.0 -> not immediately required for z-stream

Daiki, could you please recommend how we should fix this for NSS 3.28.x in RHEL 7.4.0?

There are two distinct issues discussed here (linked to the upstream bugs), which seem to be causing confusion:

- with 3.21.x, the steps cause a segmentation fault
- with 3.28.x, the steps don't cause a segmentation fault, but the session ticket doesn't work

The former should be fixed with our rebase to 3.28.x. Also, while the former might be a security issue, I don't think the latter is. So, I would suggest closing this bug and opening a new bug for the latter (with a lower severity), if we want to track it.

I agree to split the issues into two separate bugs. If anyone thinks we must track support for sessions-tickets-with-EC-key-only-configuration with a RHEL bug, which will be supported by upstream NSS 3.30, then please go ahead and file a bug. Let's keep the focus of this bug on the crash.

Because we know we will fix the crash bug with the rebase, maybe we should keep this bug open until the rebase and crash fix are actually completed?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1977
Description of problem:

selfserv segfaults during the handshake while using the SessionTicket extension for session resumption. This issue does not occur, however, when using client certificates.

Version-Release number of selected component (if applicable):

nss-3.21.0-17.el7.x86_64
nss-util-3.21.0-2.2.el7_2.x86_64

How reproducible:

always

Steps to Reproduce:

```console
# NSS_CIPHER="C00A"
# OPENSSL_CIPHER="ECDHE-ECDSA-AES256-SHA"
# ulimit -c unlimited
# openssl ecparam -genkey -name prime256v1 -out ec.key
# openssl req -new -x509 -key ec.key -out ec-cert.pem -days 3650 -subj "/CN=localhost" -nodes
# openssl pkcs12 -name ec -export -inkey ec.key -out ec.p12 -in ec-cert.pem -passout "pass:"
# mkdir nssdb
# certutil -N --empty-password -d sql:./nssdb
# certutil -A -d sql:./nssdb/ -n ec -t ',,' -a -i ec-cert.pem
# pk12util -i ec.p12 -d sql:./nssdb -W ''
# /usr/lib64/nss/unsupported-tools/selfserv -d sql:./nssdb/ -p 4433 -V tls1.0: -H 1 -e ec -c :$NSS_CIPHER -u &
# sleep 3
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -sess_out sess.pem > full.log < /dev/null
# grep "New, TLSv1/SSLv3" full.log || echo "ERROR: HANDSHAKE ERROR"
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -sess_in sess.pem > resumption.log < /dev/null
# grep "Reused, TLSv1/SSLv3" resumption.log || echo "ERROR: RESUMPTION EXPECTED"
```

Actual results:

```console
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -sess_out sess.pem > full.log < /dev/null
depth=0 CN = localhost
verify return:1
140699908630432:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
# grep "New, TLSv1/SSLv3" full.log || echo "ERROR: HANDSHAKE ERROR"
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -sess_in sess.pem > resumption.log < /dev/null
Can't open session file sess.pem
140226465114016:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('sess.pem','r')
140226465114016:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
# grep "Reused, TLSv1/SSLv3" resumption.log || echo "ERROR: RESUMPTION EXPECTED"
[1]+  Segmentation fault      (core dumped) /usr/lib64/nss/unsupported-tools/selfserv -d sql:./nssdb/ -p 4433 -V tls1.0: -H 1 -e ec -c :$NSS_CIPHER -u
ERROR: RESUMPTION EXPECTED
```

Expected results:

Handshake and session resumption should finish successfully.

SessionID example (same setup, server started without -u and client run with -no_ticket, so resumption uses a session ID instead of a ticket):

```console
# /usr/lib64/nss/unsupported-tools/selfserv -d sql:./nssdb/ -p 4433 -V tls1.0: -H 1 -e ec -c :$NSS_CIPHER &
[1] 14341
# sleep 3
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -no_ticket -sess_out sess.pem > full.log < /dev/null
depth=0 CN = localhost
verify return:1
DONE
# grep "New, TLSv1/SSLv3" full.log || echo "ERROR: HANDSHAKE ERROR"
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -no_ticket -sess_in sess.pem > resumption.log < /dev/null
DONE
# grep "Reused, TLSv1/SSLv3" resumption.log || echo "ERROR: RESUMPTION EXPECTED"
Reused, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
```

Additional info:

Offending ciphersuites (openssl/nss):

- ECDHE-ECDSA-AES256-SHA / C00A
- ECDHE-ECDSA-AES128-SHA256 / C023
- ECDHE-ECDSA-AES128-GCM-SHA256 / C02B
- ECDHE-ECDSA-AES256-GCM-SHA384 / C02C

Backtrace:

```text
#0  0x00007f7deb81f42e in ssl3_GenerateSessionTicketKeysPKCS11 () from /lib64/libssl3.so
#1  0x00007f7deaa57c95 in PR_CallOnceWithArg () from /lib64/libnspr4.so
#2  0x00007f7deb81e672 in ssl3_GetSessionTicketKeysPKCS11 () from /lib64/libssl3.so
#3  0x00007f7deb8206c2 in ssl3_SendNewSessionTicket () from /lib64/libssl3.so
#4  0x00007f7deb8159c6 in ssl3_HandleHandshakeMessage () from /lib64/libssl3.so
#5  0x00007f7deb818051 in ssl3_HandleRecord () from /lib64/libssl3.so
#6  0x00007f7deb8194a2 in ssl3_GatherCompleteHandshake () from /lib64/libssl3.so
#7  0x00007f7deb81a285 in ssl_GatherRecord1stHandshake () from /lib64/libssl3.so
#8  0x00007f7deb822925 in ssl_Do1stHandshake () from /lib64/libssl3.so
#9  0x00007f7deb823e6f in ssl_SecureRecv () from /lib64/libssl3.so
#10 0x00007f7deb827fe8 in ssl_Read () from /lib64/libssl3.so
#11 0x0000000000408512 in handle_connection ()
#12 0x0000000000409004 in jobLoop ()
#13 0x0000000000407641 in thread_wrapper ()
#14 0x00007f7deaa6596b in _pt_root () from /lib64/libnspr4.so
#15 0x00007f7dea5eadc5 in start_thread () from /lib64/libpthread.so.0
#16 0x00007f7dea11573d in clone () from /lib64/libc.so.6
```
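The backtrace places the crash in ssl3_GenerateSessionTicketKeysPKCS11, reached from ssl3_SendNewSessionTicket, on a server whose only key is EC. The C program below is an added illustration written for this page, not NSS source and not code from the reporter: it models the assumed failure (ticket-key setup reaching through an RSA key pair that was never loaded, so the pointer is NULL and the later NULL check never runs) beside a hardened variant that validates the whole pointer chain, uses whichever key type is configured, and returns an error so the server can skip NewSessionTicket and let the client fall back to session-ID resumption, which the SessionID example above shows working. Every type and function name here (SSLSocket, ServerCert, ticket_keys_buggy, ticket_keys_fixed, may_send_ticket) is a hypothetical stand-in, and the exact line NSS 3.21 crashed on is not on this page.

```c
/*
 * Added illustration, not NSS source: a model of why ticket-key setup can
 * crash on a server that has only an EC key, and a hardened variant that
 * fails closed. All type and function names are hypothetical stand-ins.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { KT_RSA = 0, KT_ECDH = 1, KT_COUNT } KeyType;

typedef struct { const char *label; } PrivKey;      /* stand-in for a private key handle */
typedef struct { const char *slot_name; } PubKey;   /* stand-in for a public key handle */
typedef struct { PubKey *pubKey; } KeyPair;         /* stand-in for a server key pair */

typedef struct {
    PrivKey *privKey;   /* NULL when no key of this type is loaded */
    KeyPair *keyPair;   /* NULL when no key of this type is loaded */
} ServerCert;

typedef struct {
    ServerCert serverCerts[KT_COUNT];
    int ticketsEnabled;   /* models the selfserv -u switch */
} SSLSocket;

/*
 * Buggy shape (assumed from the backtrace): the RSA key pair is dereferenced
 * to reach its public key before anyone checks that an RSA key pair exists.
 * On an EC-only socket keyPair is NULL and that line crashes; the NULL check
 * after it comes too late.
 */
static int ticket_keys_buggy(const SSLSocket *ss, const char **slot_out)
{
    PrivKey *priv = ss->serverCerts[KT_RSA].privKey;
    PubKey *pub = ss->serverCerts[KT_RSA].keyPair->pubKey; /* NULL deref when EC-only */
    if (priv == NULL || pub == NULL)
        return -1;
    *slot_out = pub->slot_name;
    return 0;
}

/*
 * Hardened shape: validate the whole pointer chain before use and accept the
 * first configured key type, so an EC-only server still gets ticket keys.
 * Returning -1 lets the caller skip NewSessionTicket instead of crashing.
 */
static int ticket_keys_fixed(const SSLSocket *ss, const char **slot_out)
{
    for (int kt = 0; kt < KT_COUNT; kt++) {
        const ServerCert *sc = &ss->serverCerts[kt];
        if (sc->privKey == NULL || sc->keyPair == NULL || sc->keyPair->pubKey == NULL)
            continue;
        *slot_out = sc->keyPair->pubKey->slot_name;
        return 0;
    }
    *slot_out = NULL;
    return -1;
}

/* 1 = server may send NewSessionTicket, 0 = fall back to session-ID resumption. */
static int may_send_ticket(const SSLSocket *ss, int client_offered_ticket)
{
    const char *slot;
    if (!ss->ticketsEnabled || !client_offered_ticket)
        return 0;
    return ticket_keys_fixed(ss, &slot) == 0;
}

/* Constructed server state holding only the EC key "ec", as in the reproducer. */
static SSLSocket ec_only_server(void)
{
    static PrivKey ecPriv = { "ec" };
    static PubKey ecPub = { "ec-slot" };
    static KeyPair ecPair = { &ecPub };
    SSLSocket ss = { .serverCerts = { [KT_ECDH] = { &ecPriv, &ecPair } }, .ticketsEnabled = 1 };
    return ss;
}

/* Constructed server state holding only an RSA key, the case the buggy code assumes. */
static SSLSocket rsa_only_server(void)
{
    static PrivKey rsaPriv = { "rsa" };
    static PubKey rsaPub = { "rsa-slot" };
    static KeyPair rsaPair = { &rsaPub };
    SSLSocket ss = { .serverCerts = { [KT_RSA] = { &rsaPriv, &rsaPair } }, .ticketsEnabled = 1 };
    return ss;
}

int main(void)
{
    SSLSocket rsa = rsa_only_server();
    SSLSocket ec = ec_only_server();
    const char *slot = NULL;
    int rc;

    rc = ticket_keys_buggy(&rsa, &slot);
    printf("rsa-only, buggy code: rc=%d slot=%s\n", rc, slot);
    /* ticket_keys_buggy(&ec, &slot) would segfault here, so it is not called. */
    rc = ticket_keys_fixed(&ec, &slot);
    printf("ec-only, fixed code:  rc=%d slot=%s\n", rc, slot);
    printf("ec-only may send ticket: %d\n", may_send_ticket(&ec, 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The buggy variant is only ever called with the RSA-configured state, because calling it with the EC-only state is the segfault itself; the fixed variant is what a ticket-issuing path should look like when the server's key material does not match the shape the code was first written for.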