From 680fd3f8fb7157432398a3552ee9c98c72bd7397 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 29 Mar 2019 13:38:14 -0400 Subject: NSS: Log an error message when SSL_ExportKeyingMaterial() fails Diagnostic for 29241. --- src/lib/tls/tortls_nss.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src/lib') diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c index 00c4af0e97..4e107fae7b 100644 --- a/src/lib/tls/tortls_nss.c +++ b/src/lib/tls/tortls_nss.c @@ -726,10 +726,18 @@ tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out, tor_assert(context_len <= UINT_MAX); SECStatus s; + /* Make sure that the error code is set here, so that we can be sure that + * any error code set after a failure was in fact caused by + * SSL_ExportKeyingMaterial. */ + PR_SetError(PR_UNKNOWN_ERROR, 0); s = SSL_ExportKeyingMaterial(tls->ssl, label, (unsigned)strlen(label), PR_TRUE, context, (unsigned)context_len, secrets_out, DIGEST256_LEN); + if (s != SECSuccess) { + tls_log_errors(tls, LOG_WARN, LD_CRYPTO, + "exporting key material for a TLS handshake"); + } return (s == SECSuccess) ? 0 : -1; } -- cgit v1.2.3-54-g00ecf From 5cb94cbf9d89804ea37a2f1e68d354a86edb223e Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 29 Mar 2019 13:38:48 -0400 Subject: NSS: disable TLS1.2 SHA-384 ciphersuites. In current NSS versions, these ciphersuites don't work with SSL_ExportKeyingMaterial(), which was causing relays to fail when they tried to negotiate the v3 link protocol authentication. Fixes bug 29241; bugfix on 0.4.0.1-alpha. --- changes/bug29241 | 6 ++++++ src/lib/tls/tortls_nss.c | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 changes/bug29241 (limited to 'src/lib') diff --git a/changes/bug29241 b/changes/bug29241 new file mode 100644 index 0000000000..13951d1162 --- /dev/null +++ b/changes/bug29241 @@ -0,0 +1,6 @@ + o Major bugfixes (NSS, relay): + - When running with NSS, disable TLS 1.2 ciphersuites that use SHA384 + for their PRF. Due to an NSS bug, the TLS key exporters for these + ciphersuites don't work -- which caused relays to fail to handshake + with one another when these ciphersuites were enabled. + Fixes bug 29241; bugfix on 0.4.0.1-alpha. diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c index 4e107fae7b..3c62e98df1 100644 --- a/src/lib/tls/tortls_nss.c +++ b/src/lib/tls/tortls_nss.c @@ -152,6 +152,32 @@ we_like_auth_type(SSLAuthType at) } } +/** + * Return true iff this ciphersuite will be hit by a mozilla bug 1312976, + * which makes TLS key exporters not work with TLS 1.2 non-SHA256 + * ciphersuites. + **/ +static bool +ciphersuite_has_nss_export_bug(const SSLCipherSuiteInfo *info) +{ + /* For more information on the bug, see + https://bugzilla.mozilla.org/show_bug.cgi?id=1312976 */ + + /* This bug only exists in TLS 1.2. */ + if (info->authType == ssl_auth_tls13_any) + return false; + + /* Sadly, there's no way to get this information from the + * CipherSuiteInfo object itself other than by looking at the + * name. */ + if (strstr(info->cipherSuiteName, "_SHA384") || + strstr(info->cipherSuiteName, "_SHA512")) { + return true; + } + + return false; +} + tor_tls_context_t * tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, unsigned flags, int is_client) @@ -256,6 +282,12 @@ tor_tls_context_new(crypto_pk_t *identity, !we_like_mac_algorithm(info.macAlgorithm) || !we_like_auth_type(info.authType)/* Requires NSS 3.24 */; + if (ciphersuite_has_nss_export_bug(&info)) { + /* SSL_ExportKeyingMaterial will fail; we can't use this cipher. + */ + disable = 1; + } + s = SSL_CipherPrefSet(ctx->ctx, ciphers[i], disable ? PR_FALSE : PR_TRUE); if (s != SECSuccess) -- cgit v1.2.3-54-g00ecf