Open
Bug 1253175
Opened 8 years ago
Updated 10 months ago
Using NSSSessionTickets causes segfault in nss lib if used with ECC Cipher Suite
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
UNCONFIRMED
People
(Reporter: oliver2000, Unassigned)
Details
Attachments (2 files, 1 obsolete file):
    patch, 1018 bytes (Details | Diff | Splinter Review)
    patch, 6.18 KB (Details | Diff | Splinter Review)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:

I tried to configure Apache/2.4.16 with module mod_nss (1.0.12) and enable an ECC cipher suite and the Session Ticket feature (RFC 5077). I'm using nss lib (3.21). All this is a cross build on an ARM arch (imx6) in a Yocto build environment.

    NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha_256
    NSSSessionTickets on

Then I start apache and perform an https request with the Chrome browser on port 443.

This issue was already discussed here:
http://article.gmane.org/gmane.comp.apache.mod-nss/31
http://article.gmane.org/gmane.comp.apache.mod-nss/54

Actual results:

In the Chrome browser I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH. In the Apache logs I see segfaults in my apache error log:

    [Fri Feb 19 10:12:15.338660 2016] [mpm_prefork:notice] [pid 413] AH00163: Apache/2.4.16 (Unix) mod_nss/1.0.12 NSS/3.19.2 Basic ECC PHP/5.5.10 configured -- resuming normal operations
    [Fri Feb 19 10:12:15.338843 2016] [mpm_prefork:info] [pid 413] AH00164: Server built: Feb 22 2016 12:44:38
    [Fri Feb 19 10:12:15.339046 2016] [core:notice] [pid 413] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND -D SSL -D PHP5'
    [Fri Feb 19 10:12:15.339160 2016] [mpm_prefork:debug] [pid 413] prefork.c(995): AH00165: Accept mutex: sysvsem (default: sysvsem)
    [Fri Feb 19 10:12:15.386483 2016] [:debug] [pid 416] nss_engine_init.c(286): SNI is enabled
    [Fri Feb 19 10:12:15.386853 2016] [:info] [pid 416] Init: Seeding PRNG with 136 bytes of entropy
    [Fri Feb 19 10:12:40.374175 2016] [core:notice] [pid 413] AH00052: child pid 416 exit signal Segmentation fault (11)
    [Fri Feb 19 10:12:41.496820 2016] [:debug] [pid 423] nss_engine_init.c(286): SNI is enabled
    [Fri Feb 19 10:12:41.497224 2016] [:info] [pid 423] Init: Seeding PRNG with 136 bytes of entropy
    [Fri Feb 19 10:12:42.388948 2016] [core:notice] [pid 413] AH00052: child pid 423 exit signal Segmentation fault (11)
    [Fri Feb 19 10:12:43.508779 2016] [:debug] [pid 424] nss_engine_init.c(286): SNI is enabled
    [Fri Feb 19 10:12:43.509217 2016] [:info] [pid 424] Init: Seeding PRNG with 136 bytes of entropy
    [Fri Feb 19 10:12:44.404130 2016] [core:notice] [pid 413] AH00052: child pid 424 exit signal Segmentation fault (11)

I tested it with nss lib in version 3.19 and 3.21; both behave the same.

After a lot of debugging, this gdb trace shows the cause of the crash in the nss lib:

    gdb httpd
    GNU gdb (GDB) 7.9.1
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "arm-poky-linux-gnueabi".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from httpd...done.
    (gdb) run -X -e debug -k start
    Starting program: /usr/sbin/httpd -X -e debug -k start
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/libthread_db.so.1".
    [Wed Mar 02 14:44:57.512652 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authn_file_module from /usr/lib/apache2/modules/mod_authn_file.so
    [Wed Mar 02 14:44:57.568812 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authn_core_module from /usr/lib/apache2/modules/mod_authn_core.so
    [Wed Mar 02 14:44:57.624501 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authz_host_module from /usr/lib/apache2/modules/mod_authz_host.so
    [Wed Mar 02 14:44:57.685207 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authz_groupfile_module from /usr/lib/apache2/modules/mod_authz_groupfile.so
    [Wed Mar 02 14:44:57.742440 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authz_user_module from /usr/lib/apache2/modules/mod_authz_user.so
    [Wed Mar 02 14:44:57.807374 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module authz_core_module from /usr/lib/apache2/modules/mod_authz_core.so
    [Wed Mar 02 14:44:57.868316 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module access_compat_module from /usr/lib/apache2/modules/mod_access_compat.so
    [Wed Mar 02 14:44:57.932376 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module auth_basic_module from /usr/lib/apache2/modules/mod_auth_basic.so
    [Wed Mar 02 14:44:58.000811 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module socache_shmcb_module from /usr/lib/apache2/modules/mod_socache_shmcb.so
    [Wed Mar 02 14:44:58.069304 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module reqtimeout_module from /usr/lib/apache2/modules/mod_reqtimeout.so
    [Wed Mar 02 14:44:58.138680 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module filter_module from /usr/lib/apache2/modules/mod_filter.so
    [Wed Mar 02 14:44:58.247928 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module deflate_module from /usr/lib/apache2/modules/mod_deflate.so
    [Wed Mar 02 14:44:58.322509 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module mime_module from /usr/lib/apache2/modules/mod_mime.so
    [Wed Mar 02 14:44:58.408413 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module log_config_module from /usr/lib/apache2/modules/mod_log_config.so
    [Wed Mar 02 14:44:58.481900 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module env_module from /usr/lib/apache2/modules/mod_env.so
    [Wed Mar 02 14:44:58.564765 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module headers_module from /usr/lib/apache2/modules/mod_headers.so
    [Wed Mar 02 14:44:58.643176 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module setenvif_module from /usr/lib/apache2/modules/mod_setenvif.so
    [Wed Mar 02 14:44:58.723306 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module version_module from /usr/lib/apache2/modules/mod_version.so
    [Wed Mar 02 14:45:00.884109 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module nss_module from /usr/lib/apache2/modules/libmodnss.so
    [Wed Mar 02 14:45:00.987275 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module mpm_prefork_module from /usr/lib/apache2/modules/mod_mpm_prefork.so
    [Wed Mar 02 14:45:01.079230 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module unixd_module from /usr/lib/apache2/modules/mod_unixd.so
    [Wed Mar 02 14:45:01.177941 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module status_module from /usr/lib/apache2/modules/mod_status.so
    [Wed Mar 02 14:45:01.281979 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module autoindex_module from /usr/lib/apache2/modules/mod_autoindex.so
    [Wed Mar 02 14:45:01.378092 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module dir_module from /usr/lib/apache2/modules/mod_dir.so
    [Wed Mar 02 14:45:01.476646 2016] [so:debug] [pid 460] mod_so.c(266): AH01575: loaded module alias_module from /usr/lib/apache2/modules/mod_alias.so
    [ 2985.141330] TCP: request_sock_TCP: Possible SYN flooding on port 443. Dropping request.  Check SNMP counters.

    Program received signal SIGSEGV, Segmentation fault.
    ssl3_GenerateSessionTicketKeysPKCS11 (data=0x17b040) at ssl3ext.c:166
    166     ssl3ext.c: No such file or directory.
    (gdb) backtrace
    #0  ssl3_GenerateSessionTicketKeysPKCS11 (data=0x17b040) at ssl3ext.c:166
    #1  0x769ac830 in PR_CallOnceWithArg (once=0x76b5e04c <generate_session_keys_once>, func=0x76b366d0 <ssl3_GenerateSessionTicketKeysPKCS11>, arg=arg@entry=0x17b040) at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/nspr/4.10.8-r1/nspr-4.10.8/nspr/pr/src/misc/prinit.c:804
    #2  0x76b359ac in ssl3_GetSessionTicketKeysPKCS11 (ss=ss@entry=0x17b040, aes_key=0x7effea44, aes_key@entry=0x7effea3c, mac_key=0x7effea48, mac_key@entry=0x7effea40) at ssl3ext.c:197
    #3  0x76b37980 in ssl3_SendNewSessionTicket (ss=ss@entry=0x17b040) at ssl3ext.c:1132
    #4  0x76b2d5bc in ssl3_HandleFinished (hashes=<optimized out>, length=<optimized out>, b=0x18284c ")|\217\266\373f\216\206vq?\r\004\254\250\254\301\344\373\037\261}*d\252\027\022\005\035\202\240\340\065v\214\225M\036^p\002!", ss=0x17b040) at ssl3con.c:11293
    #5  ssl3_HandleHandshakeMessage (ss=ss@entry=0x17b040, b=0x18284c ")|\217\266\373f\216\206vq?\r\004\254\250\254\301\344\373\037\261}*d\252\027\022\005\035\202\240\340\065v\214\225M\036^p\002!", length=<optimized out>) at ssl3con.c:11649
    #6  0x76b2f914 in ssl3_HandleHandshake (origBuf=0xd, ss=0x17b040) at ssl3con.c:11723
    #7  ssl3_HandleRecord (ss=ss@entry=0x17b040, cText=cText@entry=0x7efff7ec, databuf=0xd, databuf@entry=0x17b2c0) at ssl3con.c:12392
    #8  0x76b30be8 in ssl3_GatherCompleteHandshake (ss=0x17b040, flags=0) at ssl3gthr.c:378
    #9  0x76b31764 in ssl_GatherRecord1stHandshake (ss=0x17b040) at sslcon.c:1213
    #10 0x76b39d28 in ssl_Do1stHandshake (ss=ss@entry=0x17b040) at sslsecur.c:109
    #11 0x76b3afc0 in ssl_SecureRecv (ss=0x17b040, buf=0x187088 "", len=8192, flags=0) at sslsecur.c:1227
    #12 0x76b3ea50 in ssl_Read (fd=<optimized out>, buf=0x187088, len=8192) at sslsock.c:2397
    #13 0x76b6c4e4 in nss_io_input_read (inctx=inctx@entry=0x187068, buf=buf@entry=0x187088 "", len=len@entry=0x7efff8c4) at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/modnss/1.0.12-r0/mod_nss-1.0.12/nss_engine_io.c:353
    #14 0x76b6d190 in nss_io_input_getline (len=0x7efff8b8, buf=0x187088 "", inctx=0x187068) at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/modnss/1.0.12-r0/mod_nss-1.0.12/nss_engine_io.c:460
    #15 nss_io_filter_input (f=0x189090, bb=0x18df58, mode=<optimized out>, block=<optimized out>, readbytes=0) at /home/graute/5411_IBIS/yocto/build-imx6ulevk/tmp/work/cortexa7hf-vfp-neon-poky-linux-gnueabi/modnss/1.0.12-r0/mod_nss-1.0.12/nss_engine_io.c:790
    #16 0x0002d9a0 in ap_rgetline_core (s=s@entry=0x18d0d0, n=20, read=0x18d0b8,

According to the gdb output the SegFault is located in nss/lib/ssl/ssl3ext.c:166:

    static PRStatus
    ssl3_GenerateSessionTicketKeysPKCS11(void *data)
    {
        SECStatus rv;
        sslSocket *ss = (sslSocket *)data;
        SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY;
        SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;

It looks to me like the access to the array goes wrong here (kt_rsa) because no RSA key exists. I wonder why the nss lib tries to access an RSA cert here instead of some ECC certs. If I'm using an RSA cipher suite instead of an ECC cipher suite, the Session Ticket feature works (no segfault). Probably a fix is to replace kt_rsa with kt_ecdh here. I am not sure what side effects such a change would have.

Expected results:

The apache server should provide a SessionTicket to the client browser instead of crashing in its nss lib. The ECC cipher suite should work like any other cipher suite regarding Session Tickets.
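The lookup at the crash site, reduced to a small model. This is an added example and is not NSS code: the enum, the struct layout and the names serverCerts/serverKeyPair/pubKey are a hypothetical simplification of the sslSocket fields the backtrace and snippet above refer to. It shows the unguarded kt_rsa read that faults on an ECDSA-only server next to a guarded lookup that tries RSA first, falls back to ECDH (the reporter's proposed change), and fails cleanly rather than dereferencing a missing slot.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of NSS's per-socket server key table (example only,
 * not NSS code). One slot per key-exchange type, as in ss->serverCerts[]. */
typedef enum { KT_NULL = 0, KT_RSA, KT_DH, KT_ECDH, KT_COUNT } key_type;

typedef struct { const char *label; } pub_key;
typedef struct { const char *label; } priv_key;
typedef struct { pub_key *pubKey; priv_key *privKey; } key_pair;
typedef struct { key_pair *serverKeyPair; } server_cert;
typedef struct { server_cert serverCerts[KT_COUNT]; } ssl_socket;

/* Unguarded lookup, modelled on ssl3_GenerateSessionTicketKeysPKCS11:
 * on an ECDSA-only server serverCerts[KT_RSA].serverKeyPair is NULL and
 * the ->pubKey read is the SIGSEGV in the report. Only safe to call when
 * an RSA key pair is configured. */
static pub_key *ticket_wrap_key_unguarded(ssl_socket *ss)
{
    return ss->serverCerts[KT_RSA].serverKeyPair->pubKey;
}

/* Guarded lookup: prefer RSA (the original behaviour), then ECDH, and
 * report -1 instead of dereferencing an empty slot. The preference order
 * must be identical in every server process sharing a session cache,
 * otherwise they derive different ticket keys. */
static int pick_ticket_key_slot(const ssl_socket *ss)
{
    static const key_type prefer[] = { KT_RSA, KT_ECDH };
    for (size_t i = 0; i < sizeof prefer / sizeof prefer[0]; i++) {
        const key_pair *kp = ss->serverCerts[prefer[i]].serverKeyPair;
        if (kp != NULL && kp->pubKey != NULL && kp->privKey != NULL)
            return (int)prefer[i];
    }
    return -1;
}

/* Returns 1 and fills *pub/*priv on success, 0 if no usable key pair exists
 * (the caller would then fail ticket generation instead of crashing). */
static int generate_ticket_keys_guarded(ssl_socket *ss, pub_key **pub, priv_key **priv)
{
    int slot = pick_ticket_key_slot(ss);
    if (slot < 0)
        return 0;
    *pub = ss->serverCerts[slot].serverKeyPair->pubKey;
    *priv = ss->serverCerts[slot].serverKeyPair->privKey;
    return 1;
}

/* Constructed scenario: a socket with a key pair in exactly one slot
 * (KT_NULL means no key pair at all). */
static void build_socket(key_type only, ssl_socket *out)
{
    static pub_key pk = { "server-pub" };
    static priv_key sk = { "server-priv" };
    static key_pair kp = { &pk, &sk };
    for (int i = 0; i < KT_COUNT; i++)
        out->serverCerts[i].serverKeyPair = NULL;
    if (only != KT_NULL)
        out->serverCerts[only].serverKeyPair = &kp;
}

static int slot_chosen_for(key_type only)
{
    ssl_socket ss;
    build_socket(only, &ss);
    return pick_ticket_key_slot(&ss);
}

static int generation_succeeds_for(key_type only)
{
    ssl_socket ss;
    pub_key *pub = NULL;
    priv_key *priv = NULL;
    build_socket(only, &ss);
    return generate_ticket_keys_guarded(&ss, &pub, &priv);
}

int main(void)
{
    ssl_socket rsa_only;
    build_socket(KT_RSA, &rsa_only);
    /* The unguarded read is fine only when an RSA key pair exists. */
    printf("unguarded, RSA server: %s\n", ticket_wrap_key_unguarded(&rsa_only)->label);
    printf("guarded slot, ECDSA-only server: %d (KT_ECDH=%d)\n",
           slot_chosen_for(KT_ECDH), (int)KT_ECDH);
    printf("guarded, no key pair: success=%d\n", generation_succeeds_for(KT_NULL));
    return 0;
}
```

Picking the slot avoids the NULL dereference; it does not by itself make ticket generation work, since the keys chosen here are then used to wrap the ticket keys for the cache, which is the step comment 5 reports failing with an EC key pair.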
Reporter
Updated•8 years ago
OS: Unspecified → Linux
Hardware: Unspecified → ARM
Comment 1•8 years ago
MT and I have been looking at this and wondering if we could radically simplify the key schedule here so it's not cipher-suite dependent. Bob, do you have any thoughts on the design constraints that motivate that design?
Flags: needinfo?(rrelyea)
Comment 2•8 years ago
The main motivator is servers need to share the master secret keys in the cache, so servers need a way to generate the secret key that wraps the master secrets in a way that is guaranteed to work for all servers sharing this cache. Clients don't need this since they aren't sharing keys across multiple processes.
Flags: needinfo?(rrelyea)
Reporter
Comment 3•8 years ago
Is it possible to create a patch that allows me to use an ECC cipher suite together with Session Tickets? Do you have any proposals for such a patch? I could try it out then.
Reporter
Comment 4•8 years ago
Do you have any suggestions to solve this issue? I would appreciate a quick fix or a workaround :-) Any idea where I have to start to fix it myself?
Reporter
Comment 5•7 years ago
To fix the observed segfault I replaced kt_rsa with kt_ecdh. Then the TLS Session Ticket generation failed because of some public key wrapping (see next patch).
Reporter
Comment 6•7 years ago
This little hack allows us to use TLS Session Tickets with ECC. I'm not sure why we need the wrapping of the PubKey here, so we ignore a failure here to use TLS Session Tickets successfully with ECC. Please review and comment on whether this is a feasible solution.
Reporter
Comment 7•7 years ago
This patch adds symmetric encryption for the SessionTicket cache. We modified WrapTicketKey and UnwrapCachedTicketKeys to use CKM_AES_ECB. Please feel free to review and comment on this patch. For us the Session Ticket problem is solved with these two patches applied.
Attachment #8742719 - Attachment is obsolete: true
Updated•6 years ago
Priority: -- → P3
Updated•10 months ago
Severity: normal → S3