1773374 - CERTCertificate leak in ssl3_FillInCachedSID when using a client certificate with TLS 1.3

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P3)

Description

[Dana Keeler (she/her) [:keeler]]

ssl3_FillInCachedSID assigns to sid->localCert without first checking if it has a value. It turns out, when using a client authentication certificate and TLS 1.3, it will already be set, which means this leaks a CERTCertificate. I found a similar situation with tls13_HandleClientHelloPart2 and ss->sec.localCert, but I don't know if it's possible to reach that point and have ss->sec.localCert have a value.

Comment 1

[Dana Keeler (she/her) [:keeler]]

Attachment: Bug 1773374 - avoid leaking localCert if it is already set in ssl3_FillInCachedSID r?mt

Comment 2

[Dennis Jackson]

Attachment: Bug 1773374: WIP: Add test for Client Auth with external cache and multiple tickets. r=mt

This patch adds a test for connecting with client auth to a server which sends multiple
session tickets.

TODO: Investigate why setting the (unused) callback is necessary to hit the bug.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The following patch is waiting for review from an inactive reviewer:

ID	Title	Author	Reviewer Status
D148687	Bug 1773374 - avoid leaking localCert if it is already set in ssl3_FillInCachedSID r?mt	keeler	mt: Inactive

:keeler, could you please find another reviewer?

For more information, please visit auto_nag documentation.

Comment 4

[Suhaib Mujahid [:suhaib]]

Sorry for the noise, there was a problem with a Bugzilla API that caused the bot to think more people were inactive than normal (bug 1789646).

Comment 5

[Dana Keeler (she/her) [:keeler]]

https://hg-edge.mozilla.org/projects/nss/rev/3b593379d88e198caf999c6e32c5fdf8ea438501
NSS 3.111