321161 - crash occurs if no RSA key is present [@ ssl2_BeginServerHandshake]

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P1)

Description

[Rob Crittenden]

If only an ECC cipher is configured then the SSL handshake will crash since there is no RSA cert or key.

The relevent portion of the backtrace is:

#0  0x001dabdd in ssl2_BeginServerHandshake (ss=0x97718f0) at sslcon.c:3745
3745        if (!rsaAuth->SERVERKEY || !rsaAuth->serverCert) {
(gdb) where
#0  0x001dabdd in ssl2_BeginServerHandshake (ss=0x97718f0) at sslcon.c:3745
#1  0x001dc000 in ssl_Do1stHandshake (ss=0x97718f0) at sslsecur.c:149
#2  0x001dd34e in ssl_SecureRecv (ss=0x97718f0, buf=0x977d510 "", len=8192,
    flags=0) at sslsecur.c:1035
#3  0x001dd5c9 in ssl_SecureRead (ss=0x97718f0, buf=0x977d510 "", len=8192)
    at sslsecur.c:1054
#4  0x001e0cfa in ssl_Read (fd=0x0, buf=0x977d510, len=8192) at sslsock.c:1380
#5  0x00202395 in PR_Read () from /usr/lib/libnspr4.so 

(gdb) print *rsaAuth
$1 = {serverCert = 0x0, serverCertChain = 0x0, serverKeyPair = 0x0,
  serverKeyBits = 0} 

A possible fix, provided by Nelson, is:

Index: sslcon.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslcon.c,v
retrieving revision 1.28
diff -u -r1.28 sslcon.c
--- sslcon.c    9 Sep 2005 03:02:16 -0000       1.28
+++ sslcon.c    22 Dec 2005 02:29:30 -0000
@@ -3742,7 +3742,7 @@
     ss->sec.rcvSequence = 0;
 
     /* don't turn on SSL2 if we don't have an RSA key and cert */
-    if (!rsaAuth->SERVERKEY || !rsaAuth->serverCert) {
+    if (!rsaAuth->serverKeyPair || !rsaAuth->SERVERKEY || !rsaAuth->serverCert) {
        ss->opt.enableSSL2 = PR_FALSE;
     }

This removes the crash in my testing. I used the cipher TLS_ECDH_ECDSA_RC4_128_SHA.

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

A trivial workaround is to disable SSL2, including SSL2 client hellos,
through the existing SSL API functions, when attempting to use ECC.
In practice, this is going to be necessary when attempting to use ECC,
even when RSA keys are present, because SSL2 client hellos cannot 
send the hello extension(s) used to negotiate ECC curves and other 
relevant stuff.  

Comment 2

[Wan-Teh Chang]

Rob:

mod_nss (for Apache) already disables SSL2.  Could you find out
if you also disable SSL2 client hellos?

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

FWIW, the SSL socket option SSL_V2_COMPATIBLE_HELLO presently only affects
the behavior of SSL sockets acting as clients.  It controls whether they 
attempt to send client hellos in ssl2 format or ssl3 format.  It has no 
effect (presently) on libSSL server sockets, AFAIK.  (maybe that's a bug.)

Enabling SSL_ENABLE_SSL2 also enables SSL_V2_COMPATIBLE_HELLO.
Disabling SSL_V2_COMPATIBLE_HELLO also disables SSL_ENABLE_SSL2.
IOW, of the 4 possible combinations of those 2 boolean socket configuration 
variables, one combination is not permitted, namely, 
    SSL_ENABLE_SSL2 && !SSL_V2_COMPATIBLE_HELLO

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

Attachment: proposed patch

Comment 5

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 208961 [details] [diff] [review]
proposed patch

Checked in on trunk.
Seeking SR for checkin on 3.11 branch.

Checking in ssl/sslcon.c; new revision: 1.29; previous revision: 1.28

Comment 6

[Nelson Bolyard (seldom reads bugmail)]

We need this for 3.11.1 or whatever release (if any) first enables ECC in TLS.

Comment 7

[Nelson Bolyard (seldom reads bugmail)]

Checked in on 3.11 branch.
Checking in sslcon.c; new revision: 1.28.2.1; previous revision: 1.28