Open Bug 597028 Opened 14 years ago Updated 2 years ago

SSL_ImportFD does not copy all information from model

Categories

(NSS :: Libraries, defect, P2)

Tracking

(Not tracked)

People

(Reporter: wolter.eldering, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
Build Identifier: 3.6.12

According to documentation:
SSL_ImportFD imports an existing NSPR file descriptor into SSL and returns a new SSL socket file descriptor. If the model parameter is not NULL, the configuration of the new file descriptor is copied from the model. If the model parameter is NULL, then the default SSL configuration is used.

It seems that the ca_list is not copied from the model. SSL_ReconfigFD, however, does include the ca_list:

    /* copy trust anchor names */
    if (sm->ssl3.ca_list) {
        if (ss->ssl3.ca_list) {
            CERT_FreeDistNames(ss->ssl3.ca_list);
        }
        ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list);
        if (!ss->ssl3.ca_list) {
            goto loser;
        }
    }


Reproducible: Always

Steps to Reproduce:
1. SSL_SetTrustAnchors(model, calist)
2. ssl = SSL_ImportFD(model, ssl);

Actual Results:
All config except the ca_list seems to be copied; this results in all CAs in the certdb being accepted.

Expected Results:
Only the CAs in calists will be accepted.
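
The effect described in the report, modeled in a small self-contained C program. This is an added example, not NSS code: the `NameList` and `Sock` types, the function names, and the sample DNs are hypothetical stand-ins, and the fallback to every CA in the cert DB when no `ca_list` is set is an assumption taken from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in types for illustration only (assumptions, not NSS structures). */
typedef struct { int n; const char *dn[4]; } NameList;
typedef struct { int options; NameList *ca_list; } Sock;

/* Copy as the report describes SSL_ImportFD: ca_list is not carried over. */
static void import_without_anchors(const Sock *model, Sock *ss) {
    ss->options = model->options;
}

/* Copy that follows the SSL_ReconfigFD snippet: free old list, duplicate the model's. */
static int import_with_anchors(const Sock *model, Sock *ss) {
    ss->options = model->options;
    if (model->ca_list) {
        free(ss->ca_list);
        ss->ca_list = malloc(sizeof *ss->ca_list);
        if (!ss->ca_list) return -1;
        memcpy(ss->ca_list, model->ca_list, sizeof *ss->ca_list);
    }
    return 0;
}

/* Assumption from the report: with no ca_list, every CA in the cert DB applies. */
static int ca_allowed(const Sock *ss, const NameList *certdb, const char *dn) {
    const NameList *l = ss->ca_list ? ss->ca_list : certdb;
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->dn[i], dn) == 0) return 1;
    return 0;
}

/* Constructed sample data: cert DB holds three CAs, the model is restricted to one. */
static int demo(int copy_anchors, const char *issuer) {
    NameList certdb = { 3, { "CN=Corp Client CA", "CN=Public CA 1", "CN=Public CA 2" } };
    NameList wanted = { 1, { "CN=Corp Client CA" } };
    Sock model = { 1, &wanted }, ss = { 0, NULL };
    int rv = 0;
    if (copy_anchors) rv = import_with_anchors(&model, &ss);
    else import_without_anchors(&model, &ss);
    int ok = (rv == 0) ? ca_allowed(&ss, &certdb, issuer) : -1;
    free(ss.ca_list);
    return ok;
}

int main(void) {
    printf("Public CA 1 allowed, no ca_list copy: %d\n", demo(0, "CN=Public CA 1"));
    printf("Public CA 1 allowed, ca_list copied:  %d\n", demo(1, "CN=Public CA 1"));
    return 0;
}
```
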
Assignee: nobody → alexei.volkov.bugs
Priority: -- → P2
Summary: SSL_ImportFD not copies all information like SSL_ReconfigFD from model → SSL_ImportFD does not copy all information from model

It also doesn't copy nextProtoCallback and nextProtoArg which means you can't set an ALPN callback on a model.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

The bug assignee didn't log in to Bugzilla in the last months and this bug has priority 'P2'.
:beurdouche, could you have a look please?
For more information, please visit auto_nag documentation.

Assignee: alvolkov.bgs → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(bbeurdouche)
Severity: normal → S3

We have modified the bot to only consider P1 as high priority, so I'm cancelling the needinfo here.

Flags: needinfo?(bbeurdouche)