Unverified Commit 955cf962 authored by teor's avatar teor
Browse files

Merge remote-tracking branch 'tor-github/pr/911' into maint-0.3.5

parents 3287cae6 4dd96f74
o Minor features (NSS, diagnostic):
- Try to log an error from NSS (if there is any) and a more useful
description of our situation if we are using NSS and a call to
SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.
o Major bugfixes (NSS, relay):
- When running with NSS, disable TLS 1.2 ciphersuites that use SHA384
for their PRF. Due to an NSS bug, the TLS key exporters for these
ciphersuites don't work -- which caused relays to fail to handshake
with one another when these ciphersuites were enabled.
Fixes bug 29241; bugfix on
......@@ -152,6 +152,32 @@ we_like_auth_type(SSLAuthType at)
* Return true iff this ciphersuite will be hit by a mozilla bug 1312976,
* which makes TLS key exporters not work with TLS 1.2 non-SHA256
* ciphersuites.
static bool
ciphersuite_has_nss_export_bug(const SSLCipherSuiteInfo *info)
/* For more information on the bug, see
https://bugzilla.mozilla.org/show_bug.cgi?id=1312976 */
/* This bug only exists in TLS 1.2. */
if (info->authType == ssl_auth_tls13_any)
return false;
/* Sadly, there's no way to get this information from the
* CipherSuiteInfo object itself other than by looking at the
* name. */
if (strstr(info->cipherSuiteName, "_SHA384") ||
strstr(info->cipherSuiteName, "_SHA512")) {
return true;
return false;
tor_tls_context_t *
tor_tls_context_new(crypto_pk_t *identity,
unsigned int key_lifetime, unsigned flags, int is_client)
......@@ -256,6 +282,12 @@ tor_tls_context_new(crypto_pk_t *identity,
!we_like_mac_algorithm(info.macAlgorithm) ||
!we_like_auth_type(info.authType)/* Requires NSS 3.24 */;
if (ciphersuite_has_nss_export_bug(&info)) {
/* SSL_ExportKeyingMaterial will fail; we can't use this cipher.
disable = 1;
s = SSL_CipherPrefSet(ctx->ctx, ciphers[i],
disable ? PR_FALSE : PR_TRUE);
if (s != SECSuccess)
......@@ -726,10 +758,18 @@ tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
tor_assert(context_len <= UINT_MAX);
SECStatus s;
/* Make sure that the error code is set here, so that we can be sure that
* any error code set after a failure was in fact caused by
* SSL_ExportKeyingMaterial. */
s = SSL_ExportKeyingMaterial(tls->ssl,
label, (unsigned)strlen(label),
PR_TRUE, context, (unsigned)context_len,
secrets_out, DIGEST256_LEN);
if (s != SECSuccess) {
tls_log_errors(tls, LOG_WARN, LD_CRYPTO,
"exporting key material for a TLS handshake");
return (s == SECSuccess) ? 0 : -1;
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment