From 680fd3f8fb7157432398a3552ee9c98c72bd7397 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Fri, 29 Mar 2019 13:38:14 -0400
Subject: [PATCH 1/3] NSS: Log an error message when SSL_ExportKeyingMaterial()
 fails

Diagnostic for 29241.
---
 changes/29241_diagnostic | 4 ++++
 src/lib/tls/tortls_nss.c | 8 ++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 changes/29241_diagnostic

diff --git a/changes/29241_diagnostic b/changes/29241_diagnostic
new file mode 100644
index 0000000000..1e38654957
--- /dev/null
+++ b/changes/29241_diagnostic
@@ -0,0 +1,4 @@
+  o Minor features (NSS, diagnostic):
+    - Try to log an error from NSS (if there is any) and a more useful
+      description of our situation if we are using NSS and a call to
+      SSL_ExportKeyingMaterial() fails.  Diagnostic for ticket 29241.
diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c
index 00c4af0e97..4e107fae7b 100644
--- a/src/lib/tls/tortls_nss.c
+++ b/src/lib/tls/tortls_nss.c
@@ -726,10 +726,18 @@ tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
   tor_assert(context_len <= UINT_MAX);
 
   SECStatus s;
+  /* Make sure that the error code is set here, so that we can be sure that
+   * any error code set after a failure was in fact caused by
+   * SSL_ExportKeyingMaterial. */
+  PR_SetError(PR_UNKNOWN_ERROR, 0);
   s = SSL_ExportKeyingMaterial(tls->ssl,
                                label, (unsigned)strlen(label),
                                PR_TRUE, context, (unsigned)context_len,
                                secrets_out, DIGEST256_LEN);
+  if (s != SECSuccess) {
+    tls_log_errors(tls, LOG_WARN, LD_CRYPTO,
+                   "exporting key material for a TLS handshake");
+  }
 
   return (s == SECSuccess) ? 0 : -1;
 }

From 5cb94cbf9d89804ea37a2f1e68d354a86edb223e Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Fri, 29 Mar 2019 13:38:48 -0400
Subject: [PATCH 2/3] NSS: disable TLS1.2 SHA-384 ciphersuites.

In current NSS versions, these ciphersuites don't work with
SSL_ExportKeyingMaterial(), which was causing relays to fail when
they tried to negotiate the v3 link protocol authentication.

Fixes bug 29241; bugfix on 0.4.0.1-alpha.
---
 changes/bug29241         |  6 ++++++
 src/lib/tls/tortls_nss.c | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 changes/bug29241

diff --git a/changes/bug29241 b/changes/bug29241
new file mode 100644
index 0000000000..13951d1162
--- /dev/null
+++ b/changes/bug29241
@@ -0,0 +1,6 @@
+  o Major bugfixes (NSS, relay):
+    - When running with NSS, disable TLS 1.2 ciphersuites that use SHA384
+      for their PRF. Due to an NSS bug, the TLS key exporters for these
+      ciphersuites don't work -- which caused relays to fail to handshake
+      with one another when these ciphersuites were enabled.
+      Fixes bug 29241; bugfix on 0.4.0.1-alpha.
diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c
index 4e107fae7b..3c62e98df1 100644
--- a/src/lib/tls/tortls_nss.c
+++ b/src/lib/tls/tortls_nss.c
@@ -152,6 +152,32 @@ we_like_auth_type(SSLAuthType at)
   }
 }
 
+/**
+ * Return true iff this ciphersuite will be hit by a mozilla bug 1312976,
+ * which makes TLS key exporters not work with TLS 1.2 non-SHA256
+ * ciphersuites.
+ **/
+static bool
+ciphersuite_has_nss_export_bug(const SSLCipherSuiteInfo *info)
+{
+  /* For more information on the bug, see
+     https://bugzilla.mozilla.org/show_bug.cgi?id=1312976 */
+
+  /* This bug only exists in TLS 1.2. */
+  if (info->authType == ssl_auth_tls13_any)
+    return false;
+
+  /* Sadly, there's no way to get this information from the
+   * CipherSuiteInfo object itself other than by looking at the
+   * name.  */
+  if (strstr(info->cipherSuiteName, "_SHA384") ||
+      strstr(info->cipherSuiteName, "_SHA512")) {
+    return true;
+  }
+
+  return false;
+}
+
 tor_tls_context_t *
 tor_tls_context_new(crypto_pk_t *identity,
                     unsigned int key_lifetime, unsigned flags, int is_client)
@@ -256,6 +282,12 @@ tor_tls_context_new(crypto_pk_t *identity,
         !we_like_mac_algorithm(info.macAlgorithm) ||
         !we_like_auth_type(info.authType)/* Requires NSS 3.24 */;
 
+      if (ciphersuite_has_nss_export_bug(&info)) {
+        /* SSL_ExportKeyingMaterial will fail; we can't use this cipher.
+         */
+        disable = 1;
+      }
+
       s = SSL_CipherPrefSet(ctx->ctx, ciphers[i],
                             disable ? PR_FALSE : PR_TRUE);
       if (s != SECSuccess)

From 4dd96f74444b0eeb8b3b2c36f6f129edddd464d4 Mon Sep 17 00:00:00 2001
From: teor <teor@torproject.org>
Date: Sat, 6 Apr 2019 11:07:20 +1000
Subject: [PATCH 3/3] changes: Ticket 29241 is actually a bug on NSS in
 0.3.5.1-alpha

---
 changes/bug29241 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changes/bug29241 b/changes/bug29241
index 13951d1162..7f25e154d1 100644
--- a/changes/bug29241
+++ b/changes/bug29241
@@ -3,4 +3,4 @@
       for their PRF. Due to an NSS bug, the TLS key exporters for these
       ciphersuites don't work -- which caused relays to fail to handshake
       with one another when these ciphersuites were enabled.
-      Fixes bug 29241; bugfix on 0.4.0.1-alpha.
+      Fixes bug 29241; bugfix on 0.3.5.1-alpha.