File nss-bmo1320695.patch of Package mozilla-nss.7325

# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1481108447 -3600
#      Wed Dec 07 12:00:47 2016 +0100
# Branch wip/dueno/ec-session-ticket
# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
# Parent  5796201e791e6cbffc3615cb0c894cf1b0fc09a1
Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable

When session ticket is used and wrapping key pair (for caching
generated keys at server side) is not available, disable caching
instead of returning an error.

diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
     sslSocket *ss = (sslSocket *)data;
     sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
     const sslServerCert *sc;
-    SECKEYPrivateKey *svrPrivKey;
-    SECKEYPublicKey *svrPubKey;
+    SECKEYPrivateKey *svrPrivKey = NULL;
+    SECKEYPublicKey *svrPubKey = NULL;
 
     sc = ssl_FindServerCert(ss, &certType);
     if (!sc || !sc->serverKeyPair) {
         SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
                  SSL_GETPID(), ss->fd));
-        goto loser;
-    }
-    svrPrivKey = sc->serverKeyPair->privKey;
-    svrPubKey = sc->serverKeyPair->pubKey;
-    if (svrPrivKey == NULL || svrPubKey == NULL) {
-        SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
-                 SSL_GETPID(), ss->fd));
-        goto loser;
+    } else {
+        svrPrivKey = sc->serverKeyPair->privKey;
+        svrPubKey = sc->serverKeyPair->pubKey;
+        if (svrPrivKey == NULL || svrPubKey == NULL) {
+            SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+                     SSL_GETPID(), ss->fd));
+            svrPrivKey = NULL;
+            svrPubKey = NULL;
+        }
     }
 
     /* Get a copy of the session keys from shared memory. */
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
     PRBool keysGenerated = PR_FALSE;
     cacheDesc *cache = &globalCache;
 
-    if (!cache->cacheMem) {
-        /* cache is uninitialized. Generate keys and return them
-         * without caching. */
+    if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
+        /* Generated keys cannot be cached, because:
+         * - the cache is not initialized, or
+         * - key pairs to wrap them are not available
+         * Generate keys and return them without caching. */
         return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
     }