From 387bb6b467790772da7cdd4c9852d08b344faafe Mon Sep 17 00:00:00 2001
From: Kai Engert
Date: Wed, 2 Nov 2016 14:19:58 +0100
Subject: [PATCH] Disable the use of RSA-PSS with SSL/TLS. #1383809

---
 disable-pss.patch | 136 ++++++++++++++++++++++++++++++++++++++++++++++
 nss.spec | 7 ++-
 2 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 disable-pss.patch

diff --git a/disable-pss.patch b/disable-pss.patch
new file mode 100644
index 0000000..8b73d90
--- /dev/null
+++ b/disable-pss.patch
@@ -0,0 +1,136 @@
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -209,19 +209,25 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ * order of signature types is based on the same rules for ordering we use for
+ * cipher suites just for consistency.
+ */
+ static const SignatureScheme defaultSignatureSchemes[] = {
+ ssl_sig_ecdsa_secp256r1_sha256,
+ ssl_sig_ecdsa_secp384r1_sha384,
+ ssl_sig_ecdsa_secp521r1_sha512,
+ ssl_sig_ecdsa_sha1,
++#if 0
++ /* Disable, while we are waiting for an upstream fix to
++ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++ * (NSS does not check if token supports RSA-PSS before using it to sign)
++ **/
+ ssl_sig_rsa_pss_sha256,
+ ssl_sig_rsa_pss_sha384,
+ ssl_sig_rsa_pss_sha512,
++#endif
+ ssl_sig_rsa_pkcs1_sha256,
+ ssl_sig_rsa_pkcs1_sha384,
+ ssl_sig_rsa_pkcs1_sha512,
+ ssl_sig_rsa_pkcs1_sha1,
+ ssl_sig_dsa_sha256,
+ ssl_sig_dsa_sha384,
+ ssl_sig_dsa_sha512,
+ ssl_sig_dsa_sha1
+@@ -5193,19 +5199,26 @@ ssl_CheckSignatureSchemeConsistency(
+ PRBool
+ ssl_IsSupportedSignatureScheme(SignatureScheme scheme)
+ {
+ switch (scheme) {
+ case ssl_sig_rsa_pkcs1_sha1:
+ case ssl_sig_rsa_pkcs1_sha256:
+ case ssl_sig_rsa_pkcs1_sha384:
+ case ssl_sig_rsa_pkcs1_sha512:
++ return PR_TRUE;
++ /* Disable, while we are waiting for an upstream fix to
++ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++ * (NSS does not check if token supports RSA-PSS before using it to sign)
++ **/
+ case ssl_sig_rsa_pss_sha256:
+ case ssl_sig_rsa_pss_sha384:
+ case ssl_sig_rsa_pss_sha512:
++ return PR_FALSE;
++
+ case ssl_sig_ecdsa_secp256r1_sha256:
+ case ssl_sig_ecdsa_secp384r1_sha384:
+ case ssl_sig_ecdsa_secp521r1_sha512:
+ case ssl_sig_dsa_sha1:
+ case ssl_sig_dsa_sha256:
+ case ssl_sig_dsa_sha384:
+ case ssl_sig_dsa_sha512:
+ case ssl_sig_ecdsa_sha1:
+@@ -7094,16 +7107,24 @@ ssl_PickSignatureScheme(sslSocket *ss, S
+ SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
+ PRUint32 policy;
+
+ if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
+ preferred)) {
+ continue;
+ }
+
++ if (ssl_IsRsaPssSignatureScheme(preferred)) {
++ /* Disable, while we are waiting for an upstream fix to
++ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++ * (NSS does not check if token supports RSA-PSS before using it to sign)
++ **/
++ continue;
++ }
++
+ hashType = ssl_SignatureSchemeToHashType(preferred);
+ hashOID = ssl3_HashTypeToOID(hashType);
+ if (requireSha1 && hashOID != SEC_OID_SHA1) {
+ continue;
+ }
+ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
+ !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+ /* we ignore hashes we don't support */
+diff --git a/lib/ssl/sslcert.c b/lib/ssl/sslcert.c
+--- a/lib/ssl/sslcert.c
++++ b/lib/ssl/sslcert.c
+@@ -403,39 +403,51 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
+ SSLExtraServerCertData *data)
+ {
+ SECStatus rv = SECFailure;
+
+ PRBool ku_sig = (PRBool)(cert->keyUsage & KU_DIGITAL_SIGNATURE);
+ PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT);
+
+ if ((data->authType == ssl_auth_rsa_sign && ku_sig) ||
++#if 0
++ /* Disable, while we are waiting for an upstream fix to
++ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++ * (NSS does not check if token supports RSA-PSS before using it to sign)
++ **/
+ (data->authType == ssl_auth_rsa_pss && ku_sig) ||
++#endif
+ (data->authType == ssl_auth_rsa_decrypt && ku_enc)) {
+ return ssl_ConfigCert(ss, cert, keyPair, data);
+ }
+
+ if (data->authType != ssl_auth_null || !(ku_sig || ku_enc)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (ku_sig) {
+ data->authType = ssl_auth_rsa_sign;
+ rv = ssl_ConfigCert(ss, cert, keyPair, data);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+
++#if 0
++ /* Disable, while we are waiting for an upstream fix to
++ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++ * (NSS does not check if token supports RSA-PSS before using it to sign)
++ **/
+ /* This certificate is RSA, assume that it's also PSS. */
+ data->authType = ssl_auth_rsa_pss;
+ rv = ssl_ConfigCert(ss, cert, keyPair, data);
+ if (rv != SECSuccess) {
+ return rv;
+ }
++#endif
+ }
+
+ if (ku_enc) {
+ /* If ku_sig=true we configure signature and encryption slots with the
+ * same cert. This is bad form, but there are enough dual-usage RSA
+ * certs that we can't really break by limiting this to one type. */
+ data->authType = ssl_auth_rsa_decrypt;
+ rv = ssl_ConfigCert(ss, cert, keyPair, data);
diff --git a/nss.spec b/nss.spec
index b1221a8..31a07b4 100644
--- a/nss.spec
+++ b/nss.spec
@@ -21,7 +21,7 @@ Name: nss
 Version: 3.27.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -99,6 +99,7 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 Patch59: nss-check-policy-file.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
 Patch62: nss-skip-util-gtest.patch
+Patch70: disable-pss.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -182,6 +183,7 @@ low level services.
 pushd nss
 %patch59 -p1 -b .check_policy_file
 %patch62 -p0 -b .skip_util_gtest
+%patch70 -p1 -b .disable_pss
 popd

 #########################################################
@@ -802,6 +804,9 @@ fi
 %changelog
+* Wed Nov 02 2016 Kai Engert - 3.27.0-4
+- Disable the use of RSA-PSS with SSL/TLS. #1383809
+
 * Sun Oct 2 2016 Daiki Ueno - 3.27.0-3
 - Disable TLS 1.3 for now, to avoid reported regression with TLS to version intolerant servers
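Review bot: The `return PR_FALSE;` added for the three `ssl_sig_rsa_pss_*` cases in `ssl_IsSupportedSignatureScheme` disables RSA-PSS on the verifying side as well, while the comment beside it only explains the signing-side problem (the missing token capability check, bug 1311950); the `ssl_PickSignatureScheme` skip and the `#if 0` around `defaultSignatureSchemes` already prevent the local side from signing with or offering PSS. The comment there should say that peer-offered PSS schemes are rejected deliberately so that no remaining path can select them, e.g. `/* Also reject PSS offered by the peer: nothing may select it until bug 1311950 is fixed. */`, or the change should be narrowed to the signing paths. Since TLS 1.3 requires RSA-PSS for RSA signatures, this patch presumably only holds up because TLS 1.3 is still disabled (see the 3.27.0-3 changelog entry in the same commit); the spec changelog entry or a header in disable-pss.patch should record that coupling so that re-enabling TLS 1.3 without dropping this patch is noticed. The `**/` comment terminator used in all four inserted comments is not the style of the surrounding NSS code; plain `*/` suffices. Each inner hunk shows only a fragment of its function, so the rest of those bodies lies outside this hunk.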