diff --git a/disable-pss.patch b/disable-pss.patch deleted file mode 100644 index 8b73d90..0000000 --- a/disable-pss.patch +++ /dev/null @@ -1,136 +0,0 @@ -diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c ---- a/lib/ssl/ssl3con.c -+++ b/lib/ssl/ssl3con.c -@@ -209,19 +209,25 @@ static ssl3CipherSuiteCfg cipherSuites[s - * order of signature types is based on the same rules for ordering we use for - * cipher suites just for consistency. - */ - static const SignatureScheme defaultSignatureSchemes[] = { - ssl_sig_ecdsa_secp256r1_sha256, - ssl_sig_ecdsa_secp384r1_sha384, - ssl_sig_ecdsa_secp521r1_sha512, - ssl_sig_ecdsa_sha1, -+#if 0 -+ /* Disable, while we are waiting for an upstream fix to -+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 -+ * (NSS does not check if token supports RSA-PSS before using it to sign) -+ **/ - ssl_sig_rsa_pss_sha256, - ssl_sig_rsa_pss_sha384, - ssl_sig_rsa_pss_sha512, -+#endif - ssl_sig_rsa_pkcs1_sha256, - ssl_sig_rsa_pkcs1_sha384, - ssl_sig_rsa_pkcs1_sha512, - ssl_sig_rsa_pkcs1_sha1, - ssl_sig_dsa_sha256, - ssl_sig_dsa_sha384, - ssl_sig_dsa_sha512, - ssl_sig_dsa_sha1 -@@ -5193,19 +5199,26 @@ ssl_CheckSignatureSchemeConsistency( - PRBool - ssl_IsSupportedSignatureScheme(SignatureScheme scheme) - { - switch (scheme) { - case ssl_sig_rsa_pkcs1_sha1: - case ssl_sig_rsa_pkcs1_sha256: - case ssl_sig_rsa_pkcs1_sha384: - case ssl_sig_rsa_pkcs1_sha512: -+ return PR_TRUE; -+ /* Disable, while we are waiting for an upstream fix to -+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 -+ * (NSS does not check if token supports RSA-PSS before using it to sign) -+ **/ - case ssl_sig_rsa_pss_sha256: - case ssl_sig_rsa_pss_sha384: - case ssl_sig_rsa_pss_sha512: -+ return PR_FALSE; -+ - case ssl_sig_ecdsa_secp256r1_sha256: - case ssl_sig_ecdsa_secp384r1_sha384: - case ssl_sig_ecdsa_secp521r1_sha512: - case ssl_sig_dsa_sha1: - case ssl_sig_dsa_sha256: - case ssl_sig_dsa_sha384: - case ssl_sig_dsa_sha512: - case ssl_sig_ecdsa_sha1: -@@ -7094,16 +7107,24 @@ ssl_PickSignatureScheme(sslSocket *ss, S - SignatureScheme preferred = ss->ssl3.signatureSchemes[i]; - PRUint32 policy; - - if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group, - preferred)) { - continue; - } - -+ if (ssl_IsRsaPssSignatureScheme(preferred)) { -+ /* Disable, while we are waiting for an upstream fix to -+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 -+ * (NSS does not check if token supports RSA-PSS before using it to sign) -+ **/ -+ continue; -+ } -+ - hashType = ssl_SignatureSchemeToHashType(preferred); - hashOID = ssl3_HashTypeToOID(hashType); - if (requireSha1 && hashOID != SEC_OID_SHA1) { - continue; - } - if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) && - !(policy & NSS_USE_ALG_IN_SSL_KX)) { - /* we ignore hashes we don't support */ -diff --git a/lib/ssl/sslcert.c b/lib/ssl/sslcert.c ---- a/lib/ssl/sslcert.c -+++ b/lib/ssl/sslcert.c -@@ -403,39 +403,51 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket - SSLExtraServerCertData *data) - { - SECStatus rv = SECFailure; - - PRBool ku_sig = (PRBool)(cert->keyUsage & KU_DIGITAL_SIGNATURE); - PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT); - - if ((data->authType == ssl_auth_rsa_sign && ku_sig) || -+#if 0 -+ /* Disable, while we are waiting for an upstream fix to -+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 -+ * (NSS does not check if token supports RSA-PSS before using it to sign) -+ **/ - (data->authType == ssl_auth_rsa_pss && ku_sig) || -+#endif - (data->authType == ssl_auth_rsa_decrypt && ku_enc)) { - return ssl_ConfigCert(ss, cert, keyPair, data); - } - - if (data->authType != ssl_auth_null || !(ku_sig || ku_enc)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - if (ku_sig) { - data->authType = ssl_auth_rsa_sign; - rv = ssl_ConfigCert(ss, cert, keyPair, data); - if (rv != SECSuccess) { - return rv; - } - -+#if 0 -+ /* Disable, while we are waiting for an upstream fix to -+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950 -+ * (NSS does not check if token supports RSA-PSS before using it to sign) -+ **/ - /* This certificate is RSA, assume that it's also PSS. */ - data->authType = ssl_auth_rsa_pss; - rv = ssl_ConfigCert(ss, cert, keyPair, data); - if (rv != SECSuccess) { - return rv; - } -+#endif - } - - if (ku_enc) { - /* If ku_sig=true we configure signature and encryption slots with the - * same cert. This is bad form, but there are enough dual-usage RSA - * certs that we can't really break by limiting this to one type. */ - data->authType = ssl_auth_rsa_decrypt; - rv = ssl_ConfigCert(ss, cert, keyPair, data); diff --git a/nss-check-pss.patch b/nss-check-pss.patch new file mode 100644 index 0000000..e65e530 --- /dev/null +++ b/nss-check-pss.patch @@ -0,0 +1,167 @@ +diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c +--- a/lib/ssl/ssl3con.c ++++ b/lib/ssl/ssl3con.c +@@ -7061,49 +7061,68 @@ ssl3_SendClientKeyExchange(sslSocket *ss + + loser: + if (serverKey) + SECKEY_DestroyPublicKey(serverKey); + return rv; /* err code already set. */ + } + + static SECStatus +-ssl_PickSignatureScheme(sslSocket *ss, SECKEYPublicKey *key, ++ssl_PickSignatureScheme(sslSocket *ss, ++ SECKEYPublicKey *pubKey, ++ SECKEYPrivateKey *privKey, + const SignatureScheme *peerSchemes, + unsigned int peerSchemeCount, + PRBool requireSha1) + { + unsigned int i, j; + const namedGroupDef *group = NULL; + KeyType keyType; ++ PK11SlotInfo *slot; ++ PRBool slotDoesPss; + PRBool isTLS13 = ss->version == SSL_LIBRARY_VERSION_TLS_1_3; + +- if (!key) { ++ if (!pubKey || !privKey) { + PORT_Assert(0); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } +- keyType = SECKEY_GetPublicKeyType(key); ++ slot = PK11_GetSlotFromPrivateKey(privKey); ++ if (!slot) { ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return SECFailure; ++ } ++ slotDoesPss = PK11_DoesMechanism(slot, auth_alg_defs[ssl_auth_rsa_pss]); ++ PK11_FreeSlot(slot); ++ ++ keyType = SECKEY_GetPublicKeyType(pubKey); ++ + if (keyType == ecKey) { +- group = ssl_ECPubKey2NamedGroup(key); ++ group = ssl_ECPubKey2NamedGroup(pubKey); + } + + /* Here we look for the first local preference that the client has + * indicated support for in their signature_algorithms extension. */ + for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) { + SSLHashType hashType; + SECOidTag hashOID; + SignatureScheme preferred = ss->ssl3.signatureSchemes[i]; + PRUint32 policy; + + if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group, + preferred)) { + continue; + } + ++ /* Skip RSA-PSS schemes when the certificate's private key slot does ++ * not support this signature mechanism. */ ++ if (ssl_IsRsaPssSignatureScheme(preferred) && !slotDoesPss) { ++ continue; ++ } ++ + hashType = ssl_SignatureSchemeToHashType(preferred); + hashOID = ssl3_HashTypeToOID(hashType); + if (requireSha1 && hashOID != SEC_OID_SHA1) { + continue; + } + if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) && + !(policy & NSS_USE_ALG_IN_SSL_KX)) { + /* we ignore hashes we don't support */ +@@ -7148,51 +7167,54 @@ ssl3_PickServerSignatureScheme(sslSocket + PORT_Assert(0); + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + return SECSuccess; + } + + /* Sets error code, if needed. */ +- return ssl_PickSignatureScheme(ss, keyPair->pubKey, ++ return ssl_PickSignatureScheme(ss, keyPair->pubKey, keyPair->privKey, + ss->ssl3.hs.clientSigSchemes, + ss->ssl3.hs.numClientSigScheme, +- PR_FALSE); ++ PR_FALSE /* requireSha1 */); + } + + static SECStatus + ssl_PickClientSignatureScheme(sslSocket *ss, const SignatureScheme *schemes, + unsigned int numSchemes) + { +- SECKEYPublicKey *key; ++ SECKEYPrivateKey *privKey = ss->ssl3.clientPrivateKey; ++ SECKEYPublicKey *pubKey; + SECStatus rv; + +- key = CERT_ExtractPublicKey(ss->ssl3.clientCertificate); +- PORT_Assert(key); ++ pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate); ++ PORT_Assert(pubKey); + if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 && +- (SECKEY_GetPublicKeyType(key) == rsaKey || +- SECKEY_GetPublicKeyType(key) == dsaKey) && +- SECKEY_PublicKeyStrengthInBits(key) <= 1024) { ++ (SECKEY_GetPublicKeyType(pubKey) == rsaKey || ++ SECKEY_GetPublicKeyType(pubKey) == dsaKey) && ++ SECKEY_PublicKeyStrengthInBits(pubKey) <= 1024) { + /* If the key is a 1024-bit RSA or DSA key, assume conservatively that + * it may be unable to sign SHA-256 hashes. This is the case for older + * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and + * older, DSA key size is at most 1024 bits and the hash function must + * be SHA-1. + */ +- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_TRUE); ++ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes, ++ PR_TRUE /* requireSha1 */); + if (rv == SECSuccess) { +- SECKEY_DestroyPublicKey(key); ++ SECKEY_DestroyPublicKey(pubKey); + return SECSuccess; + } + /* If this fails, that's because the peer doesn't advertise SHA-1, + * so fall back to the full negotiation. */ + } +- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_FALSE); +- SECKEY_DestroyPublicKey(key); ++ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes, ++ PR_FALSE /* requireSha1 */); ++ SECKEY_DestroyPublicKey(pubKey); + return rv; + } + + /* Called from ssl3_HandleServerHelloDone(). */ + static SECStatus + ssl3_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey) + { + SECStatus rv = SECFailure; +@@ -10593,16 +10615,23 @@ ssl3_EncodeSigAlgs(sslSocket *ss, PRUint + return SECFailure; + } + + for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) { + PRUint32 policy = 0; + SSLHashType hashType = ssl_SignatureSchemeToHashType( + ss->ssl3.signatureSchemes[i]); + SECOidTag hashOID = ssl3_HashTypeToOID(hashType); ++ ++ /* Skip RSA-PSS schemes if there are no tokens to verify them. */ ++ if (ssl_IsRsaPssSignatureScheme(ss->ssl3.signatureSchemes[i]) && ++ !PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) { ++ continue; ++ } ++ + if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) || + (policy & NSS_USE_ALG_IN_SSL_KX)) { + p = ssl_EncodeUintX((PRUint32)ss->ssl3.signatureSchemes[i], 2, p); + } + } + + if (p == buf) { + PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); diff --git a/nss.spec b/nss.spec index 7703d03..311e5f1 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.27.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.2%{?dist} +Release: 1.3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -99,7 +99,7 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch59: nss-check-policy-file.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 Patch62: nss-skip-util-gtest.patch -Patch70: disable-pss.patch +Patch70: nss-check-pss.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -183,7 +183,7 @@ low level services. pushd nss %patch59 -p1 -b .check_policy_file %patch62 -p0 -b .skip_util_gtest -%patch70 -p1 -b .disable_pss +%patch70 -p1 -b .check_pss popd ######################################################### @@ -804,6 +804,9 @@ fi %changelog +* Tue Nov 15 2016 Daiki Ueno - 3.27.0-1.3 +- Revert the previous fix for RSA-PSS and use the upstream fix instead + * Wed Nov 02 2016 Kai Engert - 3.27.0-1.2 - Disable the use of RSA-PSS with SSL/TLS. #1383809