Revert the previous fix for RSA-PSS and use the upstream fix instead
This commit is contained in:
parent
adcc8fa311
commit
9f02c9e77f
|
@ -1,136 +0,0 @@
|
||||||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
|
||||||
--- a/lib/ssl/ssl3con.c
|
|
||||||
+++ b/lib/ssl/ssl3con.c
|
|
||||||
@@ -209,19 +209,25 @@ static ssl3CipherSuiteCfg cipherSuites[s
|
|
||||||
* order of signature types is based on the same rules for ordering we use for
|
|
||||||
* cipher suites just for consistency.
|
|
||||||
*/
|
|
||||||
static const SignatureScheme defaultSignatureSchemes[] = {
|
|
||||||
ssl_sig_ecdsa_secp256r1_sha256,
|
|
||||||
ssl_sig_ecdsa_secp384r1_sha384,
|
|
||||||
ssl_sig_ecdsa_secp521r1_sha512,
|
|
||||||
ssl_sig_ecdsa_sha1,
|
|
||||||
+#if 0
|
|
||||||
+ /* Disable, while we are waiting for an upstream fix to
|
|
||||||
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
|
|
||||||
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
|
|
||||||
+ **/
|
|
||||||
ssl_sig_rsa_pss_sha256,
|
|
||||||
ssl_sig_rsa_pss_sha384,
|
|
||||||
ssl_sig_rsa_pss_sha512,
|
|
||||||
+#endif
|
|
||||||
ssl_sig_rsa_pkcs1_sha256,
|
|
||||||
ssl_sig_rsa_pkcs1_sha384,
|
|
||||||
ssl_sig_rsa_pkcs1_sha512,
|
|
||||||
ssl_sig_rsa_pkcs1_sha1,
|
|
||||||
ssl_sig_dsa_sha256,
|
|
||||||
ssl_sig_dsa_sha384,
|
|
||||||
ssl_sig_dsa_sha512,
|
|
||||||
ssl_sig_dsa_sha1
|
|
||||||
@@ -5193,19 +5199,26 @@ ssl_CheckSignatureSchemeConsistency(
|
|
||||||
PRBool
|
|
||||||
ssl_IsSupportedSignatureScheme(SignatureScheme scheme)
|
|
||||||
{
|
|
||||||
switch (scheme) {
|
|
||||||
case ssl_sig_rsa_pkcs1_sha1:
|
|
||||||
case ssl_sig_rsa_pkcs1_sha256:
|
|
||||||
case ssl_sig_rsa_pkcs1_sha384:
|
|
||||||
case ssl_sig_rsa_pkcs1_sha512:
|
|
||||||
+ return PR_TRUE;
|
|
||||||
+ /* Disable, while we are waiting for an upstream fix to
|
|
||||||
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
|
|
||||||
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
|
|
||||||
+ **/
|
|
||||||
case ssl_sig_rsa_pss_sha256:
|
|
||||||
case ssl_sig_rsa_pss_sha384:
|
|
||||||
case ssl_sig_rsa_pss_sha512:
|
|
||||||
+ return PR_FALSE;
|
|
||||||
+
|
|
||||||
case ssl_sig_ecdsa_secp256r1_sha256:
|
|
||||||
case ssl_sig_ecdsa_secp384r1_sha384:
|
|
||||||
case ssl_sig_ecdsa_secp521r1_sha512:
|
|
||||||
case ssl_sig_dsa_sha1:
|
|
||||||
case ssl_sig_dsa_sha256:
|
|
||||||
case ssl_sig_dsa_sha384:
|
|
||||||
case ssl_sig_dsa_sha512:
|
|
||||||
case ssl_sig_ecdsa_sha1:
|
|
||||||
@@ -7094,16 +7107,24 @@ ssl_PickSignatureScheme(sslSocket *ss, S
|
|
||||||
SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
|
|
||||||
PRUint32 policy;
|
|
||||||
|
|
||||||
if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
|
|
||||||
preferred)) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (ssl_IsRsaPssSignatureScheme(preferred)) {
|
|
||||||
+ /* Disable, while we are waiting for an upstream fix to
|
|
||||||
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
|
|
||||||
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
|
|
||||||
+ **/
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
hashType = ssl_SignatureSchemeToHashType(preferred);
|
|
||||||
hashOID = ssl3_HashTypeToOID(hashType);
|
|
||||||
if (requireSha1 && hashOID != SEC_OID_SHA1) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
|
|
||||||
!(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
|
||||||
/* we ignore hashes we don't support */
|
|
||||||
diff --git a/lib/ssl/sslcert.c b/lib/ssl/sslcert.c
|
|
||||||
--- a/lib/ssl/sslcert.c
|
|
||||||
+++ b/lib/ssl/sslcert.c
|
|
||||||
@@ -403,39 +403,51 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
|
|
||||||
SSLExtraServerCertData *data)
|
|
||||||
{
|
|
||||||
SECStatus rv = SECFailure;
|
|
||||||
|
|
||||||
PRBool ku_sig = (PRBool)(cert->keyUsage & KU_DIGITAL_SIGNATURE);
|
|
||||||
PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT);
|
|
||||||
|
|
||||||
if ((data->authType == ssl_auth_rsa_sign && ku_sig) ||
|
|
||||||
+#if 0
|
|
||||||
+ /* Disable, while we are waiting for an upstream fix to
|
|
||||||
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
|
|
||||||
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
|
|
||||||
+ **/
|
|
||||||
(data->authType == ssl_auth_rsa_pss && ku_sig) ||
|
|
||||||
+#endif
|
|
||||||
(data->authType == ssl_auth_rsa_decrypt && ku_enc)) {
|
|
||||||
return ssl_ConfigCert(ss, cert, keyPair, data);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (data->authType != ssl_auth_null || !(ku_sig || ku_enc)) {
|
|
||||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ku_sig) {
|
|
||||||
data->authType = ssl_auth_rsa_sign;
|
|
||||||
rv = ssl_ConfigCert(ss, cert, keyPair, data);
|
|
||||||
if (rv != SECSuccess) {
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if 0
|
|
||||||
+ /* Disable, while we are waiting for an upstream fix to
|
|
||||||
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
|
|
||||||
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
|
|
||||||
+ **/
|
|
||||||
/* This certificate is RSA, assume that it's also PSS. */
|
|
||||||
data->authType = ssl_auth_rsa_pss;
|
|
||||||
rv = ssl_ConfigCert(ss, cert, keyPair, data);
|
|
||||||
if (rv != SECSuccess) {
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ku_enc) {
|
|
||||||
/* If ku_sig=true we configure signature and encryption slots with the
|
|
||||||
* same cert. This is bad form, but there are enough dual-usage RSA
|
|
||||||
* certs that we can't really break by limiting this to one type. */
|
|
||||||
data->authType = ssl_auth_rsa_decrypt;
|
|
||||||
rv = ssl_ConfigCert(ss, cert, keyPair, data);
|
|
|
@ -0,0 +1,167 @@
|
||||||
|
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||||
|
--- a/lib/ssl/ssl3con.c
|
||||||
|
+++ b/lib/ssl/ssl3con.c
|
||||||
|
@@ -7061,49 +7061,68 @@ ssl3_SendClientKeyExchange(sslSocket *ss
|
||||||
|
|
||||||
|
loser:
|
||||||
|
if (serverKey)
|
||||||
|
SECKEY_DestroyPublicKey(serverKey);
|
||||||
|
return rv; /* err code already set. */
|
||||||
|
}
|
||||||
|
|
||||||
|
static SECStatus
|
||||||
|
-ssl_PickSignatureScheme(sslSocket *ss, SECKEYPublicKey *key,
|
||||||
|
+ssl_PickSignatureScheme(sslSocket *ss,
|
||||||
|
+ SECKEYPublicKey *pubKey,
|
||||||
|
+ SECKEYPrivateKey *privKey,
|
||||||
|
const SignatureScheme *peerSchemes,
|
||||||
|
unsigned int peerSchemeCount,
|
||||||
|
PRBool requireSha1)
|
||||||
|
{
|
||||||
|
unsigned int i, j;
|
||||||
|
const namedGroupDef *group = NULL;
|
||||||
|
KeyType keyType;
|
||||||
|
+ PK11SlotInfo *slot;
|
||||||
|
+ PRBool slotDoesPss;
|
||||||
|
PRBool isTLS13 = ss->version == SSL_LIBRARY_VERSION_TLS_1_3;
|
||||||
|
|
||||||
|
- if (!key) {
|
||||||
|
+ if (!pubKey || !privKey) {
|
||||||
|
PORT_Assert(0);
|
||||||
|
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||||
|
return SECFailure;
|
||||||
|
}
|
||||||
|
- keyType = SECKEY_GetPublicKeyType(key);
|
||||||
|
+ slot = PK11_GetSlotFromPrivateKey(privKey);
|
||||||
|
+ if (!slot) {
|
||||||
|
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||||
|
+ return SECFailure;
|
||||||
|
+ }
|
||||||
|
+ slotDoesPss = PK11_DoesMechanism(slot, auth_alg_defs[ssl_auth_rsa_pss]);
|
||||||
|
+ PK11_FreeSlot(slot);
|
||||||
|
+
|
||||||
|
+ keyType = SECKEY_GetPublicKeyType(pubKey);
|
||||||
|
+
|
||||||
|
if (keyType == ecKey) {
|
||||||
|
- group = ssl_ECPubKey2NamedGroup(key);
|
||||||
|
+ group = ssl_ECPubKey2NamedGroup(pubKey);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Here we look for the first local preference that the client has
|
||||||
|
* indicated support for in their signature_algorithms extension. */
|
||||||
|
for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||||
|
SSLHashType hashType;
|
||||||
|
SECOidTag hashOID;
|
||||||
|
SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
|
||||||
|
PRUint32 policy;
|
||||||
|
|
||||||
|
if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
|
||||||
|
preferred)) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Skip RSA-PSS schemes when the certificate's private key slot does
|
||||||
|
+ * not support this signature mechanism. */
|
||||||
|
+ if (ssl_IsRsaPssSignatureScheme(preferred) && !slotDoesPss) {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
hashType = ssl_SignatureSchemeToHashType(preferred);
|
||||||
|
hashOID = ssl3_HashTypeToOID(hashType);
|
||||||
|
if (requireSha1 && hashOID != SEC_OID_SHA1) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
|
||||||
|
!(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||||
|
/* we ignore hashes we don't support */
|
||||||
|
@@ -7148,51 +7167,54 @@ ssl3_PickServerSignatureScheme(sslSocket
|
||||||
|
PORT_Assert(0);
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||||
|
return SECFailure;
|
||||||
|
}
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Sets error code, if needed. */
|
||||||
|
- return ssl_PickSignatureScheme(ss, keyPair->pubKey,
|
||||||
|
+ return ssl_PickSignatureScheme(ss, keyPair->pubKey, keyPair->privKey,
|
||||||
|
ss->ssl3.hs.clientSigSchemes,
|
||||||
|
ss->ssl3.hs.numClientSigScheme,
|
||||||
|
- PR_FALSE);
|
||||||
|
+ PR_FALSE /* requireSha1 */);
|
||||||
|
}
|
||||||
|
|
||||||
|
static SECStatus
|
||||||
|
ssl_PickClientSignatureScheme(sslSocket *ss, const SignatureScheme *schemes,
|
||||||
|
unsigned int numSchemes)
|
||||||
|
{
|
||||||
|
- SECKEYPublicKey *key;
|
||||||
|
+ SECKEYPrivateKey *privKey = ss->ssl3.clientPrivateKey;
|
||||||
|
+ SECKEYPublicKey *pubKey;
|
||||||
|
SECStatus rv;
|
||||||
|
|
||||||
|
- key = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
|
||||||
|
- PORT_Assert(key);
|
||||||
|
+ pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
|
||||||
|
+ PORT_Assert(pubKey);
|
||||||
|
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
|
||||||
|
- (SECKEY_GetPublicKeyType(key) == rsaKey ||
|
||||||
|
- SECKEY_GetPublicKeyType(key) == dsaKey) &&
|
||||||
|
- SECKEY_PublicKeyStrengthInBits(key) <= 1024) {
|
||||||
|
+ (SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
|
||||||
|
+ SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
|
||||||
|
+ SECKEY_PublicKeyStrengthInBits(pubKey) <= 1024) {
|
||||||
|
/* If the key is a 1024-bit RSA or DSA key, assume conservatively that
|
||||||
|
* it may be unable to sign SHA-256 hashes. This is the case for older
|
||||||
|
* Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
|
||||||
|
* older, DSA key size is at most 1024 bits and the hash function must
|
||||||
|
* be SHA-1.
|
||||||
|
*/
|
||||||
|
- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_TRUE);
|
||||||
|
+ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
|
||||||
|
+ PR_TRUE /* requireSha1 */);
|
||||||
|
if (rv == SECSuccess) {
|
||||||
|
- SECKEY_DestroyPublicKey(key);
|
||||||
|
+ SECKEY_DestroyPublicKey(pubKey);
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
/* If this fails, that's because the peer doesn't advertise SHA-1,
|
||||||
|
* so fall back to the full negotiation. */
|
||||||
|
}
|
||||||
|
- rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_FALSE);
|
||||||
|
- SECKEY_DestroyPublicKey(key);
|
||||||
|
+ rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
|
||||||
|
+ PR_FALSE /* requireSha1 */);
|
||||||
|
+ SECKEY_DestroyPublicKey(pubKey);
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Called from ssl3_HandleServerHelloDone(). */
|
||||||
|
static SECStatus
|
||||||
|
ssl3_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey)
|
||||||
|
{
|
||||||
|
SECStatus rv = SECFailure;
|
||||||
|
@@ -10593,16 +10615,23 @@ ssl3_EncodeSigAlgs(sslSocket *ss, PRUint
|
||||||
|
return SECFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||||
|
PRUint32 policy = 0;
|
||||||
|
SSLHashType hashType = ssl_SignatureSchemeToHashType(
|
||||||
|
ss->ssl3.signatureSchemes[i]);
|
||||||
|
SECOidTag hashOID = ssl3_HashTypeToOID(hashType);
|
||||||
|
+
|
||||||
|
+ /* Skip RSA-PSS schemes if there are no tokens to verify them. */
|
||||||
|
+ if (ssl_IsRsaPssSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
|
||||||
|
+ !PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
|
||||||
|
(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||||
|
p = ssl_EncodeUintX((PRUint32)ss->ssl3.signatureSchemes[i], 2, p);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (p == buf) {
|
||||||
|
PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
9
nss.spec
9
nss.spec
|
@ -21,7 +21,7 @@ Name: nss
|
||||||
Version: 3.27.0
|
Version: 3.27.0
|
||||||
# for Rawhide, please always use release >= 2
|
# for Rawhide, please always use release >= 2
|
||||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||||
Release: 1.2%{?dist}
|
Release: 1.3%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
|
@ -99,7 +99,7 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||||
Patch59: nss-check-policy-file.patch
|
Patch59: nss-check-policy-file.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
|
||||||
Patch62: nss-skip-util-gtest.patch
|
Patch62: nss-skip-util-gtest.patch
|
||||||
Patch70: disable-pss.patch
|
Patch70: nss-check-pss.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Network Security Services (NSS) is a set of libraries designed to
|
Network Security Services (NSS) is a set of libraries designed to
|
||||||
|
@ -183,7 +183,7 @@ low level services.
|
||||||
pushd nss
|
pushd nss
|
||||||
%patch59 -p1 -b .check_policy_file
|
%patch59 -p1 -b .check_policy_file
|
||||||
%patch62 -p0 -b .skip_util_gtest
|
%patch62 -p0 -b .skip_util_gtest
|
||||||
%patch70 -p1 -b .disable_pss
|
%patch70 -p1 -b .check_pss
|
||||||
popd
|
popd
|
||||||
|
|
||||||
#########################################################
|
#########################################################
|
||||||
|
@ -804,6 +804,9 @@ fi
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 15 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.3
|
||||||
|
- Revert the previous fix for RSA-PSS and use the upstream fix instead
|
||||||
|
|
||||||
* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.27.0-1.2
|
* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.27.0-1.2
|
||||||
- Disable the use of RSA-PSS with SSL/TLS. #1383809
|
- Disable the use of RSA-PSS with SSL/TLS. #1383809
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue