Disable the use of RSA-PSS with SSL/TLS. #1383809

disable-pss.patch

@@ -0,0 +1,136 @@
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -209,19 +209,25 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  * order of signature types is based on the same rules for ordering we use for
+  * cipher suites just for consistency.
+  */
+ static const SignatureScheme defaultSignatureSchemes[] = {
+     ssl_sig_ecdsa_secp256r1_sha256,
+     ssl_sig_ecdsa_secp384r1_sha384,
+     ssl_sig_ecdsa_secp521r1_sha512,
+     ssl_sig_ecdsa_sha1,
++#if 0
++    /* Disable, while we are waiting for an upstream fix to
++     * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++     * (NSS does not check if token supports RSA-PSS before using it to sign)
++     **/
+     ssl_sig_rsa_pss_sha256,
+     ssl_sig_rsa_pss_sha384,
+     ssl_sig_rsa_pss_sha512,
++#endif
+     ssl_sig_rsa_pkcs1_sha256,
+     ssl_sig_rsa_pkcs1_sha384,
+     ssl_sig_rsa_pkcs1_sha512,
+     ssl_sig_rsa_pkcs1_sha1,
+     ssl_sig_dsa_sha256,
+     ssl_sig_dsa_sha384,
+     ssl_sig_dsa_sha512,
+     ssl_sig_dsa_sha1
+@@ -5193,19 +5199,26 @@ ssl_CheckSignatureSchemeConsistency(
+ PRBool
+ ssl_IsSupportedSignatureScheme(SignatureScheme scheme)
+ {
+     switch (scheme) {
+         case ssl_sig_rsa_pkcs1_sha1:
+         case ssl_sig_rsa_pkcs1_sha256:
+         case ssl_sig_rsa_pkcs1_sha384:
+         case ssl_sig_rsa_pkcs1_sha512:
++            return PR_TRUE;
++    /* Disable, while we are waiting for an upstream fix to
++     * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++     * (NSS does not check if token supports RSA-PSS before using it to sign)
++     **/
+         case ssl_sig_rsa_pss_sha256:
+         case ssl_sig_rsa_pss_sha384:
+         case ssl_sig_rsa_pss_sha512:
++            return PR_FALSE;
++
+         case ssl_sig_ecdsa_secp256r1_sha256:
+         case ssl_sig_ecdsa_secp384r1_sha384:
+         case ssl_sig_ecdsa_secp521r1_sha512:
+         case ssl_sig_dsa_sha1:
+         case ssl_sig_dsa_sha256:
+         case ssl_sig_dsa_sha384:
+         case ssl_sig_dsa_sha512:
+         case ssl_sig_ecdsa_sha1:
+@@ -7094,16 +7107,24 @@ ssl_PickSignatureScheme(sslSocket *ss, S
+         SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
+         PRUint32 policy;
+ 
+         if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
+                                             preferred)) {
+             continue;
+         }
+ 
++        if (ssl_IsRsaPssSignatureScheme(preferred)) {
++            /* Disable, while we are waiting for an upstream fix to
++             * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++             * (NSS does not check if token supports RSA-PSS before using it to sign)
++             **/
++            continue;
++        }
++
+         hashType = ssl_SignatureSchemeToHashType(preferred);
+         hashOID = ssl3_HashTypeToOID(hashType);
+         if (requireSha1 && hashOID != SEC_OID_SHA1) {
+             continue;
+         }
+         if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
+             !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+             /* we ignore hashes we don't support */
+diff --git a/lib/ssl/sslcert.c b/lib/ssl/sslcert.c
+--- a/lib/ssl/sslcert.c
++++ b/lib/ssl/sslcert.c
+@@ -403,39 +403,51 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket 
+                               SSLExtraServerCertData *data)
+ {
+     SECStatus rv = SECFailure;
+ 
+     PRBool ku_sig = (PRBool)(cert->keyUsage & KU_DIGITAL_SIGNATURE);
+     PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT);
+ 
+     if ((data->authType == ssl_auth_rsa_sign && ku_sig) ||
++#if 0
++    /* Disable, while we are waiting for an upstream fix to
++     * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++     * (NSS does not check if token supports RSA-PSS before using it to sign)
++     **/
+         (data->authType == ssl_auth_rsa_pss && ku_sig) ||
++#endif
+         (data->authType == ssl_auth_rsa_decrypt && ku_enc)) {
+         return ssl_ConfigCert(ss, cert, keyPair, data);
+     }
+ 
+     if (data->authType != ssl_auth_null || !(ku_sig || ku_enc)) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+         return SECFailure;
+     }
+ 
+     if (ku_sig) {
+         data->authType = ssl_auth_rsa_sign;
+         rv = ssl_ConfigCert(ss, cert, keyPair, data);
+         if (rv != SECSuccess) {
+             return rv;
+         }
+ 
++#if 0
++    /* Disable, while we are waiting for an upstream fix to
++     * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
++     * (NSS does not check if token supports RSA-PSS before using it to sign)
++     **/
+         /* This certificate is RSA, assume that it's also PSS. */
+         data->authType = ssl_auth_rsa_pss;
+         rv = ssl_ConfigCert(ss, cert, keyPair, data);
+         if (rv != SECSuccess) {
+             return rv;
+         }
++#endif
+     }
+ 
+     if (ku_enc) {
+         /* If ku_sig=true we configure signature and encryption slots with the
+          * same cert. This is bad form, but there are enough dual-usage RSA
+          * certs that we can't really break by limiting this to one type. */
+         data->authType = ssl_auth_rsa_decrypt;
+         rv = ssl_ConfigCert(ss, cert, keyPair, data);

nss.spec

@@ -21,7 +21,7 @@ Name:             nss
 Version:          3.27.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          3%{?dist}
+Release:          4%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -99,6 +99,7 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 Patch59: nss-check-policy-file.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
 Patch62: nss-skip-util-gtest.patch
+Patch70: disable-pss.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -182,6 +183,7 @@ low level services.
 pushd nss
 %patch59 -p1 -b .check_policy_file
 %patch62 -p0 -b .skip_util_gtest
+%patch70 -p1 -b .disable_pss
 popd
 
 #########################################################
@@ -802,6 +804,9 @@ fi
 
 
 %changelog
+* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.27.0-4
+- Disable the use of RSA-PSS with SSL/TLS. #1383809
+
 * Sun Oct  2 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-3
 - Disable TLS 1.3 for now, to avoid reported regression with TLS to
   version intolerant servers