Disable the use of RSA-PSS with SSL/TLS. #1383809

This commit is contained in:
Kai Engert 2016-11-02 14:19:58 +01:00
parent 74f302809f
commit 387bb6b467
2 changed files with 142 additions and 1 deletions

136
disable-pss.patch Normal file
View File

@ -0,0 +1,136 @@
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -209,19 +209,25 @@ static ssl3CipherSuiteCfg cipherSuites[s
* order of signature types is based on the same rules for ordering we use for
* cipher suites just for consistency.
*/
static const SignatureScheme defaultSignatureSchemes[] = {
ssl_sig_ecdsa_secp256r1_sha256,
ssl_sig_ecdsa_secp384r1_sha384,
ssl_sig_ecdsa_secp521r1_sha512,
ssl_sig_ecdsa_sha1,
+#if 0
+ /* Disable, while we are waiting for an upstream fix to
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
+ **/
ssl_sig_rsa_pss_sha256,
ssl_sig_rsa_pss_sha384,
ssl_sig_rsa_pss_sha512,
+#endif
ssl_sig_rsa_pkcs1_sha256,
ssl_sig_rsa_pkcs1_sha384,
ssl_sig_rsa_pkcs1_sha512,
ssl_sig_rsa_pkcs1_sha1,
ssl_sig_dsa_sha256,
ssl_sig_dsa_sha384,
ssl_sig_dsa_sha512,
ssl_sig_dsa_sha1
@@ -5193,19 +5199,26 @@ ssl_CheckSignatureSchemeConsistency(
PRBool
ssl_IsSupportedSignatureScheme(SignatureScheme scheme)
{
switch (scheme) {
case ssl_sig_rsa_pkcs1_sha1:
case ssl_sig_rsa_pkcs1_sha256:
case ssl_sig_rsa_pkcs1_sha384:
case ssl_sig_rsa_pkcs1_sha512:
+ return PR_TRUE;
+ /* Disable, while we are waiting for an upstream fix to
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
+ **/
case ssl_sig_rsa_pss_sha256:
case ssl_sig_rsa_pss_sha384:
case ssl_sig_rsa_pss_sha512:
+ return PR_FALSE;
+
case ssl_sig_ecdsa_secp256r1_sha256:
case ssl_sig_ecdsa_secp384r1_sha384:
case ssl_sig_ecdsa_secp521r1_sha512:
case ssl_sig_dsa_sha1:
case ssl_sig_dsa_sha256:
case ssl_sig_dsa_sha384:
case ssl_sig_dsa_sha512:
case ssl_sig_ecdsa_sha1:
@@ -7094,16 +7107,24 @@ ssl_PickSignatureScheme(sslSocket *ss, S
SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
PRUint32 policy;
if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
preferred)) {
continue;
}
+ if (ssl_IsRsaPssSignatureScheme(preferred)) {
+ /* Disable, while we are waiting for an upstream fix to
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
+ **/
+ continue;
+ }
+
hashType = ssl_SignatureSchemeToHashType(preferred);
hashOID = ssl3_HashTypeToOID(hashType);
if (requireSha1 && hashOID != SEC_OID_SHA1) {
continue;
}
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
!(policy & NSS_USE_ALG_IN_SSL_KX)) {
/* we ignore hashes we don't support */
diff --git a/lib/ssl/sslcert.c b/lib/ssl/sslcert.c
--- a/lib/ssl/sslcert.c
+++ b/lib/ssl/sslcert.c
@@ -403,39 +403,51 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
SSLExtraServerCertData *data)
{
SECStatus rv = SECFailure;
PRBool ku_sig = (PRBool)(cert->keyUsage & KU_DIGITAL_SIGNATURE);
PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT);
if ((data->authType == ssl_auth_rsa_sign && ku_sig) ||
+#if 0
+ /* Disable, while we are waiting for an upstream fix to
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
+ **/
(data->authType == ssl_auth_rsa_pss && ku_sig) ||
+#endif
(data->authType == ssl_auth_rsa_decrypt && ku_enc)) {
return ssl_ConfigCert(ss, cert, keyPair, data);
}
if (data->authType != ssl_auth_null || !(ku_sig || ku_enc)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (ku_sig) {
data->authType = ssl_auth_rsa_sign;
rv = ssl_ConfigCert(ss, cert, keyPair, data);
if (rv != SECSuccess) {
return rv;
}
+#if 0
+ /* Disable, while we are waiting for an upstream fix to
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
+ **/
/* This certificate is RSA, assume that it's also PSS. */
data->authType = ssl_auth_rsa_pss;
rv = ssl_ConfigCert(ss, cert, keyPair, data);
if (rv != SECSuccess) {
return rv;
}
+#endif
}
if (ku_enc) {
/* If ku_sig=true we configure signature and encryption slots with the
* same cert. This is bad form, but there are enough dual-usage RSA
* certs that we can't really break by limiting this to one type. */
data->authType = ssl_auth_rsa_decrypt;
rv = ssl_ConfigCert(ss, cert, keyPair, data);

View File

@ -21,7 +21,7 @@ Name: nss
Version: 3.27.0
# for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 3%{?dist}
Release: 4%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@ -99,6 +99,7 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
Patch59: nss-check-policy-file.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
Patch62: nss-skip-util-gtest.patch
Patch70: disable-pss.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -182,6 +183,7 @@ low level services.
pushd nss
%patch59 -p1 -b .check_policy_file
%patch62 -p0 -b .skip_util_gtest
%patch70 -p1 -b .disable_pss
popd
#########################################################
@ -802,6 +804,9 @@ fi
%changelog
* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.27.0-4
- Disable the use of RSA-PSS with SSL/TLS. #1383809
* Sun Oct 2 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-3
- Disable TLS 1.3 for now, to avoid reported regression with TLS to
version intolerant servers