From ceb4bbe240ebe28999280d74bdd1801ec7b13707 Mon Sep 17 00:00:00 2001 From: Bob Relyea Date: Wed, 7 Jul 2021 12:06:28 -0700 Subject: [PATCH] Resolves: rhbz#1933778 Fix incorrect ssl alerts on signature algorithms. --- nss-3.67-fix-ssl-alerts.patch | 122 ++++++++++++++++++++++++++++++++++ nss.spec | 8 ++- 2 files changed, 128 insertions(+), 2 deletions(-) create mode 100644 nss-3.67-fix-ssl-alerts.patch diff --git a/nss-3.67-fix-ssl-alerts.patch b/nss-3.67-fix-ssl-alerts.patch new file mode 100644 index 0000000..10cdaf5 --- /dev/null +++ b/nss-3.67-fix-ssl-alerts.patch @@ -0,0 +1,122 @@ +diff -up ./lib/ssl/ssl3con.c.alert-fix ./lib/ssl/ssl3con.c +--- ./lib/ssl/ssl3con.c.alert-fix 2021-06-10 05:33:12.000000000 -0700 ++++ ./lib/ssl/ssl3con.c 2021-07-06 17:08:25.894018521 -0700 +@@ -4319,7 +4319,11 @@ ssl_SignatureSchemeValid(SSLSignatureSch + if (!ssl_IsSupportedSignatureScheme(scheme)) { + return PR_FALSE; + } +- if (!ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) { ++ /* if we are purposefully passed SEC_OID_UNKOWN, it means ++ * we not checking the scheme against a potential key, so skip ++ * the call */ ++ if ((spkiOid != SEC_OID_UNKNOWN) && ++ !ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) { + return PR_FALSE; + } + if (isTls13) { +@@ -4517,7 +4521,8 @@ ssl_CheckSignatureSchemeConsistency(sslS + } + + /* Verify that the signature scheme matches the signing key. */ +- if (!ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) { ++ if ((spkiOid == SEC_OID_UNKNOWN) || ++ !ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) { + PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); + return SECFailure; + } +@@ -4533,6 +4538,7 @@ ssl_CheckSignatureSchemeConsistency(sslS + PRBool + ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme) + { ++ PRBool isSupported = PR_FALSE; + switch (scheme) { + case ssl_sig_rsa_pkcs1_sha1: + case ssl_sig_rsa_pkcs1_sha256: +@@ -4552,7 +4558,8 @@ ssl_IsSupportedSignatureScheme(SSLSignat + case ssl_sig_dsa_sha384: + case ssl_sig_dsa_sha512: + case ssl_sig_ecdsa_sha1: +- return PR_TRUE; ++ isSupported = PR_TRUE; ++ break; + + case ssl_sig_rsa_pkcs1_sha1md5: + case ssl_sig_none: +@@ -4560,7 +4567,19 @@ ssl_IsSupportedSignatureScheme(SSLSignat + case ssl_sig_ed448: + return PR_FALSE; + } +- return PR_FALSE; ++ if (isSupported) { ++ SECOidTag hashOID = ssl3_HashTypeToOID(ssl_SignatureSchemeToHashType(scheme)); ++ PRUint32 policy; ++ const PRUint32 sigSchemePolicy= ++ NSS_USE_ALG_IN_SSL_KX|NSS_USE_ALG_IN_SIGNATURE; ++ /* check hash policy */ ++ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) && ++ ((policy & sigSchemePolicy) != sigSchemePolicy)) { ++ return PR_FALSE; ++ } ++ /* check algorithm policy */ ++ } ++ return isSupported; + } + + PRBool +@@ -6533,6 +6552,9 @@ ssl_PickSignatureScheme(sslSocket *ss, + } + + spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm); ++ if (spkiOid == SEC_OID_UNKNOWN) { ++ goto loser; ++ } + + /* Now we have to search based on the key type. Go through our preferred + * schemes in order and find the first that can be used. */ +@@ -6547,6 +6569,7 @@ ssl_PickSignatureScheme(sslSocket *ss, + } + } + ++loser: + PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); + return SECFailure; + } +@@ -7700,7 +7723,8 @@ ssl_ParseSignatureSchemes(const sslSocke + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } +- if (ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) { ++ if (ssl_SignatureSchemeValid((SSLSignatureScheme)tmp, SEC_OID_UNKNOWN, ++ (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)) {; + schemes[numSupported++] = (SSLSignatureScheme)tmp; + } + } +@@ -10286,7 +10310,12 @@ ssl3_HandleCertificateVerify(sslSocket * + PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_record); + rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme); + if (rv != SECSuccess) { +- goto loser; /* malformed or unsupported. */ ++ errCode = PORT_GetError(); ++ /* unsupported == illegal_parameter, others == handshake_failure. */ ++ if (errCode == SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM) { ++ desc = illegal_parameter; ++ } ++ goto alert_loser; + } + rv = ssl_CheckSignatureSchemeConsistency( + ss, sigScheme, &ss->sec.peerCert->subjectPublicKeyInfo); +diff -up ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix ./gtests/ssl_gtest/ssl_extension_unittest.cc +--- ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix 2021-07-07 11:32:11.634376932 -0700 ++++ ./gtests/ssl_gtest/ssl_extension_unittest.cc 2021-07-07 11:33:30.595841110 -0700 +@@ -428,7 +428,10 @@ TEST_P(TlsExtensionTest12Plus, Signature + } + + TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsTrailingData) { +- const uint8_t val[] = {0x00, 0x02, 0x04, 0x01, 0x00}; // sha-256, rsa ++ // make sure the test uses an algorithm that is legal for ++ // tls 1.3 (or tls 1.3 will through and illegalParameter ++ // instead of a decode error) ++ const uint8_t val[] = {0x00, 0x02, 0x08, 0x09, 0x00}; // sha-256, rsa-pss-pss + DataBuffer extension(val, sizeof(val)); + ClientHelloErrorTest(std::make_shared( + client_, ssl_signature_algorithms_xtn, extension)); diff --git a/nss.spec b/nss.spec index 0ae5054..7baeb2a 100644 --- a/nss.spec +++ b/nss.spec @@ -56,7 +56,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 6%{?dist} +Release: 7%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -148,7 +148,8 @@ Patch53: nss-3.66-no-small-primes.patch Patch54: nss-3.66-fix-gtest-parsing.patch # no upstream bug yet Patch55: nss-3.67-fix-coverity-issues.patch - +# no upstream bug yet +Patch60: nss-3.67-fix-ssl-alerts.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1071,6 +1072,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Tue Jul 6 2021 Bob Relyea - 3.67.0-7 +- fix ssl alert regressions + * Fri Jul 2 2021 Bob Relyea - 3.67.0-6 - bump the nspr release number