|
 |
5f1c2b |
diff -up nss/lib/ssl/ssl3con.c.disable_pss nss/lib/ssl/ssl3con.c
|
|
|
5f1c2b |
--- nss/lib/ssl/ssl3con.c.disable_pss 2017-02-17 11:44:34.969825045 +0100
|
|
|
5f1c2b |
+++ nss/lib/ssl/ssl3con.c 2017-02-17 11:44:34.973824961 +0100
|
|
|
5f1c2b |
@@ -177,9 +177,15 @@ static const SSLSignatureScheme defaultS
|
|
|
5f1c2b |
ssl_sig_ecdsa_secp384r1_sha384,
|
|
|
5f1c2b |
ssl_sig_ecdsa_secp521r1_sha512,
|
|
|
5f1c2b |
ssl_sig_ecdsa_sha1,
|
|
|
5f1c2b |
+#if 0
|
|
|
5f1c2b |
+ /* Disable, while we are waiting for an upstream fix to
|
|
|
5f1c2b |
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
|
|
|
5f1c2b |
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
|
|
|
5f1c2b |
+ **/
|
|
|
5f1c2b |
ssl_sig_rsa_pss_sha256,
|
|
|
5f1c2b |
ssl_sig_rsa_pss_sha384,
|
|
|
5f1c2b |
ssl_sig_rsa_pss_sha512,
|
|
|
5f1c2b |
+#endif
|
|
|
5f1c2b |
ssl_sig_rsa_pkcs1_sha256,
|
|
|
5f1c2b |
ssl_sig_rsa_pkcs1_sha384,
|
|
|
5f1c2b |
ssl_sig_rsa_pkcs1_sha512,
|
|
|
5f1c2b |
@@ -4622,9 +4628,16 @@ ssl_IsSupportedSignatureScheme(SSLSignat
|
|
|
5f1c2b |
case ssl_sig_rsa_pkcs1_sha256:
|
|
|
5f1c2b |
case ssl_sig_rsa_pkcs1_sha384:
|
|
|
5f1c2b |
case ssl_sig_rsa_pkcs1_sha512:
|
|
|
5f1c2b |
+ return PR_TRUE;
|
|
|
5f1c2b |
+ /* Disable, while we are waiting for an upstream fix to
|
|
|
5f1c2b |
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
|
|
|
5f1c2b |
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
|
|
|
5f1c2b |
+ **/
|
|
|
5f1c2b |
case ssl_sig_rsa_pss_sha256:
|
|
|
5f1c2b |
case ssl_sig_rsa_pss_sha384:
|
|
|
5f1c2b |
case ssl_sig_rsa_pss_sha512:
|
|
|
5f1c2b |
+ return PR_FALSE;
|
|
|
5f1c2b |
+
|
|
|
5f1c2b |
case ssl_sig_ecdsa_secp256r1_sha256:
|
|
|
5f1c2b |
case ssl_sig_ecdsa_secp384r1_sha384:
|
|
|
5f1c2b |
case ssl_sig_ecdsa_secp521r1_sha512:
|
|
|
5f1c2b |
diff -up nss/lib/ssl/sslcert.c.disable_pss nss/lib/ssl/sslcert.c
|
|
|
5f1c2b |
--- nss/lib/ssl/sslcert.c.disable_pss 2017-01-30 02:06:08.000000000 +0100
|
|
|
5f1c2b |
+++ nss/lib/ssl/sslcert.c 2017-02-17 11:44:34.973824961 +0100
|
|
|
5f1c2b |
@@ -399,7 +399,13 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
|
|
|
5f1c2b |
PRBool ku_enc = (PRBool)(cert->keyUsage & KU_KEY_ENCIPHERMENT);
|
|
|
5f1c2b |
|
|
|
5f1c2b |
if ((data->authType == ssl_auth_rsa_sign && ku_sig) ||
|
|
|
5f1c2b |
+#if 0
|
|
|
5f1c2b |
+ /* Disable, while we are waiting for an upstream fix to
|
|
|
5f1c2b |
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
|
|
|
5f1c2b |
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
|
|
|
5f1c2b |
+ **/
|
|
|
5f1c2b |
(data->authType == ssl_auth_rsa_pss && ku_sig) ||
|
|
|
5f1c2b |
+#endif
|
|
|
5f1c2b |
(data->authType == ssl_auth_rsa_decrypt && ku_enc)) {
|
|
|
5f1c2b |
return ssl_ConfigCert(ss, cert, keyPair, data);
|
|
|
5f1c2b |
}
|
|
|
5f1c2b |
@@ -416,12 +422,18 @@ ssl_ConfigRsaPkcs1CertByUsage(sslSocket
|
|
|
5f1c2b |
return rv;
|
|
|
5f1c2b |
}
|
|
|
5f1c2b |
|
|
|
5f1c2b |
+#if 0
|
|
|
5f1c2b |
+ /* Disable, while we are waiting for an upstream fix to
|
|
|
5f1c2b |
+ * https://bugzilla.mozilla.org/show_bug.cgi?id=1311950
|
|
|
5f1c2b |
+ * (NSS does not check if token supports RSA-PSS before using it to sign)
|
|
|
5f1c2b |
+ **/
|
|
|
5f1c2b |
/* This certificate is RSA, assume that it's also PSS. */
|
|
|
5f1c2b |
data->authType = ssl_auth_rsa_pss;
|
|
|
5f1c2b |
rv = ssl_ConfigCert(ss, cert, keyPair, data);
|
|
|
5f1c2b |
if (rv != SECSuccess) {
|
|
|
5f1c2b |
return rv;
|
|
|
5f1c2b |
}
|
|
|
5f1c2b |
+#endif
|
|
|
5f1c2b |
}
|
|
|
5f1c2b |
|
|
|
5f1c2b |
if (ku_enc) {
|