|
 |
3d912a |
# HG changeset patch
|
|
|
3d912a |
# User Daiki Ueno <dueno@redhat.com>
|
|
|
3d912a |
# Date 1559031046 -7200
|
|
|
3d912a |
# Tue May 28 10:10:46 2019 +0200
|
|
|
3d912a |
# Node ID 0a4e8b72a92e144663c2f35d3836f7828cfc97f2
|
|
|
3d912a |
# Parent 370a9e85f216f5f4ff277995a997c5c9b23a819f
|
|
|
3d912a |
Bug 1552208, prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3, r=mt
|
|
|
3d912a |
|
|
|
3d912a |
Reviewers: mt
|
|
|
3d912a |
|
|
|
3d912a |
Reviewed By: mt
|
|
|
3d912a |
|
|
|
3d912a |
Subscribers: mt, jcj, ueno, rrelyea, HubertKario, KevinJacobs
|
|
|
3d912a |
|
|
|
3d912a |
Tags: #secure-revision, #bmo-crypto-core-security
|
|
|
3d912a |
|
|
|
3d912a |
Bug #: 1552208
|
|
|
3d912a |
|
|
|
3d912a |
Differential Revision: https://phabricator.services.mozilla.com/D32454
|
|
|
3d912a |
|
|
|
3d912a |
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
|
|
|
3d912a |
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
|
|
|
3d912a |
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
|
|
|
3d912a |
@@ -701,6 +701,44 @@ TEST_P(TlsConnectTls12, ClientAuthIncons
|
|
|
3d912a |
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
|
|
3d912a |
}
|
|
|
3d912a |
|
|
|
3d912a |
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureScheme) {
|
|
|
3d912a |
+ static const SSLSignatureScheme kSignatureScheme[] = {
|
|
|
3d912a |
+ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pss_rsae_sha256};
|
|
|
3d912a |
+
|
|
|
3d912a |
+ Reset(TlsAgent::kServerRsa, "rsa");
|
|
|
3d912a |
+ client_->SetSignatureSchemes(kSignatureScheme,
|
|
|
3d912a |
+ PR_ARRAY_SIZE(kSignatureScheme));
|
|
|
3d912a |
+ server_->SetSignatureSchemes(kSignatureScheme,
|
|
|
3d912a |
+ PR_ARRAY_SIZE(kSignatureScheme));
|
|
|
3d912a |
+ client_->SetupClientAuth();
|
|
|
3d912a |
+ server_->RequestClientAuth(true);
|
|
|
3d912a |
+
|
|
|
3d912a |
+ auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
|
|
|
3d912a |
+ client_, kTlsHandshakeCertificateVerify);
|
|
|
3d912a |
+ capture_cert_verify->EnableDecryption();
|
|
|
3d912a |
+
|
|
|
3d912a |
+ Connect();
|
|
|
3d912a |
+ CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_rsae_sha256,
|
|
|
3d912a |
+ 1024);
|
|
|
3d912a |
+}
|
|
|
3d912a |
+
|
|
|
3d912a |
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureSchemeOnly) {
|
|
|
3d912a |
+ static const SSLSignatureScheme kSignatureScheme[] = {
|
|
|
3d912a |
+ ssl_sig_rsa_pkcs1_sha256};
|
|
|
3d912a |
+
|
|
|
3d912a |
+ Reset(TlsAgent::kServerRsa, "rsa");
|
|
|
3d912a |
+ client_->SetSignatureSchemes(kSignatureScheme,
|
|
|
3d912a |
+ PR_ARRAY_SIZE(kSignatureScheme));
|
|
|
3d912a |
+ server_->SetSignatureSchemes(kSignatureScheme,
|
|
|
3d912a |
+ PR_ARRAY_SIZE(kSignatureScheme));
|
|
|
3d912a |
+ client_->SetupClientAuth();
|
|
|
3d912a |
+ server_->RequestClientAuth(true);
|
|
|
3d912a |
+
|
|
|
3d912a |
+ ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
|
|
|
3d912a |
+ server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
|
|
|
3d912a |
+ client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
|
|
3d912a |
+}
|
|
|
3d912a |
+
|
|
|
3d912a |
class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
|
|
|
3d912a |
public:
|
|
|
3d912a |
TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
|
|
|
3d912a |
@@ -933,7 +971,7 @@ TEST_P(TlsConnectTls13, InconsistentSign
|
|
|
3d912a |
client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
|
|
|
3d912a |
}
|
|
|
3d912a |
|
|
|
3d912a |
-TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
|
|
|
3d912a |
+TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) {
|
|
|
3d912a |
server_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
|
|
|
3d912a |
PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
|
|
|
3d912a |
server_->RequestClientAuth(false);
|
|
|
3d912a |
@@ -1395,12 +1433,21 @@ TEST_P(TlsSignatureSchemeConfiguration,
|
|
|
3d912a |
INSTANTIATE_TEST_CASE_P(
|
|
|
3d912a |
SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
|
|
|
3d912a |
::testing::Combine(
|
|
|
3d912a |
- TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12Plus,
|
|
|
3d912a |
+ TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12,
|
|
|
3d912a |
::testing::Values(TlsAgent::kServerRsaSign),
|
|
|
3d912a |
::testing::Values(ssl_auth_rsa_sign),
|
|
|
3d912a |
::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
|
|
|
3d912a |
ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_rsae_sha256,
|
|
|
3d912a |
ssl_sig_rsa_pss_rsae_sha384)));
|
|
|
3d912a |
+// RSASSA-PKCS1-v1_5 is not allowed to be used in TLS 1.3
|
|
|
3d912a |
+INSTANTIATE_TEST_CASE_P(
|
|
|
3d912a |
+ SignatureSchemeRsaTls13, TlsSignatureSchemeConfiguration,
|
|
|
3d912a |
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
|
|
|
3d912a |
+ TlsConnectTestBase::kTlsV13,
|
|
|
3d912a |
+ ::testing::Values(TlsAgent::kServerRsaSign),
|
|
|
3d912a |
+ ::testing::Values(ssl_auth_rsa_sign),
|
|
|
3d912a |
+ ::testing::Values(ssl_sig_rsa_pss_rsae_sha256,
|
|
|
3d912a |
+ ssl_sig_rsa_pss_rsae_sha384)));
|
|
|
3d912a |
// PSS with SHA-512 needs a bigger key to work.
|
|
|
3d912a |
INSTANTIATE_TEST_CASE_P(
|
|
|
3d912a |
SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
|
|
|
3d912a |
diff --git a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
|
|
|
3d912a |
--- a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
|
|
|
3d912a |
+++ b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
|
|
|
3d912a |
@@ -68,12 +68,6 @@ class TlsCipherSuiteTestBase : public Tl
|
|
|
3d912a |
virtual void SetupCertificate() {
|
|
|
3d912a |
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
|
|
3d912a |
switch (sig_scheme_) {
|
|
|
3d912a |
- case ssl_sig_rsa_pkcs1_sha256:
|
|
|
3d912a |
- case ssl_sig_rsa_pkcs1_sha384:
|
|
|
3d912a |
- case ssl_sig_rsa_pkcs1_sha512:
|
|
|
3d912a |
- Reset(TlsAgent::kServerRsaSign);
|
|
|
3d912a |
- auth_type_ = ssl_auth_rsa_sign;
|
|
|
3d912a |
- break;
|
|
|
3d912a |
case ssl_sig_rsa_pss_rsae_sha256:
|
|
|
3d912a |
case ssl_sig_rsa_pss_rsae_sha384:
|
|
|
3d912a |
Reset(TlsAgent::kServerRsaSign);
|
|
|
3d912a |
@@ -330,6 +324,12 @@ static SSLSignatureScheme kSignatureSche
|
|
|
3d912a |
ssl_sig_rsa_pss_pss_sha256, ssl_sig_rsa_pss_pss_sha384,
|
|
|
3d912a |
ssl_sig_rsa_pss_pss_sha512};
|
|
|
3d912a |
|
|
|
3d912a |
+static SSLSignatureScheme kSignatureSchemesParamsArrTls13[] = {
|
|
|
3d912a |
+ ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
|
|
|
3d912a |
+ ssl_sig_rsa_pss_rsae_sha256, ssl_sig_rsa_pss_rsae_sha384,
|
|
|
3d912a |
+ ssl_sig_rsa_pss_rsae_sha512, ssl_sig_rsa_pss_pss_sha256,
|
|
|
3d912a |
+ ssl_sig_rsa_pss_pss_sha384, ssl_sig_rsa_pss_pss_sha512};
|
|
|
3d912a |
+
|
|
|
3d912a |
INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams,
|
|
|
3d912a |
kDummySignatureSchemesParams,
|
|
|
3d912a |
TLS_RSA_WITH_RC4_128_SHA,
|
|
|
3d912a |
@@ -394,7 +394,7 @@ INSTANTIATE_CIPHER_TEST_P(
|
|
|
3d912a |
#ifndef NSS_DISABLE_TLS_1_3
|
|
|
3d912a |
INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
|
|
|
3d912a |
::testing::ValuesIn(kFasterDHEGroups),
|
|
|
3d912a |
- ::testing::ValuesIn(kSignatureSchemesParamsArr),
|
|
|
3d912a |
+ ::testing::ValuesIn(kSignatureSchemesParamsArrTls13),
|
|
|
3d912a |
TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
|
|
|
3d912a |
TLS_AES_256_GCM_SHA384);
|
|
|
3d912a |
INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13,
|
|
|
3d912a |
diff --git a/gtests/ssl_gtest/ssl_extension_unittest.cc b/gtests/ssl_gtest/ssl_extension_unittest.cc
|
|
|
3d912a |
--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
|
|
|
3d912a |
+++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
|
|
|
3d912a |
@@ -436,14 +436,14 @@ TEST_P(TlsExtensionTest12Plus, Signature
|
|
|
3d912a |
}
|
|
|
3d912a |
|
|
|
3d912a |
TEST_F(TlsExtensionTest13Stream, SignatureAlgorithmsPrecedingGarbage) {
|
|
|
3d912a |
- // 31 unknown signature algorithms followed by sha-256, rsa
|
|
|
3d912a |
+ // 31 unknown signature algorithms followed by sha-256, rsa-pss
|
|
|
3d912a |
const uint8_t val[] = {
|
|
|
3d912a |
0x00, 0x40, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
3d912a |
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
3d912a |
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
3d912a |
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
3d912a |
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
3d912a |
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x01};
|
|
|
3d912a |
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x08, 0x04};
|
|
|
3d912a |
DataBuffer extension(val, sizeof(val));
|
|
|
3d912a |
MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_signature_algorithms_xtn,
|
|
|
3d912a |
extension);
|
|
|
3d912a |
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
|
|
3d912a |
--- a/lib/ssl/ssl3con.c
|
|
|
3d912a |
+++ b/lib/ssl/ssl3con.c
|
|
|
3d912a |
@@ -64,6 +64,7 @@ static SECStatus ssl3_FlushHandshakeMess
|
|
|
3d912a |
static CK_MECHANISM_TYPE ssl3_GetHashMechanismByHashType(SSLHashType hashType);
|
|
|
3d912a |
static CK_MECHANISM_TYPE ssl3_GetMgfMechanismByHashType(SSLHashType hash);
|
|
|
3d912a |
PRBool ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme);
|
|
|
3d912a |
+PRBool ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme);
|
|
|
3d912a |
PRBool ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme);
|
|
|
3d912a |
|
|
|
3d912a |
const PRUint8 ssl_hello_retry_random[] = {
|
|
|
3d912a |
@@ -4101,6 +4102,9 @@ ssl_SignatureSchemeValid(SSLSignatureSch
|
|
|
3d912a |
if (ssl_SignatureSchemeToHashType(scheme) == ssl_hash_sha1) {
|
|
|
3d912a |
return PR_FALSE;
|
|
|
3d912a |
}
|
|
|
3d912a |
+ if (ssl_IsRsaPkcs1SignatureScheme(scheme)) {
|
|
|
3d912a |
+ return PR_FALSE;
|
|
|
3d912a |
+ }
|
|
|
3d912a |
/* With TLS 1.3, EC keys should have been selected based on calling
|
|
|
3d912a |
* ssl_SignatureSchemeFromSpki(), reject them otherwise. */
|
|
|
3d912a |
return spkiOid != SEC_OID_ANSIX962_EC_PUBLIC_KEY;
|
|
|
3d912a |
@@ -4351,6 +4355,22 @@ ssl_IsRsaPssSignatureScheme(SSLSignature
|
|
|
3d912a |
}
|
|
|
3d912a |
|
|
|
3d912a |
PRBool
|
|
|
3d912a |
+ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme)
|
|
|
3d912a |
+{
|
|
|
3d912a |
+ switch (scheme) {
|
|
|
3d912a |
+ case ssl_sig_rsa_pkcs1_sha256:
|
|
|
3d912a |
+ case ssl_sig_rsa_pkcs1_sha384:
|
|
|
3d912a |
+ case ssl_sig_rsa_pkcs1_sha512:
|
|
|
3d912a |
+ case ssl_sig_rsa_pkcs1_sha1:
|
|
|
3d912a |
+ return PR_TRUE;
|
|
|
3d912a |
+
|
|
|
3d912a |
+ default:
|
|
|
3d912a |
+ return PR_FALSE;
|
|
|
3d912a |
+ }
|
|
|
3d912a |
+ return PR_FALSE;
|
|
|
3d912a |
+}
|
|
|
3d912a |
+
|
|
|
3d912a |
+PRBool
|
|
|
3d912a |
ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme)
|
|
|
3d912a |
{
|
|
|
3d912a |
switch (scheme) {
|