nss/Bug-1412829-reject-empty-supported_signature_algorit.patch

From 96728bb2bc55246d2bb3d98e4c1ab4b5b58a5c41 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 22 Nov 2018 10:55:20 +0100
Subject: [PATCH 441/489] Bug 1412829, reject empty
 supported_signature_algorithms in CR in TLS 1.2,
 r=mt

Summary: This basically reverts bug 1335069 to align with RFC 5246.

Reviewers: mt

Reviewed By: mt

Bug #: 1412829

Differential Revision: https://phabricator.services.mozilla.com/D12563

--HG--
extra : amend_source : a87f98603e14841654948c7664dbde26ebaf04e4
---
 gtests/nss_bogo_shim/config.json      |  3 ++-
 gtests/ssl_gtest/ssl_auth_unittest.cc | 15 +++++----------
 lib/ssl/ssl3con.c                     | 17 +++++++++--------
 3 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/gtests/nss_bogo_shim/config.json b/gtests/nss_bogo_shim/config.json
index 66f55d3..5c7a2e3 100644
--- a/gtests/nss_bogo_shim/config.json
+++ b/gtests/nss_bogo_shim/config.json
@@ -64,7 +64,8 @@
         "RequireAnyClientCertificate-TLS1*":"Bug 1339387",
         "SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
         "ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear",
-        "P224-Server":"NSS doesn't support P-224"
+        "P224-Server":"NSS doesn't support P-224",
+        "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty."
     },
     "ErrorMap" : {
         ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
index 93a8c54..3a52ac2 100644
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -386,9 +386,9 @@ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
   }
 };
 
-// Check that we fall back to SHA-1 when the server doesn't provide any
+// Check that we send an alert when the server doesn't provide any
 // supported_signature_algorithms in the CertificateRequest message.
-TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
+TEST_P(TlsConnectTls12, ClientAuthNoSigAlgs) {
   EnsureTlsSetup();
   MakeTlsFilter<TlsZeroCertificateRequestSigAlgsFilter>(server_);
   auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
@@ -396,15 +396,10 @@ TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
   client_->SetupClientAuth();
   server_->RequestClientAuth(true);
 
-  ConnectExpectAlert(server_, kTlsAlertDecryptError);
-
-  // We're expecting a bad signature here because we tampered with a handshake
-  // message (CertReq). Previously, without the SHA-1 fallback, we would've
-  // seen a malformed record alert.
-  server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
-  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+  ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);
 
-  CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024);
+  server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
+  client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
 }
 
 static const SSLSignatureScheme kSignatureSchemeEcdsaSha384[] = {
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index d7e8452..225f4f6 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -6171,16 +6171,12 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes,
 
     PORT_Assert(pubKey);
 
-    if (!isTLS13 && numSchemes == 0) {
-        /* If the server didn't provide any signature algorithms
-         * then let's assume they support SHA-1. */
-        rv = ssl_PickFallbackSignatureScheme(ss, pubKey);
-        SECKEY_DestroyPublicKey(pubKey);
-        return rv;
+    if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+        /* We should have already checked that a signature scheme was
+         * listed in the request. */
+        PORT_Assert(schemes && numSchemes > 0);
     }
 
-    PORT_Assert(schemes && numSchemes > 0);
-
     if (!isTLS13 &&
         (SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
          SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
@@ -7331,6 +7327,11 @@ ssl3_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length)
             PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST);
             goto loser; /* malformed, alert has been sent */
         }
+        if (signatureSchemeCount == 0) {
+            errCode = SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+            desc = handshake_failure;
+            goto alert_loser;
+        }
     }
 
     rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, &ca_list);
-- 
1.7.12.4
Package init 2019-09-30 11:10:05 -04:00			`From 96728bb2bc55246d2bb3d98e4c1ab4b5b58a5c41 Mon Sep 17 00:00:00 2001`
			`From: Daiki Ueno <dueno@redhat.com>`
			`Date: Thu, 22 Nov 2018 10:55:20 +0100`
			`Subject: [PATCH 441/489] Bug 1412829, reject empty`
			`supported_signature_algorithms in CR in TLS 1.2,`
			`r=mt`

			`Summary: This basically reverts bug 1335069 to align with RFC 5246.`

			`Reviewers: mt`

			`Reviewed By: mt`

			`Bug #: 1412829`

			`Differential Revision: https://phabricator.services.mozilla.com/D12563`

			`--HG--`
			`extra : amend_source : a87f98603e14841654948c7664dbde26ebaf04e4`
			`---`
			`gtests/nss_bogo_shim/config.json \| 3 ++-`
			`gtests/ssl_gtest/ssl_auth_unittest.cc \| 15 +++++----------`
			`lib/ssl/ssl3con.c \| 17 +++++++++--------`
			`3 files changed, 16 insertions(+), 19 deletions(-)`

			`diff --git a/gtests/nss_bogo_shim/config.json b/gtests/nss_bogo_shim/config.json`
			`index 66f55d3..5c7a2e3 100644`
			`--- a/gtests/nss_bogo_shim/config.json`
			`+++ b/gtests/nss_bogo_shim/config.json`
			`@@ -64,7 +64,8 @@`
			`"RequireAnyClientCertificate-TLS1*":"Bug 1339387",`
			`"SendExtensionOnClientCertificate-TLS13":"Bug 1339392",`
			`"ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear",`
			`- "P224-Server":"NSS doesn't support P-224"`
			`+ "P224-Server":"NSS doesn't support P-224",`
			`+ "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty."`
			`},`
			`"ErrorMap" : {`
			`":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",`
			`diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc`
			`index 93a8c54..3a52ac2 100644`
			`--- a/gtests/ssl_gtest/ssl_auth_unittest.cc`
			`+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc`
			`@@ -386,9 +386,9 @@ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {`
			`}`
			`};`

			`-// Check that we fall back to SHA-1 when the server doesn't provide any`
			`+// Check that we send an alert when the server doesn't provide any`
			`// supported_signature_algorithms in the CertificateRequest message.`
			`-TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {`
			`+TEST_P(TlsConnectTls12, ClientAuthNoSigAlgs) {`
			`EnsureTlsSetup();`
			`MakeTlsFilter<TlsZeroCertificateRequestSigAlgsFilter>(server_);`
			`auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(`
			`@@ -396,15 +396,10 @@ TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {`
			`client_->SetupClientAuth();`
			`server_->RequestClientAuth(true);`

			`- ConnectExpectAlert(server_, kTlsAlertDecryptError);`
			`-`
			`- // We're expecting a bad signature here because we tampered with a handshake`
			`- // message (CertReq). Previously, without the SHA-1 fallback, we would've`
			`- // seen a malformed record alert.`
			`- server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);`
			`- client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);`
			`+ ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);`

			`- CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024);`
			`+ server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);`
			`+ client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);`
			`}`

			`static const SSLSignatureScheme kSignatureSchemeEcdsaSha384[] = {`
			`diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c`
			`index d7e8452..225f4f6 100644`
			`--- a/lib/ssl/ssl3con.c`
			`+++ b/lib/ssl/ssl3con.c`
			`@@ -6171,16 +6171,12 @@ ssl_PickClientSignatureScheme(sslSocket ss, const SSLSignatureScheme schemes,`

			`PORT_Assert(pubKey);`

			`- if (!isTLS13 && numSchemes == 0) {`
			`- /* If the server didn't provide any signature algorithms`
			`- * then let's assume they support SHA-1. */`
			`- rv = ssl_PickFallbackSignatureScheme(ss, pubKey);`
			`- SECKEY_DestroyPublicKey(pubKey);`
			`- return rv;`
			`+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {`
			`+ /* We should have already checked that a signature scheme was`
			`+ * listed in the request. */`
			`+ PORT_Assert(schemes && numSchemes > 0);`
			`}`

			`- PORT_Assert(schemes && numSchemes > 0);`
			`-`
			`if (!isTLS13 &&`
			`(SECKEY_GetPublicKeyType(pubKey) == rsaKey \|\|`
			`SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&`
			`@@ -7331,6 +7327,11 @@ ssl3_HandleCertificateRequest(sslSocket ss, PRUint8 b, PRUint32 length)`
			`PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST);`
			`goto loser; /* malformed, alert has been sent */`
			`}`
			`+ if (signatureSchemeCount == 0) {`
			`+ errCode = SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM;`
			`+ desc = handshake_failure;`
			`+ goto alert_loser;`
			`+ }`
			`}`

			`rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, &ca_list);`
			`--`
			`1.7.12.4`