Bug 1303648 - Only enable groups that are present, r=ekr,franziskus

--HG--
extra : rebase_source : 15a5eaf317d3f0819c72350a46fbac1e14761f05

external_tests/ssl_gtest/ssl_0rtt_unittest.cc

@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "secerr.h"
 #include "ssl.h"
+#include "secerr.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_auth_unittest.cc

@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "secerr.h"
 #include "ssl.h"
+#include "secerr.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc

@@ -4,10 +4,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "ssl.h"
 #include <functional>
 #include <memory>
 #include "secerr.h"
-#include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_damage_unittest.cc

@@ -4,10 +4,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "ssl.h"
 #include <functional>
 #include <memory>
 #include "secerr.h"
-#include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_dhe_unittest.cc

@@ -4,11 +4,11 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "ssl.h"
 #include <functional>
 #include <memory>
 #include <set>
 #include "secerr.h"
-#include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_drop_unittest.cc

@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "secerr.h"
 #include "ssl.h"
+#include "secerr.h"
 
 extern "C" {
 // This is not something that should make you happy.

external_tests/ssl_gtest/ssl_ecdh_unittest.cc

@@ -4,10 +4,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "ssl.h"
 #include <functional>
 #include <memory>
 #include "secerr.h"
-#include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 
@@ -255,6 +255,27 @@ TEST_P(TlsConnectGenericPre13, P384PriorityFromModelSocket) {
   CheckKeys(ssl_kea_ecdh, ssl_auth_rsa_sign, 384);
 }
 
+// If we only have a lame group, we fall back to static RSA.
+TEST_P(TlsConnectGenericPre13, UseLameGroup) {
+  static const SSLNamedGroup groups[] = {ssl_grp_ec_secp192r1};
+  client_->ConfigNamedGroups(groups, PR_ARRAY_SIZE(groups));
+  server_->ConfigNamedGroups(groups, PR_ARRAY_SIZE(groups));
+  Connect();
+  CheckKeys(ssl_kea_rsa, ssl_auth_rsa_decrypt);
+}
+
+// In TLS 1.3, we can't generate the ClientHello.
+TEST_P(TlsConnectTls13, UseLameGroup) {
+  static const SSLNamedGroup groups[] = {ssl_grp_ec_sect283k1};
+  client_->ConfigNamedGroups(groups, PR_ARRAY_SIZE(groups));
+  server_->ConfigNamedGroups(groups, PR_ARRAY_SIZE(groups));
+  client_->StartConnect();
+  client_->Handshake();
+#ifndef NSS_ECC_MORE_THAN_SUITE_B  // TODO: remove this guard
+  client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+#endif
+}
+
 TEST_P(TlsConnectStreamPre13, ConfiguredGroupsRenegotiate) {
   EnsureTlsSetup();
   client_->DisableAllCiphers();

external_tests/ssl_gtest/ssl_ems_unittest.cc

@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "secerr.h"
 #include "ssl.h"
+#include "secerr.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_gtest.cc

@@ -1,7 +1,7 @@
+#include "ssl.h"
 #include "nspr.h"
 #include "nss.h"
 #include "prenv.h"
-#include "ssl.h"
 
 #include <cstdlib>
 

external_tests/ssl_gtest/ssl_hrr_unittest.cc

@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "secerr.h"
 #include "ssl.h"
+#include "secerr.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_loopback_unittest.cc

@@ -4,10 +4,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "ssl.h"
 #include <functional>
 #include <memory>
 #include "secerr.h"
-#include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_record_unittest.cc

@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "nss.h"
 #include "ssl.h"
+#include "nss.h"
 #include "sslimpl.h"
 
 #include "databuffer.h"

external_tests/ssl_gtest/ssl_resumption_unittest.cc

@@ -4,10 +4,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "ssl.h"
 #include <functional>
 #include <memory>
 #include "secerr.h"
-#include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_staticrsa_unittest.cc

@@ -4,10 +4,10 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "ssl.h"
 #include <functional>
 #include <memory>
 #include "secerr.h"
-#include "ssl.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_v2_client_hello_unittest.cc

@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "pk11pub.h"
 #include "ssl.h"
+#include "pk11pub.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

external_tests/ssl_gtest/ssl_version_unittest.cc

@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "secerr.h"
 #include "ssl.h"
+#include "secerr.h"
 #include "sslerr.h"
 #include "sslproto.h"
 

lib/ssl/manifest.mn

@@ -1,4 +1,4 @@
-# 
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
@@ -7,46 +7,47 @@ CORE_DEPTH = ../..
 # DEFINES = -DTRACE
 
 EXPORTS = \
-	ssl.h \
-	sslt.h \
-	sslerr.h \
-	sslproto.h \
-	preenc.h \
-	$(NULL)
+        ssl.h \
+        sslt.h \
+        sslerr.h \
+        sslproto.h \
+        preenc.h \
+        $(NULL)
 
 MODULE = nss
 MAPFILE = $(OBJDIR)/ssl.def
 
 CSRCS = \
-	derive.c \
-	dtlscon.c \
-	prelib.c \
-	ssl3con.c \
-	ssl3gthr.c \
-	sslauth.c \
-	sslcon.c \
-	ssldef.c \
-	sslenum.c \
-	sslerr.c \
-	sslerrstrs.c \
-	sslinit.c \
-	ssl3ext.c \
-	sslmutex.c \
-	sslnonce.c \
-	sslreveal.c \
-	sslsecur.c \
-	sslsnce.c \
-	sslsock.c \
-	ssltrace.c \
-	sslver.c \
-	authcert.c \
-	cmpcert.c \
-	sslinfo.c \
-	ssl3ecc.c \
+        derive.c \
+        dtlscon.c \
+        prelib.c \
+        ssl3con.c \
+        ssl3gthr.c \
+        sslauth.c \
+        sslcon.c \
+        ssldef.c \
+        sslenum.c \
+        sslerr.c \
+        sslerrstrs.c \
+        sslinit.c \
+        ssl3ext.c \
+        sslmutex.c \
+        sslnonce.c \
+        sslreveal.c \
+        sslsecur.c \
+        sslsnce.c \
+        sslsock.c \
+        ssltrace.c \
+        sslver.c \
+        authcert.c \
+        cmpcert.c \
+        sslinfo.c \
+        ssl3ecc.c \
         tls13con.c \
         tls13hkdf.c \
         sslcert.c \
-	$(NULL)
+        sslgrp.c \
+        $(NULL)
 
 LIBRARY_NAME = ssl
 LIBRARY_VERSION = 3

lib/ssl/ssl3con.c

@@ -793,8 +793,7 @@ ssl_NamedGroupTypeEnabled(const sslSocket *ss, NamedGroupType groupType)
     unsigned int i;
     for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
         if (ss->namedGroupPreferences[i] &&
-            ss->namedGroupPreferences[i]->type == groupType &&
-            ssl_NamedGroupEnabled(ss, ss->namedGroupPreferences[i])) {
+            ss->namedGroupPreferences[i]->type == groupType) {
             return PR_TRUE;
         }
     }
@@ -814,22 +813,26 @@ ssl_KEAEnabled(const sslSocket *ss, SSLKEAType keaType)
                 return PR_FALSE;
             }
 
-            /* No need to check for a common FFDHE group if we are in TLS 1.2 or
-             * earlier and named groups aren't required. */
-            if (!ss->opt.requireDHENamedGroups &&
-                ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
-                /* If the client indicates support for named FFDHE groups, check
-                 * that we have one in common. */
-                if (ss->sec.isServer && ss->ssl3.hs.peerSupportsFfdheGroups) {
-                    return ssl_NamedGroupTypeEnabled(ss, group_type_ff);
+            if (ss->sec.isServer) {
+                /* If the server requires named FFDHE groups, then the client
+                 * must have included an FFDHE group. peerSupportsFfdheGroups
+                 * is set to true in ssl_HandleSupportedGroupsXtn(). */
+                if (ss->opt.requireDHENamedGroups &&
+                    !ss->ssl3.hs.peerSupportsFfdheGroups) {
+                    return PR_FALSE;
+                }
+
+                /* We can use the weak DH group if all of these are true:
+                 * 1. We don't require named groups.
+                 * 2. The peer doesn't support named groups.
+                 * 3. This isn't TLS 1.3.
+                 * 4. The weak group is enabled. */
+                if (!ss->opt.requireDHENamedGroups &&
+                    !ss->ssl3.hs.peerSupportsFfdheGroups &&
+                    ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
+                    ss->ssl3.dheWeakGroupEnabled) {
+                    return PR_TRUE;
                 }
-                return PR_TRUE;
-            }
-            /* If the server requires the extension, then the client must have
-             * already sent a ffdhe group. peerSupportsFfdheGroups is set to true in
-             * ssl_HandleSupportedGroupsXtn(). */
-            if (ss->sec.isServer && !ss->ssl3.hs.peerSupportsFfdheGroups) {
-                return PR_FALSE;
             }
             return ssl_NamedGroupTypeEnabled(ss, group_type_ff);
         }
@@ -6778,8 +6781,7 @@ ssl3_SendDHClientKeyExchange(sslSocket *ss, SECKEYPublicKey *svrPubKey)
     ssl3DHParams customParams;
     const namedGroupDef *groupDef;
     namedGroupDef customGroupDef = {
-        0, ssl_grp_ffdhe_custom, 0, group_type_ff,
-        SEC_OID_TLS_DHE_CUSTOM, PR_FALSE
+        ssl_grp_ffdhe_custom, 0, group_type_ff, SEC_OID_TLS_DHE_CUSTOM
     };
     sslEphemeralKeyPair *keyPair = NULL;
     SECKEYPublicKey *pubKey;
@@ -13593,7 +13595,7 @@ ssl3_InitState(sslSocket *ss)
 
     ss->ssl3.hs.zeroRttState = ssl_0rtt_none;
 
-    ssl_DisableNonSuiteBGroups(ss);
+    ssl_FilterSupportedGroups(ss);
 
     ss->ssl3.initialized = PR_TRUE;
     return SECSuccess;