

Bug 1334114 - Allow mismatched groups with signature scheme configuration, r=kaie

--HG--
extra : rebase_source : abe0f91bcb5f6c2939e5be52eb10a26bc06063b9
extra : amend_source : 008ec272a237ac066f8bdefd9f2c5f45a30e43aa
martinthomson committed Jan 30, 2017
1 parent 114cfd8 commit 7676500
Showing 4 changed files with 27 additions and 8 deletions.
22 changes: 20 additions & 2 deletions gtests/ssl_gtest/ssl_auth_unittest.cc
Expand Up @@ -198,7 +198,16 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
ssl_sig_ecdsa_secp384r1_sha384);
}

TEST_P(TlsConnectTls12Plus, SignatureSchemeCurveMismatch) {
// In TLS 1.2, curve and hash aren't bound together.
TEST_P(TlsConnectTls12, SignatureSchemeCurveMismatch) {
Reset(TlsAgent::kServerEcdsa256);
client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
Connect();
}

// In TLS 1.3, curve and hash are coupled.
TEST_P(TlsConnectTls13, SignatureSchemeCurveMismatch) {
Reset(TlsAgent::kServerEcdsa256);
client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
Expand All @@ -207,7 +216,16 @@ TEST_P(TlsConnectTls12Plus, SignatureSchemeCurveMismatch) {
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}

TEST_P(TlsConnectTls12Plus, SignatureSchemeBadConfig) {
// Configuring a P-256 cert with only SHA-384 signatures is OK in TLS 1.2.
TEST_P(TlsConnectTls12, SignatureSchemeBadConfig) {
Reset(TlsAgent::kServerEcdsa256); // P-256 cert can't be used.
server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
Connect();
}

// A P-256 certificate in TLS 1.3 needs a SHA-256 signature scheme.
TEST_P(TlsConnectTls13, SignatureSchemeBadConfig) {
Reset(TlsAgent::kServerEcdsa256); // P-256 cert can't be used.
server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
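Review bot: The comment `// P-256 cert can't be used.` on the Reset line of the new TlsConnectTls12 SignatureSchemeBadConfig test is now wrong: that test calls Connect() and expects the handshake to succeed with the P-256 certificate, so the comment contradicts the assertion. Drop it from the TLS 1.2 copy or change it to `// P-256 cert signs with a SHA-384 scheme in TLS 1.2.`, keeping the original wording only on the TlsConnectTls13 variant where failure is expected. The two new TLS 1.2 tests (SignatureSchemeCurveMismatch in the first hunk and this one) also only check that Connect() completes; a `CheckKeys(ssl_kea_ecdh, <KEA_GROUP>, ssl_auth_ecdsa, ssl_sig_ecdsa_secp384r1_sha384);` call, as the test above the first hunk appears to do, would pin the negotiated scheme rather than merely tolerate it. The TlsConnectTls13 SignatureSchemeBadConfig body continues below this hunk, and the TlsConnectTls13 SignatureSchemeCurveMismatch body from the first hunk runs into the second.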
2 changes: 1 addition & 1 deletion gtests/ssl_gtest/ssl_ecdh_unittest.cc
Expand Up @@ -58,7 +58,7 @@ TEST_P(TlsConnectTls12, ConnectEcdheP384) {
Reset(TlsAgent::kServerEcdsa384);
ConnectWithCipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256);
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_ecdsa,
ssl_sig_ecdsa_secp384r1_sha384);
ssl_sig_ecdsa_secp256r1_sha256);
}

TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
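Review bot: The new expectation `ssl_sig_ecdsa_secp256r1_sha256` for a P-384 certificate reads like a mismatch unless the reader knows the curve part of the scheme name is no longer enforced in TLS 1.2, so the CheckKeys call deserves a one-line explanation. Something like `// TLS 1.2 ignores the curve in the scheme name; the SHA-256 scheme wins by preference order.` above CheckKeys would do, with the preference-order part confirmed against the default scheme list, since nothing in this hunk shows why SHA-256 is chosen over SHA-384. ConnectEcdheP384 begins above the hunk.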
9 changes: 5 additions & 4 deletions lib/ssl/ssl.h
Expand Up @@ -356,10 +356,11 @@ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
** that is compatible with both its certificate and its peer's supported
** values.
**
** NSS uses the strict signature schemes from TLS 1.3 in TLS 1.2. That means
** that if a peer indicates support for SHA-384 and ECDSA, NSS will not
** generate a signature if it has a P-256 key, even though that is permitted in
** TLS 1.2.
** This configuration affects TLS 1.2, but the combination of EC group and hash
** algorithm is interpreted loosely to be compatible with other implementations.
** For TLS 1.2, NSS will ignore the curve group when generating or verifying
** ECDSA signatures. For example, a P-384 ECDSA certificate is used with
** SHA-256 if ssl_sig_ecdsa_secp256r1_sha256 is enabled.
**
** Omitting SHA-256 schemes from this list might be foolish. Support is
** mandatory in TLS 1.2 and 1.3 and there might be interoperability issues.
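Review bot: The rewritten paragraph describes only the TLS 1.2 behaviour and never says what happens in TLS 1.3, although the text it replaces contrasted the two and the tests in this commit show the behaviour differs by version. Add a sentence after the P-384 example such as `** In TLS 1.3 the curve group in an ECDSA scheme must match the key's group, so a P-384 key can only use ssl_sig_ecdsa_secp384r1_sha384.` so that a caller configuring schemes knows the strict binding still applies there. The phrase `the combination of EC group and hash algorithm is interpreted loosely` could also say directly what "loosely" means, as the following sentence already does: `the EC group named in an ECDSA scheme is not enforced`.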
2 changes: 1 addition & 1 deletion lib/ssl/ssl3con.c
Expand Up @@ -6404,7 +6404,7 @@ ssl_PickSignatureScheme(sslSocket *ss,
PRUint32 policy;

if (!ssl_SignatureSchemeValidForKey(!isTLS13 /* allowSha1 */,
PR_TRUE /* matchGroup */,
isTLS13 /* matchGroup */,
keyType, group, preferred)) {
continue;
}
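Review bot: The verification path is not covered by this hunk: matchGroup is relaxed for TLS 1.2 only in ssl_PickSignatureScheme, the signing-side choice, while the ssl.h comment in this commit says NSS also ignores the curve group when verifying TLS 1.2 ECDSA signatures. It is worth confirming that the other caller(s) of ssl_SignatureSchemeValidForKey make the same version distinction, otherwise NSS could produce a key/scheme pairing in TLS 1.2 that it rejects when a peer sends the same pairing. The two boolean arguments are now both derived from isTLS13 with opposite sense, which the inline `/* allowSha1 */` and `/* matchGroup */` comments handle, but a short comment above the call, `/* TLS 1.2 does not bind the ECDSA curve to the hash; TLS 1.3 does. */`, would record why the group check is version-dependent. ssl_PickSignatureScheme begins and ends outside the hunk.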

