зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1577822 - land NSS NSS_3_47_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-11 Kai Engert <kaie@kuix.de> * automation/release/nspr-version.txt: Bug 1583068 - Require NSPR version 4.23 r=jcj [93245f5733b3] [NSS_3_47_BETA1] 2019-10-11 Kevin Jacobs <kjacobs@mozilla.com> * coreconf/config.gypi, lib/freebl/freebl.gyp: Bug 1152625 - Add gyp flag for disabling ARM HW AES r=jcj Adds an option to disable ARMv8 HW AES, if `-Ddisable_arm_hw_aes=1` is passed to build.sh. Depends on D34473 [9abcea09fdd4] 2019-10-11 Makoto Kato <m_kato@ga2.so-net.ne.jp> * lib/freebl/aes-armv8.c: Bug 1152625 - Part 2. Remove __builtin_assume to avoid crash on PGO. r=kjacobs,mt `AESContext->iv` doesn't align to 16 bytes on PGO build, so we should remove __builtin_assume. Also, I guess that `expandedKey` has same problem. [1b0f5c5335ee] * lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/aes-armv8.h, lib/freebl/freebl.gyp, lib/freebl/intel-aes.h, lib/freebl/rijndael.c: Bug 1152625 - Support AES HW acceleration on ARMv8. r=kjacobs,jcj [efb895a43899] 2019-09-06 Martin Thomson <mt@lowentropy.net> * gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_ciphersuite_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_fuzz_unittest.cc, gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c: Bug 1549225 - Up front Signature Scheme validation, r=ueno Summary: This patch started as an attempt to ensure that a DSA signature scheme would not be advertised if we weren't willing to negotiate versions less than TLS 1.3. Then I realized that we didn't do the same for PKCS#1 RSA. Then I realized that we were still willing to try to establish connections when we had a certificate that we couldn't use. Then I realized that ssl3_config_match_init() wasn't being run consistently. On resumption, we only ran it when we were PARANOID. That's silly because we weren't checking policies. Then I realized that we were allowing ECDSA certificates to be used when the named group in the certificate was disabled. We weren't enforcing that consistently either. However, I also discovered that the check we have wouldn't work without a tweak because in TLS 1.3 the named group is part of the signature scheme; the configured named groups are only used prior to TLS 1.3 when selecting ECDSA/ECDH certificates. So that sounds like a lot of changes but what it boils down to is more robust checking of the configuration prior to starting a connection. As a result, we should be offering fewer options that we're unwilling or unable to follow through on. A good number of tests needed tweaking as a result because we were relying on getting past the checks in those tests. No real problems were found as a result; this just moves failures that might arise from misconfiguration a little earlier in the process. [9b418f0a4912] 2019-10-08 Kevin Jacobs <kjacobs@mozilla.com> * gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc, lib/pk11wrap/pk11pk12.c: Bug 1586947 - Store nickname during EC key import. r=jcj This patch stores the nickname (if specified) during EC key import. This was already done for all other key types. [c319019aee75] 2019-10-08 Marcus Burghardt <mburghardt@mozilla.com> * lib/certdb/stanpcertdb.c, lib/pk11wrap/pk11load.c, lib/pki/pki3hack.c: Bug 1586456 - Unnecessary conditional in pki3hack, pk11load and stanpcertdb. r=jcj Some conditionals that are always true were removed. [b34061c3a377] Differential Revision: https://phabricator.services.mozilla.com/D49030 --HG-- extra : moz-landing-system : lando
This commit is contained in:
Родитель
f3071e8691
Коммит
685c607058
|
@ -1 +1 @@
|
|||
dc86215aea17
|
||||
NSS_3_47_BETA1
|
|
@ -1,4 +1,4 @@
|
|||
4.22
|
||||
4.23
|
||||
|
||||
# The first line of this file must contain the human readable NSPR
|
||||
# version number, which is the minimum required version of NSPR
|
||||
|
|
|
@ -96,6 +96,7 @@
|
|||
'cc_is_gcc%': '<(cc_is_gcc)',
|
||||
'cc_use_gnu_ld%': '<(cc_use_gnu_ld)',
|
||||
# Some defaults
|
||||
'disable_arm_hw_aes%': 0,
|
||||
'disable_tests%': 0,
|
||||
'disable_chachapoly%': 0,
|
||||
'disable_dbm%': 0,
|
||||
|
|
|
@ -10,4 +10,3 @@
|
|||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
|
|
@ -15,6 +15,20 @@
|
|||
|
||||
namespace nss_test {
|
||||
|
||||
const std::vector<uint8_t> kValidP256Key = {
|
||||
0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
|
||||
0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
|
||||
0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
|
||||
0xc9, 0xaf, 0xa9, 0xd8, 0x45, 0xba, 0x75, 0x16, 0x6b, 0x5c, 0x21, 0x57,
|
||||
0x67, 0xb1, 0xd6, 0x93, 0x4e, 0x50, 0xc3, 0xdb, 0x36, 0xe8, 0x9b, 0x12,
|
||||
0x7b, 0x8a, 0x62, 0x2b, 0x12, 0x0f, 0x67, 0x21, 0xa1, 0x44, 0x03, 0x42,
|
||||
0x00, 0x04, 0x60, 0xfe, 0xd4, 0xba, 0x25, 0x5a, 0x9d, 0x31, 0xc9, 0x61,
|
||||
0xeb, 0x74, 0xc6, 0x35, 0x6d, 0x68, 0xc0, 0x49, 0xb8, 0x92, 0x3b, 0x61,
|
||||
0xfa, 0x6c, 0xe6, 0x69, 0x62, 0x2e, 0x60, 0xf2, 0x9f, 0xb6, 0x79, 0x03,
|
||||
0xfe, 0x10, 0x08, 0xb8, 0xbc, 0x99, 0xa4, 0x1a, 0xe9, 0xe9, 0x56, 0x28,
|
||||
0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77, 0xa3,
|
||||
0xc2, 0x94, 0xd4, 0x46, 0x22, 0x99};
|
||||
|
||||
const std::vector<uint8_t> kValidRSAKey = {
|
||||
// 512-bit RSA private key (PKCS#8)
|
||||
0x30, 0x82, 0x01, 0x54, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
|
||||
|
@ -73,38 +87,76 @@ const std::vector<uint8_t> kInvalidZeroLengthKey = {
|
|||
|
||||
class DERPrivateKeyImportTest : public ::testing::Test {
|
||||
public:
|
||||
bool ParsePrivateKey(const std::vector<uint8_t>& data) {
|
||||
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
||||
EXPECT_TRUE(slot);
|
||||
|
||||
bool ParsePrivateKey(const std::vector<uint8_t>& data, bool expect_success) {
|
||||
SECKEYPrivateKey* key = nullptr;
|
||||
SECStatus rv = SECFailure;
|
||||
std::string nick_str =
|
||||
::testing::UnitTest::GetInstance()->current_test_info()->name() +
|
||||
std::to_string(rand());
|
||||
SECItem item = {siBuffer, const_cast<unsigned char*>(data.data()),
|
||||
(unsigned int)data.size()};
|
||||
static_cast<unsigned int>(data.size())};
|
||||
SECItem nick = {siBuffer, reinterpret_cast<unsigned char*>(
|
||||
const_cast<char*>(nick_str.data())),
|
||||
static_cast<unsigned int>(nick_str.length())};
|
||||
|
||||
SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
|
||||
slot.get(), &item, nullptr, nullptr, false, false, KU_ALL, &key,
|
||||
nullptr);
|
||||
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
EXPECT_TRUE(slot);
|
||||
if (!slot) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (PK11_NeedUserInit(slot.get())) {
|
||||
if (PK11_InitPin(slot.get(), nullptr, nullptr) != SECSuccess) {
|
||||
EXPECT_EQ(rv, SECSuccess) << "PK11_InitPin failed";
|
||||
}
|
||||
}
|
||||
rv = PK11_Authenticate(slot.get(), PR_TRUE, nullptr);
|
||||
EXPECT_EQ(rv, SECSuccess);
|
||||
|
||||
rv = PK11_ImportDERPrivateKeyInfoAndReturnKey(
|
||||
slot.get(), &item, &nick, nullptr, true, false, KU_ALL, &key, nullptr);
|
||||
EXPECT_EQ(rv == SECSuccess, key != nullptr);
|
||||
SECKEY_DestroyPrivateKey(key);
|
||||
|
||||
if (expect_success) {
|
||||
// Try to find the key via its label
|
||||
ScopedSECKEYPrivateKeyList list(PK11_ListPrivKeysInSlot(
|
||||
slot.get(), const_cast<char*>(nick_str.c_str()), nullptr));
|
||||
EXPECT_FALSE(!list);
|
||||
}
|
||||
|
||||
if (key) {
|
||||
rv = PK11_DeleteTokenPrivateKey(key, true);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
|
||||
// PK11_DeleteTokenPrivateKey leaves an errorCode set when there's
|
||||
// no cert. This is expected, so clear it.
|
||||
if (PORT_GetError() == SSL_ERROR_NO_CERTIFICATE) {
|
||||
PORT_SetError(0);
|
||||
}
|
||||
}
|
||||
|
||||
return rv == SECSuccess;
|
||||
}
|
||||
};
|
||||
|
||||
TEST_F(DERPrivateKeyImportTest, ImportPrivateRSAKey) {
|
||||
EXPECT_TRUE(ParsePrivateKey(kValidRSAKey));
|
||||
EXPECT_FALSE(PORT_GetError());
|
||||
EXPECT_TRUE(ParsePrivateKey(kValidRSAKey, true));
|
||||
EXPECT_FALSE(PORT_GetError()) << PORT_GetError();
|
||||
}
|
||||
|
||||
TEST_F(DERPrivateKeyImportTest, ImportEcdsaKey) {
|
||||
EXPECT_TRUE(ParsePrivateKey(kValidP256Key, true));
|
||||
EXPECT_FALSE(PORT_GetError()) << PORT_GetError();
|
||||
}
|
||||
|
||||
TEST_F(DERPrivateKeyImportTest, ImportInvalidPrivateKey) {
|
||||
EXPECT_FALSE(ParsePrivateKey(kInvalidLengthKey));
|
||||
EXPECT_EQ(PORT_GetError(), SEC_ERROR_BAD_DER);
|
||||
EXPECT_FALSE(ParsePrivateKey(kInvalidLengthKey, false));
|
||||
EXPECT_EQ(PORT_GetError(), SEC_ERROR_BAD_DER) << PORT_GetError();
|
||||
}
|
||||
|
||||
TEST_F(DERPrivateKeyImportTest, ImportZeroLengthPrivateKey) {
|
||||
EXPECT_FALSE(ParsePrivateKey(kInvalidZeroLengthKey));
|
||||
EXPECT_EQ(PORT_GetError(), SEC_ERROR_BAD_KEY);
|
||||
EXPECT_FALSE(ParsePrivateKey(kInvalidZeroLengthKey, false));
|
||||
EXPECT_EQ(PORT_GetError(), SEC_ERROR_BAD_KEY) << PORT_GetError();
|
||||
}
|
||||
|
||||
} // namespace nss_test
|
||||
|
|
|
@ -783,6 +783,7 @@ TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureScheme) {
|
|||
1024);
|
||||
}
|
||||
|
||||
// Client should refuse to connect without a usable signature scheme.
|
||||
TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureSchemeOnly) {
|
||||
static const SSLSignatureScheme kSignatureScheme[] = {
|
||||
ssl_sig_rsa_pkcs1_sha256};
|
||||
|
@ -790,7 +791,21 @@ TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureSchemeOnly) {
|
|||
Reset(TlsAgent::kServerRsa, "rsa");
|
||||
client_->SetSignatureSchemes(kSignatureScheme,
|
||||
PR_ARRAY_SIZE(kSignatureScheme));
|
||||
server_->SetSignatureSchemes(kSignatureScheme,
|
||||
client_->SetupClientAuth();
|
||||
client_->StartConnect();
|
||||
client_->Handshake();
|
||||
EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state());
|
||||
client_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||||
}
|
||||
|
||||
// Though the client has a usable signature scheme, when a certificate is
|
||||
// requested, it can't produce one.
|
||||
TEST_P(TlsConnectTls13, ClientAuthPkcs1AndEcdsaScheme) {
|
||||
static const SSLSignatureScheme kSignatureScheme[] = {
|
||||
ssl_sig_rsa_pkcs1_sha256, ssl_sig_ecdsa_secp256r1_sha256};
|
||||
|
||||
Reset(TlsAgent::kServerRsa, "rsa");
|
||||
client_->SetSignatureSchemes(kSignatureScheme,
|
||||
PR_ARRAY_SIZE(kSignatureScheme));
|
||||
client_->SetupClientAuth();
|
||||
server_->RequestClientAuth(true);
|
||||
|
@ -1433,6 +1448,109 @@ TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPss) {
|
|||
&ServerCertDataRsaPss));
|
||||
}
|
||||
|
||||
// A server should refuse to even start a handshake with
|
||||
// misconfigured certificate and signature scheme.
|
||||
TEST_P(TlsConnectTls12Plus, MisconfiguredCertScheme) {
|
||||
Reset(TlsAgent::kServerDsa);
|
||||
static const SSLSignatureScheme kScheme[] = {ssl_sig_ecdsa_secp256r1_sha256};
|
||||
server_->SetSignatureSchemes(kScheme, PR_ARRAY_SIZE(kScheme));
|
||||
ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
|
||||
if (version_ < SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
// TLS 1.2 disables cipher suites, which leads to a different error.
|
||||
server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
} else {
|
||||
server_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||||
}
|
||||
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
}
|
||||
|
||||
// In TLS 1.2, disabling an EC group causes ECDSA to be invalid.
|
||||
TEST_P(TlsConnectTls12, Tls12CertDisabledGroup) {
|
||||
Reset(TlsAgent::kServerEcdsa256);
|
||||
static const std::vector<SSLNamedGroup> k25519 = {ssl_grp_ec_curve25519};
|
||||
server_->ConfigNamedGroups(k25519);
|
||||
ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
|
||||
server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
}
|
||||
|
||||
// In TLS 1.3, ECDSA configuration only depends on the signature scheme.
|
||||
TEST_P(TlsConnectTls13, Tls13CertDisabledGroup) {
|
||||
Reset(TlsAgent::kServerEcdsa256);
|
||||
static const std::vector<SSLNamedGroup> k25519 = {ssl_grp_ec_curve25519};
|
||||
server_->ConfigNamedGroups(k25519);
|
||||
Connect();
|
||||
}
|
||||
|
||||
// A client should refuse to even start a handshake with only DSA.
|
||||
TEST_P(TlsConnectTls13, Tls13DsaOnlyClient) {
|
||||
static const SSLSignatureScheme kDsa[] = {ssl_sig_dsa_sha256};
|
||||
client_->SetSignatureSchemes(kDsa, PR_ARRAY_SIZE(kDsa));
|
||||
client_->StartConnect();
|
||||
client_->Handshake();
|
||||
EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state());
|
||||
client_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectTls13, Tls13DsaOnlyServer) {
|
||||
Reset(TlsAgent::kServerDsa);
|
||||
static const SSLSignatureScheme kDsa[] = {ssl_sig_dsa_sha256};
|
||||
server_->SetSignatureSchemes(kDsa, PR_ARRAY_SIZE(kDsa));
|
||||
ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
|
||||
server_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||||
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectTls13, Tls13Pkcs1OnlyClient) {
|
||||
static const SSLSignatureScheme kPkcs1[] = {ssl_sig_rsa_pkcs1_sha256};
|
||||
client_->SetSignatureSchemes(kPkcs1, PR_ARRAY_SIZE(kPkcs1));
|
||||
client_->StartConnect();
|
||||
client_->Handshake();
|
||||
EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state());
|
||||
client_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectTls13, Tls13Pkcs1OnlyServer) {
|
||||
static const SSLSignatureScheme kPkcs1[] = {ssl_sig_rsa_pkcs1_sha256};
|
||||
server_->SetSignatureSchemes(kPkcs1, PR_ARRAY_SIZE(kPkcs1));
|
||||
ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
|
||||
server_->CheckErrorCode(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||||
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectTls13, Tls13DsaIsNotAdvertisedClient) {
|
||||
EnsureTlsSetup();
|
||||
static const SSLSignatureScheme kSchemes[] = {ssl_sig_dsa_sha256,
|
||||
ssl_sig_rsa_pss_rsae_sha256};
|
||||
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||
auto capture =
|
||||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_signature_algorithms_xtn);
|
||||
Connect();
|
||||
// We should only have the one signature algorithm advertised.
|
||||
static const uint8_t kExpectedExt[] = {0, 2, ssl_sig_rsa_pss_rsae_sha256 >> 8,
|
||||
ssl_sig_rsa_pss_rsae_sha256 & 0xff};
|
||||
ASSERT_EQ(DataBuffer(kExpectedExt, sizeof(kExpectedExt)),
|
||||
capture->extension());
|
||||
}
|
||||
|
||||
TEST_P(TlsConnectTls13, Tls13DsaIsNotAdvertisedServer) {
|
||||
EnsureTlsSetup();
|
||||
static const SSLSignatureScheme kSchemes[] = {ssl_sig_dsa_sha256,
|
||||
ssl_sig_rsa_pss_rsae_sha256};
|
||||
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||
auto capture = MakeTlsFilter<TlsExtensionCapture>(
|
||||
server_, ssl_signature_algorithms_xtn, true);
|
||||
capture->SetHandshakeTypes({kTlsHandshakeCertificateRequest});
|
||||
capture->EnableDecryption();
|
||||
server_->RequestClientAuth(false); // So we get a CertificateRequest.
|
||||
Connect();
|
||||
// We should only have the one signature algorithm advertised.
|
||||
static const uint8_t kExpectedExt[] = {0, 2, ssl_sig_rsa_pss_rsae_sha256 >> 8,
|
||||
ssl_sig_rsa_pss_rsae_sha256 & 0xff};
|
||||
ASSERT_EQ(DataBuffer(kExpectedExt, sizeof(kExpectedExt)),
|
||||
capture->extension());
|
||||
}
|
||||
|
||||
// variant, version, certificate, auth type, signature scheme
|
||||
typedef std::tuple<SSLProtocolVariant, uint16_t, std::string, SSLAuthType,
|
||||
SSLSignatureScheme>
|
||||
|
|
|
@ -56,6 +56,9 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
|
|||
|
||||
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
std::vector<SSLNamedGroup> groups = {group_};
|
||||
if (cert_group_ != ssl_grp_none) {
|
||||
groups.push_back(cert_group_);
|
||||
}
|
||||
client_->ConfigNamedGroups(groups);
|
||||
server_->ConfigNamedGroups(groups);
|
||||
kea_type_ = SSLInt_GetKEAType(group_);
|
||||
|
@ -69,34 +72,47 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
|
|||
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
switch (sig_scheme_) {
|
||||
case ssl_sig_rsa_pss_rsae_sha256:
|
||||
std::cerr << "Signature scheme: rsa_pss_rsae_sha256" << std::endl;
|
||||
Reset(TlsAgent::kServerRsaSign);
|
||||
auth_type_ = ssl_auth_rsa_sign;
|
||||
break;
|
||||
case ssl_sig_rsa_pss_rsae_sha384:
|
||||
std::cerr << "Signature scheme: rsa_pss_rsae_sha384" << std::endl;
|
||||
Reset(TlsAgent::kServerRsaSign);
|
||||
auth_type_ = ssl_auth_rsa_sign;
|
||||
break;
|
||||
case ssl_sig_rsa_pss_rsae_sha512:
|
||||
// You can't fit SHA-512 PSS in a 1024-bit key.
|
||||
std::cerr << "Signature scheme: rsa_pss_rsae_sha512" << std::endl;
|
||||
Reset(TlsAgent::kRsa2048);
|
||||
auth_type_ = ssl_auth_rsa_sign;
|
||||
break;
|
||||
case ssl_sig_rsa_pss_pss_sha256:
|
||||
std::cerr << "Signature scheme: rsa_pss_pss_sha256" << std::endl;
|
||||
Reset(TlsAgent::kServerRsaPss);
|
||||
auth_type_ = ssl_auth_rsa_pss;
|
||||
break;
|
||||
case ssl_sig_rsa_pss_pss_sha384:
|
||||
std::cerr << "Signature scheme: rsa_pss_pss_sha384" << std::endl;
|
||||
Reset("rsa_pss384");
|
||||
auth_type_ = ssl_auth_rsa_pss;
|
||||
break;
|
||||
case ssl_sig_rsa_pss_pss_sha512:
|
||||
std::cerr << "Signature scheme: rsa_pss_pss_sha512" << std::endl;
|
||||
Reset("rsa_pss512");
|
||||
auth_type_ = ssl_auth_rsa_pss;
|
||||
break;
|
||||
case ssl_sig_ecdsa_secp256r1_sha256:
|
||||
std::cerr << "Signature scheme: ecdsa_secp256r1_sha256" << std::endl;
|
||||
Reset(TlsAgent::kServerEcdsa256);
|
||||
auth_type_ = ssl_auth_ecdsa;
|
||||
cert_group_ = ssl_grp_ec_secp256r1;
|
||||
break;
|
||||
case ssl_sig_ecdsa_secp384r1_sha384:
|
||||
std::cerr << "Signature scheme: ecdsa_secp384r1_sha384" << std::endl;
|
||||
Reset(TlsAgent::kServerEcdsa384);
|
||||
auth_type_ = ssl_auth_ecdsa;
|
||||
cert_group_ = ssl_grp_ec_secp384r1;
|
||||
break;
|
||||
default:
|
||||
ADD_FAILURE() << "Unsupported signature scheme: " << sig_scheme_;
|
||||
|
@ -112,9 +128,11 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
|
|||
break;
|
||||
case ssl_auth_ecdsa:
|
||||
Reset(TlsAgent::kServerEcdsa256);
|
||||
cert_group_ = ssl_grp_ec_secp256r1;
|
||||
break;
|
||||
case ssl_auth_ecdh_ecdsa:
|
||||
Reset(TlsAgent::kServerEcdhEcdsa);
|
||||
cert_group_ = ssl_grp_ec_secp256r1;
|
||||
break;
|
||||
case ssl_auth_ecdh_rsa:
|
||||
Reset(TlsAgent::kServerEcdhRsa);
|
||||
|
@ -192,6 +210,7 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
|
|||
SSLAuthType auth_type_;
|
||||
SSLKEAType kea_type_;
|
||||
SSLNamedGroup group_;
|
||||
SSLNamedGroup cert_group_ = ssl_grp_none;
|
||||
SSLSignatureScheme sig_scheme_;
|
||||
SSLCipherSuiteInfo csinfo_;
|
||||
};
|
||||
|
|
|
@ -652,7 +652,7 @@ TEST_P(TlsExtensionTest12, SignatureAlgorithmDisableDSA) {
|
|||
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_signature_algorithms_xtn);
|
||||
client_->SetSignatureSchemes(schemes.data(), schemes.size());
|
||||
ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
|
||||
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
|
||||
server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
|
||||
// Check if no DSA algorithms are advertised.
|
||||
|
|
|
@ -252,4 +252,4 @@ INSTANTIATE_TEST_CASE_P(
|
|||
FuzzDatagram, TlsFuzzTest,
|
||||
::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram,
|
||||
TlsConnectTestBase::kTlsV11Plus));
|
||||
}
|
||||
} // namespace nss_test
|
||||
|
|
|
@ -472,4 +472,4 @@ TEST_P(TlsConnectTls13, EsniButTLS12Server) {
|
|||
ASSERT_FALSE(SSLInt_ExtensionNegotiated(server_->ssl_fd(),
|
||||
ssl_tls13_encrypted_sni_xtn));
|
||||
}
|
||||
}
|
||||
} // namespace nss_test
|
||||
|
|
|
@ -412,7 +412,6 @@ CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
|
|||
cc->derIssuer.data);
|
||||
nssItem_Create(c->object.arena, &c->subject, cc->derSubject.len,
|
||||
cc->derSubject.data);
|
||||
if (PR_TRUE) {
|
||||
/* CERTCertificate stores serial numbers decoded. I need the DER
|
||||
* here. sigh.
|
||||
*/
|
||||
|
@ -423,7 +422,7 @@ CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
|
|||
nssItem_Create(c->object.arena, &c->serial, derSerial.len,
|
||||
derSerial.data);
|
||||
PORT_Free(derSerial.data);
|
||||
}
|
||||
|
||||
if (nickname) {
|
||||
c->object.tempName =
|
||||
nssUTF8_Create(c->object.arena, nssStringType_UTF8String,
|
||||
|
|
|
@ -120,7 +120,24 @@ else
|
|||
endif
|
||||
endif
|
||||
ifeq ($(CPU_ARCH),aarch64)
|
||||
EXTRA_SRCS += gcm-aarch64.c
|
||||
DEFINES += -DUSE_HW_AES
|
||||
EXTRA_SRCS += aes-armv8.c gcm-aarch64.c
|
||||
endif
|
||||
ifeq ($(CPU_ARCH),arm)
|
||||
ifdef CC_IS_CLANG
|
||||
DEFINES += -DUSE_HW_AES
|
||||
EXTRA_SRCS += aes-armv8.c
|
||||
else ifeq (1,$(CC_IS_GCC))
|
||||
# Old compiler doesn't support ARM AES.
|
||||
ifneq (,$(filter 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
|
||||
DEFINES += -DUSE_HW_AES
|
||||
EXTRA_SRCS += aes-armv8.c
|
||||
endif
|
||||
ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
|
||||
DEFINES += -DUSE_HW_AES
|
||||
EXTRA_SRCS += aes-armv8.c
|
||||
endif
|
||||
endif
|
||||
endif
|
||||
|
||||
ifeq ($(OS_TARGET),OSF1)
|
||||
|
@ -761,6 +778,10 @@ ifdef INTEL_GCM_CLANG_CL
|
|||
$(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): CFLAGS += -mssse3
|
||||
endif
|
||||
|
||||
ifeq ($(CPU_ARCH),arm)
|
||||
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8
|
||||
endif
|
||||
ifeq ($(CPU_ARCH),aarch64)
|
||||
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
|
||||
$(OBJDIR)/$(PROG_PREFIX)gcm-aarch64$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
|
||||
endif
|
||||
|
|
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
@ -0,0 +1,103 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
SECStatus arm_aes_encrypt_ecb_128(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_decrypt_ecb_128(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_encrypt_cbc_128(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_decrypt_cbc_128(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_encrypt_ecb_192(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_decrypt_ecb_192(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_encrypt_cbc_192(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_decrypt_cbc_192(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_encrypt_ecb_256(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_decrypt_ecb_256(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_encrypt_cbc_256(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
SECStatus arm_aes_decrypt_cbc_256(AESContext *cx, unsigned char *output,
|
||||
unsigned int *outputLen,
|
||||
unsigned int maxOutputLen,
|
||||
const unsigned char *input,
|
||||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
|
||||
#define native_aes_ecb_worker(encrypt, keysize) \
|
||||
((encrypt) \
|
||||
? ((keysize) == 16 ? arm_aes_encrypt_ecb_128 \
|
||||
: (keysize) == 24 ? arm_aes_encrypt_ecb_192 \
|
||||
: arm_aes_encrypt_ecb_256) \
|
||||
: ((keysize) == 16 ? arm_aes_decrypt_ecb_128 \
|
||||
: (keysize) == 24 ? arm_aes_decrypt_ecb_192 \
|
||||
: arm_aes_decrypt_ecb_256))
|
||||
|
||||
#define native_aes_cbc_worker(encrypt, keysize) \
|
||||
((encrypt) \
|
||||
? ((keysize) == 16 ? arm_aes_encrypt_cbc_128 \
|
||||
: (keysize) == 24 ? arm_aes_encrypt_cbc_192 \
|
||||
: arm_aes_encrypt_cbc_256) \
|
||||
: ((keysize) == 16 ? arm_aes_decrypt_cbc_128 \
|
||||
: (keysize) == 24 ? arm_aes_decrypt_cbc_192 \
|
||||
: arm_aes_decrypt_cbc_256))
|
||||
|
||||
#define native_aes_init(encrypt, keysize) \
|
||||
do { \
|
||||
if (encrypt) { \
|
||||
rijndael_key_expansion(cx, key, Nk); \
|
||||
} else { \
|
||||
rijndael_invkey_expansion(cx, key, Nk); \
|
||||
} \
|
||||
} while (0)
|
|
@ -132,6 +132,35 @@
|
|||
'-march=armv8-a+crypto'
|
||||
]
|
||||
},
|
||||
{
|
||||
'target_name': 'armv8_c_lib',
|
||||
'type': 'static_library',
|
||||
'sources': [
|
||||
'aes-armv8.c',
|
||||
],
|
||||
'dependencies': [
|
||||
'<(DEPTH)/exports.gyp:nss_exports'
|
||||
],
|
||||
'conditions': [
|
||||
[ 'target_arch=="arm"', {
|
||||
'cflags': [
|
||||
'-march=armv8-a',
|
||||
'-mfpu=crypto-neon-fp-armv8'
|
||||
],
|
||||
'cflags_mozilla': [
|
||||
'-march=armv8-a',
|
||||
'-mfpu=crypto-neon-fp-armv8'
|
||||
],
|
||||
}, 'target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'cflags': [
|
||||
'-march=armv8-a+crypto'
|
||||
],
|
||||
'cflags_mozilla': [
|
||||
'-march=armv8-a+crypto'
|
||||
],
|
||||
}]
|
||||
]
|
||||
},
|
||||
{
|
||||
'target_name': 'freebl',
|
||||
'type': 'static_library',
|
||||
|
@ -160,6 +189,10 @@
|
|||
'dependencies': [
|
||||
'gcm-aes-x86_c_lib',
|
||||
],
|
||||
}, 'disable_arm_hw_aes==0 and (target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64")', {
|
||||
'dependencies': [
|
||||
'armv8_c_lib'
|
||||
],
|
||||
}],
|
||||
[ 'target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'dependencies': [
|
||||
|
@ -202,6 +235,10 @@
|
|||
'dependencies': [
|
||||
'gcm-aes-x86_c_lib',
|
||||
]
|
||||
}, 'target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'dependencies': [
|
||||
'armv8_c_lib',
|
||||
],
|
||||
}],
|
||||
[ 'target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'dependencies': [
|
||||
|
@ -431,6 +468,11 @@
|
|||
'ARMHF',
|
||||
],
|
||||
}],
|
||||
[ 'disable_arm_hw_aes==0 and (target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64")', {
|
||||
'defines': [
|
||||
'USE_HW_AES',
|
||||
],
|
||||
}],
|
||||
],
|
||||
}],
|
||||
],
|
||||
|
|
|
@ -100,7 +100,7 @@ SECStatus intel_aes_encrypt_ctr_256(CTRContext *cx, unsigned char *output,
|
|||
unsigned int inputLen,
|
||||
unsigned int blocksize);
|
||||
|
||||
#define intel_aes_ecb_worker(encrypt, keysize) \
|
||||
#define native_aes_ecb_worker(encrypt, keysize) \
|
||||
((encrypt) \
|
||||
? ((keysize) == 16 ? intel_aes_encrypt_ecb_128 \
|
||||
: (keysize) == 24 ? intel_aes_encrypt_ecb_192 \
|
||||
|
@ -109,7 +109,7 @@ SECStatus intel_aes_encrypt_ctr_256(CTRContext *cx, unsigned char *output,
|
|||
: (keysize) == 24 ? intel_aes_decrypt_ecb_192 \
|
||||
: intel_aes_decrypt_ecb_256))
|
||||
|
||||
#define intel_aes_cbc_worker(encrypt, keysize) \
|
||||
#define native_aes_cbc_worker(encrypt, keysize) \
|
||||
((encrypt) \
|
||||
? ((keysize) == 16 ? intel_aes_encrypt_cbc_128 \
|
||||
: (keysize) == 24 ? intel_aes_encrypt_cbc_192 \
|
||||
|
@ -123,7 +123,7 @@ SECStatus intel_aes_encrypt_ctr_256(CTRContext *cx, unsigned char *output,
|
|||
: (nr) == 12 ? intel_aes_encrypt_ctr_192 \
|
||||
: intel_aes_encrypt_ctr_256)
|
||||
|
||||
#define intel_aes_init(encrypt, keysize) \
|
||||
#define native_aes_init(encrypt, keysize) \
|
||||
do { \
|
||||
if (encrypt) { \
|
||||
if (keysize == 16) \
|
||||
|
|
|
@ -20,9 +20,18 @@
|
|||
#include "gcm.h"
|
||||
#include "mpi.h"
|
||||
|
||||
#ifdef USE_HW_AES
|
||||
#include "intel-aes.h"
|
||||
#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)
|
||||
// not test yet on big endian platform of arm
|
||||
#undef USE_HW_AES
|
||||
#endif
|
||||
|
||||
#ifdef USE_HW_AES
|
||||
#ifdef NSS_X86_OR_X64
|
||||
#include "intel-aes.h"
|
||||
#else
|
||||
#include "aes-armv8.h"
|
||||
#endif
|
||||
#endif /* USE_HW_AES */
|
||||
#ifdef INTEL_GCM
|
||||
#include "intel-gcm.h"
|
||||
#endif /* INTEL_GCM */
|
||||
|
@ -847,7 +856,11 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
|
|||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
use_hw_aes = aesni_support() && (keysize % 8) == 0;
|
||||
#if defined(NSS_X86_OR_X64) || defined(USE_HW_AES)
|
||||
use_hw_aes = (aesni_support() || arm_aes_support()) && (keysize % 8) == 0;
|
||||
#else
|
||||
use_hw_aes = PR_FALSE;
|
||||
#endif
|
||||
/* Nb = (block size in bits) / 32 */
|
||||
cx->Nb = AES_BLOCK_SIZE / 4;
|
||||
/* Nk = (key size in bits) / 32 */
|
||||
|
@ -860,7 +873,7 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
|
|||
#ifdef USE_HW_AES
|
||||
if (use_hw_aes) {
|
||||
cx->worker = (freeblCipherFunc)
|
||||
intel_aes_cbc_worker(encrypt, keysize);
|
||||
native_aes_cbc_worker(encrypt, keysize);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
|
@ -872,7 +885,7 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
|
|||
#ifdef USE_HW_AES
|
||||
if (use_hw_aes) {
|
||||
cx->worker = (freeblCipherFunc)
|
||||
intel_aes_ecb_worker(encrypt, keysize);
|
||||
native_aes_ecb_worker(encrypt, keysize);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
|
@ -888,7 +901,7 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
|
|||
}
|
||||
#ifdef USE_HW_AES
|
||||
if (use_hw_aes) {
|
||||
intel_aes_init(encrypt, keysize);
|
||||
native_aes_init(encrypt, keysize);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
|
|
|
@ -488,13 +488,11 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule)
|
|||
goto fail;
|
||||
|
||||
#ifdef DEBUG_MODULE
|
||||
if (PR_TRUE) {
|
||||
modToDBG = PR_GetEnvSecure("NSS_DEBUG_PKCS11_MODULE");
|
||||
if (modToDBG && strcmp(mod->commonName, modToDBG) == 0) {
|
||||
mod->functionList = (void *)nss_InsertDeviceLog(
|
||||
(CK_FUNCTION_LIST_PTR)mod->functionList);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
mod->isThreadSafe = PR_TRUE;
|
||||
|
|
|
@ -499,6 +499,10 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
|
|||
PK11_SETATTRS(attrs, CKA_DERIVE, (keyUsage & KU_KEY_AGREEMENT) ? &cktrue : &ckfalse,
|
||||
sizeof(CK_BBOOL));
|
||||
attrs++;
|
||||
if (nickname) {
|
||||
PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
|
||||
attrs++;
|
||||
}
|
||||
ck_id = PK11_MakeIDFromPubKey(&lpk->u.ec.publicValue);
|
||||
if (ck_id == NULL) {
|
||||
goto loser;
|
||||
|
|
|
@ -1002,7 +1002,6 @@ STAN_GetNSSCertificate(CERTCertificate *cc)
|
|||
&c->issuer, cc->derIssuer.len, cc->derIssuer.data);
|
||||
nssItem_Create(arena,
|
||||
&c->subject, cc->derSubject.len, cc->derSubject.data);
|
||||
if (PR_TRUE) {
|
||||
/* CERTCertificate stores serial numbers decoded. I need the DER
|
||||
* here. sigh.
|
||||
*/
|
||||
|
@ -1015,7 +1014,7 @@ STAN_GetNSSCertificate(CERTCertificate *cc)
|
|||
}
|
||||
nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
|
||||
PORT_Free(derSerial.data);
|
||||
}
|
||||
|
||||
if (cc->emailAddr && cc->emailAddr[0]) {
|
||||
c->email = nssUTF8_Create(arena,
|
||||
nssStringType_PrintableString,
|
||||
|
|
|
@ -737,7 +737,7 @@ ssl_KEAEnabled(const sslSocket *ss, SSLKEAType keaType)
|
|||
}
|
||||
|
||||
static PRBool
|
||||
ssl_HasCert(const sslSocket *ss, SSLAuthType authType)
|
||||
ssl_HasCert(const sslSocket *ss, PRUint16 maxVersion, SSLAuthType authType)
|
||||
{
|
||||
PRCList *cursor;
|
||||
if (authType == ssl_auth_null || authType == ssl_auth_psk || authType == ssl_auth_tls13_any) {
|
||||
|
@ -757,8 +757,13 @@ ssl_HasCert(const sslSocket *ss, SSLAuthType authType)
|
|||
* enabled, so this will essentially do nothing (unless we implement
|
||||
* curve configuration). However, once we have seen the
|
||||
* supported_groups extension and this is called from config_match(),
|
||||
* this will filter out certificates with an unsupported curve. */
|
||||
if ((authType == ssl_auth_ecdsa ||
|
||||
* this will filter out certificates with an unsupported curve.
|
||||
*
|
||||
* If we might negotiate TLS 1.3, skip this test as group configuration
|
||||
* doesn't affect choices in TLS 1.3.
|
||||
*/
|
||||
if (maxVersion < SSL_LIBRARY_VERSION_TLS_1_3 &&
|
||||
(authType == ssl_auth_ecdsa ||
|
||||
authType == ssl_auth_ecdh_ecdsa ||
|
||||
authType == ssl_auth_ecdh_rsa) &&
|
||||
!ssl_NamedGroupEnabled(ss, cert->namedCurve)) {
|
||||
|
@ -767,7 +772,114 @@ ssl_HasCert(const sslSocket *ss, SSLAuthType authType)
|
|||
return PR_TRUE;
|
||||
}
|
||||
if (authType == ssl_auth_rsa_sign) {
|
||||
return ssl_HasCert(ss, ssl_auth_rsa_pss);
|
||||
return ssl_HasCert(ss, maxVersion, ssl_auth_rsa_pss);
|
||||
}
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
/* Check that a signature scheme is accepted.
|
||||
* Both by policy and by having a token that supports it. */
|
||||
static PRBool
|
||||
ssl_SignatureSchemeAccepted(PRUint16 minVersion,
|
||||
SSLSignatureScheme scheme)
|
||||
{
|
||||
/* Disable RSA-PSS schemes if there are no tokens to verify them. */
|
||||
if (ssl_IsRsaPssSignatureScheme(scheme)) {
|
||||
if (!PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
} else if (ssl_IsRsaPkcs1SignatureScheme(scheme)) {
|
||||
/* Disable PKCS#1 signatures if we are limited to TLS 1.3. */
|
||||
if (minVersion >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
} else if (ssl_IsDsaSignatureScheme(scheme)) {
|
||||
/* DSA: not in TLS 1.3, and check policy. */
|
||||
if (minVersion >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
PRUint32 dsaPolicy;
|
||||
SECStatus rv = NSS_GetAlgorithmPolicy(SEC_OID_ANSIX9_DSA_SIGNATURE,
|
||||
&dsaPolicy);
|
||||
if (rv == SECSuccess && (dsaPolicy & NSS_USE_ALG_IN_SSL_KX) == 0) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
/* Hash policy. */
|
||||
PRUint32 hashPolicy;
|
||||
SSLHashType hashType = ssl_SignatureSchemeToHashType(scheme);
|
||||
SECOidTag hashOID = ssl3_HashTypeToOID(hashType);
|
||||
SECStatus rv = NSS_GetAlgorithmPolicy(hashOID, &hashPolicy);
|
||||
if (rv == SECSuccess && (hashPolicy & NSS_USE_ALG_IN_SSL_KX) == 0) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
return PR_TRUE;
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
ssl_CheckSignatureSchemes(sslSocket *ss)
|
||||
{
|
||||
if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_2) {
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* If this is a server using TLS 1.3, we just need to have one signature
|
||||
* scheme for which we have a usable certificate.
|
||||
*
|
||||
* Note: Certificates for earlier TLS versions are checked along with the
|
||||
* cipher suite in ssl3_config_match_init. */
|
||||
if (ss->sec.isServer && ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
PRBool foundCert = PR_FALSE;
|
||||
for (unsigned int i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
SSLAuthType authType =
|
||||
ssl_SignatureSchemeToAuthType(ss->ssl3.signatureSchemes[i]);
|
||||
if (ssl_HasCert(ss, ss->vrange.max, authType)) {
|
||||
foundCert = PR_TRUE;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!foundCert) {
|
||||
PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||||
return SECFailure;
|
||||
}
|
||||
}
|
||||
|
||||
/* Ensure that there is a signature scheme that can be accepted.*/
|
||||
for (unsigned int i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
if (ssl_SignatureSchemeAccepted(ss->vrange.min,
|
||||
ss->ssl3.signatureSchemes[i])) {
|
||||
return SECSuccess;
|
||||
}
|
||||
}
|
||||
PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
/* For a server, check that a signature scheme that can be used with the
|
||||
* provided authType is both enabled and usable. */
|
||||
static PRBool
|
||||
ssl_HasSignatureScheme(const sslSocket *ss, SSLAuthType authType)
|
||||
{
|
||||
PORT_Assert(ss->sec.isServer);
|
||||
PORT_Assert(ss->ssl3.hs.preliminaryInfo & ssl_preinfo_version);
|
||||
PORT_Assert(authType != ssl_auth_null);
|
||||
PORT_Assert(authType != ssl_auth_tls13_any);
|
||||
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2 ||
|
||||
authType == ssl_auth_rsa_decrypt ||
|
||||
authType == ssl_auth_ecdh_rsa ||
|
||||
authType == ssl_auth_ecdh_ecdsa) {
|
||||
return PR_TRUE;
|
||||
}
|
||||
for (unsigned int i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
SSLSignatureScheme scheme = ss->ssl3.signatureSchemes[i];
|
||||
SSLAuthType schemeAuthType = ssl_SignatureSchemeToAuthType(scheme);
|
||||
PRBool acceptable = authType == schemeAuthType ||
|
||||
(schemeAuthType == ssl_auth_rsa_pss &&
|
||||
authType == ssl_auth_rsa_sign);
|
||||
if (acceptable && ssl_SignatureSchemeAccepted(ss->version, scheme)) {
|
||||
return PR_TRUE;
|
||||
}
|
||||
}
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
@ -798,6 +910,9 @@ ssl3_config_match_init(sslSocket *ss)
|
|||
if (SSL_ALL_VERSIONS_DISABLED(&ss->vrange)) {
|
||||
return 0;
|
||||
}
|
||||
if (ssl_CheckSignatureSchemes(ss) != SECSuccess) {
|
||||
return 0; /* Code already set. */
|
||||
}
|
||||
|
||||
ssl_FilterSupportedGroups(ss);
|
||||
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
|
||||
|
@ -820,10 +935,11 @@ ssl3_config_match_init(sslSocket *ss)
|
|||
|
||||
authType = kea_defs[cipher_def->key_exchange_alg].authKeyType;
|
||||
if (authType != ssl_auth_null && authType != ssl_auth_tls13_any) {
|
||||
if (ss->sec.isServer && !ssl_HasCert(ss, authType)) {
|
||||
if (ss->sec.isServer &&
|
||||
!(ssl_HasCert(ss, ss->vrange.max, authType) &&
|
||||
ssl_HasSignatureScheme(ss, authType))) {
|
||||
suite->isPresent = PR_FALSE;
|
||||
}
|
||||
if (!PK11_TokenExists(auth_alg_defs[authType])) {
|
||||
} else if (!PK11_TokenExists(auth_alg_defs[authType])) {
|
||||
suite->isPresent = PR_FALSE;
|
||||
}
|
||||
}
|
||||
|
@ -887,7 +1003,7 @@ ssl3_config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy,
|
|||
return PR_FALSE;
|
||||
}
|
||||
|
||||
if (ss->sec.isServer && !ssl_HasCert(ss, kea_def->authKeyType)) {
|
||||
if (ss->sec.isServer && !ssl_HasCert(ss, vrange->max, kea_def->authKeyType)) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
|
@ -4156,6 +4272,9 @@ ssl_SignatureSchemeValid(SSLSignatureScheme scheme, SECOidTag spkiOid,
|
|||
if (ssl_IsRsaPkcs1SignatureScheme(scheme)) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
if (ssl_IsDsaSignatureScheme(scheme)) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
/* With TLS 1.3, EC keys should have been selected based on calling
|
||||
* ssl_SignatureSchemeFromSpki(), reject them otherwise. */
|
||||
return spkiOid != SEC_OID_ANSIX962_EC_PUBLIC_KEY;
|
||||
|
@ -4270,6 +4389,7 @@ ssl_SignatureSchemeFromSpki(const CERTSubjectPublicKeyInfo *spki,
|
|||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* Check that a signature scheme is enabled by configuration. */
|
||||
PRBool
|
||||
ssl_SignatureSchemeEnabled(const sslSocket *ss, SSLSignatureScheme scheme)
|
||||
{
|
||||
|
@ -8052,6 +8172,7 @@ ssl3_NegotiateCipherSuiteInner(sslSocket *ss, const SECItem *suites,
|
|||
}
|
||||
}
|
||||
}
|
||||
PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
|
@ -8076,6 +8197,14 @@ ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites,
|
|||
PRUint16 selected;
|
||||
SECStatus rv;
|
||||
|
||||
/* Ensure that only valid cipher suites are enabled. */
|
||||
if (ssl3_config_match_init(ss) == 0) {
|
||||
/* No configured cipher is both supported by PK11 and allowed.
|
||||
* This is a configuration error, so report handshake failure.*/
|
||||
FATAL_ERROR(ss, PORT_GetError(), handshake_failure);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
rv = ssl3_NegotiateCipherSuiteInner(ss, suites, ss->version, &selected);
|
||||
if (rv != SECSuccess) {
|
||||
return SECFailure;
|
||||
|
@ -8205,13 +8334,6 @@ ssl3_ServerCallSNICallback(sslSocket *ss)
|
|||
ret = SSL_SNI_SEND_ALERT;
|
||||
break;
|
||||
}
|
||||
if (ssl3_config_match_init(ss) == 0) {
|
||||
/* no ciphers are working/supported */
|
||||
errCode = PORT_GetError();
|
||||
desc = handshake_failure;
|
||||
ret = SSL_SNI_SEND_ALERT;
|
||||
break;
|
||||
}
|
||||
/* Need to tell the client that application has picked
|
||||
* the name from the offered list and reconfigured the socket.
|
||||
* Don't do this if we negotiated ESNI.
|
||||
|
@ -8845,9 +8967,7 @@ ssl3_HandleClientHelloPart2(sslSocket *ss,
|
|||
if (sid)
|
||||
do {
|
||||
ssl3CipherSuiteCfg *suite;
|
||||
#ifdef PARANOID
|
||||
SSLVersionRange vrange = { ss->version, ss->version };
|
||||
#endif
|
||||
|
||||
suite = ss->cipherSuites;
|
||||
/* Find the entry for the cipher suite used in the cached session. */
|
||||
|
@ -8858,18 +8978,18 @@ ssl3_HandleClientHelloPart2(sslSocket *ss,
|
|||
PORT_Assert(j > 0);
|
||||
if (j == 0)
|
||||
break;
|
||||
#ifdef PARANOID
|
||||
|
||||
/* Double check that the cached cipher suite is still enabled,
|
||||
* implemented, and allowed by policy. Might have been disabled.
|
||||
* The product policy won't change during the process lifetime.
|
||||
* Implemented ("isPresent") shouldn't change for servers.
|
||||
*/
|
||||
if (ssl3_config_match_init(ss) == 0) {
|
||||
desc = handshake_failure;
|
||||
errCode = PORT_GetError();
|
||||
goto alert_loser;
|
||||
}
|
||||
if (!ssl3_config_match(suite, ss->ssl3.policy, &vrange, ss))
|
||||
break;
|
||||
#else
|
||||
if (!suite->enabled)
|
||||
break;
|
||||
#endif
|
||||
|
||||
/* Double check that the cached cipher suite is in the client's
|
||||
* list. If it isn't, fall through and start a new session. */
|
||||
for (i = 0; i + 1 < suites->len; i += 2) {
|
||||
|
@ -8887,21 +9007,12 @@ ssl3_HandleClientHelloPart2(sslSocket *ss,
|
|||
}
|
||||
}
|
||||
} while (0);
|
||||
/* START A NEW SESSION */
|
||||
|
||||
#ifndef PARANOID
|
||||
/* Look for a matching cipher suite. */
|
||||
if (ssl3_config_match_init(ss) == 0) {
|
||||
desc = internal_error;
|
||||
errCode = PORT_GetError(); /* error code is already set. */
|
||||
goto alert_loser;
|
||||
}
|
||||
#endif
|
||||
/* START A NEW SESSION */
|
||||
|
||||
rv = ssl3_NegotiateCipherSuite(ss, suites, PR_TRUE);
|
||||
if (rv != SECSuccess) {
|
||||
desc = handshake_failure;
|
||||
errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
|
||||
errCode = PORT_GetError();
|
||||
goto alert_loser;
|
||||
}
|
||||
|
||||
|
@ -9669,10 +9780,9 @@ ssl3_SendServerKeyExchange(sslSocket *ss)
|
|||
}
|
||||
|
||||
SECStatus
|
||||
ssl3_EncodeSigAlgs(const sslSocket *ss, sslBuffer *buf)
|
||||
ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, sslBuffer *buf)
|
||||
{
|
||||
unsigned int lengthOffset;
|
||||
unsigned int i;
|
||||
PRBool found = PR_FALSE;
|
||||
SECStatus rv;
|
||||
|
||||
|
@ -9681,33 +9791,13 @@ ssl3_EncodeSigAlgs(const sslSocket *ss, sslBuffer *buf)
|
|||
return SECFailure;
|
||||
}
|
||||
|
||||
for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
PRUint32 policy = 0;
|
||||
SSLHashType hashType = ssl_SignatureSchemeToHashType(
|
||||
ss->ssl3.signatureSchemes[i]);
|
||||
SECOidTag hashOID = ssl3_HashTypeToOID(hashType);
|
||||
|
||||
/* Skip RSA-PSS schemes if there are no tokens to verify them. */
|
||||
if (ssl_IsRsaPssSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
|
||||
!PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) {
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Skip DSA scheme if it is disabled by policy. */
|
||||
if (ssl_IsDsaSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
|
||||
(NSS_GetAlgorithmPolicy(SEC_OID_ANSIX9_DSA_SIGNATURE, &policy) ==
|
||||
SECSuccess) &&
|
||||
!(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
|
||||
(policy & NSS_USE_ALG_IN_SSL_KX)) {
|
||||
for (unsigned int i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
|
||||
if (ssl_SignatureSchemeAccepted(minVersion,
|
||||
ss->ssl3.signatureSchemes[i])) {
|
||||
rv = sslBuffer_AppendNumber(buf, ss->ssl3.signatureSchemes[i], 2);
|
||||
if (rv != SECSuccess) {
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
found = PR_TRUE;
|
||||
}
|
||||
}
|
||||
|
@ -9753,7 +9843,7 @@ ssl3_SendCertificateRequest(sslSocket *ss)
|
|||
|
||||
length = 1 + certTypesLength + 2 + calen;
|
||||
if (isTLS12) {
|
||||
rv = ssl3_EncodeSigAlgs(ss, &sigAlgsBuf);
|
||||
rv = ssl3_EncodeSigAlgs(ss, ss->version, &sigAlgsBuf);
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
}
|
||||
|
|
|
@ -1636,13 +1636,18 @@ SECStatus
|
|||
ssl3_SendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
|
||||
sslBuffer *buf, PRBool *added)
|
||||
{
|
||||
SECStatus rv;
|
||||
|
||||
if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_2) {
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
rv = ssl3_EncodeSigAlgs(ss, buf);
|
||||
PRUint16 minVersion;
|
||||
if (ss->sec.isServer) {
|
||||
minVersion = ss->version; /* CertificateRequest */
|
||||
} else {
|
||||
minVersion = ss->vrange.min; /* ClientHello */
|
||||
}
|
||||
|
||||
SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, buf);
|
||||
if (rv != SECSuccess) {
|
||||
return SECFailure;
|
||||
}
|
||||
|
|
|
@ -1681,7 +1681,8 @@ SECStatus ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey);
|
|||
SECStatus ssl3_AuthCertificate(sslSocket *ss);
|
||||
SECStatus ssl_ReadCertificateStatus(sslSocket *ss, PRUint8 *b,
|
||||
PRUint32 length);
|
||||
SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, sslBuffer *buf);
|
||||
SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion,
|
||||
sslBuffer *buf);
|
||||
SECStatus ssl_GetCertificateRequestCAs(const sslSocket *ss,
|
||||
unsigned int *calenp,
|
||||
const SECItem **namesp,
|
||||
|
|
|
@ -1731,18 +1731,10 @@ tls13_HandleClientHelloPart2(sslSocket *ss,
|
|||
ss->ssl3.hs.zeroRttState = ssl_0rtt_sent;
|
||||
}
|
||||
|
||||
#ifndef PARANOID
|
||||
/* Look for a matching cipher suite. */
|
||||
if (ssl3_config_match_init(ss) == 0) { /* no ciphers are working/supported by PK11 */
|
||||
FATAL_ERROR(ss, PORT_GetError(), internal_error);
|
||||
goto loser;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Negotiate cipher suite. */
|
||||
rv = ssl3_NegotiateCipherSuite(ss, suites, PR_FALSE);
|
||||
if (rv != SECSuccess) {
|
||||
FATAL_ERROR(ss, SSL_ERROR_NO_CYPHER_OVERLAP, handshake_failure);
|
||||
FATAL_ERROR(ss, PORT_GetError(), handshake_failure);
|
||||
goto loser;
|
||||
}
|
||||
|
||||
|
|
Загрузка…
Ссылка в новой задаче