Bug 1470914, land NSS beta snapshot 6349fa699c3b UPGRADE_NSS_RELEASE, r=me

2018-08-15 14:42:53 +02:00 · 2018-08-15 14:42:53 +02:00 · fdf57fee14
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-01d970fe9048
+6349fa699c3b
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,3 +10,4 @@
 */

 #error "Do not include this header file."
+
--- a/security/nss/gtests/nss_bogo_shim/config.json
+++ b/security/nss/gtests/nss_bogo_shim/config.json
@ -15,8 +15,6 @@
        "ServerCipherFilter*":"Add Ed25519 support (Bug 1325335)",
        "GarbageCertificate*":"Send bad_certificate alert when certificate parsing fails (Bug 1441565)",
        "SupportedVersionSelection-TLS12":"Should maybe reject TLS 1.2 in SH.supported_versions (Bug 1438266)",
-        "WrongMessageType-TLS13-EncryptedExtensions":"wrong boring expectedLocalError",
-        "TrailingMessageData-TLS13-EncryptedExtensions":"wrong boring expectedLocalError",
        "Resume-Server-BinderWrongLength":"Alert disagreement (Bug 1317633)",
        "Resume-Server-NoPSKBinder":"Alert disagreement (Bug 1317633)",
        "CheckRecordVersion-TLS*":"Bug 1317634",
@ -45,12 +43,14 @@
        "StrayHelloRequest*":"NSS doesn't disable renegotiation by default",
        "NoSupportedCurves-TLS13":"wanted SSL_ERROR_NO_CYPHER_OVERLAP, got missing extension error",
        "FragmentedClientVersion":"received a malformed Client Hello handshake message",
-        "UnofferedExtension-Client-TLS13":"wrong boring expectedLocalError",
-        "UnknownExtension-Client-TLS13":"wrong boring expectedLocalError",
-        "WrongMessageType-TLS13-CertificateRequest":"wrong boring expectedLocalError",
-        "WrongMessageType-TLS13-ServerCertificateVerify":"wrong boring expectedLocalError",
-        "WrongMessageType-TLS13-ServerCertificate":"wrong boring expectedLocalError",
-        "WrongMessageType-TLS13-ServerFinished":"wrong boring expectedLocalError",
+        "WrongMessageType-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "TrailingMessageData-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "UnofferedExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "UnknownExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-CertificateRequest":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-ServerCertificateVerify":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-ServerCertificate":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-ServerFinished":"Boring expects CCS (Bugs 1481209, 1304603)",
        "TrailingMessageData-*": "Bug 1304575",
        "DuplicateKeyShares":"Bug 1304578",
        "Resume-Server-TLS13-TLS13":"Bug 1314351",
--- a/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
@ -197,6 +197,81 @@ TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
                 2048);
 }

+// Replaces the signature scheme in a CertificateVerify message.
+class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
+ public:
+  TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
+                                  SSLSignatureScheme scheme)
+      : TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
+        scheme_(scheme) {
+    EnableDecryption();
+  }
+
+ protected:
+  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
+                                               const DataBuffer& input,
+                                               DataBuffer* output) {
+    *output = input;
+    output->Write(0, scheme_, 2);
+    return CHANGE;
+  }
+
+ private:
+  SSLSignatureScheme scheme_;
+};
+
+// Check if CertificateVerify signed with rsa_pss_rsae_* is properly
+// rejected when the certificate is RSA-PSS.
+//
+// This only works under TLS 1.2, because PSS doesn't work with TLS
+// 1.0 or TLS 1.1 and the TLS 1.3 1-RTT handshake is partially
+// successful at the client side.
+TEST_P(TlsConnectTls12, ClientAuthInconsistentRsaeSignatureScheme) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_pss_sha256, ssl_sig_rsa_pss_rsae_sha256};
+
+  Reset(TlsAgent::kServerRsa, "rsa_pss");
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+
+  EnsureTlsSetup();
+
+  MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_,
+                                                 ssl_sig_rsa_pss_rsae_sha256);
+
+  ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
+}
+
+// Check if CertificateVerify signed with rsa_pss_pss_* is properly
+// rejected when the certificate is RSA.
+//
+// This only works under TLS 1.2, because PSS doesn't work with TLS
+// 1.0 or TLS 1.1 and the TLS 1.3 1-RTT handshake is partially
+// successful at the client side.
+TEST_P(TlsConnectTls12, ClientAuthInconsistentPssSignatureScheme) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_rsae_sha256, ssl_sig_rsa_pss_pss_sha256};
+
+  Reset(TlsAgent::kServerRsa, "rsa");
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+
+  EnsureTlsSetup();
+
+  MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_,
+                                                 ssl_sig_rsa_pss_pss_sha256);
+
+  ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
+}
+
 class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
 public:
  TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
@ -410,29 +485,6 @@ TEST_P(TlsConnectTls12, SignatureAlgorithmDrop) {
  server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
 }

-// Replaces the signature scheme in a TLS 1.3 CertificateVerify message.
-class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
- public:
-  TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
-                                  SSLSignatureScheme scheme)
-      : TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
-        scheme_(scheme) {
-    EnableDecryption();
-  }
-
- protected:
-  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
-                                               const DataBuffer& input,
-                                               DataBuffer* output) {
-    *output = input;
-    output->Write(0, scheme_, 2);
-    return CHANGE;
-  }
-
- private:
-  SSLSignatureScheme scheme_;
-};
-
 TEST_P(TlsConnectTls13, UnsupportedSignatureSchemeAlert) {
  EnsureTlsSetup();
  MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(server_, ssl_sig_none);
--- a/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
@ -643,4 +643,43 @@ TEST_P(TlsConnectGenericPre13, InvalidDERSignatureFfdhe) {
  client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
 }

+// Replace SignatureAndHashAlgorithm of a SKE.
+class DHEServerKEXSigAlgReplacer : public TlsHandshakeFilter {
+ public:
+  DHEServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent>& server,
+                             SSLSignatureScheme sig_scheme)
+      : TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
+        sig_scheme_(sig_scheme) {}
+
+ protected:
+  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
+                                               const DataBuffer& input,
+                                               DataBuffer* output) {
+    *output = input;
+
+    uint32_t len;
+    uint32_t idx = 0;
+    EXPECT_TRUE(output->Read(idx, 2, &len));
+    idx += 2 + len;
+    EXPECT_TRUE(output->Read(idx, 2, &len));
+    idx += 2 + len;
+    EXPECT_TRUE(output->Read(idx, 2, &len));
+    idx += 2 + len;
+    output->Write(idx, sig_scheme_, 2);
+
+    return CHANGE;
+  }
+
+ private:
+  SSLSignatureScheme sig_scheme_;
+};
+
+TEST_P(TlsConnectTls12, ConnectInconsistentSigAlgDHE) {
+  EnableOnlyDheCiphers();
+
+  MakeTlsFilter<DHEServerKEXSigAlgReplacer>(server_,
+                                            ssl_sig_ecdsa_secp256r1_sha256);
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+}
+
 }  // namespace nss_test
--- a/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
@ -454,6 +454,25 @@ TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsOddLength) {
      client_, ssl_signature_algorithms_xtn, extension));
 }

+TEST_F(TlsExtensionTest13Stream, SignatureAlgorithmsPrecedingGarbage) {
+  // 31 unknown signature algorithms followed by sha-256, rsa
+  const uint8_t val[] = {
+      0x00, 0x40, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x01};
+  DataBuffer extension(val, sizeof(val));
+  MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_signature_algorithms_xtn,
+                                      extension);
+  client_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  ConnectExpectFail();
+  client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+  server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+}
+
 TEST_P(TlsExtensionTestGeneric, NoSupportedGroups) {
  ClientHelloErrorTest(
      std::make_shared<TlsExtensionDropper>(client_, ssl_supported_groups_xtn),
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@ -6961,12 +6961,12 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
    if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
        rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
        if (rv != SECSuccess) {
-            goto loser; /* malformed or unsupported. */
+            goto alert_loser; /* malformed or unsupported. */
        }
        rv = ssl_CheckSignatureSchemeConsistency(ss, sigScheme,
                                                 ss->sec.peerCert);
        if (rv != SECSuccess) {
-            goto loser;
+            goto alert_loser;
        }
        hashAlg = ssl_SignatureSchemeToHashType(sigScheme);
    } else {
@ -7190,7 +7190,8 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
    SECStatus rv;
    SECItem buf;
    SSLSignatureScheme *schemes = NULL;
-    unsigned int numSchemes = 0;
+    unsigned int numSupported = 0;
+    unsigned int numRemaining = 0;
    unsigned int max;

    rv = ssl3_ExtConsumeHandshakeVariable(ss, &buf, 2, b, len);
@ -7209,7 +7210,8 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
    }

    /* Limit the number of schemes we read. */
-    max = PR_MIN(buf.len / 2, MAX_SIGNATURE_SCHEMES);
+    numRemaining = buf.len / 2;
+    max = PR_MIN(numRemaining, MAX_SIGNATURE_SCHEMES);

    if (arena) {
        schemes = PORT_ArenaZNewArray(arena, SSLSignatureScheme, max);
@ -7221,7 +7223,7 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
        return SECFailure;
    }

-    for (; max; --max) {
+    for (; numRemaining && numSupported < MAX_SIGNATURE_SCHEMES; --numRemaining) {
        PRUint32 tmp;
        rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, &buf.data, &buf.len);
        if (rv != SECSuccess) {
@ -7230,11 +7232,11 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
            return SECFailure;
        }
        if (ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) {
-            schemes[numSchemes++] = (SSLSignatureScheme)tmp;
+            schemes[numSupported++] = (SSLSignatureScheme)tmp;
        }
    }

-    if (!numSchemes) {
+    if (!numSupported) {
        if (!arena) {
            PORT_Free(schemes);
        }
@ -7243,7 +7245,7 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,

 done:
    *schemesOut = schemes;
-    *numSchemesOut = numSchemes;
+    *numSchemesOut = numSupported;
    return SECSuccess;
 }

@ -9570,7 +9572,7 @@ ssl3_HandleCertificateVerify(sslSocket *ss, PRUint8 *b, PRUint32 length)
                                                 ss->sec.peerCert);
        if (rv != SECSuccess) {
            errCode = PORT_GetError();
-            desc = decrypt_error;
+            desc = illegal_parameter;
            goto alert_loser;
        }

--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@ -230,7 +230,7 @@ typedef struct {
 #define MAX_DTLS_SRTP_CIPHER_SUITES 4

 /* MAX_SIGNATURE_SCHEMES allows for all the values we support. */
-#define MAX_SIGNATURE_SCHEMES 15
+#define MAX_SIGNATURE_SCHEMES 18

 typedef struct sslOptionsStr {
    /* If SSL_SetNextProtoNego has been called, then this contains the