Prefer to generate SHA-1 signatures for TLS 1.2 client authentication if

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 3916 matching lines @@
                 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                 return SECFailure;
             }
             ss->ssl3.hs.hashType = handshake_hash_single;
 
             if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
                 return SECFailure;
             }
 
-#ifdef _WIN32
             /* A backup SHA-1 hash for a potential client auth signature. */
             if (!ss->sec.isServer) {
                 ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1);
                 if (ss->ssl3.hs.md5 == NULL) {
                     ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                     return SECFailure;
                 }
 
                 if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
                     ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                     return SECFailure;
                 }
             }
-#endif
         } else {
             /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
              * created successfully. */
             ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5);
             if (ss->ssl3.hs.md5 == NULL) {
                 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
                 return SECFailure;
             }
             ss->ssl3.hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
             if (ss->ssl3.hs.sha == NULL) {
@@ skipping 3080 matching lines @@
                 }
                 if (ss->ssl3.platformClientKey) {
                     ssl_FreePlatformKey(ss->ssl3.platformClientKey);
                     ss->ssl3.platformClientKey = (PlatformKey)NULL;
                 }
                 goto send_no_certificate;
             }
 
             if (isTLS12 && ss->ssl3.hs.md5) {
                 PRBool need_backup_hash = PR_FALSE;
+                PRBool prefer_sha1 = PR_FALSE;
 #ifdef _WIN32
                 /* If the key is in CAPI, assume conservatively that the CAPI
                  * service provider may be unable to sign SHA-256 hashes.
-                 * Use SHA-1 if the server supports it. */
+                 */
                 if (ss->ssl3.platformClientKey->dwKeySpec !=
                     CERT_NCRYPT_KEY_SPEC) {
+                    /* CAPI only supports RSA and DSA signatures, so we don't
+                     * need to check the key type. */
+                    prefer_sha1 = PR_TRUE;
+                }
+#endif  /* _WIN32 */
+                /* If the key is a 1024-bit RSA or DSA key, assume
+                 * conservatively that it may be unable to sign SHA-256
+                 * hashes. This is the case for older Estonian ID cards that
+                 * have 1024-bit RSA keys. In FIPS 186-2 and older, DSA key
+                 * size is at most 1024 bits and the hash function must be
+                 * SHA-1.
+                 */
+                if (!prefer_sha1) {
+                    SECKEYPublicKey *pubk =
+                        CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
+                    if (pubk == NULL) {
+                        errCode = SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE;
+                        goto loser;
+                    }
+                    if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
+                        prefer_sha1 = SECKEY_PublicKeyStrength(pubk) <= 128;

[wtc, 2013/09/05 21:53:21]

SECKEY_PublicKeyStrength returns the key size in bytes.

+                    }
+                    SECKEY_DestroyPublicKey(pubk);
+                }
+                /* Use SHA-1 if the server supports it. */
+                if (prefer_sha1) {
                     for (i = 0; i < algorithms.len; i += 2) {
-                        /* CAPI only supports RSA and DSA signatures. */
                         if (algorithms.data[i] == tls_hash_sha1 &&
                             (algorithms.data[i+1] == tls_sig_rsa ||
                              algorithms.data[i+1] == tls_sig_dsa)) {
                             need_backup_hash = PR_TRUE;
                             break;
                         }
                     }
                 }
-#endif  /* _WIN32 */
                 if (!need_backup_hash) {
                     PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
                     ss->ssl3.hs.md5 = NULL;
                 }
             }
             break;  /* not an error */
         }
 #endif   /* NSS_PLATFORM_CLIENT_AUTH */
         /* check what the callback function returned */
         if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
@@ skipping 5269 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */