Index: net/third_party/nss/patches/tls12backuphash.patch |
=================================================================== |
--- net/third_party/nss/patches/tls12backuphash.patch (revision 223078) |
+++ net/third_party/nss/patches/tls12backuphash.patch (working copy) |
@@ -1,13 +1,12 @@ |
Index: net/third_party/nss/ssl/ssl3con.c |
=================================================================== |
---- net/third_party/nss/ssl/ssl3con.c (revision 219342) |
+--- net/third_party/nss/ssl/ssl3con.c (revision 220594) |
+++ net/third_party/nss/ssl/ssl3con.c (working copy) |
-@@ -3933,6 +3933,22 @@ |
+@@ -3933,6 +3933,20 @@ |
ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
return SECFailure; |
} |
+ |
-+#ifdef _WIN32 |
+ /* A backup SHA-1 hash for a potential client auth signature. */ |
+ if (!ss->sec.isServer) { |
+ ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1); |
@@ -21,11 +20,10 @@ |
+ return SECFailure; |
+ } |
+ } |
-+#endif |
} else { |
/* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or |
* created successfully. */ |
-@@ -4043,6 +4059,13 @@ |
+@@ -4043,6 +4057,13 @@ |
ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); |
return rv; |
} |
@@ -39,7 +37,7 @@ |
} else { |
rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); |
if (rv != SECSuccess) { |
-@@ -4791,6 +4814,30 @@ |
+@@ -4791,6 +4812,30 @@ |
return rv; |
} |
@@ -70,7 +68,7 @@ |
/* |
* SSL 2 based implementations pass in the initial outbound buffer |
* so that the handshake hash can contain the included information. |
-@@ -6044,7 +6091,17 @@ |
+@@ -6044,7 +6089,17 @@ |
SSL_GETPID(), ss->fd)); |
ssl_GetSpecReadLock(ss); |
@@ -89,7 +87,7 @@ |
ssl_ReleaseSpecReadLock(ss); |
if (rv != SECSuccess) { |
goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
-@@ -6098,11 +6155,6 @@ |
+@@ -6098,11 +6153,6 @@ |
if (rv != SECSuccess) { |
goto done; |
} |
@@ -101,21 +99,47 @@ |
sigAndHash.hashAlg = hashes.hashAlg; |
rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash); |
-@@ -6994,6 +7046,31 @@ |
+@@ -6994,6 +7044,56 @@ |
} |
goto send_no_certificate; |
} |
+ |
+ if (isTLS12 && ss->ssl3.hs.md5) { |
+ PRBool need_backup_hash = PR_FALSE; |
++ PRBool prefer_sha1 = PR_FALSE; |
+#ifdef _WIN32 |
+ /* If the key is in CAPI, assume conservatively that the CAPI |
+ * service provider may be unable to sign SHA-256 hashes. |
-+ * Use SHA-1 if the server supports it. */ |
++ */ |
+ if (ss->ssl3.platformClientKey->dwKeySpec != |
+ CERT_NCRYPT_KEY_SPEC) { |
++ /* CAPI only supports RSA and DSA signatures, so we don't |
++ * need to check the key type. */ |
++ prefer_sha1 = PR_TRUE; |
++ } |
++#endif /* _WIN32 */ |
++ /* If the key is a 1024-bit RSA or DSA key, assume |
++ * conservatively that it may be unable to sign SHA-256 |
++ * hashes. This is the case for older Estonian ID cards that |
++ * have 1024-bit RSA keys. In FIPS 186-2 and older, DSA key |
++ * size is at most 1024 bits and the hash function must be |
++ * SHA-1. |
++ */ |
++ if (!prefer_sha1) { |
++ SECKEYPublicKey *pubk = |
++ CERT_ExtractPublicKey(ss->ssl3.clientCertificate); |
++ if (pubk == NULL) { |
++ errCode = SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE; |
++ goto loser; |
++ } |
++ if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) { |
++ prefer_sha1 = SECKEY_PublicKeyStrength(pubk) <= 128; |
++ } |
++ SECKEY_DestroyPublicKey(pubk); |
++ } |
++ /* Use SHA-1 if the server supports it. */ |
++ if (prefer_sha1) { |
+ for (i = 0; i < algorithms.len; i += 2) { |
-+ /* CAPI only supports RSA and DSA signatures. */ |
+ if (algorithms.data[i] == tls_hash_sha1 && |
+ (algorithms.data[i+1] == tls_sig_rsa || |
+ algorithms.data[i+1] == tls_sig_dsa)) { |
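Review bot: The threshold in the new line `prefer_sha1 = SECKEY_PublicKeyStrength(pubk) <= 128;` is a byte count, while the comment above it talks about 1024-bit keys, so a reader comparing the two can easily take 128 for bits; either write it as `prefer_sha1 = SECKEY_PublicKeyStrengthInBits(pubk) <= 1024;` or annotate it with `/* SECKEY_PublicKeyStrength() returns bytes: 128 bytes == 1024 bits */`. The new `goto loser` after `CERT_ExtractPublicKey()` also changes the character of this block from a best-effort hash preference into a hard client-auth failure when the public key cannot be extracted; if that is intended, a one-line comment at the `errCode = SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE;` assignment saying why failing is preferable to falling back to SHA-256 would document the decision. The pre-existing loop reads `algorithms.data[i+1]` with a stride of 2 and so relies on `algorithms.len` being even; that is presumably validated where the signature_algorithms field is parsed, which is outside this hunk. The enclosing function, the `loser` label and the assignment of `need_backup_hash` all lie outside the hunk.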
@@ -124,7 +148,6 @@ |
+ } |
+ } |
+ } |
-+#endif /* _WIN32 */ |
+ if (!need_backup_hash) { |
+ PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE); |
+ ss->ssl3.hs.md5 = NULL; |
@@ -133,7 +156,7 @@ |
break; /* not an error */ |
} |
#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
-@@ -7227,6 +7304,13 @@ |
+@@ -7227,6 +7327,13 @@ |
(ss->ssl3.platformClientKey || |
ss->ssl3.clientPrivateKey != NULL); |
@@ -149,15 +172,15 @@ |
* certificate to an attacker that does not have a valid cert for the |
Index: net/third_party/nss/ssl/sslimpl.h |
=================================================================== |
---- net/third_party/nss/ssl/sslimpl.h (revision 219342) |
+--- net/third_party/nss/ssl/sslimpl.h (revision 220594) |
+++ net/third_party/nss/ssl/sslimpl.h (working copy) |
@@ -838,6 +838,9 @@ |
* SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and |
* |sha| for SHA-1. |
* TLS 1.2 and later use only |sha|, for SHA-256. */ |
-+ /* NOTE: On Windows, TLS 1.2 and later use |md5| as a backup handshake hash |
-+ * for generating client auth signatures. Confusingly, the backup hash |
-+ * function is SHA-1. */ |
++ /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup |
++ * handshake hash for generating client auth signatures. Confusingly, the |
++ * backup hash function is SHA-1. */ |
PK11Context * md5; |
PK11Context * sha; |