authorWan-Teh Chang <wtc@google.com>2013-06-07 12:33:25 -0700
committerWan-Teh Chang <wtc@google.com>2013-06-07 12:33:25 -0700
commit29ec2f5e5f7acafda74eaf7c4a37f6ab815e2290 (patch)
treedfc97bf377489db630a86a0a5704db8cbad9f025
parent86f6206a932f3dcc45d77327d2bc3fddd58bd339 (diff)
downloadnss-hg-29ec2f5e5f7acafda74eaf7c4a37f6ab815e2290.tar.gz
Bug 480514: Prune the supported_signature_algorithms field of our
TLS 1.2 CertificateRequest message to reflect the limitation that we only support TLS 1.2 CertificateVerify messages that use the handshake hash (which is always SHA256). r=agl.
-rw-r--r--lib/ssl/ssl3con.c38
-rw-r--r--lib/ssl/ssl3ext.c20
-rw-r--r--lib/ssl/sslimpl.h2
3 files changed, 30 insertions, 30 deletions
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index 844fc6bf9..3c798ac5d 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -198,19 +198,18 @@ static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = {
ct_DSS_sign,
};
-/* This block is our supported_signature_algorithms value, in wire format.
- * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+/* This block is the contents of the supported_signature_algorithms field of
+ * our TLS 1.2 CertificateRequest message, in wire format. See
+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
+ *
+ * This block contains only sha256 entries because we only support TLS 1.2
+ * CertificateVerify messages that use the handshake hash. */
static const PRUint8 supported_signature_algorithms[] = {
tls_hash_sha256, tls_sig_rsa,
- tls_hash_sha384, tls_sig_rsa,
- tls_hash_sha1, tls_sig_rsa,
#ifdef NSS_ENABLE_ECC
tls_hash_sha256, tls_sig_ecdsa,
- tls_hash_sha384, tls_sig_ecdsa,
- tls_hash_sha1, tls_sig_ecdsa,
#endif
tls_hash_sha256, tls_sig_dsa,
- tls_hash_sha1, tls_sig_dsa,
};
#define EXPORT_RSA_KEY_LENGTH 64 /* bytes */
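Review bot: The pruned table only changes what the server advertises; it does not by itself stop a client from sending a CertificateVerify with sha1/rsa or sha384/ecdsa, so the acceptance check still has to live in the CertificateVerify handler, which is outside this diff. If that handler already rejects any hash other than the handshake hash, the comment here should say so, because a reader will otherwise assume this list is the enforcement point. I would also cross-reference the deliberately wider client list now kept in ssl3ext.c so nobody later "fixes" the asymmetry, e.g. append to the comment: ` * This list is intentionally narrower than the client's signature_algorithms` / ` * extension in ssl3ext.c. Advertising is not enforcement: the CertificateVerify` / ` * handler must still reject any hash other than the handshake hash.`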
@@ -3960,23 +3959,6 @@ ssl3_AppendSignatureAndHashAlgorithm(
return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
}
-/* Appends our supported_signature_algorithms value to the current handshake
- * message. */
-SECStatus
-ssl3_AppendSupportedSignatureAlgorithms(sslSocket *ss)
-{
- return ssl3_AppendHandshakeVariable(ss, supported_signature_algorithms,
- sizeof(supported_signature_algorithms),
- 2);
-}
-
-/* Returns the size in bytes of our supported_signature_algorithms value. */
-unsigned int
-ssl3_SizeOfSupportedSignatureAlgorithms(void)
-{
- return sizeof(supported_signature_algorithms);
-}
-
/**************************************************************************
* Consume Handshake functions.
*
@@ -8358,6 +8340,7 @@ ssl3_SendCertificateRequest(sslSocket *ss)
SECItem * name;
CERTDistNames *ca_list;
const PRUint8 *certTypes;
+ const PRUint8 *sigAlgs;
SECItem * names = NULL;
SECStatus rv;
int length;
@@ -8365,6 +8348,7 @@ ssl3_SendCertificateRequest(sslSocket *ss)
int calen = 0;
int nnames = 0;
int certTypesLength;
+ int sigAlgsLength;
SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
SSL_GETPID(), ss->fd));
@@ -8391,10 +8375,12 @@ ssl3_SendCertificateRequest(sslSocket *ss)
certTypes = certificate_types;
certTypesLength = sizeof certificate_types;
+ sigAlgs = supported_signature_algorithms;
+ sigAlgsLength = sizeof supported_signature_algorithms;
length = 1 + certTypesLength + 2 + calen;
if (isTLS12) {
- length += 2 + ssl3_SizeOfSupportedSignatureAlgorithms();
+ length += 2 + sigAlgsLength;
}
rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
@@ -8406,7 +8392,7 @@ ssl3_SendCertificateRequest(sslSocket *ss)
return rv; /* err set by AppendHandshake. */
}
if (isTLS12) {
- rv = ssl3_AppendSupportedSignatureAlgorithms(ss);
+ rv = ssl3_AppendHandshakeVariable(ss, sigAlgs, sigAlgsLength, 2);
if (rv != SECSuccess) {
return rv; /* err set by AppendHandshake. */
}
diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c
index 741643975..f6e9e2b78 100644
--- a/lib/ssl/ssl3ext.c
+++ b/lib/ssl/ssl3ext.c
@@ -2081,6 +2081,21 @@ ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
static PRInt32
ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
{
+ static const unsigned char signatureAlgorithms[] = {
+ /* This block is the contents of our signature_algorithms extension, in
+ * wire format. See
+ * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+ tls_hash_sha256, tls_sig_rsa,
+ tls_hash_sha384, tls_sig_rsa,
+ tls_hash_sha1, tls_sig_rsa,
+#ifdef NSS_ENABLE_ECC
+ tls_hash_sha256, tls_sig_ecdsa,
+ tls_hash_sha384, tls_sig_ecdsa,
+ tls_hash_sha1, tls_sig_ecdsa,
+#endif
+ tls_hash_sha256, tls_sig_dsa,
+ tls_hash_sha1, tls_sig_dsa,
+ };
PRInt32 extension_length;
if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
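Review bot: The explanatory comment for signatureAlgorithms sits inside the initializer braces, between `= {` and the first entry; it reads better above the declaration, as the server-side table in ssl3con.c is commented. While moving it, record that RFC 5246 §7.4.1.4.1 defines this list as descending order of preference, which is why the sha1 pairs come last, and that the sha1 entries are what tell the server we will verify SHA-1 signatures — a caveat whoever prunes SHA-1 later will want, e.g. ` * Order is descending preference (RFC 5246 7.4.1.4.1). The sha1 entries are` / ` * deliberately last; dropping them withdraws SHA-1 from what we offer to verify.` Separately, sizeof(signatureAlgorithms) is a size_t added into the PRInt32 extension_length further down; harmless at 16 bytes, but a -Wconversion warning. ssl3_ClientSendSigAlgsXtn continues past the end of the hunk.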
@@ -2091,7 +2106,7 @@ ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
2 /* extension type */ +
2 /* extension length */ +
2 /* supported_signature_algorithms length */ +
- ssl3_SizeOfSupportedSignatureAlgorithms();
+ sizeof(signatureAlgorithms);
if (append && maxBytes >= extension_length) {
SECStatus rv;
@@ -2101,7 +2116,8 @@ ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
if (rv != SECSuccess)
goto loser;
- rv = ssl3_AppendSupportedSignatureAlgorithms(ss);
+ rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms,
+ sizeof(signatureAlgorithms), 2);
if (rv != SECSuccess)
goto loser;
ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
index 15aa6a7cf..4818b47d3 100644
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -1614,8 +1614,6 @@ extern SECStatus ssl3_AppendHandshakeVariable( sslSocket *ss,
const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize);
extern SECStatus ssl3_AppendSignatureAndHashAlgorithm(sslSocket *ss,
const SSL3SignatureAndHashAlgorithm* sigAndHash);
-extern SECStatus ssl3_AppendSupportedSignatureAlgorithms(sslSocket *ss);
-extern unsigned int ssl3_SizeOfSupportedSignatureAlgorithms(void);
extern SECStatus ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes,
SSL3Opaque **b, PRUint32 *length);
extern PRInt32 ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes,