bug 1195434 - specify what signature schemes the platform will actually accept in TLS handshakes r=mt

MozReview-Commit-ID: A3T4EgEfcfy --HG-- extra : rebase_source : 0369bb38069fde33a57e885b5009257b4a16c7ac
2025-02-27 12:50:09 +00:00 · 2016-11-03 12:53:23 -07:00 · 2016-11-03 12:53:23 -07:00 · aca0d93d8d
commit aca0d93d8d
parent a2603b1a0e
2 changed files with 20 additions and 0 deletions
--- a/config/external/nss/nss.symbols
+++ b/config/external/nss/nss.symbols
@ -692,6 +692,7 @@ SSL_SetSRTPCiphers
 SSL_SetStapledOCSPResponses
 SSL_SetURL
 SSL_ShutdownServerSessionIDCache
+SSL_SignatureSchemePrefSet
 SSL_SNISocketConfigHook
 SSL_VersionRangeGet
 SSL_VersionRangeGetDefault
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@ -2447,6 +2447,20 @@ loser:
  return nullptr;
 }

+static const SSLSignatureScheme sEnabledSignatureSchemes[] = {
+  ssl_sig_ecdsa_secp256r1_sha256,
+  ssl_sig_ecdsa_secp384r1_sha384,
+  ssl_sig_ecdsa_secp521r1_sha512,
+  ssl_sig_rsa_pss_sha256,
+  ssl_sig_rsa_pss_sha384,
+  ssl_sig_rsa_pss_sha512,
+  ssl_sig_rsa_pkcs1_sha256,
+  ssl_sig_rsa_pkcs1_sha384,
+  ssl_sig_rsa_pkcs1_sha512,
+  ssl_sig_ecdsa_sha1,
+  ssl_sig_rsa_pkcs1_sha1,
+};
+
 static nsresult
 nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
                       bool haveProxy, const char* host, int32_t port,
@ -2516,6 +2530,11 @@ nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
    return NS_ERROR_FAILURE;
  }

+  if (SECSuccess != SSL_SignatureSchemePrefSet(fd, sEnabledSignatureSchemes,
+                      mozilla::ArrayLength(sEnabledSignatureSchemes))) {
+    return NS_ERROR_FAILURE;
+  }
+
  bool enabled = infoObject->SharedState().IsOCSPStaplingEnabled();
  if (SECSuccess != SSL_OptionSet(fd, SSL_ENABLE_OCSP_STAPLING, enabled)) {
    return NS_ERROR_FAILURE;