Closed Bug 1552208 (CVE-2019-11727) Opened 6 years ago Closed 6 years ago

NSS client will sign CertificateVerify message with rsa_pkcs1_sha256 SignatureScheme in TLS 1.3

Categories

(NSS :: Libraries, defect, P1)

3.43

Tracking

(firefox-esr60 wontfix, firefox67 wontfix, firefox68 fixed, firefox69 fixed)

RESOLVED FIXED

People

(Reporter: hkario, Assigned: ueno)

References

Details

(Keywords: sec-low, Whiteboard: [post-critsmash-triage][adv-main68+])

Attachments

(2 files)

Attached file pacp-trace.tar.gz

It's possible to force the NSS client to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest.

tested with nss-4.34.0

packet capture with SSLKEYLOGFILE attached

typo; I've tested with nss-3.43.0

Is this a "vulnerability" that needs to be hidden, or an edge-case bug for people who configure their servers wrong?

Flags: needinfo?(jjones)

This does look like a spec compliance issue, as PKCS1-v1_5 signatures should not be used for TLS 1.3 messages. It's supposed to be allowed to be advertised for 1.2 backwards compat, and of course used in x.509.

I don't think this has serious security impacts -- I suppose it's another avenue for Bleichenbacher, but if only on a single message, it's probably sec-low/sec-other? :mt, can you weigh in on that?

Adding CryptoEng staff for visibility.

Flags: needinfo?(jjones) → needinfo?(mt)
Priority: -- → P1

Yes, we should filter out PKCS1-v1_5. We didn't originally because we started out with no PSS, but that isn't a good reason to keep it that way.

Flags: needinfo?(mt)
Keywords: sec-low
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.45
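The filtering described in the two comments above (PKCS#1 v1.5 schemes may be advertised for TLS 1.2 compatibility and used in X.509, but must not sign a TLS 1.3 CertificateVerify), shown as an added stand-alone example that is not NSS code. The key-type enum and the scheme-selection function are assumptions made for the illustration; the code points are the RFC 8446 values.

```c
/* Added example (not NSS code): pick a CertificateVerify SignatureScheme
 * for a TLS client, refusing RSASSA-PKCS1-v1_5 under TLS 1.3 even when
 * the server's CertificateRequest lists nothing else. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SignatureScheme code points from RFC 8446 section 4.2.3 */
#define RSA_PKCS1_SHA256       0x0401
#define RSA_PKCS1_SHA384       0x0501
#define RSA_PKCS1_SHA512       0x0601
#define ECDSA_SECP256R1_SHA256 0x0403
#define RSA_PSS_RSAE_SHA256    0x0804
#define RSA_PSS_RSAE_SHA384    0x0805
#define RSA_PSS_RSAE_SHA512    0x0806

#define TLS_1_2 0x0303
#define TLS_1_3 0x0304

/* Hypothetical client key types used only by this example. */
enum key_type { KEY_RSA, KEY_ECDSA_P256 };

static bool is_rsa_pkcs1(uint16_t s)
{
    return s == RSA_PKCS1_SHA256 || s == RSA_PKCS1_SHA384 || s == RSA_PKCS1_SHA512;
}

static bool is_rsa_pss_rsae(uint16_t s)
{
    return s == RSA_PSS_RSAE_SHA256 || s == RSA_PSS_RSAE_SHA384 || s == RSA_PSS_RSAE_SHA512;
}

/* Returns the first scheme from the server's CertificateRequest list that the
 * client may sign with, or 0 if none is acceptable; the caller must then abort
 * the handshake instead of falling back to a forbidden scheme. */
uint16_t pick_cert_verify_scheme(const uint16_t *server_schemes, size_t n,
                                 uint16_t version, enum key_type key)
{
    for (size_t i = 0; i < n; i++) {
        uint16_t s = server_schemes[i];
        if (key == KEY_RSA) {
            if (is_rsa_pss_rsae(s))
                return s;
            /* PKCS#1 v1.5 is only acceptable for handshake signatures below TLS 1.3 */
            if (is_rsa_pkcs1(s) && version < TLS_1_3)
                return s;
        } else if (key == KEY_ECDSA_P256 && s == ECDSA_SECP256R1_SHA256) {
            return s;
        }
    }
    return 0;
}
```

With a constructed CertificateRequest list containing only rsa_pkcs1_sha256, the function returns 0 for TLS 1.3 (the client must not sign) and 0x0401 for TLS 1.2.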

Is this something we should consider backporting to 3.44 so it's included in Fx68 (and by extension, our next ESR)?

Assignee: nobody → dueno
Flags: needinfo?(jjones)

Probably yes. Daiki, if you agree, feel free to do the backport. Otherwise, I'll add transplanting it to my todo list for the next week or so.

Flags: needinfo?(jjones)
Group: crypto-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main68+]
Alias: CVE-2019-11727
Group: core-security-release