aws-lc-rs: reduce priority of ECDSA_NISTP521_SHA512

In TLS1.2, this actually means ECDSA_SHA512. If the peer selects that, we get caught out depending on the curve of the public key because we don't support (for example) `ECDSA_NISTP256_SHA512`. Reducing the preference of this improves matters, because a peer that respects our priority will only select that if nothing else is possible (which includes the cases that SHA256 and SHA384 are not supported, in which case we are hosed, but also if the version is TLS1.3 and public key is on P521).
rustls · May 3, 2024 · 08af80a · 08af80a
1 parent c46cf7e
commit 08af80a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/rustls/src/crypto/aws_lc_rs/mod.rs b/rustls/src/crypto/aws_lc_rs/mod.rs
@@ -168,10 +168,6 @@ static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms
     ],
     mapping: &[
         // Note: for TLS1.2 the curve is not fixed by SignatureScheme. For TLS1.3 it is.
-        (
-            SignatureScheme::ECDSA_NISTP521_SHA512,
-            &[webpki_algs::ECDSA_P521_SHA512],
-        ),
         (
             SignatureScheme::ECDSA_NISTP384_SHA384,
             &[
@@ -186,6 +182,10 @@ static SUPPORTED_SIG_ALGS: WebPkiSupportedAlgorithms = WebPkiSupportedAlgorithms
                 webpki_algs::ECDSA_P384_SHA256,
             ],
         ),
+        (
+            SignatureScheme::ECDSA_NISTP521_SHA512,
+            &[webpki_algs::ECDSA_P521_SHA512],
+        ),
         (SignatureScheme::ED25519, &[webpki_algs::ED25519]),
         (
             SignatureScheme::RSA_PSS_SHA512,

diff --git a/rustls/tests/api.rs b/rustls/tests/api.rs
@@ -1129,9 +1129,9 @@ fn server_cert_resolve_reduces_sigalgs_for_ecdsa_ciphersuite() {
         CipherSuite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
         if provider_is_aws_lc_rs() {
             vec![
-                SignatureScheme::ECDSA_NISTP521_SHA512,
                 SignatureScheme::ECDSA_NISTP384_SHA384,
                 SignatureScheme::ECDSA_NISTP256_SHA256,
+                SignatureScheme::ECDSA_NISTP521_SHA512,
                 SignatureScheme::ED25519,
             ]
         } else {
@@ -1499,10 +1499,6 @@ fn test_client_cert_resolve(
 fn default_signature_schemes(version: ProtocolVersion) -> Vec<SignatureScheme> {
     let mut v = vec![];
 
-    if provider_is_aws_lc_rs() {
-        v.push(SignatureScheme::ECDSA_NISTP521_SHA512);
-    }
-
     v.extend_from_slice(&[
         SignatureScheme::ECDSA_NISTP384_SHA384,
         SignatureScheme::ECDSA_NISTP256_SHA256,
@@ -1512,6 +1508,10 @@ fn default_signature_schemes(version: ProtocolVersion) -> Vec<SignatureScheme> {
         SignatureScheme::RSA_PSS_SHA256,
     ]);
 
+    if provider_is_aws_lc_rs() {
+        v.insert(2, SignatureScheme::ECDSA_NISTP521_SHA512);
+    }
+
     if version == ProtocolVersion::TLSv1_2 {
         v.extend_from_slice(&[
             SignatureScheme::RSA_PKCS1_SHA512,