Bug 1670835 Crypto Policy Support needs to be updated with disable/enable support

Policy update

Current state of the nss policy system:

The initial policy patch focused on getting policy working well in handling ssl. The policy infrastructure used two existing NSS infrastructure:
    1) Algorithm policies tied the OIDS and
    2) the ssl policy constraints first created to handle export policy restrictions.
To make loadable policies work, we added a couple of new things:
   1) a policy parser to the secmod infrastructure which allows us to set algorithm policies based on a config file. This file had two sections: disallow= and allow=. Disallow turned off policy bits, and allow turned them on. Disallow was always parsed first, so you could very strictly control your policy map by saying disallow=all allow={exclusive list of allowed algorithms}
   2) a new NSS_Option() value that allowed the policy parser to set integer values (like minimum tls version) based on the data in the policy parser.
   3) SSL code which is run at ssl_init time that reads the algorithm policies and maps the results to SSL policies.

The resulting loaded policy code, in general, sets the boundaries of what it possible, actually enable/disable of ssl cipher suites are still under program control, and the builtin NSS default values. The only consession to configuration is if a cipher is disallowed by policy, it is also disabled. Allowing a cipher suite by policy that wasn't already enabled, however, doesn't enable that policy by default. Inside the policy restrictions, applications can still make their own decisions on configuration and preference.

At the time the policy system was designed, there were 3 additional features, which were designed, but not specified: disable, enable, and lock.

disable and enable work just like disallow and allow, except the specify what the default settings are. This would allow the policy file to change the underlying default in the case where the application doesn't try to configure ssl on it's own.

lock would make either the policy or configuration 'locked' meaning once the lock has been executed, no further changes to those configurations would be allowed.

What is needed:

We have a need for the following additional features:

1) we want to turn more of the sha-1 hash function off by default. We still need sha-1 digest because it's used in many non-secure cases, but we do want to disable more sha-1 signature usage. Currently only CERT-SIGNATURE and various hmac usages in SSL ciphers can be controlled by policy. We want to disallow a greater range of signature (that is signature use in general).

2) we want to disable more ciphers by default, but need a way to have certain policies (like LEGACY) turn them back on, so that our shipped system is more secure by default.

What this patch provides:

1) A new policy flag NSS_USE_ALG_IN_ANY_SIGNATURE was added. The cryptohi code which exports the NSS sign/verify high level code now checks the hash and signing algorithm against this new policy flag and fails if the policy isn't available.
New key words were added to the policy parser for 'all-signature', which implies all signature flags at once, and 'signature', which maps to NSS_USE_ANY_SIGNATURE. NOTE: disable=all/signature and disable=all/all-signature are effective equivalent because cert-signatures eventually call the low level signature functions, but disable=all allow=rsa-pss/all-signature and disable=all allow=rsa-pss/signature are different in that the latter allows all rsa-pss signature and the latter allows rsa-pss signatures, but no on certificates (or on smime in the future)
Also new keywords were added for rsa-pkcs, rsa-pss, and ecdsa for signature algorithms (along with dsa).

2) This patch implements disable and enable. These functions only work on SSL configuration. In the future SMIME/CMS configuration could also be added. Because the policy system is parsed and handled by NSS, and SSL configuration is handled in SSL, we use the same Apply code we used to apply ssl policy to set the inital configuration. The configured enable/disable state is configured in the ALGORTHIM policy system, where one bit says the enable/disable value is active and another bit which gives it's state.

3) two locks have been implented, policy-lock and ssl-lock. These are specified in the parser as flags (flags=policy-lock,ssl-lock). The policy locks all the policy changes: ssl_policy, algorithm policy, and options. It is implemented by two new exported functions: NSS_IsPolicyLocked() and NSS_LockPolicy(). The first allows applications to test if the policy is locked without having to try changing the policy. The various policy set functions check the NSS_IsPolicyLocked() function and returns SEC_ERROR_POLICY_LOCK if it's true.
 The ssl-lock changes the state of the policy to locked, and the state cannot be changed back without shutting down NSS. The second is implemented by setting a new Option called NSS_DEFAULT_LOCKS and the NSS_DEFAULT_SSL_LOCK flag. The idea is we can add an SMIME lock in the future. SSL checks the NSS_DEFAULT_SSL_LOCK flag before trying to set the cipher suite value, and blocks the change if it's set.

4) sslpolicy tests were updated to test the enable, disable, flags=policy-lock, flags=ssl-lock and the new signature primitives.

5) policy tests were updated to be able to run standalone (like all the other all.sh tests), as well as new tests to detect when no signing algorithms have been enabled.


What is not in the patch

1) S/MIME signature policy has been defined for a while, but never hooked up.
2) S/MIME export policy needs to be connected back to the algorithm policy system just like the ssl cipher suites already are.
3) S/MIME default configuration needs to be connected back to the policy system.
4) ECC Curve policy  needs to be hooked up with the signature policy (probably should create a generic 'key meets policy' function and have every call it).

Differential Revision: https://phabricator.services.mozilla.com/D93697

1 files changed, 153 insertions, 52 deletions

diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
index 0e823233d..68738b3d4 100644
--- a/lib/pk11wrap/pk11pars.c
+++ b/lib/pk11wrap/pk11pars.c
@@ -158,16 +158,17 @@ SECMOD_CreateModule(const char *library, const char *moduleName,
  * Disallow values are parsed first, then allow values, independent of the
  * order they appear.
  *
- * Future key words (not yet implemented):
+ * flags: turn on the following flags:
+ *    policy-lock: turn off the ability for applications to change policy with
+ *                 the call NSS_SetAlgorithmPolicy or the other system policy
+ *                 calls (SSL_SetPolicy, etc.)
+ *    ssl-lock:    turn off the ability to change the ssl defaults.
+ *
+ * The following only apply to ssl cipher suites (future smime)
+ *
  * enable: turn on ciphersuites by default.
  * disable: turn off ciphersuites by default without disallowing them by policy.
- * flags: turn on the following flags:
- *     ssl-lock: turn off the ability for applications to change policy with
- *               the SSL_SetCipherPolicy (or SSL_SetPolicy).
- *     policy-lock: turn off the ability for applications to change policy with
- *               the call NSS_SetAlgorithmPolicy.
- *     ssl-default-lock: turn off the ability for applications to change cipher
- *               suite states with SSL_EnableCipher, SSL_DisableCipher.
+ *
  *
  */
 
@@ -323,21 +324,21 @@ static const oidValDef curveOptList[] = {
 static const oidValDef hashOptList[] = {
     /* Hashes */
     { CIPHER_NAME("MD2"), SEC_OID_MD2,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("MD4"), SEC_OID_MD4,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("MD5"), SEC_OID_MD5,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("SHA256"), SEC_OID_SHA256,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("SHA384"), SEC_OID_SHA384,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("SHA512"), SEC_OID_SHA512,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }
 };
 
 static const oidValDef macOptList[] = {
@@ -389,7 +390,13 @@ static const oidValDef kxOptList[] = {
 static const oidValDef signOptList[] = {
     /* Signatures */
     { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+    { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+    { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+    { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
 };
 
 typedef struct {
@@ -405,7 +412,7 @@ static const algListsDef algOptLists[] = {
     { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
     { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
     { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
-    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
+    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
 };
 
 static const optionFreeDef sslOptList[] = {
@@ -443,10 +450,19 @@ static const policyFlagDef policyFlagList[] = {
     /* add other key exhanges in the future */
     { CIPHER_NAME("KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX },
     { CIPHER_NAME("CERT-SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE },
-    /* add other signatures in the future */
-    { CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE },
-    /* enable everything */
-    { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+    { CIPHER_NAME("CMS-SIGNATURE"), NSS_USE_ALG_IN_CMS_SIGNATURE },
+    { CIPHER_NAME("ALL-SIGNATURE"), NSS_USE_ALG_IN_SIGNATURE },
+    /* sign turns off all signatures, but doesn't change the
+     * allowance for specific sigantures... for example:
+     * disallow=sha256/all allow=sha256/signature doesn't allow
+     * cert-sigantures, where disallow=sha256/all allow=sha256/all-signature
+     * does.
+     * however, disallow=sha356/signature and disallow=sha256/all-siganture are
+     * equivalent in effect */
+    { CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_ANY_SIGNATURE },
+    /* enable/disable everything */
+    { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX |
+                              NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("NONE"), 0 }
 };
 
@@ -538,8 +554,82 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
     return SECFailure;
 }
 
+/* Policy operations:
+ *     Disallow: operation is disallowed by policy. Implies disabled.
+ *     Allow: operation is allowed by policy (but could be disabled).
+ *     Disable: operation is turned off by default (but could be allowed).
+ *     Enable: operation is enabled by default. Implies allowed.
+ */
+typedef enum {
+    NSS_DISALLOW,
+    NSS_ALLOW,
+    NSS_DISABLE,
+    NSS_ENABLE
+} NSSPolicyOperation;
+
+/* apply the operator specific policy */
+SECStatus
+secmod_setPolicyOperation(SECOidTag oid, NSSPolicyOperation operation,
+                          PRUint32 value)
+{
+    SECStatus rv = SECSuccess;
+    switch (operation) {
+        case NSS_DISALLOW:
+            /* clear the requested policy bits */
+            rv = NSS_SetAlgorithmPolicy(oid, 0, value);
+            break;
+        case NSS_ALLOW:
+            /* set the requested policy bits */
+            rv = NSS_SetAlgorithmPolicy(oid, value, 0);
+            break;
+        /* enable/disable only apply to SSL cipher suites (future S/MIME).
+         * Enable/disable is implemented by clearing the DEFAULT_NOT_VALID
+         * flag, then setting the NSS_USE_DEFAULT_SSL_ENABLE flag to the
+         * correct value. The ssl policy code will then sort out what to
+         * set based on ciphers and cipher suite values.*/
+        case NSS_DISABLE:
+            if (value & (NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX)) {
+                /* clear not valid and enable */
+                rv = NSS_SetAlgorithmPolicy(oid, 0,
+                                            NSS_USE_DEFAULT_NOT_VALID |
+                                                NSS_USE_DEFAULT_SSL_ENABLE);
+            }
+            break;
+        case NSS_ENABLE:
+            if (value & (NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX)) {
+                /* set enable, clear not valid. NOTE: enable implies allow! */
+                rv = NSS_SetAlgorithmPolicy(oid, value | NSS_USE_DEFAULT_SSL_ENABLE,
+                                            NSS_USE_DEFAULT_NOT_VALID);
+            }
+            break;
+        default:
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            rv = SECFailure;
+            break;
+    }
+    return rv;
+}
+
+const char *
+secmod_getOperationString(NSSPolicyOperation operation)
+{
+    switch (operation) {
+        case NSS_DISALLOW:
+            return "disallow";
+        case NSS_ALLOW:
+            return "allow";
+        case NSS_DISABLE:
+            return "disable";
+        case NSS_ENABLE:
+            return "enable";
+        default:
+            break;
+    }
+    return "invalid";
+}
+
 static SECStatus
-secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
+secmod_applyCryptoPolicy(const char *policyString, NSSPolicyOperation operation,
                          PRBool printPolicyFeedback)
 {
     const char *cipher, *currentString;
@@ -573,18 +663,10 @@ secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
             for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
                 const algListsDef *algOptList = &algOptLists[i];
                 for (j = 0; j < algOptList->entries; j++) {
-                    PRUint32 enable, disable;
                     if (!newValue) {
                         value = algOptList->list[j].val;
                     }
-                    if (allow) {
-                        enable = value;
-                        disable = 0;
-                    } else {
-                        enable = 0;
-                        disable = value;
-                    }
-                    NSS_SetAlgorithmPolicy(algOptList->list[j].oid, enable, disable);
+                    secmod_setPolicyOperation(algOptList->list[j].oid, operation, value);
                 }
             }
             continue;
@@ -603,20 +685,12 @@ secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
                 if ((newOption || algOpt->name_size == length) &&
                     PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
                     PRUint32 value = algOpt->val;
-                    PRUint32 enable, disable;
                     if (newOption) {
                         value = secmod_parsePolicyValue(&cipher[name_size] + 1,
                                                         length - name_size - 1,
                                                         printPolicyFeedback);
                     }
-                    if (allow) {
-                        enable = value;
-                        disable = 0;
-                    } else {
-                        enable = 0;
-                        disable = value;
-                    }
-                    rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
+                    rv = secmod_setPolicyOperation(algOptList->list[j].oid, operation, value);
                     if (rv != SECSuccess) {
                         /* could not enable option */
                         /* NSS_SetAlgorithPolicy should have set the error code */
@@ -666,7 +740,7 @@ secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
         if (unknown && printPolicyFeedback) {
             PR_SetEnv("NSS_POLICY_FAIL=1");
             fprintf(stderr, "NSS-POLICY-FAIL %s: unknown identifier: %.*s\n",
-                    allow ? "allow" : "disallow", length, cipher);
+                    secmod_getOperationString(operation), length, cipher);
         }
     }
     return rv;
@@ -709,7 +783,8 @@ secmod_sanityCheckCryptoPolicy(void)
                 anyEnabled = PR_TRUE;
                 fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for SSL\n", algOpt->name);
             }
-            if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) && (value & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+            if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) &&
+                ((value & NSS_USE_CERT_SIGNATURE_OK) == NSS_USE_CERT_SIGNATURE_OK)) {
                 ++num_sig_enabled;
                 anyEnabled = PR_TRUE;
                 fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for CERT-SIGNATURE\n", algOpt->name);
@@ -740,7 +815,7 @@ secmod_sanityCheckCryptoPolicy(void)
 static SECStatus
 secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback)
 {
-    char *disallow, *allow;
+    char *args;
     SECStatus rv;
 
     if (policyConfig == NULL) {
@@ -752,20 +827,46 @@ secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback)
     if (rv != SECSuccess) {
         return rv;
     }
-    disallow = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
-    rv = secmod_applyCryptoPolicy(disallow, PR_FALSE, printPolicyFeedback);
-    if (disallow)
-        PORT_Free(disallow);
+    args = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
+    rv = secmod_applyCryptoPolicy(args, NSS_DISALLOW, printPolicyFeedback);
+    if (args)
+        PORT_Free(args);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    args = NSSUTIL_ArgGetParamValue("allow", policyConfig);
+    rv = secmod_applyCryptoPolicy(args, NSS_ALLOW, printPolicyFeedback);
+    if (args)
+        PORT_Free(args);
     if (rv != SECSuccess) {
         return rv;
     }
-    allow = NSSUTIL_ArgGetParamValue("allow", policyConfig);
-    rv = secmod_applyCryptoPolicy(allow, PR_TRUE, printPolicyFeedback);
-    if (allow)
-        PORT_Free(allow);
+    args = NSSUTIL_ArgGetParamValue("disable", policyConfig);
+    rv = secmod_applyCryptoPolicy(args, NSS_DISABLE, printPolicyFeedback);
+    if (args)
+        PORT_Free(args);
     if (rv != SECSuccess) {
         return rv;
     }
+    args = NSSUTIL_ArgGetParamValue("enable", policyConfig);
+    rv = secmod_applyCryptoPolicy(args, NSS_ENABLE, printPolicyFeedback);
+    if (args)
+        PORT_Free(args);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    /* this has to be last. Everything after this will be a noop */
+    if (NSSUTIL_ArgHasFlag("flags", "ssl-lock", policyConfig)) {
+        PRInt32 locks;
+        /* don't overwrite other (future) lock flags */
+        rv = NSS_OptionGet(NSS_DEFAULT_LOCKS, &locks);
+        if (rv == SECSuccess) {
+            NSS_OptionSet(NSS_DEFAULT_LOCKS, locks | NSS_DEFAULT_SSL_LOCK);
+        }
+    }
+    if (NSSUTIL_ArgHasFlag("flags", "policy-lock", policyConfig)) {
+        NSS_LockPolicy();
+    }
     if (printPolicyFeedback) {
         /* This helps to distinguish configurations that don't contain any
          * policy config= statement. */