author | John M. Schanck <jschanck@mozilla.com> | 2023-03-02 14:38:29 -0800 |
---|---|---|
committer | John M. Schanck <jschanck@mozilla.com> | 2023-03-02 14:38:29 -0800 |
commit | fd8d15350f7560f35085b4b945eb3e34a0dfa708 (patch) | |
tree | c66b55dc65ee34047a03113a0e98c24266e57727 /lib/pk11wrap | |
parent | 65aef21637ba6551e24933a4903f6e3b5c2e77a6 (diff) | |
download | nss-hg-fd8d15350f7560f35085b4b945eb3e34a0dfa708.tar.gz |
Backed out changeset 761e7d215e0a for causing gtest failuresNSS_3_89_BETA1
Diffstat (limited to 'lib/pk11wrap')
-rw-r--r-- | lib/pk11wrap/pk11kea.c | 7 | ||||
-rw-r--r-- | lib/pk11wrap/pk11pars.c | 34 |
2 files changed, 5 insertions, 36 deletions
diff --git a/lib/pk11wrap/pk11kea.c b/lib/pk11wrap/pk11kea.c
index 805e48651..249a301ad 100644
--- a/lib/pk11wrap/pk11kea.c
+++ b/lib/pk11wrap/pk11kea.c
@@ -78,14 +78,15 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
     if (privKeyHandle == CK_INVALID_HANDLE) {
         PK11RSAGenParams rsaParams;
 
-        if (symKeyLength > 120) /* bytes */ {
-            /* we'd have to generate an RSA key pair > 1024 bits long,
+        if (symKeyLength > 53) /* bytes */ {
+            /* we'd have to generate an RSA key pair > 512 bits long,
             ** and that's too costly. Don't even try. */
             PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
             goto rsa_failed;
         }
 
-        rsaParams.keySizeInBits = 1024;
+        rsaParams.keySizeInBits =
+            (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
         rsaParams.pe = 0x10001;
         privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
                                        &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);
diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
index 0243a930b..2c72bf06f 100644
--- a/lib/pk11wrap/pk11pars.c
+++ b/lib/pk11wrap/pk11pars.c
@@ -434,21 +434,12 @@ static const optionFreeDef sslOptList[] = {
     { CIPHER_NAME("DTLS1.3"), 0x304 },
 };
 
-static const optionFreeDef keySizeFlagsList[] = {
-    { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG },
-    { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG },
-    { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG },
-};
-
 static const optionFreeDef freeOptList[] = {
     /* Restrictions for asymetric keys */
     { CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE },
     { CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE },
     { CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE },
-    { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE },
-    /* what operations doe the key size apply to */
-    { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS },
     /* constraints on SSL Protocols */
     { CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY },
     { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
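Review bot: The thresholds restored on the new side of the pk11kea.c hunk — fail above 53 bytes, 512-bit RSA above 21 bytes, otherwise 256-bit — look like the PKCS#1 v1.5 payload limit (modulus length minus 11 bytes) for the CKM_RSA_PKCS pair generated just below, but neither the condition nor the comment says so, and `symKeyLength == 0` (length not known) silently takes the 512-bit path. A 512-bit RSA modulus can be factored with modest resources and a 256-bit one in seconds, so this transport pair gives the wrapped symmetric key no factoring security; the only protection is that the pair is generated here and, presumably, discarded after the move, which is worth stating next to the size choice, e.g. `/* Ephemeral wrap-only pair: sizes follow the PKCS#1 v1.5 limit (k - 11 bytes); 256/512-bit RSA offers no factoring resistance. */`. If the slot applies an RSA-MIN key-size policy (the RSA-MIN option is visible in pk11pars.c below), PK11_GenerateKeyPair may reject these sizes and the move will fail — worth confirming rather than assuming. pk11_KeyExchange begins and ends outside the hunk.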
@@ -557,7 +548,6 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
         *result = val;
         return SECSuccess;
     }
-
     /* handle any ssl strings */
     for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
         if (policyValueLength == sslOptList[i].name_size &&
             PORT_Strncasecmp(sslOptList[i].name, policyValue,
@@ -566,29 +556,7 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
             return SECSuccess;
         }
     }
-    /* handle key_size flags. Each flag represents a bit, which
-     * gets or'd together. They can be separated by , | or + */
-    val = 0;
-    while (*policyValue) {
-        PRBool found = PR_FALSE;
-        for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) {
-            if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue,
-                                 keySizeFlagsList[i].name_size) == 0) {
-                val |= keySizeFlagsList[i].option;
-                found = PR_TRUE;
-                policyValue += keySizeFlagsList[i].name_size;
-                break;
-            }
-        }
-        if (!found) {
-            return SECFailure;
-        }
-        if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') {
-            policyValue++;
-        }
-    }
-    *result = val;
-    return SECSuccess;
+    return SECFailure;
 }
 
 /* Policy operations:
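Review bot: The new fall-through `return SECFailure;` at the end of secmod_getPolicyOptValue reports failure without recording an error code, whereas the success paths above it set `*result` and return SECSuccess; unless the caller sets one (not visible here), an unrecognised policy value surfaces as a bare SECFailure with whatever stale PR_GetError() value was last set, which makes a rejected policy string hard to diagnose. Consider `PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure;`, or a one-line comment stating that the caller is responsible for the error code. The function's signature and its numeric and SSL-string handling begin outside the hunk.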