From 2b1b89ec6cee1233e6d9d5188104db0f1df9a437 Mon Sep 17 00:00:00 2001 From: Robert Relyea Date: Mon, 19 Dec 2022 09:40:20 -0800 Subject: Bug 1767883 Need to add policy control to keys lengths for signatures. There are three changes in the patch which are related to key length processing: Change RSA_MIN_MODULUS_BITS in blalpit.h from 128 to 1023. This necessitated changes to the following tests: testcrmf.c: up the generated key for the test from 512 to 1024. pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less then 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now). tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event. pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken. Expand the add a new flag to meaning of NSS_XXX_MIN_KEY_SIZE beyond it's use in SSL (add the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes: New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch. seckey_EnforceKeySize(). Takes a key type and a length and makes sure that length falls into the range set by policy. secsign.c and secvfy.c: add policy length check where we check the other policy flags. nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior). pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS. ssl3con.c: use the flags to decide if the policy lengths are active for SSL. policy.txt: Test that the new policy flags are parsed correctly sslpolicy.txt: Add tests to make sure the policy flags are functioning. Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]). Differential Revision: https://phabricator.services.mozilla.com/D146341 --- lib/cryptohi/keyhi.h | 5 +++ lib/cryptohi/keyi.h | 4 ++ lib/cryptohi/seckey.c | 99 ++++++++++++++++++++++++++++++++++++++++++ lib/cryptohi/secsign.c | 23 ++++++++++ lib/cryptohi/secvfy.c | 13 +++++- lib/freebl/blapit.h | 2 +- lib/nss/nss.h | 22 ++++++++++ lib/nss/nssoptions.c | 28 +++++++++++- lib/nss/nssoptions.h | 2 + lib/pk11wrap/pk11kea.c | 7 ++- lib/pk11wrap/pk11pars.c | 34 ++++++++++++++- lib/softoken/fips_algorithms.h | 13 +++++- lib/ssl/ssl3con.c | 39 ++++++++++++----- 13 files changed, 272 insertions(+), 19 deletions(-) (limited to 'lib') diff --git a/lib/cryptohi/keyhi.h b/lib/cryptohi/keyhi.h index 180990049..173dbda90 100644 --- a/lib/cryptohi/keyhi.h +++ b/lib/cryptohi/keyhi.h @@ -52,6 +52,11 @@ extern unsigned SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk); */ extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk); +/* +** Return the strength of the private key in bits +*/ +extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk); + /* ** Return the length of the signature in bytes */ diff --git a/lib/cryptohi/keyi.h b/lib/cryptohi/keyi.h index 707e11ade..5683afbeb 100644 --- a/lib/cryptohi/keyi.h +++ b/lib/cryptohi/keyi.h @@ -4,6 +4,7 @@ #ifndef _KEYI_H_ #define _KEYI_H_ +#include "secerr.h" SEC_BEGIN_PROTOS /* NSS private functions */ @@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena, const SECItem *params, CK_RSA_PKCS_PSS_PARAMS *mech); +/* make sure the key length matches the policy for keyType */ +SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, + SECErrorCodes error); SEC_END_PROTOS #endif /* _KEYHI_H_ */ diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c index fb353fa14..656609e0d 100644 --- a/lib/cryptohi/seckey.c +++ b/lib/cryptohi/seckey.c @@ -14,6 +14,7 @@ #include "secdig.h" #include "prtime.h" #include "keyi.h" +#include "nss.h" SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) SEC_ASN1_MKSUB(SEC_IntegerTemplate) @@ -1040,6 +1041,59 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk) return bitSize; } +unsigned +SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk) +{ + unsigned bitSize = 0; + SECItem params = { siBuffer, NULL, 0 }; + SECStatus rv; + + if (!privk) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; + } + + /* interpret modulus length as key strength */ + switch (privk->keyType) { + case rsaKey: + case rsaPssKey: + case rsaOaepKey: + /* some tokens don't export CKA_MODULUS on the private key, + * PK11_SignatureLen works around this if necessary */ + bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE; + if (bitSize == -1) { + bitSize = 0; + } + return bitSize; + case dsaKey: + case fortezzaKey: + case dhKey: + case keaKey: + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_PRIME, NULL, ¶ms); + if ((rv != SECSuccess) || (params.data == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; + } + bitSize = SECKEY_BigIntegerBitLength(¶ms); + PORT_Free(params.data); + return bitSize; + case ecKey: + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_EC_PARAMS, NULL, ¶ms); + if ((rv != SECSuccess) || (params.data == NULL)) { + return 0; + } + bitSize = SECKEY_ECParamsToKeySize(¶ms); + PORT_Free(params.data); + return bitSize; + default: + break; + } + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; +} + /* returns signature length in bytes (not bits) */ unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk) @@ -1213,6 +1267,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk) return NULL; } +/* + * Check that a given key meets the policy limits for the given key + * size. + */ +SECStatus +seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error) +{ + PRInt32 opt = -1; + PRInt32 optVal; + SECStatus rv; + + switch (keyType) { + case rsaKey: + case rsaPssKey: + case rsaOaepKey: + opt = NSS_RSA_MIN_KEY_SIZE; + break; + case dsaKey: + case fortezzaKey: + opt = NSS_DSA_MIN_KEY_SIZE; + break; + case dhKey: + case keaKey: + opt = NSS_DH_MIN_KEY_SIZE; + break; + case ecKey: + opt = NSS_ECC_MIN_KEY_SIZE; + break; + case nullKey: + default: + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + PORT_Assert(opt != -1); + rv = NSS_OptionGet(opt, &optVal); + if (rv != SECSuccess) { + return rv; + } + if (optVal > keyLength) { + PORT_SetError(error); + return SECFailure; + } + return SECSuccess; +} + /* * Use the private key to find a public key handle. The handle will be on * the same slot as the private key. diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c index 13a6d6c5e..8779904d3 100644 --- a/lib/cryptohi/secsign.c +++ b/lib/cryptohi/secsign.c @@ -15,6 +15,7 @@ #include "pk11func.h" #include "secerr.h" #include "keyi.h" +#include "nss.h" struct SGNContextStr { SECOidTag signalg; @@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key) SECOidTag hashalg, signalg; KeyType keyType; PRUint32 policyFlags; + PRInt32 optFlags; SECStatus rv; /* OK, map a PKCS #7 hash and encrypt algorithm into @@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key) PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { + rv = seckey_EnforceKeySize(key->keyType, + SECKEY_PrivateKeyStrengthInBits(key), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return NULL; + } + } + } /* check the policy on the hash algorithm */ if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { @@ -465,9 +477,20 @@ SGN_Digest(SECKEYPrivateKey *privKey, SGNDigestInfo *di = 0; SECOidTag enctag; PRUint32 policyFlags; + PRInt32 optFlags; result->data = 0; + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { + rv = seckey_EnforceKeySize(privKey->keyType, + SECKEY_PrivateKeyStrengthInBits(privKey), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return SECFailure; + } + } + } /* check the policy on the hash algorithm */ if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c index f6f5d72b8..8c9dc2d87 100644 --- a/lib/cryptohi/secvfy.c +++ b/lib/cryptohi/secvfy.c @@ -16,6 +16,7 @@ #include "secdig.h" #include "secerr.h" #include "keyi.h" +#include "nss.h" /* ** Recover the DigestInfo from an RSA PKCS#1 signature. @@ -466,6 +467,7 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, unsigned int sigLen; KeyType type; PRUint32 policyFlags; + PRInt32 optFlags; /* make sure the encryption algorithm matches the key type */ /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */ @@ -475,7 +477,16 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); return NULL; } - + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) { + rv = seckey_EnforceKeySize(key->keyType, + SECKEY_PublicKeyStrengthInBits(key), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return NULL; + } + } + } /* check the policy on the encryption algorithm */ if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h index 0054e17b8..d3d935ebe 100644 --- a/lib/freebl/blapit.h +++ b/lib/freebl/blapit.h @@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated)); * These values come from the initial key size limits from the PKCS #11 * module. They may be arbitrarily adjusted to any value freebl supports. */ -#define RSA_MIN_MODULUS_BITS 128 +#define RSA_MIN_MODULUS_BITS 1023 /* 128 */ #define RSA_MAX_MODULUS_BITS 16384 #define RSA_MAX_EXPONENT_BITS 64 #define DH_MIN_P_BITS 128 diff --git a/lib/nss/nss.h b/lib/nss/nss.h index 081422e91..b3ef5057c 100644 --- a/lib/nss/nss.h +++ b/lib/nss/nss.h @@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData); #define NSS_DEFAULT_LOCKS 0x00d /* lock default values */ #define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */ +/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to + * the NSS_XXX_MIN_KEY_SIZE values. + * NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input + * value + * On get it returns all the flags + * NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and + * does not affect the other flags + * On get it returns all the flags + * NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input + * value and does not affect the other flags + * On get it returns all the compliment of all the flags + * (cleared flags == 1) */ +#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e +#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f +#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010 +/* currently defined flags */ +#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1 +#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2 +#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4 + +#define NSS_ECC_MIN_KEY_SIZE 0x011 + /* * Set and get global options for the NSS library. */ diff --git a/lib/nss/nssoptions.c b/lib/nss/nssoptions.c index f7225c414..cc637ffda 100644 --- a/lib/nss/nssoptions.c +++ b/lib/nss/nssoptions.c @@ -26,6 +26,8 @@ struct nssOps { PRInt32 dtlsVersionMaxPolicy; PRInt32 pkcs12DecodeForceUnicode; PRInt32 defaultLocks; + PRInt32 keySizePolicyFlags; + PRInt32 eccMinKeySize; }; static struct nssOps nss_ops = { @@ -37,7 +39,9 @@ static struct nssOps nss_ops = { 1, 0xffff, PR_FALSE, - 0 + 0, + NSS_KEY_SIZE_POLICY_SSL_FLAG, + SSL_ECC_MIN_CURVE_BITS }; SECStatus @@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 value) case NSS_DEFAULT_LOCKS: nss_ops.defaultLocks = value; break; + case NSS_KEY_SIZE_POLICY_FLAGS: + nss_ops.keySizePolicyFlags = value; + break; + case NSS_KEY_SIZE_POLICY_SET_FLAGS: + nss_ops.keySizePolicyFlags |= value; + break; + case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS: + nss_ops.keySizePolicyFlags &= ~value; + break; + case NSS_ECC_MIN_KEY_SIZE: + nss_ops.eccMinKeySize = value; + break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; @@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *value) case NSS_DEFAULT_LOCKS: *value = nss_ops.defaultLocks; break; + case NSS_KEY_SIZE_POLICY_FLAGS: + case NSS_KEY_SIZE_POLICY_SET_FLAGS: + *value = nss_ops.keySizePolicyFlags; + break; + case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS: + *value = ~nss_ops.keySizePolicyFlags; + break; + case NSS_ECC_MIN_KEY_SIZE: + *value = nss_ops.eccMinKeySize; + break; default: rv = SECFailure; } diff --git a/lib/nss/nssoptions.h b/lib/nss/nssoptions.h index 024c1e92f..3f19c61ed 100644 --- a/lib/nss/nssoptions.h +++ b/lib/nss/nssoptions.h @@ -18,3 +18,5 @@ * happens because NSS used to count bit lengths incorrectly. */ #define SSL_DH_MIN_P_BITS 1023 #define SSL_DSA_MIN_P_BITS 1023 +/* not really used by SSL, but define it here for consistency */ +#define SSL_ECC_MIN_CURVE_BITS 255 diff --git a/lib/pk11wrap/pk11kea.c b/lib/pk11wrap/pk11kea.c index 249a301ad..805e48651 100644 --- a/lib/pk11wrap/pk11kea.c +++ b/lib/pk11wrap/pk11kea.c @@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, if (privKeyHandle == CK_INVALID_HANDLE) { PK11RSAGenParams rsaParams; - if (symKeyLength > 53) /* bytes */ { - /* we'd have to generate an RSA key pair > 512 bits long, + if (symKeyLength > 120) /* bytes */ { + /* we'd have to generate an RSA key pair > 1024 bits long, ** and that's too costly. Don't even try. */ PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY); goto rsa_failed; } - rsaParams.keySizeInBits = - (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256; + rsaParams.keySizeInBits = 1024; rsaParams.pe = 0x10001; privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx); diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c index 2c72bf06f..0243a930b 100644 --- a/lib/pk11wrap/pk11pars.c +++ b/lib/pk11wrap/pk11pars.c @@ -434,12 +434,21 @@ static const optionFreeDef sslOptList[] = { { CIPHER_NAME("DTLS1.3"), 0x304 }, }; +static const optionFreeDef keySizeFlagsList[] = { + { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG }, + { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG }, + { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG }, +}; + static const optionFreeDef freeOptList[] = { /* Restrictions for asymetric keys */ { CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE }, { CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE }, { CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE }, + { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE }, + /* what operations doe the key size apply to */ + { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS }, /* constraints on SSL Protocols */ { CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY }, { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY }, @@ -548,6 +557,7 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength, *result = val; return SECSuccess; } + /* handle any ssl strings */ for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) { if (policyValueLength == sslOptList[i].name_size && PORT_Strncasecmp(sslOptList[i].name, policyValue, @@ -556,7 +566,29 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength, return SECSuccess; } } - return SECFailure; + /* handle key_size flags. Each flag represents a bit, which + * gets or'd together. They can be separated by , | or + */ + val = 0; + while (*policyValue) { + PRBool found = PR_FALSE; + for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) { + if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue, + keySizeFlagsList[i].name_size) == 0) { + val |= keySizeFlagsList[i].option; + found = PR_TRUE; + policyValue += keySizeFlagsList[i].name_size; + break; + } + } + if (!found) { + return SECFailure; + } + if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') { + policyValue++; + } + } + *result = val; + return SECSuccess; } /* Policy operations: diff --git a/lib/softoken/fips_algorithms.h b/lib/softoken/fips_algorithms.h index 244b4b87a..9084c8341 100644 --- a/lib/softoken/fips_algorithms.h +++ b/lib/softoken/fips_algorithms.h @@ -54,7 +54,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { /* mechanisms using the same key types share the same key type * limits */ #define RSA_FB_KEY 2048, 4096 /* min, max */ -#define RSA_FB_STEP 1024 +#define RSA_FB_STEP 1 +#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */ +#define RSA_LEGACY_FB_STEP 256 #define DSA_FB_KEY 2048, 4096 /* min, max */ #define DSA_FB_STEP 1024 #define DH_FB_KEY 2048, 4096 /* min, max */ @@ -66,6 +68,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, /* -------------- RSA Multipart Signing Operations -------------------- */ { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, @@ -75,6 +78,14 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, /* ------------------------- DSA Operations --------------------------- */ { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone }, { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c index 867c13ee7..a2618e00c 100644 --- a/lib/ssl/ssl3con.c +++ b/lib/ssl/ssl3con.c @@ -7450,7 +7450,8 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length) SECItem dh_Ys = { siBuffer, NULL, 0 }; unsigned dh_p_bits; unsigned dh_g_bits; - PRInt32 minDH; + PRInt32 minDH = 0; + PRInt32 optval; SSL3Hashes hashes; SECItem signature = { siBuffer, NULL, 0 }; @@ -7461,9 +7462,12 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length) if (rv != SECSuccess) { goto loser; /* malformed. */ } + rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); + if ((rv == SECSuccess) && (optval & NSS_KEY_SIZE_POLICY_SSL_FLAG)) { + (void)NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); + } - rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); - if (rv != SECSuccess || minDH <= 0) { + if (minDH <= 0) { minDH = SSL_DH_MIN_P_BITS; } dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p); @@ -11535,15 +11539,22 @@ SECStatus ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey) { SECStatus rv; - PRUint32 minKey; + PRUint32 minKey = 0; PRInt32 optval; + PRBool usePolicyLength = PR_TRUE; + + rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); + if (rv == SECSuccess) { + usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG); + } ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey); switch (SECKEY_GetPublicKeyType(pubKey)) { case rsaKey: case rsaPssKey: case rsaOaepKey: - rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval); + rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval) + : SECFailure; if (rv == SECSuccess && optval > 0) { minKey = (PRUint32)optval; } else { @@ -11552,7 +11563,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey) break; case dsaKey: - rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval); + rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval) + : SECFailure; if (rv == SECSuccess && optval > 0) { minKey = (PRUint32)optval; } else { @@ -11561,7 +11573,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey) break; case dhKey: - rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval); + rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval) + : SECFailure; if (rv == SECSuccess && optval > 0) { minKey = (PRUint32)optval; } else { @@ -11570,9 +11583,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey) break; case ecKey: - /* Don't check EC strength here on the understanding that we only - * support curves we like. */ - minKey = ss->sec.authKeyBits; + rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval) + : SECFailure; + if (rv == SECSuccess && optval > 0) { + minKey = (PRUint32)optval; + } else { + /* Don't check EC strength here on the understanding that we + * only support curves we like. */ + minKey = ss->sec.authKeyBits; + } break; default: -- cgit v1.2.1