diff -up ./cmd/crmftest/testcrmf.c.sign_policy ./cmd/crmftest/testcrmf.c --- ./cmd/crmftest/testcrmf.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./cmd/crmftest/testcrmf.c 2022-06-20 16:47:35.023785628 -0700 @@ -85,7 +85,7 @@ #include "sechash.h" #endif -#define MAX_KEY_LEN 512 +#define MAX_KEY_LEN 1024 #define PATH_LEN 150 #define BUFF_SIZE 150 #define UID_BITS 800 diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc --- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc 2022-06-20 16:47:35.024785635 -0700 @@ -16,6 +16,7 @@ #include "secerr.h" #include "sechash.h" #include "pk11_signature_test.h" +#include "blapit.h" #include "testvectors/rsa_signature_2048_sha224-vectors.h" #include "testvectors/rsa_signature_2048_sha256-vectors.h" @@ -109,7 +110,11 @@ class Pkcs11RsaPkcs1WycheproofTest * Use 6 as the invalid value since modLen % 16 must be zero. */ TEST(RsaPkcs1Test, Pkcs1MinimumPadding) { - const size_t kRsaShortKeyBits = 736; +#define RSA_SHORT_KEY_LENGTH 736 +/* if our minimum supported key length is big enough to handle + * our largest Hash function, we can't test a short length */ +#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH + const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH; const size_t kRsaKeyBits = 752; static const std::vector kMsg{'T', 'E', 'S', 'T'}; static const std::vector kSha512DigestInfo{ @@ -209,6 +214,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding) SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512, nullptr); EXPECT_EQ(SECSuccess, rv); +#else + GTEST_SKIP(); +#endif } TEST(RsaPkcs1Test, RequireNullParameter) { diff -up ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy ./gtests/ssl_gtest/tls_subcerts_unittest.cc --- ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./gtests/ssl_gtest/tls_subcerts_unittest.cc 2022-06-20 16:47:35.024785635 -0700 @@ -9,6 +9,8 @@ #include "prtime.h" #include "secerr.h" #include "ssl.h" +#include "nss.h" +#include "blapit.h" #include "gtest_utils.h" #include "tls_agent.h" @@ -348,9 +350,14 @@ static void GenerateWeakRsaKey(ScopedSEC ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); ASSERT_TRUE(slot); PK11RSAGenParams rsaparams; - // The absolute minimum size of RSA key that we can use with SHA-256 is - // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528. +// The absolute minimum size of RSA key that we can use with SHA-256 is +// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528. +#define RSA_WEAK_KEY 528 +#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY rsaparams.keySizeInBits = 528; +#else + rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1; +#endif rsaparams.pe = 65537; // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient @@ -390,6 +397,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) { ssl_sig_rsa_pss_pss_sha256}; client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); +#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY + // save the MIN POLICY length. + PRInt32 minRsa; + + ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa)); +#if RSA_MIN_MODULUS_BITS >= 2048 + ASSERT_EQ(SECSuccess, + NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024)); +#else + ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048)); +#endif +#endif ScopedSECKEYPrivateKey dc_priv; ScopedSECKEYPublicKey dc_pub; @@ -412,6 +431,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) { auto cfilter = MakeTlsFilter( client_, ssl_delegated_credentials_xtn); ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity); +#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY + ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa)); +#endif } class ReplaceDCSigScheme : public TlsHandshakeFilter { diff -up ./lib/cryptohi/keyhi.h.sign_policy ./lib/cryptohi/keyhi.h --- ./lib/cryptohi/keyhi.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/cryptohi/keyhi.h 2022-06-20 16:47:35.024785635 -0700 @@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk); /* +** Return the strength of the private key in bits +*/ +extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk); + +/* ** Return the length of the signature in bytes */ extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk); diff -up ./lib/cryptohi/keyi.h.sign_policy ./lib/cryptohi/keyi.h --- ./lib/cryptohi/keyi.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/cryptohi/keyi.h 2022-06-20 16:47:35.024785635 -0700 @@ -4,6 +4,7 @@ #ifndef _KEYI_H_ #define _KEYI_H_ +#include "secerr.h" SEC_BEGIN_PROTOS /* NSS private functions */ @@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechan const SECItem *params, CK_RSA_PKCS_PSS_PARAMS *mech); +/* make sure the key length matches the policy for keyType */ +SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, + SECErrorCodes error); SEC_END_PROTOS #endif /* _KEYHI_H_ */ diff -up ./lib/cryptohi/seckey.c.sign_policy ./lib/cryptohi/seckey.c --- ./lib/cryptohi/seckey.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/cryptohi/seckey.c 2022-06-20 16:47:35.025785641 -0700 @@ -14,6 +14,7 @@ #include "secdig.h" #include "prtime.h" #include "keyi.h" +#include "nss.h" SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) SEC_ASN1_MKSUB(SEC_IntegerTemplate) @@ -1042,6 +1043,62 @@ SECKEY_PublicKeyStrengthInBits(const SEC return bitSize; } +unsigned +SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk) +{ + unsigned bitSize = 0; + CK_ATTRIBUTE_TYPE attribute = CKT_INVALID_TYPE; + SECItem params; + SECStatus rv; + + if (!privk) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; + } + + /* interpret modulus length as key strength */ + switch (privk->keyType) { + case rsaKey: + case rsaPssKey: + case rsaOaepKey: + /* some tokens don't export CKA_MODULUS on the private key, + * PK11_SignatureLen works around this if necessary */ + bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE; + if (bitSize == -1) { + bitSize = 0; + } + return bitSize; + case dsaKey: + case fortezzaKey: + case dhKey: + case keaKey: + attribute = CKA_PRIME; + break; + case ecKey: + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_EC_PARAMS, NULL, ¶ms); + if ((rv != SECSuccess) || (params.data == NULL)) { + return 0; + } + bitSize = SECKEY_ECParamsToKeySize(¶ms); + PORT_Free(params.data); + return bitSize; + default: + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; + } + PORT_Assert(attribute != CKT_INVALID_TYPE); + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + attribute, NULL, ¶ms); + if ((rv != SECSuccess) || (params.data == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; + } + bitSize = SECKEY_BigIntegerBitLength(¶ms); + PORT_Free(params.data); + return bitSize; +} + /* returns signature length in bytes (not bits) */ unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk) @@ -1212,6 +1269,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicK } /* + * Check that a given key meets the policy limits for the given key + * size. + */ +SECStatus +seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error) +{ + PRInt32 opt = -1; + PRInt32 optVal; + SECStatus rv; + + switch (keyType) { + case rsaKey: + case rsaPssKey: + case rsaOaepKey: + opt = NSS_RSA_MIN_KEY_SIZE; + break; + case dsaKey: + case fortezzaKey: + opt = NSS_DSA_MIN_KEY_SIZE; + break; + case dhKey: + case keaKey: + opt = NSS_DH_MIN_KEY_SIZE; + break; + case ecKey: + opt = NSS_ECC_MIN_KEY_SIZE; + break; + case nullKey: + default: + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + PORT_Assert(opt != -1); + rv = NSS_OptionGet(opt, &optVal); + if (rv != SECSuccess) { + return rv; + } + if (optVal < keyLength) { + PORT_SetError(error); + return SECFailure; + } + return SECSuccess; +} + +/* * Use the private key to find a public key handle. The handle will be on * the same slot as the private key. */ diff -up ./lib/cryptohi/secsign.c.sign_policy ./lib/cryptohi/secsign.c --- ./lib/cryptohi/secsign.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/cryptohi/secsign.c 2022-06-20 16:47:35.025785641 -0700 @@ -15,6 +15,7 @@ #include "pk11func.h" #include "secerr.h" #include "keyi.h" +#include "nss.h" struct SGNContextStr { SECOidTag signalg; @@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *p SECOidTag hashalg, signalg; KeyType keyType; PRUint32 policyFlags; + PRInt32 optFlags; SECStatus rv; /* OK, map a PKCS #7 hash and encrypt algorithm into @@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *p PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { + rv = seckey_EnforceKeySize(key->keyType, + SECKEY_PrivateKeyStrengthInBits(key), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return NULL; + } + } + } /* check the policy on the hash algorithm */ if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { @@ -467,9 +479,20 @@ SGN_Digest(SECKEYPrivateKey *privKey, SGNDigestInfo *di = 0; SECOidTag enctag; PRUint32 policyFlags; + PRInt32 optFlags; result->data = 0; + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { + rv = seckey_EnforceKeySize(privKey->keyType, + SECKEY_PrivateKeyStrengthInBits(privKey), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return SECFailure; + } + } + } /* check the policy on the hash algorithm */ if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { diff -up ./lib/cryptohi/secvfy.c.sign_policy ./lib/cryptohi/secvfy.c --- ./lib/cryptohi/secvfy.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/cryptohi/secvfy.c 2022-06-20 16:47:35.025785641 -0700 @@ -16,6 +16,7 @@ #include "secdig.h" #include "secerr.h" #include "keyi.h" +#include "nss.h" /* ** Recover the DigestInfo from an RSA PKCS#1 signature. @@ -467,6 +468,7 @@ vfy_CreateContext(const SECKEYPublicKey unsigned int sigLen; KeyType type; PRUint32 policyFlags; + PRInt32 optFlags; /* make sure the encryption algorithm matches the key type */ /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */ @@ -476,7 +478,16 @@ vfy_CreateContext(const SECKEYPublicKey PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); return NULL; } - + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) { + rv = seckey_EnforceKeySize(key->keyType, + SECKEY_PublicKeyStrengthInBits(key), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return NULL; + } + } + } /* check the policy on the encryption algorithm */ if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { diff -up ./lib/freebl/blapit.h.sign_policy ./lib/freebl/blapit.h --- ./lib/freebl/blapit.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/freebl/blapit.h 2022-06-20 16:47:35.025785641 -0700 @@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribu * These values come from the initial key size limits from the PKCS #11 * module. They may be arbitrarily adjusted to any value freebl supports. */ -#define RSA_MIN_MODULUS_BITS 128 +#define RSA_MIN_MODULUS_BITS 1023 /* 128 */ #define RSA_MAX_MODULUS_BITS 16384 #define RSA_MAX_EXPONENT_BITS 64 #define DH_MIN_P_BITS 128 diff -up ./lib/nss/nss.h.sign_policy ./lib/nss/nss.h --- ./lib/nss/nss.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/nss/nss.h 2022-06-20 16:47:35.026785647 -0700 @@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu #define NSS_DEFAULT_LOCKS 0x00d /* lock default values */ #define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */ +/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to + * the NSS_XXX_MIN_KEY_SIZE values. + * NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input + * value + * On get it returns all the flags + * NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and + * does not affect the other flags + * On get it returns all the flags + * NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input + * value and does not affect the other flags + * On get it returns all the compliment of all the flags + * (cleared flags == 1) */ +#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e +#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f +#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010 +/* currently defined flags */ +#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1 +#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2 +#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4 + +#define NSS_ECC_MIN_KEY_SIZE 0x011 + /* * Set and get global options for the NSS library. */ diff -up ./lib/nss/nssoptions.c.sign_policy ./lib/nss/nssoptions.c --- ./lib/nss/nssoptions.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/nss/nssoptions.c 2022-06-20 16:47:35.026785647 -0700 @@ -26,6 +26,8 @@ struct nssOps { PRInt32 dtlsVersionMaxPolicy; PRInt32 pkcs12DecodeForceUnicode; PRInt32 defaultLocks; + PRInt32 keySizePolicyFlags; + PRInt32 eccMinKeySize; }; static struct nssOps nss_ops = { @@ -37,7 +39,9 @@ static struct nssOps nss_ops = { 1, 0xffff, PR_FALSE, - 0 + 0, + NSS_KEY_SIZE_POLICY_SSL_FLAG, + SSL_ECC_MIN_CURVE_BITS }; SECStatus @@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 val case NSS_DEFAULT_LOCKS: nss_ops.defaultLocks = value; break; + case NSS_KEY_SIZE_POLICY_FLAGS: + nss_ops.keySizePolicyFlags = value; + break; + case NSS_KEY_SIZE_POLICY_SET_FLAGS: + nss_ops.keySizePolicyFlags |= value; + break; + case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS: + nss_ops.keySizePolicyFlags &= ~value; + break; + case NSS_ECC_MIN_KEY_SIZE: + nss_ops.eccMinKeySize = value; + break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); rv = SECFailure; @@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va case NSS_DEFAULT_LOCKS: *value = nss_ops.defaultLocks; break; + case NSS_KEY_SIZE_POLICY_FLAGS: + case NSS_KEY_SIZE_POLICY_SET_FLAGS: + *value = nss_ops.keySizePolicyFlags; + break; + case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS: + *value = ~nss_ops.keySizePolicyFlags; + break; + case NSS_ECC_MIN_KEY_SIZE: + *value = nss_ops.eccMinKeySize; + break; default: rv = SECFailure; } diff -up ./lib/nss/nssoptions.h.sign_policy ./lib/nss/nssoptions.h --- ./lib/nss/nssoptions.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/nss/nssoptions.h 2022-06-20 16:47:35.026785647 -0700 @@ -18,3 +18,5 @@ * happens because NSS used to count bit lengths incorrectly. */ #define SSL_DH_MIN_P_BITS 1023 #define SSL_DSA_MIN_P_BITS 1023 +/* not really used by SSL, but define it here for consistency */ +#define SSL_ECC_MIN_CURVE_BITS 256 diff -up ./lib/pk11wrap/pk11kea.c.sign_policy ./lib/pk11wrap/pk11kea.c --- ./lib/pk11wrap/pk11kea.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./lib/pk11wrap/pk11kea.c 2022-06-20 16:47:35.026785647 -0700 @@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_ if (privKeyHandle == CK_INVALID_HANDLE) { PK11RSAGenParams rsaParams; - if (symKeyLength > 53) /* bytes */ { - /* we'd have to generate an RSA key pair > 512 bits long, + if (symKeyLength > 120) /* bytes */ { + /* we'd have to generate an RSA key pair > 1024 bits long, ** and that's too costly. Don't even try. */ PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY); goto rsa_failed; } - rsaParams.keySizeInBits = - (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256; + rsaParams.keySizeInBits = 1024; rsaParams.pe = 0x10001; privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx); diff -up ./lib/pk11wrap/pk11pars.c.sign_policy ./lib/pk11wrap/pk11pars.c --- ./lib/pk11wrap/pk11pars.c.sign_policy 2022-06-20 16:47:35.004785510 -0700 +++ ./lib/pk11wrap/pk11pars.c 2022-06-20 16:47:35.026785647 -0700 @@ -427,12 +427,21 @@ static const optionFreeDef sslOptList[] { CIPHER_NAME("DTLS1.3"), 0x304 }, }; +static const optionFreeDef keySizeFlagsList[] = { + { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG }, + { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG }, + { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG }, +}; + static const optionFreeDef freeOptList[] = { /* Restrictions for asymetric keys */ { CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE }, { CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE }, { CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE }, + { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE }, + /* what operations doe the key size apply to */ + { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS }, /* constraints on SSL Protocols */ { CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY }, { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY }, @@ -540,6 +549,7 @@ secmod_getPolicyOptValue(const char *pol *result = val; return SECSuccess; } + /* handle any ssl strings */ for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) { if (policyValueLength == sslOptList[i].name_size && PORT_Strncasecmp(sslOptList[i].name, policyValue, @@ -548,7 +558,29 @@ secmod_getPolicyOptValue(const char *pol return SECSuccess; } } - return SECFailure; + /* handle key_size flags. Each flag represents a bit, which + * gets or'd together. They can be separated by , | or + */ + val = 0; + while (*policyValue) { + PRBool found = PR_FALSE; + for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) { + if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue, + keySizeFlagsList[i].name_size) == 0) { + val |= keySizeFlagsList[i].option; + found = PR_TRUE; + policyValue += keySizeFlagsList[i].name_size; + break; + } + } + if (!found) { + return SECFailure; + } + if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') { + policyValue++; + } + } + *result = val; + return SECSuccess; } /* Policy operations: diff -up ./lib/ssl/ssl3con.c.sign_policy ./lib/ssl/ssl3con.c --- ./lib/ssl/ssl3con.c.sign_policy 2022-06-20 16:47:34.998785473 -0700 +++ ./lib/ssl/ssl3con.c 2022-06-20 16:47:35.028785660 -0700 @@ -7409,6 +7409,8 @@ ssl_HandleDHServerKeyExchange(sslSocket unsigned dh_p_bits; unsigned dh_g_bits; PRInt32 minDH; + PRInt32 optval; + PRBool usePolicyLength = PR_FALSE; SSL3Hashes hashes; SECItem signature = { siBuffer, NULL, 0 }; @@ -7419,8 +7421,13 @@ ssl_HandleDHServerKeyExchange(sslSocket if (rv != SECSuccess) { goto loser; /* malformed. */ } + rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); + if (rv == SECSuccess) { + usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG); + } - rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); + rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH) + : SECFailure; if (rv != SECSuccess || minDH <= 0) { minDH = SSL_DH_MIN_P_BITS; } @@ -11411,13 +11418,20 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECStatus rv; PRUint32 minKey; PRInt32 optval; + PRBool usePolicyLength = PR_TRUE; + + rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); + if (rv == SECSuccess) { + usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG); + } ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey); switch (SECKEY_GetPublicKeyType(pubKey)) { case rsaKey: case rsaPssKey: case rsaOaepKey: - rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval); + rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval) + : SECFailure; if (rv == SECSuccess && optval > 0) { minKey = (PRUint32)optval; } else { @@ -11426,7 +11440,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const break; case dsaKey: - rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval); + rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval) + : SECFailure; if (rv == SECSuccess && optval > 0) { minKey = (PRUint32)optval; } else { @@ -11435,7 +11450,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const break; case dhKey: - rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval); + rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval) + : SECFailure; if (rv == SECSuccess && optval > 0) { minKey = (PRUint32)optval; } else { @@ -11444,9 +11460,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const break; case ecKey: - /* Don't check EC strength here on the understanding that we only - * support curves we like. */ - minKey = ss->sec.authKeyBits; + rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval) + : SECFailure; + if (rv == SECSuccess && optval > 0) { + minKey = (PRUint32)optval; + } else { + /* Don't check EC strength here on the understanding that we + * only support curves we like. */ + minKey = ss->sec.authKeyBits; + } break; default: diff -up ./tests/policy/crypto-policy.txt.sign_policy ./tests/policy/crypto-policy.txt --- ./tests/policy/crypto-policy.txt.sign_policy 2022-05-26 02:54:33.000000000 -0700 +++ ./tests/policy/crypto-policy.txt 2022-06-20 16:47:35.028785660 -0700 @@ -6,6 +6,8 @@ 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy 0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy +0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size +2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size 2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value 2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value 2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt --- ./tests/ssl/sslpolicy.txt.sign_policy 2022-06-20 16:47:35.028785660 -0700 +++ ./tests/ssl/sslpolicy.txt 2022-06-20 16:50:08.958742135 -0700 @@ -196,6 +196,11 @@ # rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary # compatibility reasons # 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL + 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL + # test default settings # NOTE: tstclient will attempt to overide the defaults, so we detect we # were successful by locking in our settings diff -up ./tests/dbupgrade/dbupgrade.sh.sign_policy ./tests/dbupgrade/dbupgrade.sh --- ./tests/dbupgrade/dbupgrade.sh.sign_policy 2022-06-22 08:43:55.905407738 -0700 +++ ./tests/dbupgrade/dbupgrade.sh 2022-06-22 08:43:58.837426779 -0700 @@ -69,7 +69,7 @@ dbupgrade_main() echo $i if [ -d $i ]; then echo "upgrading db $i" - ${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1 + ${BINDIR}/certutil -G -g 1024 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1 html_msg $? 0 "Upgrading $i" else echo "skipping db $i"