aef9d0723d
- mark rsa 1023 as FIPS, reject RSA key sizes less than 1023. - allow applications to rerun the POST arbitrarily (that is after dlopen).
710 lines
31 KiB
Diff
710 lines
31 KiB
Diff
diff -up ./cmd/crmftest/testcrmf.c.signature-policy ./cmd/crmftest/testcrmf.c
|
|
--- ./cmd/crmftest/testcrmf.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./cmd/crmftest/testcrmf.c 2022-06-21 09:16:23.916905015 -0700
|
|
@@ -85,7 +85,7 @@
|
|
#include "sechash.h"
|
|
#endif
|
|
|
|
-#define MAX_KEY_LEN 512
|
|
+#define MAX_KEY_LEN 1024
|
|
#define PATH_LEN 150
|
|
#define BUFF_SIZE 150
|
|
#define UID_BITS 800
|
|
diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.signature-policy ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
|
|
--- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc 2022-06-21 09:16:23.916905015 -0700
|
|
@@ -16,6 +16,7 @@
|
|
#include "secerr.h"
|
|
#include "sechash.h"
|
|
#include "pk11_signature_test.h"
|
|
+#include "blapit.h"
|
|
|
|
#include "testvectors/rsa_signature_2048_sha224-vectors.h"
|
|
#include "testvectors/rsa_signature_2048_sha256-vectors.h"
|
|
@@ -109,7 +110,11 @@ class Pkcs11RsaPkcs1WycheproofTest
|
|
* Use 6 as the invalid value since modLen % 16 must be zero.
|
|
*/
|
|
TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {
|
|
- const size_t kRsaShortKeyBits = 736;
|
|
+#define RSA_SHORT_KEY_LENGTH 736
|
|
+/* if our minimum supported key length is big enough to handle
|
|
+ * our largest Hash function, we can't test a short length */
|
|
+#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH
|
|
+ const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH;
|
|
const size_t kRsaKeyBits = 752;
|
|
static const std::vector<uint8_t> kMsg{'T', 'E', 'S', 'T'};
|
|
static const std::vector<uint8_t> kSha512DigestInfo{
|
|
@@ -209,6 +214,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding)
|
|
SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
|
|
nullptr);
|
|
EXPECT_EQ(SECSuccess, rv);
|
|
+#else
|
|
+ GTEST_SKIP();
|
|
+#endif
|
|
}
|
|
|
|
TEST(RsaPkcs1Test, RequireNullParameter) {
|
|
diff -up ./gtests/ssl_gtest/tls_subcerts_unittest.cc.signature-policy ./gtests/ssl_gtest/tls_subcerts_unittest.cc
|
|
--- ./gtests/ssl_gtest/tls_subcerts_unittest.cc.signature-policy 2022-06-21 09:16:23.901904919 -0700
|
|
+++ ./gtests/ssl_gtest/tls_subcerts_unittest.cc 2022-06-21 09:19:12.482981408 -0700
|
|
@@ -9,6 +9,8 @@
|
|
#include "prtime.h"
|
|
#include "secerr.h"
|
|
#include "ssl.h"
|
|
+#include "nss.h"
|
|
+#include "blapit.h"
|
|
|
|
#include "gtest_utils.h"
|
|
#include "tls_agent.h"
|
|
@@ -357,9 +359,14 @@ static void GenerateWeakRsaKey(ScopedSEC
|
|
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
|
ASSERT_TRUE(slot);
|
|
PK11RSAGenParams rsaparams;
|
|
- // The absolute minimum size of RSA key that we can use with SHA-256 is
|
|
- // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
|
|
+// The absolute minimum size of RSA key that we can use with SHA-256 is
|
|
+// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
|
|
+#define RSA_WEAK_KEY 528
|
|
+#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY
|
|
rsaparams.keySizeInBits = 528;
|
|
+#else
|
|
+ rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1;
|
|
+#endif
|
|
rsaparams.pe = 65537;
|
|
|
|
// Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
|
|
@@ -399,6 +406,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
|
|
ssl_sig_rsa_pss_pss_sha256};
|
|
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
|
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
|
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
|
+ // save the MIN POLICY length.
|
|
+ PRInt32 minRsa;
|
|
+
|
|
+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
|
|
+#if RSA_MIN_MODULUS_BITS >= 2048
|
|
+ ASSERT_EQ(SECSuccess,
|
|
+ NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
|
|
+#else
|
|
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048));
|
|
+#endif
|
|
+#endif
|
|
|
|
ScopedSECKEYPrivateKey dc_priv;
|
|
ScopedSECKEYPublicKey dc_pub;
|
|
@@ -421,6 +440,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
|
|
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
|
|
client_, ssl_delegated_credentials_xtn);
|
|
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
|
|
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
|
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
|
|
+#endif
|
|
}
|
|
|
|
class ReplaceDCSigScheme : public TlsHandshakeFilter {
|
|
diff -up ./lib/cryptohi/keyhi.h.signature-policy ./lib/cryptohi/keyhi.h
|
|
--- ./lib/cryptohi/keyhi.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/cryptohi/keyhi.h 2022-06-21 09:16:23.917905021 -0700
|
|
@@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength
|
|
extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
|
|
|
|
/*
|
|
+** Return the strength of the private key in bits
|
|
+*/
|
|
+extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);
|
|
+
|
|
+/*
|
|
** Return the length of the signature in bytes
|
|
*/
|
|
extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
|
|
diff -up ./lib/cryptohi/keyi.h.signature-policy ./lib/cryptohi/keyi.h
|
|
--- ./lib/cryptohi/keyi.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/cryptohi/keyi.h 2022-06-21 09:16:23.917905021 -0700
|
|
@@ -4,6 +4,7 @@
|
|
|
|
#ifndef _KEYI_H_
|
|
#define _KEYI_H_
|
|
+#include "secerr.h"
|
|
|
|
SEC_BEGIN_PROTOS
|
|
/* NSS private functions */
|
|
@@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechan
|
|
const SECItem *params,
|
|
CK_RSA_PKCS_PSS_PARAMS *mech);
|
|
|
|
+/* make sure the key length matches the policy for keyType */
|
|
+SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,
|
|
+ SECErrorCodes error);
|
|
SEC_END_PROTOS
|
|
|
|
#endif /* _KEYHI_H_ */
|
|
diff -up ./lib/cryptohi/seckey.c.signature-policy ./lib/cryptohi/seckey.c
|
|
--- ./lib/cryptohi/seckey.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/cryptohi/seckey.c 2022-06-21 09:16:23.917905021 -0700
|
|
@@ -14,6 +14,7 @@
|
|
#include "secdig.h"
|
|
#include "prtime.h"
|
|
#include "keyi.h"
|
|
+#include "nss.h"
|
|
|
|
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
|
|
SEC_ASN1_MKSUB(SEC_IntegerTemplate)
|
|
@@ -1042,6 +1043,62 @@ SECKEY_PublicKeyStrengthInBits(const SEC
|
|
return bitSize;
|
|
}
|
|
|
|
+unsigned
|
|
+SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
|
|
+{
|
|
+ unsigned bitSize = 0;
|
|
+ CK_ATTRIBUTE_TYPE attribute = CKT_INVALID_TYPE;
|
|
+ SECItem params;
|
|
+ SECStatus rv;
|
|
+
|
|
+ if (!privk) {
|
|
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ /* interpret modulus length as key strength */
|
|
+ switch (privk->keyType) {
|
|
+ case rsaKey:
|
|
+ case rsaPssKey:
|
|
+ case rsaOaepKey:
|
|
+ /* some tokens don't export CKA_MODULUS on the private key,
|
|
+ * PK11_SignatureLen works around this if necessary */
|
|
+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
|
|
+ if (bitSize == -1) {
|
|
+ bitSize = 0;
|
|
+ }
|
|
+ return bitSize;
|
|
+ case dsaKey:
|
|
+ case fortezzaKey:
|
|
+ case dhKey:
|
|
+ case keaKey:
|
|
+ attribute = CKA_PRIME;
|
|
+ break;
|
|
+ case ecKey:
|
|
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
|
+ CKA_EC_PARAMS, NULL, ¶ms);
|
|
+ if ((rv != SECSuccess) || (params.data == NULL)) {
|
|
+ return 0;
|
|
+ }
|
|
+ bitSize = SECKEY_ECParamsToKeySize(¶ms);
|
|
+ PORT_Free(params.data);
|
|
+ return bitSize;
|
|
+ default:
|
|
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
|
+ return 0;
|
|
+ }
|
|
+ PORT_Assert(attribute != CKT_INVALID_TYPE);
|
|
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
|
+ attribute, NULL, ¶ms);
|
|
+ if ((rv != SECSuccess) || (params.data == NULL)) {
|
|
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
|
+ return 0;
|
|
+ }
|
|
+ bitSize = SECKEY_BigIntegerBitLength(¶ms);
|
|
+ PORT_Free(params.data);
|
|
+ return bitSize;
|
|
+}
|
|
+
|
|
/* returns signature length in bytes (not bits) */
|
|
unsigned
|
|
SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
|
|
@@ -1212,6 +1269,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
|
|
}
|
|
|
|
/*
|
|
+ * Check that a given key meets the policy limits for the given key
|
|
+ * size.
|
|
+ */
|
|
+SECStatus
|
|
+seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)
|
|
+{
|
|
+ PRInt32 opt = -1;
|
|
+ PRInt32 optVal;
|
|
+ SECStatus rv;
|
|
+
|
|
+ switch (keyType) {
|
|
+ case rsaKey:
|
|
+ case rsaPssKey:
|
|
+ case rsaOaepKey:
|
|
+ opt = NSS_RSA_MIN_KEY_SIZE;
|
|
+ break;
|
|
+ case dsaKey:
|
|
+ case fortezzaKey:
|
|
+ opt = NSS_DSA_MIN_KEY_SIZE;
|
|
+ break;
|
|
+ case dhKey:
|
|
+ case keaKey:
|
|
+ opt = NSS_DH_MIN_KEY_SIZE;
|
|
+ break;
|
|
+ case ecKey:
|
|
+ opt = NSS_ECC_MIN_KEY_SIZE;
|
|
+ break;
|
|
+ case nullKey:
|
|
+ default:
|
|
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
|
+ return SECFailure;
|
|
+ }
|
|
+ PORT_Assert(opt != -1);
|
|
+ rv = NSS_OptionGet(opt, &optVal);
|
|
+ if (rv != SECSuccess) {
|
|
+ return rv;
|
|
+ }
|
|
+ if (optVal < keyLength) {
|
|
+ PORT_SetError(error);
|
|
+ return SECFailure;
|
|
+ }
|
|
+ return SECSuccess;
|
|
+}
|
|
+
|
|
+/*
|
|
* Use the private key to find a public key handle. The handle will be on
|
|
* the same slot as the private key.
|
|
*/
|
|
diff -up ./lib/cryptohi/secsign.c.signature-policy ./lib/cryptohi/secsign.c
|
|
--- ./lib/cryptohi/secsign.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/cryptohi/secsign.c 2022-06-21 09:16:23.917905021 -0700
|
|
@@ -15,6 +15,7 @@
|
|
#include "pk11func.h"
|
|
#include "secerr.h"
|
|
#include "keyi.h"
|
|
+#include "nss.h"
|
|
|
|
struct SGNContextStr {
|
|
SECOidTag signalg;
|
|
@@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *p
|
|
SECOidTag hashalg, signalg;
|
|
KeyType keyType;
|
|
PRUint32 policyFlags;
|
|
+ PRInt32 optFlags;
|
|
SECStatus rv;
|
|
|
|
/* OK, map a PKCS #7 hash and encrypt algorithm into
|
|
@@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *p
|
|
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
|
return NULL;
|
|
}
|
|
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
|
|
+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
|
|
+ rv = seckey_EnforceKeySize(key->keyType,
|
|
+ SECKEY_PrivateKeyStrengthInBits(key),
|
|
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
|
+ if (rv != SECSuccess) {
|
|
+ return NULL;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
/* check the policy on the hash algorithm */
|
|
if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
|
|
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
|
|
@@ -467,9 +479,20 @@ SGN_Digest(SECKEYPrivateKey *privKey,
|
|
SGNDigestInfo *di = 0;
|
|
SECOidTag enctag;
|
|
PRUint32 policyFlags;
|
|
+ PRInt32 optFlags;
|
|
|
|
result->data = 0;
|
|
|
|
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
|
|
+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
|
|
+ rv = seckey_EnforceKeySize(privKey->keyType,
|
|
+ SECKEY_PrivateKeyStrengthInBits(privKey),
|
|
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
|
+ if (rv != SECSuccess) {
|
|
+ return SECFailure;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
/* check the policy on the hash algorithm */
|
|
if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
|
|
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
|
|
diff -up ./lib/cryptohi/secvfy.c.signature-policy ./lib/cryptohi/secvfy.c
|
|
--- ./lib/cryptohi/secvfy.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/cryptohi/secvfy.c 2022-06-21 09:16:23.918905028 -0700
|
|
@@ -16,6 +16,7 @@
|
|
#include "secdig.h"
|
|
#include "secerr.h"
|
|
#include "keyi.h"
|
|
+#include "nss.h"
|
|
|
|
/*
|
|
** Recover the DigestInfo from an RSA PKCS#1 signature.
|
|
@@ -467,6 +468,7 @@ vfy_CreateContext(const SECKEYPublicKey
|
|
unsigned int sigLen;
|
|
KeyType type;
|
|
PRUint32 policyFlags;
|
|
+ PRInt32 optFlags;
|
|
|
|
/* make sure the encryption algorithm matches the key type */
|
|
/* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
|
|
@@ -476,7 +478,16 @@ vfy_CreateContext(const SECKEYPublicKey
|
|
PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
|
|
return NULL;
|
|
}
|
|
-
|
|
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
|
|
+ if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {
|
|
+ rv = seckey_EnforceKeySize(key->keyType,
|
|
+ SECKEY_PublicKeyStrengthInBits(key),
|
|
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
|
+ if (rv != SECSuccess) {
|
|
+ return NULL;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
/* check the policy on the encryption algorithm */
|
|
if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
|
|
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
|
|
diff -up ./lib/freebl/blapit.h.signature-policy ./lib/freebl/blapit.h
|
|
--- ./lib/freebl/blapit.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/freebl/blapit.h 2022-06-21 09:16:23.918905028 -0700
|
|
@@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribu
|
|
* These values come from the initial key size limits from the PKCS #11
|
|
* module. They may be arbitrarily adjusted to any value freebl supports.
|
|
*/
|
|
-#define RSA_MIN_MODULUS_BITS 128
|
|
+#define RSA_MIN_MODULUS_BITS 1023 /* 128 */
|
|
#define RSA_MAX_MODULUS_BITS 16384
|
|
#define RSA_MAX_EXPONENT_BITS 64
|
|
#define DH_MIN_P_BITS 128
|
|
diff -up ./lib/nss/nss.h.signature-policy ./lib/nss/nss.h
|
|
--- ./lib/nss/nss.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/nss/nss.h 2022-06-21 09:16:23.918905028 -0700
|
|
@@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu
|
|
#define NSS_DEFAULT_LOCKS 0x00d /* lock default values */
|
|
#define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */
|
|
|
|
+/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to
|
|
+ * the NSS_XXX_MIN_KEY_SIZE values.
|
|
+ * NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input
|
|
+ * value
|
|
+ * On get it returns all the flags
|
|
+ * NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and
|
|
+ * does not affect the other flags
|
|
+ * On get it returns all the flags
|
|
+ * NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input
|
|
+ * value and does not affect the other flags
|
|
+ * On get it returns all the compliment of all the flags
|
|
+ * (cleared flags == 1) */
|
|
+#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e
|
|
+#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f
|
|
+#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010
|
|
+/* currently defined flags */
|
|
+#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1
|
|
+#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2
|
|
+#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4
|
|
+
|
|
+#define NSS_ECC_MIN_KEY_SIZE 0x011
|
|
+
|
|
/*
|
|
* Set and get global options for the NSS library.
|
|
*/
|
|
diff -up ./lib/nss/nssoptions.c.signature-policy ./lib/nss/nssoptions.c
|
|
--- ./lib/nss/nssoptions.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/nss/nssoptions.c 2022-06-21 09:16:23.918905028 -0700
|
|
@@ -26,6 +26,8 @@ struct nssOps {
|
|
PRInt32 dtlsVersionMaxPolicy;
|
|
PRInt32 pkcs12DecodeForceUnicode;
|
|
PRInt32 defaultLocks;
|
|
+ PRInt32 keySizePolicyFlags;
|
|
+ PRInt32 eccMinKeySize;
|
|
};
|
|
|
|
static struct nssOps nss_ops = {
|
|
@@ -37,7 +39,9 @@ static struct nssOps nss_ops = {
|
|
1,
|
|
0xffff,
|
|
PR_FALSE,
|
|
- 0
|
|
+ 0,
|
|
+ NSS_KEY_SIZE_POLICY_SSL_FLAG,
|
|
+ SSL_ECC_MIN_CURVE_BITS
|
|
};
|
|
|
|
SECStatus
|
|
@@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
|
|
case NSS_DEFAULT_LOCKS:
|
|
nss_ops.defaultLocks = value;
|
|
break;
|
|
+ case NSS_KEY_SIZE_POLICY_FLAGS:
|
|
+ nss_ops.keySizePolicyFlags = value;
|
|
+ break;
|
|
+ case NSS_KEY_SIZE_POLICY_SET_FLAGS:
|
|
+ nss_ops.keySizePolicyFlags |= value;
|
|
+ break;
|
|
+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
|
|
+ nss_ops.keySizePolicyFlags &= ~value;
|
|
+ break;
|
|
+ case NSS_ECC_MIN_KEY_SIZE:
|
|
+ nss_ops.eccMinKeySize = value;
|
|
+ break;
|
|
default:
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
rv = SECFailure;
|
|
@@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va
|
|
case NSS_DEFAULT_LOCKS:
|
|
*value = nss_ops.defaultLocks;
|
|
break;
|
|
+ case NSS_KEY_SIZE_POLICY_FLAGS:
|
|
+ case NSS_KEY_SIZE_POLICY_SET_FLAGS:
|
|
+ *value = nss_ops.keySizePolicyFlags;
|
|
+ break;
|
|
+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
|
|
+ *value = ~nss_ops.keySizePolicyFlags;
|
|
+ break;
|
|
+ case NSS_ECC_MIN_KEY_SIZE:
|
|
+ *value = nss_ops.eccMinKeySize;
|
|
+ break;
|
|
default:
|
|
rv = SECFailure;
|
|
}
|
|
diff -up ./lib/nss/nssoptions.h.signature-policy ./lib/nss/nssoptions.h
|
|
--- ./lib/nss/nssoptions.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/nss/nssoptions.h 2022-06-21 09:16:23.918905028 -0700
|
|
@@ -18,3 +18,5 @@
|
|
* happens because NSS used to count bit lengths incorrectly. */
|
|
#define SSL_DH_MIN_P_BITS 1023
|
|
#define SSL_DSA_MIN_P_BITS 1023
|
|
+/* not really used by SSL, but define it here for consistency */
|
|
+#define SSL_ECC_MIN_CURVE_BITS 256
|
|
diff -up ./lib/pk11wrap/pk11kea.c.signature-policy ./lib/pk11wrap/pk11kea.c
|
|
--- ./lib/pk11wrap/pk11kea.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/pk11wrap/pk11kea.c 2022-06-21 09:16:23.918905028 -0700
|
|
@@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_
|
|
if (privKeyHandle == CK_INVALID_HANDLE) {
|
|
PK11RSAGenParams rsaParams;
|
|
|
|
- if (symKeyLength > 53) /* bytes */ {
|
|
- /* we'd have to generate an RSA key pair > 512 bits long,
|
|
+ if (symKeyLength > 120) /* bytes */ {
|
|
+ /* we'd have to generate an RSA key pair > 1024 bits long,
|
|
** and that's too costly. Don't even try.
|
|
*/
|
|
PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
|
|
goto rsa_failed;
|
|
}
|
|
- rsaParams.keySizeInBits =
|
|
- (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
|
|
+ rsaParams.keySizeInBits = 1024;
|
|
rsaParams.pe = 0x10001;
|
|
privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
|
|
&rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);
|
|
diff -up ./lib/pk11wrap/pk11pars.c.signature-policy ./lib/pk11wrap/pk11pars.c
|
|
--- ./lib/pk11wrap/pk11pars.c.signature-policy 2022-06-21 09:16:23.898904900 -0700
|
|
+++ ./lib/pk11wrap/pk11pars.c 2022-06-21 09:16:23.918905028 -0700
|
|
@@ -430,12 +430,21 @@ static const optionFreeDef sslOptList[]
|
|
{ CIPHER_NAME("DTLS1.3"), 0x304 },
|
|
};
|
|
|
|
+static const optionFreeDef keySizeFlagsList[] = {
|
|
+ { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG },
|
|
+ { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG },
|
|
+ { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG },
|
|
+};
|
|
+
|
|
static const optionFreeDef freeOptList[] = {
|
|
|
|
/* Restrictions for asymetric keys */
|
|
{ CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE },
|
|
{ CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE },
|
|
{ CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE },
|
|
+ { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE },
|
|
+ /* what operations doe the key size apply to */
|
|
+ { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS },
|
|
/* constraints on SSL Protocols */
|
|
{ CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY },
|
|
{ CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
|
|
@@ -543,6 +552,7 @@ secmod_getPolicyOptValue(const char *pol
|
|
*result = val;
|
|
return SECSuccess;
|
|
}
|
|
+ /* handle any ssl strings */
|
|
for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
|
|
if (policyValueLength == sslOptList[i].name_size &&
|
|
PORT_Strncasecmp(sslOptList[i].name, policyValue,
|
|
@@ -551,7 +561,29 @@ secmod_getPolicyOptValue(const char *pol
|
|
return SECSuccess;
|
|
}
|
|
}
|
|
- return SECFailure;
|
|
+ /* handle key_size flags. Each flag represents a bit, which
|
|
+ * gets or'd together. They can be separated by , | or + */
|
|
+ val = 0;
|
|
+ while (*policyValue) {
|
|
+ PRBool found = PR_FALSE;
|
|
+ for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) {
|
|
+ if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue,
|
|
+ keySizeFlagsList[i].name_size) == 0) {
|
|
+ val |= keySizeFlagsList[i].option;
|
|
+ found = PR_TRUE;
|
|
+ policyValue += keySizeFlagsList[i].name_size;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ if (!found) {
|
|
+ return SECFailure;
|
|
+ }
|
|
+ if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') {
|
|
+ policyValue++;
|
|
+ }
|
|
+ }
|
|
+ *result = val;
|
|
+ return SECSuccess;
|
|
}
|
|
|
|
/* Policy operations:
|
|
diff -up ./lib/softoken/fips_algorithms.h.signature-policy ./lib/softoken/fips_algorithms.h
|
|
--- ./lib/softoken/fips_algorithms.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/softoken/fips_algorithms.h 2022-06-21 09:16:23.919905034 -0700
|
|
@@ -54,7 +54,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
|
|
/* mechanisms using the same key types share the same key type
|
|
* limits */
|
|
#define RSA_FB_KEY 2048, 4096 /* min, max */
|
|
-#define RSA_FB_STEP 1024
|
|
+#define RSA_FB_STEP 1
|
|
+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
|
|
+#define RSA_LEGACY_FB_STEP 256
|
|
#define DSA_FB_KEY 2048, 4096 /* min, max */
|
|
#define DSA_FB_STEP 1024
|
|
#define DH_FB_KEY 2048, 4096 /* min, max */
|
|
@@ -66,6 +68,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
|
|
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
|
|
{ CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
|
{ CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },
|
|
+ { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
|
/* -------------- RSA Multipart Signing Operations -------------------- */
|
|
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
|
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
|
@@ -75,6 +78,14 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
|
|
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
|
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
|
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
|
+ { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
|
+ { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
|
+ { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
|
+ { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
|
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
|
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
|
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
|
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
|
/* ------------------------- DSA Operations --------------------------- */
|
|
{ CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
|
|
{ CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
|
|
diff -up ./lib/ssl/ssl3con.c.signature-policy ./lib/ssl/ssl3con.c
|
|
--- ./lib/ssl/ssl3con.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./lib/ssl/ssl3con.c 2022-06-21 09:16:23.920905040 -0700
|
|
@@ -7409,6 +7409,8 @@ ssl_HandleDHServerKeyExchange(sslSocket
|
|
unsigned dh_p_bits;
|
|
unsigned dh_g_bits;
|
|
PRInt32 minDH;
|
|
+ PRInt32 optval;
|
|
+ PRBool usePolicyLength = PR_FALSE;
|
|
|
|
SSL3Hashes hashes;
|
|
SECItem signature = { siBuffer, NULL, 0 };
|
|
@@ -7419,8 +7421,13 @@ ssl_HandleDHServerKeyExchange(sslSocket
|
|
if (rv != SECSuccess) {
|
|
goto loser; /* malformed. */
|
|
}
|
|
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
|
|
+ if (rv == SECSuccess) {
|
|
+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
|
|
+ }
|
|
|
|
- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
|
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH)
|
|
+ : SECFailure;
|
|
if (rv != SECSuccess || minDH <= 0) {
|
|
minDH = SSL_DH_MIN_P_BITS;
|
|
}
|
|
@@ -11411,13 +11418,20 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
|
SECStatus rv;
|
|
PRUint32 minKey;
|
|
PRInt32 optval;
|
|
+ PRBool usePolicyLength = PR_TRUE;
|
|
+
|
|
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
|
|
+ if (rv == SECSuccess) {
|
|
+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
|
|
+ }
|
|
|
|
ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
|
|
switch (SECKEY_GetPublicKeyType(pubKey)) {
|
|
case rsaKey:
|
|
case rsaPssKey:
|
|
case rsaOaepKey:
|
|
- rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval);
|
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval)
|
|
+ : SECFailure;
|
|
if (rv == SECSuccess && optval > 0) {
|
|
minKey = (PRUint32)optval;
|
|
} else {
|
|
@@ -11426,7 +11440,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
|
break;
|
|
|
|
case dsaKey:
|
|
- rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval);
|
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval)
|
|
+ : SECFailure;
|
|
if (rv == SECSuccess && optval > 0) {
|
|
minKey = (PRUint32)optval;
|
|
} else {
|
|
@@ -11435,7 +11450,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
|
break;
|
|
|
|
case dhKey:
|
|
- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval);
|
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval)
|
|
+ : SECFailure;
|
|
if (rv == SECSuccess && optval > 0) {
|
|
minKey = (PRUint32)optval;
|
|
} else {
|
|
@@ -11444,9 +11460,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
|
break;
|
|
|
|
case ecKey:
|
|
- /* Don't check EC strength here on the understanding that we only
|
|
- * support curves we like. */
|
|
- minKey = ss->sec.authKeyBits;
|
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval)
|
|
+ : SECFailure;
|
|
+ if (rv == SECSuccess && optval > 0) {
|
|
+ minKey = (PRUint32)optval;
|
|
+ } else {
|
|
+ /* Don't check EC strength here on the understanding that we
|
|
+ * only support curves we like. */
|
|
+ minKey = ss->sec.authKeyBits;
|
|
+ }
|
|
break;
|
|
|
|
default:
|
|
diff -up ./tests/policy/crypto-policy.txt.signature-policy ./tests/policy/crypto-policy.txt
|
|
--- ./tests/policy/crypto-policy.txt.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./tests/policy/crypto-policy.txt 2022-06-21 09:16:23.920905040 -0700
|
|
@@ -6,6 +6,8 @@
|
|
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
|
|
0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
|
|
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
|
|
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size
|
|
+2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size
|
|
2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
|
|
2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
|
|
2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
|
|
diff -up ./tests/ssl/sslpolicy.txt.signature-policy ./tests/ssl/sslpolicy.txt
|
|
--- ./tests/ssl/sslpolicy.txt.signature-policy 2022-05-26 02:54:33.000000000 -0700
|
|
+++ ./tests/ssl/sslpolicy.txt 2022-06-21 09:16:23.920905040 -0700
|
|
@@ -194,6 +194,10 @@
|
|
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
|
|
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
|
|
1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
|
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
|
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
|
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
|
+ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
|
# test default settings
|
|
# NOTE: tstclient will attempt to overide the defaults, so we detect we
|
|
# were successful by locking in our settings
|