rpms / nss

Clone
Source Code
GIT

Blame SOURCES/nss-3.79-rhel-8-fips-signature-policy.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c8 c8-beta c8-sig-altarch-armhfp c8s c9 c9-beta
  1.   c8-beta
  2.   SOURCES
  3.   nss-3.79-rhel-8-fips-signature-policy.patch
Blob History Raw
285d04 
diff -up ./cmd/crmftest/testcrmf.c.sign_policy ./cmd/crmftest/testcrmf.c
285d04 
--- ./cmd/crmftest/testcrmf.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./cmd/crmftest/testcrmf.c	2022-06-20 16:47:35.023785628 -0700
285d04 
@@ -85,7 +85,7 @@
285d04 
 #include "sechash.h"
285d04 
 #endif
285d04
285d04 
-#define MAX_KEY_LEN 512
285d04 
+#define MAX_KEY_LEN 1024
285d04 
 #define PATH_LEN 150
285d04 
 #define BUFF_SIZE 150
285d04 
 #define UID_BITS 800
285d04 
diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
285d04 
--- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc	2022-06-20 16:47:35.024785635 -0700
285d04 
@@ -16,6 +16,7 @@
285d04 
 #include "secerr.h"
285d04 
 #include "sechash.h"
285d04 
 #include "pk11_signature_test.h"
285d04 
+#include "blapit.h"
285d04
285d04 
 #include "testvectors/rsa_signature_2048_sha224-vectors.h"
285d04 
 #include "testvectors/rsa_signature_2048_sha256-vectors.h"
285d04 
@@ -109,7 +110,11 @@ class Pkcs11RsaPkcs1WycheproofTest
285d04 
  * Use 6 as the invalid value since modLen % 16 must be zero.
285d04 
  */
285d04 
 TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {
285d04 
-  const size_t kRsaShortKeyBits = 736;
285d04 
+#define RSA_SHORT_KEY_LENGTH 736
285d04 
+/* if our minimum supported key length is big enough to handle
285d04 
+ * our largest Hash function, we can't test a short length */
285d04 
+#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH
285d04 
+  const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH;
285d04 
   const size_t kRsaKeyBits = 752;
285d04 
   static const std::vector<uint8_t> kMsg{'T', 'E', 'S', 'T'};
285d04 
   static const std::vector<uint8_t> kSha512DigestInfo{
285d04 
@@ -209,6 +214,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding)
285d04 
                               SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
285d04 
                               nullptr);
285d04 
   EXPECT_EQ(SECSuccess, rv);
285d04 
+#else
285d04 
+  GTEST_SKIP();
285d04 
+#endif
285d04 
 }
285d04
285d04 
 TEST(RsaPkcs1Test, RequireNullParameter) {
285d04 
diff -up ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy ./gtests/ssl_gtest/tls_subcerts_unittest.cc
285d04 
--- ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./gtests/ssl_gtest/tls_subcerts_unittest.cc	2022-06-20 16:47:35.024785635 -0700
285d04 
@@ -9,6 +9,8 @@
285d04 
 #include "prtime.h"
285d04 
 #include "secerr.h"
285d04 
 #include "ssl.h"
285d04 
+#include "nss.h"
285d04 
+#include "blapit.h"
285d04
285d04 
 #include "gtest_utils.h"
285d04 
 #include "tls_agent.h"
285d04 
@@ -348,9 +350,14 @@ static void GenerateWeakRsaKey(ScopedSEC
285d04 
   ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
285d04 
   ASSERT_TRUE(slot);
285d04 
   PK11RSAGenParams rsaparams;
285d04 
-  // The absolute minimum size of RSA key that we can use with SHA-256 is
285d04 
-  // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
285d04 
+// The absolute minimum size of RSA key that we can use with SHA-256 is
285d04 
+// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
285d04 
+#define RSA_WEAK_KEY 528
285d04 
+#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY
285d04 
   rsaparams.keySizeInBits = 528;
285d04 
+#else
285d04 
+  rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1;
285d04 
+#endif
285d04 
   rsaparams.pe = 65537;
285d04
285d04 
   // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
285d04 
@@ -390,6 +397,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
285d04 
                                                 ssl_sig_rsa_pss_pss_sha256};
285d04 
   client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
285d04 
   server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
285d04 
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
285d04 
+  // save the MIN POLICY length.
285d04 
+  PRInt32 minRsa;
285d04 
+
285d04 
+  ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
285d04 
+#if RSA_MIN_MODULUS_BITS >= 2048
285d04 
+  ASSERT_EQ(SECSuccess,
285d04 
+            NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
285d04 
+#else
285d04 
+  ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048));
285d04 
+#endif
285d04 
+#endif
285d04
285d04 
   ScopedSECKEYPrivateKey dc_priv;
285d04 
   ScopedSECKEYPublicKey dc_pub;
285d04 
@@ -412,6 +431,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
285d04 
   auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
285d04 
       client_, ssl_delegated_credentials_xtn);
285d04 
   ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
285d04 
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
285d04 
+  ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
285d04 
+#endif
285d04 
 }
285d04
285d04 
 class ReplaceDCSigScheme : public TlsHandshakeFilter {
285d04 
diff -up ./lib/cryptohi/keyhi.h.sign_policy ./lib/cryptohi/keyhi.h
285d04 
--- ./lib/cryptohi/keyhi.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/cryptohi/keyhi.h	2022-06-20 16:47:35.024785635 -0700
285d04 
@@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength
285d04 
 extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
285d04
285d04 
 /*
285d04 
+** Return the strength of the private key in bits
285d04 
+*/
285d04 
+extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);
285d04 
+
285d04 
+/*
285d04 
 ** Return the length of the signature in bytes
285d04 
 */
285d04 
 extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
285d04 
diff -up ./lib/cryptohi/keyi.h.sign_policy ./lib/cryptohi/keyi.h
285d04 
--- ./lib/cryptohi/keyi.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/cryptohi/keyi.h	2022-06-20 16:47:35.024785635 -0700
285d04 
@@ -4,6 +4,7 @@
285d04
285d04 
 #ifndef _KEYI_H_
285d04 
 #define _KEYI_H_
285d04 
+#include "secerr.h"
285d04
285d04 
 SEC_BEGIN_PROTOS
285d04 
 /* NSS private functions */
285d04 
@@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechan
285d04 
                                             const SECItem *params,
285d04 
                                             CK_RSA_PKCS_PSS_PARAMS *mech);
285d04
285d04 
+/* make sure the key length matches the policy for keyType */
285d04 
+SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,
285d04 
+                                SECErrorCodes error);
285d04 
 SEC_END_PROTOS
285d04
285d04 
 #endif /* _KEYHI_H_ */
285d04 
diff -up ./lib/cryptohi/seckey.c.sign_policy ./lib/cryptohi/seckey.c
285d04 
--- ./lib/cryptohi/seckey.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/cryptohi/seckey.c	2022-06-20 16:47:35.025785641 -0700
285d04 
@@ -14,6 +14,7 @@
285d04 
 #include "secdig.h"
285d04 
 #include "prtime.h"
285d04 
 #include "keyi.h"
285d04 
+#include "nss.h"
285d04
285d04 
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
285d04 
 SEC_ASN1_MKSUB(SEC_IntegerTemplate)
285d04 
@@ -1042,6 +1043,62 @@ SECKEY_PublicKeyStrengthInBits(const SEC
285d04 
     return bitSize;
285d04 
 }
285d04
285d04 
+unsigned
285d04 
+SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
285d04 
+{
285d04 
+    unsigned bitSize = 0;
285d04 
+    CK_ATTRIBUTE_TYPE attribute = CKT_INVALID_TYPE;
285d04 
+    SECItem params;
285d04 
+    SECStatus rv;
285d04 
+
285d04 
+    if (!privk) {
285d04 
+        PORT_SetError(SEC_ERROR_INVALID_KEY);
285d04 
+        return 0;
285d04 
+    }
285d04 
+
285d04 
+    /* interpret modulus length as key strength */
285d04 
+    switch (privk->keyType) {
285d04 
+        case rsaKey:
285d04 
+        case rsaPssKey:
285d04 
+        case rsaOaepKey:
285d04 
+            /* some tokens don't export CKA_MODULUS on the private key,
285d04 
+             * PK11_SignatureLen works around this if necessary */
285d04 
+            bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
285d04 
+            if (bitSize == -1) {
285d04 
+                bitSize = 0;
285d04 
+            }
285d04 
+            return bitSize;
285d04 
+        case dsaKey:
285d04 
+        case fortezzaKey:
285d04 
+        case dhKey:
285d04 
+        case keaKey:
285d04 
+            attribute = CKA_PRIME;
285d04 
+            break;
285d04 
+        case ecKey:
285d04 
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
285d04 
+                                    CKA_EC_PARAMS, NULL, &params);
285d04 
+            if ((rv != SECSuccess) || (params.data == NULL)) {
285d04 
+                return 0;
285d04 
+            }
285d04 
+            bitSize = SECKEY_ECParamsToKeySize(&params);
285d04 
+            PORT_Free(params.data);
285d04 
+            return bitSize;
285d04 
+        default:
285d04 
+            PORT_SetError(SEC_ERROR_INVALID_KEY);
285d04 
+            return 0;
285d04 
+    }
285d04 
+    PORT_Assert(attribute != CKT_INVALID_TYPE);
285d04 
+    rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
285d04 
+                            attribute, NULL, &params);
285d04 
+    if ((rv != SECSuccess) || (params.data == NULL)) {
285d04 
+        PORT_SetError(SEC_ERROR_INVALID_KEY);
285d04 
+        return 0;
285d04 
+    }
285d04 
+    bitSize = SECKEY_BigIntegerBitLength(&params);
285d04 
+    PORT_Free(params.data);
285d04 
+    return bitSize;
285d04 
+}
285d04 
+
285d04 
 /* returns signature length in bytes (not bits) */
285d04 
 unsigned
285d04 
 SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
285d04 
@@ -1212,6 +1269,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
285d04 
 }
285d04
285d04 
 /*
285d04 
+ * Check that a given key meets the policy limits for the given key
285d04 
+ * size.
285d04 
+ */
285d04 
+SECStatus
285d04 
+seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)
285d04 
+{
285d04 
+    PRInt32 opt = -1;
285d04 
+    PRInt32 optVal;
285d04 
+    SECStatus rv;
285d04 
+
285d04 
+    switch (keyType) {
285d04 
+        case rsaKey:
285d04 
+        case rsaPssKey:
285d04 
+        case rsaOaepKey:
285d04 
+            opt = NSS_RSA_MIN_KEY_SIZE;
285d04 
+            break;
285d04 
+        case dsaKey:
285d04 
+        case fortezzaKey:
285d04 
+            opt = NSS_DSA_MIN_KEY_SIZE;
285d04 
+            break;
285d04 
+        case dhKey:
285d04 
+        case keaKey:
285d04 
+            opt = NSS_DH_MIN_KEY_SIZE;
285d04 
+            break;
285d04 
+        case ecKey:
285d04 
+            opt = NSS_ECC_MIN_KEY_SIZE;
285d04 
+            break;
285d04 
+        case nullKey:
285d04 
+        default:
285d04 
+            PORT_SetError(SEC_ERROR_INVALID_KEY);
285d04 
+            return SECFailure;
285d04 
+    }
285d04 
+    PORT_Assert(opt != -1);
285d04 
+    rv = NSS_OptionGet(opt, &optVal);
285d04 
+    if (rv != SECSuccess) {
285d04 
+        return rv;
285d04 
+    }
285d04 
+    if (optVal < keyLength) {
285d04 
+        PORT_SetError(error);
285d04 
+        return SECFailure;
285d04 
+    }
285d04 
+    return SECSuccess;
285d04 
+}
285d04 
+
285d04 
+/*
285d04 
  * Use the private key to find a public key handle. The handle will be on
285d04 
  * the same slot as the private key.
285d04 
  */
285d04 
diff -up ./lib/cryptohi/secsign.c.sign_policy ./lib/cryptohi/secsign.c
285d04 
--- ./lib/cryptohi/secsign.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/cryptohi/secsign.c	2022-06-20 16:47:35.025785641 -0700
285d04 
@@ -15,6 +15,7 @@
285d04 
 #include "pk11func.h"
285d04 
 #include "secerr.h"
285d04 
 #include "keyi.h"
285d04 
+#include "nss.h"
285d04
285d04 
 struct SGNContextStr {
285d04 
     SECOidTag signalg;
285d04 
@@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *p
285d04 
     SECOidTag hashalg, signalg;
285d04 
     KeyType keyType;
285d04 
     PRUint32 policyFlags;
285d04 
+    PRInt32 optFlags;
285d04 
     SECStatus rv;
285d04
285d04 
     /* OK, map a PKCS #7 hash and encrypt algorithm into
285d04 
@@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *p
285d04 
         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
285d04 
         return NULL;
285d04 
     }
285d04 
+    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
285d04 
+        if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
285d04 
+            rv = seckey_EnforceKeySize(key->keyType,
285d04 
+                                       SECKEY_PrivateKeyStrengthInBits(key),
285d04 
+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
285d04 
+            if (rv != SECSuccess) {
285d04 
+                return NULL;
285d04 
+            }
285d04 
+        }
285d04 
+    }
285d04 
     /* check the policy on the hash algorithm */
285d04 
     if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
285d04 
         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
285d04 
@@ -467,9 +479,20 @@ SGN_Digest(SECKEYPrivateKey *privKey,
285d04 
     SGNDigestInfo *di = 0;
285d04 
     SECOidTag enctag;
285d04 
     PRUint32 policyFlags;
285d04 
+    PRInt32 optFlags;
285d04
285d04 
     result->data = 0;
285d04
285d04 
+    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
285d04 
+        if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
285d04 
+            rv = seckey_EnforceKeySize(privKey->keyType,
285d04 
+                                       SECKEY_PrivateKeyStrengthInBits(privKey),
285d04 
+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
285d04 
+            if (rv != SECSuccess) {
285d04 
+                return SECFailure;
285d04 
+            }
285d04 
+        }
285d04 
+    }
285d04 
     /* check the policy on the hash algorithm */
285d04 
     if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
285d04 
         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
285d04 
diff -up ./lib/cryptohi/secvfy.c.sign_policy ./lib/cryptohi/secvfy.c
285d04 
--- ./lib/cryptohi/secvfy.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/cryptohi/secvfy.c	2022-06-20 16:47:35.025785641 -0700
285d04 
@@ -16,6 +16,7 @@
285d04 
 #include "secdig.h"
285d04 
 #include "secerr.h"
285d04 
 #include "keyi.h"
285d04 
+#include "nss.h"
285d04
285d04 
 /*
285d04 
 ** Recover the DigestInfo from an RSA PKCS#1 signature.
285d04 
@@ -467,6 +468,7 @@ vfy_CreateContext(const SECKEYPublicKey
285d04 
     unsigned int sigLen;
285d04 
     KeyType type;
285d04 
     PRUint32 policyFlags;
285d04 
+    PRInt32 optFlags;
285d04
285d04 
     /* make sure the encryption algorithm matches the key type */
285d04 
     /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
285d04 
@@ -476,7 +478,16 @@ vfy_CreateContext(const SECKEYPublicKey
285d04 
         PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
285d04 
         return NULL;
285d04 
     }
285d04 
-
285d04 
+    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
285d04 
+        if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {
285d04 
+            rv = seckey_EnforceKeySize(key->keyType,
285d04 
+                                       SECKEY_PublicKeyStrengthInBits(key),
285d04 
+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
285d04 
+            if (rv != SECSuccess) {
285d04 
+                return NULL;
285d04 
+            }
285d04 
+        }
285d04 
+    }
285d04 
     /* check the policy on the encryption algorithm */
285d04 
     if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
285d04 
         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
285d04 
diff -up ./lib/freebl/blapit.h.sign_policy ./lib/freebl/blapit.h
285d04 
--- ./lib/freebl/blapit.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/freebl/blapit.h	2022-06-20 16:47:35.025785641 -0700
285d04 
@@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribu
285d04 
  * These values come from the initial key size limits from the PKCS #11
285d04 
  * module. They may be arbitrarily adjusted to any value freebl supports.
285d04 
  */
285d04 
-#define RSA_MIN_MODULUS_BITS 128
285d04 
+#define RSA_MIN_MODULUS_BITS 1023 /* 128 */
285d04 
 #define RSA_MAX_MODULUS_BITS 16384
285d04 
 #define RSA_MAX_EXPONENT_BITS 64
285d04 
 #define DH_MIN_P_BITS 128
285d04 
diff -up ./lib/nss/nss.h.sign_policy ./lib/nss/nss.h
285d04 
--- ./lib/nss/nss.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/nss/nss.h	2022-06-20 16:47:35.026785647 -0700
285d04 
@@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu
285d04 
 #define NSS_DEFAULT_LOCKS 0x00d /* lock default values */
285d04 
 #define NSS_DEFAULT_SSL_LOCK 1  /* lock the ssl default values */
285d04
285d04 
+/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to
285d04 
+ * the NSS_XXX_MIN_KEY_SIZE values.
285d04 
+ *    NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input
285d04 
+ *                              value
285d04 
+ *     On get it returns all the flags
285d04 
+ *    NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and
285d04 
+ *                                  does not affect the other flags
285d04 
+ *     On get it returns all the flags
285d04 
+ *    NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input
285d04 
+ *                                    value and does not affect the other flags
285d04 
+ *     On get it returns all the compliment of all the flags
285d04 
+ *     (cleared flags == 1) */
285d04 
+#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e
285d04 
+#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f
285d04 
+#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010
285d04 
+/* currently defined flags */
285d04 
+#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1
285d04 
+#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2
285d04 
+#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4
285d04 
+
285d04 
+#define NSS_ECC_MIN_KEY_SIZE 0x011
285d04 
+
285d04 
 /*
285d04 
  * Set and get global options for the NSS library.
285d04 
  */
285d04 
diff -up ./lib/nss/nssoptions.c.sign_policy ./lib/nss/nssoptions.c
285d04 
--- ./lib/nss/nssoptions.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/nss/nssoptions.c	2022-06-20 16:47:35.026785647 -0700
285d04 
@@ -26,6 +26,8 @@ struct nssOps {
285d04 
     PRInt32 dtlsVersionMaxPolicy;
285d04 
     PRInt32 pkcs12DecodeForceUnicode;
285d04 
     PRInt32 defaultLocks;
285d04 
+    PRInt32 keySizePolicyFlags;
285d04 
+    PRInt32 eccMinKeySize;
285d04 
 };
285d04
285d04 
 static struct nssOps nss_ops = {
285d04 
@@ -37,7 +39,9 @@ static struct nssOps nss_ops = {
285d04 
     1,
285d04 
     0xffff,
285d04 
     PR_FALSE,
285d04 
-    0
285d04 
+    0,
285d04 
+    NSS_KEY_SIZE_POLICY_SSL_FLAG,
285d04 
+    SSL_ECC_MIN_CURVE_BITS
285d04 
 };
285d04
285d04 
 SECStatus
285d04 
@@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
285d04 
         case NSS_DEFAULT_LOCKS:
285d04 
             nss_ops.defaultLocks = value;
285d04 
             break;
285d04 
+        case NSS_KEY_SIZE_POLICY_FLAGS:
285d04 
+            nss_ops.keySizePolicyFlags = value;
285d04 
+            break;
285d04 
+        case NSS_KEY_SIZE_POLICY_SET_FLAGS:
285d04 
+            nss_ops.keySizePolicyFlags |= value;
285d04 
+            break;
285d04 
+        case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
285d04 
+            nss_ops.keySizePolicyFlags &= ~value;
285d04 
+            break;
285d04 
+        case NSS_ECC_MIN_KEY_SIZE:
285d04 
+            nss_ops.eccMinKeySize = value;
285d04 
+            break;
285d04 
         default:
285d04 
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
285d04 
             rv = SECFailure;
285d04 
@@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va
285d04 
         case NSS_DEFAULT_LOCKS:
285d04 
             *value = nss_ops.defaultLocks;
285d04 
             break;
285d04 
+        case NSS_KEY_SIZE_POLICY_FLAGS:
285d04 
+        case NSS_KEY_SIZE_POLICY_SET_FLAGS:
285d04 
+            *value = nss_ops.keySizePolicyFlags;
285d04 
+            break;
285d04 
+        case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
285d04 
+            *value = ~nss_ops.keySizePolicyFlags;
285d04 
+            break;
285d04 
+        case NSS_ECC_MIN_KEY_SIZE:
285d04 
+            *value = nss_ops.eccMinKeySize;
285d04 
+            break;
285d04 
         default:
285d04 
             rv = SECFailure;
285d04 
     }
285d04 
diff -up ./lib/nss/nssoptions.h.sign_policy ./lib/nss/nssoptions.h
285d04 
--- ./lib/nss/nssoptions.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/nss/nssoptions.h	2022-06-20 16:47:35.026785647 -0700
285d04 
@@ -18,3 +18,5 @@
285d04 
  * happens because NSS used to count bit lengths incorrectly. */
285d04 
 #define SSL_DH_MIN_P_BITS 1023
285d04 
 #define SSL_DSA_MIN_P_BITS 1023
285d04 
+/* not really used by SSL, but define it here for consistency */
285d04 
+#define SSL_ECC_MIN_CURVE_BITS 256
285d04 
diff -up ./lib/pk11wrap/pk11kea.c.sign_policy ./lib/pk11wrap/pk11kea.c
285d04 
--- ./lib/pk11wrap/pk11kea.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./lib/pk11wrap/pk11kea.c	2022-06-20 16:47:35.026785647 -0700
285d04 
@@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_
285d04 
         if (privKeyHandle == CK_INVALID_HANDLE) {
285d04 
             PK11RSAGenParams rsaParams;
285d04
285d04 
-            if (symKeyLength > 53) /* bytes */ {
285d04 
-                /* we'd have to generate an RSA key pair > 512 bits long,
285d04 
+            if (symKeyLength > 120) /* bytes */ {
285d04 
+                /* we'd have to generate an RSA key pair > 1024 bits long,
285d04 
                 ** and that's too costly.  Don't even try.
285d04 
                 */
285d04 
                 PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
285d04 
                 goto rsa_failed;
285d04 
             }
285d04 
-            rsaParams.keySizeInBits =
285d04 
-                (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
285d04 
+            rsaParams.keySizeInBits = 1024;
285d04 
             rsaParams.pe = 0x10001;
285d04 
             privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
285d04 
                                            &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);
285d04 
diff -up ./lib/pk11wrap/pk11pars.c.sign_policy ./lib/pk11wrap/pk11pars.c
285d04 
--- ./lib/pk11wrap/pk11pars.c.sign_policy	2022-06-20 16:47:35.004785510 -0700
285d04 
+++ ./lib/pk11wrap/pk11pars.c	2022-06-20 16:47:35.026785647 -0700
285d04 
@@ -427,12 +427,21 @@ static const optionFreeDef sslOptList[]
285d04 
     { CIPHER_NAME("DTLS1.3"), 0x304 },
285d04 
 };
285d04
285d04 
+static const optionFreeDef keySizeFlagsList[] = {
285d04 
+    { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG },
285d04 
+    { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG },
285d04 
+    { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG },
285d04 
+};
285d04 
+
285d04 
 static const optionFreeDef freeOptList[] = {
285d04
285d04 
     /* Restrictions for asymetric keys */
285d04 
     { CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE },
285d04 
     { CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE },
285d04 
     { CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE },
285d04 
+    { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE },
285d04 
+    /* what operations doe the key size apply to */
285d04 
+    { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS },
285d04 
     /* constraints on SSL Protocols */
285d04 
     { CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY },
285d04 
     { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
285d04 
@@ -540,6 +549,7 @@ secmod_getPolicyOptValue(const char *pol
285d04 
         *result = val;
285d04 
         return SECSuccess;
285d04 
     }
285d04 
+    /* handle any ssl strings */
285d04 
     for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
285d04 
         if (policyValueLength == sslOptList[i].name_size &&
285d04 
             PORT_Strncasecmp(sslOptList[i].name, policyValue,
285d04 
@@ -548,7 +558,29 @@ secmod_getPolicyOptValue(const char *pol
285d04 
             return SECSuccess;
285d04 
         }
285d04 
     }
285d04 
-    return SECFailure;
285d04 
+    /* handle key_size flags. Each flag represents a bit, which
285d04 
+     * gets or'd together. They can be separated by , | or + */
285d04 
+    val = 0;
285d04 
+    while (*policyValue) {
285d04 
+        PRBool found = PR_FALSE;
285d04 
+        for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) {
285d04 
+            if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue,
285d04 
+                                 keySizeFlagsList[i].name_size) == 0) {
285d04 
+                val |= keySizeFlagsList[i].option;
285d04 
+                found = PR_TRUE;
285d04 
+                policyValue += keySizeFlagsList[i].name_size;
285d04 
+                break;
285d04 
+            }
285d04 
+        }
285d04 
+        if (!found) {
285d04 
+            return SECFailure;
285d04 
+        }
285d04 
+        if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') {
285d04 
+            policyValue++;
285d04 
+        }
285d04 
+    }
285d04 
+    *result = val;
285d04 
+    return SECSuccess;
285d04 
 }
285d04
285d04 
 /* Policy operations:
285d04 
diff -up ./lib/ssl/ssl3con.c.sign_policy ./lib/ssl/ssl3con.c
285d04 
--- ./lib/ssl/ssl3con.c.sign_policy	2022-06-20 16:47:34.998785473 -0700
285d04 
+++ ./lib/ssl/ssl3con.c	2022-06-20 16:47:35.028785660 -0700
285d04 
@@ -7409,6 +7409,8 @@ ssl_HandleDHServerKeyExchange(sslSocket
285d04 
     unsigned dh_p_bits;
285d04 
     unsigned dh_g_bits;
285d04 
     PRInt32 minDH;
285d04 
+    PRInt32 optval;
285d04 
+    PRBool usePolicyLength = PR_FALSE;
285d04
285d04 
     SSL3Hashes hashes;
285d04 
     SECItem signature = { siBuffer, NULL, 0 };
285d04 
@@ -7419,8 +7421,13 @@ ssl_HandleDHServerKeyExchange(sslSocket
285d04 
     if (rv != SECSuccess) {
285d04 
         goto loser; /* malformed. */
285d04 
     }
285d04 
+    rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
285d04 
+    if (rv == SECSuccess) {
285d04 
+        usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
285d04 
+    }
285d04
285d04 
-    rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
285d04 
+    rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH)
285d04 
+                         : SECFailure;
285d04 
     if (rv != SECSuccess || minDH <= 0) {
285d04 
         minDH = SSL_DH_MIN_P_BITS;
285d04 
     }
285d04 
@@ -11411,13 +11418,20 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
285d04 
     SECStatus rv;
285d04 
     PRUint32 minKey;
285d04 
     PRInt32 optval;
285d04 
+    PRBool usePolicyLength = PR_TRUE;
285d04 
+
285d04 
+    rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
285d04 
+    if (rv == SECSuccess) {
285d04 
+        usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
285d04 
+    }
285d04
285d04 
     ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
285d04 
     switch (SECKEY_GetPublicKeyType(pubKey)) {
285d04 
         case rsaKey:
285d04 
         case rsaPssKey:
285d04 
         case rsaOaepKey:
285d04 
-            rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval);
285d04 
+            rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval)
285d04 
+                                 : SECFailure;
285d04 
             if (rv == SECSuccess && optval > 0) {
285d04 
                 minKey = (PRUint32)optval;
285d04 
             } else {
285d04 
@@ -11426,7 +11440,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
285d04 
             break;
285d04
285d04 
         case dsaKey:
285d04 
-            rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval);
285d04 
+            rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval)
285d04 
+                                 : SECFailure;
285d04 
             if (rv == SECSuccess && optval > 0) {
285d04 
                 minKey = (PRUint32)optval;
285d04 
             } else {
285d04 
@@ -11435,7 +11450,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
285d04 
             break;
285d04
285d04 
         case dhKey:
285d04 
-            rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval);
285d04 
+            rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval)
285d04 
+                                 : SECFailure;
285d04 
             if (rv == SECSuccess && optval > 0) {
285d04 
                 minKey = (PRUint32)optval;
285d04 
             } else {
285d04 
@@ -11444,9 +11460,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
285d04 
             break;
285d04
285d04 
         case ecKey:
285d04 
-            /* Don't check EC strength here on the understanding that we only
285d04 
-             * support curves we like. */
285d04 
-            minKey = ss->sec.authKeyBits;
285d04 
+            rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval)
285d04 
+                                 : SECFailure;
285d04 
+            if (rv == SECSuccess && optval > 0) {
285d04 
+                minKey = (PRUint32)optval;
285d04 
+            } else {
285d04 
+                /* Don't check EC strength here on the understanding that we
285d04 
+                 * only support curves we like. */
285d04 
+                minKey = ss->sec.authKeyBits;
285d04 
+            }
285d04 
             break;
285d04
285d04 
         default:
285d04 
diff -up ./tests/policy/crypto-policy.txt.sign_policy ./tests/policy/crypto-policy.txt
285d04 
--- ./tests/policy/crypto-policy.txt.sign_policy	2022-05-26 02:54:33.000000000 -0700
285d04 
+++ ./tests/policy/crypto-policy.txt	2022-06-20 16:47:35.028785660 -0700
285d04 
@@ -6,6 +6,8 @@
285d04 
 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
285d04 
 0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
285d04 
 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
285d04 
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size
285d04 
+2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size
285d04 
 2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
285d04 
 2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
285d04 
 2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
285d04 
diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt
285d04 
--- ./tests/ssl/sslpolicy.txt.sign_policy	2022-06-20 16:47:35.028785660 -0700
285d04 
+++ ./tests/ssl/sslpolicy.txt	2022-06-20 16:50:08.958742135 -0700
285d04 
@@ -196,6 +196,11 @@
285d04 
 # rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
285d04 
 # compatibility reasons
285d04 
 #  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
285d04 
+  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
285d04 
+  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
285d04 
+  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
285d04 
+  0 noECC  SSL3   d    allow=rsa-min=1023 Restrict RSA keys when used in SSL
285d04 
+
285d04 
 # test default settings
285d04 
 # NOTE: tstclient will attempt to overide the defaults, so we detect we
285d04 
 # were successful by locking in our settings
285d04 
diff -up ./tests/dbupgrade/dbupgrade.sh.sign_policy ./tests/dbupgrade/dbupgrade.sh
285d04 
--- ./tests/dbupgrade/dbupgrade.sh.sign_policy	2022-06-22 08:43:55.905407738 -0700
285d04 
+++ ./tests/dbupgrade/dbupgrade.sh	2022-06-22 08:43:58.837426779 -0700
285d04 
@@ -69,7 +69,7 @@ dbupgrade_main()
285d04 
 		echo $i
285d04 
 		if [ -d $i ]; then
285d04 
 			echo "upgrading db $i"
285d04 
-			${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
285d04 
+			${BINDIR}/certutil -G -g 1024 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
285d04 
 			html_msg $? 0 "Upgrading $i"
285d04 
 		else
285d04 
 			echo "skipping db $i"

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation