[PATCH 3/7] Added functions to set and get numeric options for NSS. BUG1009429_BRANCH
authorElio Maldonado <emaldona@redhat.com>
Tue, 14 Apr 2015 14:25:29 -0700
branchBUG1009429_BRANCH
changeset 11424 28f6c4af66c5e4fbc339ae1ce7baf44948eb7b9e
parent 11423 56db76cc9047d6391fbe8e56a51a4f98c5d288af
child 11425 e6e9c562c9e2b56859a21725e82f0e8c927edbcb
push id613
push useremaldona@redhat.com
push dateTue, 14 Apr 2015 23:20:01 +0000
[PATCH 3/7] Added functions to set and get numeric options for NSS. Currently the only options defined allow setting the minimum acceptable sizes for RSA, DH, and DSA keys. The SSL DH key exchange was modified to take account of the minimum DH value that has been set. From: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/nss/manifest.mn
lib/nss/nss.def
lib/nss/nss.h
lib/nss/nssoptions.c
lib/ssl/ssl3con.c
--- a/lib/nss/manifest.mn
+++ b/lib/nss/manifest.mn
@@ -11,16 +11,17 @@ PRIVATE_EXPORTS = \
 EXPORTS = \
 	nss.h \
 	$(NULL)
 
 MODULE = nss
 
 CSRCS = \
 	nssinit.c \
+	nssoptions.c \
 	nssver.c \
 	utilwrap.c \
 	$(NULL)
 
 MAPFILE = $(OBJDIR)/nss.def
 
 LIBRARY_NAME = nss
 LIBRARY_VERSION = 3
--- a/lib/nss/nss.def
+++ b/lib/nss/nss.def
@@ -1068,11 +1068,13 @@ PK11_PrivDecrypt;
 SEC_CheckCrlTimes;
 SEC_GetCrlTimes;
 ;+    local:
 ;+       *;
 ;+};
 ;+NSS_3.18.1 { 	# NSS 3.18.1 release
 ;+    global:
 CERT_GetImposedNameConstraints;
+NSS_OptionGet;
+NSS_OptionSet;
 ;+    local:
 ;+       *;
 ;+};
--- a/lib/nss/nss.h
+++ b/lib/nss/nss.h
@@ -289,16 +289,28 @@ typedef SECStatus (*NSS_ShutdownFunc)(vo
 SECStatus NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
 
 /*
  * Remove an existing shutdown function (you may do this if your library is
  * complete and going away, but NSS is still running).
  */
 SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
 
+/* Available options for NSS_OptionSet() and NSS_OptionGet().
+ */
+#define NSS_RSA_MIN_KEY_SIZE (1<<0)
+#define NSS_DH_MIN_KEY_SIZE  (1<<1)
+#define NSS_DSA_MIN_KEY_SIZE (1<<2)
+
+/*
+ * Set and get global options for the NSS library.
+ */
+SECStatus NSS_OptionSet(PRInt32 which, PRInt32 value);
+SECStatus NSS_OptionGet(PRInt32 which, PRInt32 *value);
+
 /* 
  * Close the Cert, Key databases.
  */
 extern SECStatus NSS_Shutdown(void);
 
 /*
  * set the PKCS #11 strings for the internal token.
  */
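Review bot: The new option identifiers `NSS_RSA_MIN_KEY_SIZE (1<<0)`, `NSS_DH_MIN_KEY_SIZE (1<<1)` and `NSS_DSA_MIN_KEY_SIZE (1<<2)` are spelled as bit flags, but the accompanying NSS_OptionSet()/NSS_OptionGet() dispatch on them with a switch, so OR-ing two of them yields SECFailure rather than setting both; the header should say so, and should state the unit, which the ssl3con.c consumer in this patch treats as bits. A comment above the defines such as `/* Minimum acceptable key sizes, in bits. Each option is a selector, not a flag: pass exactly one per call. NSS_OptionGet() requires a non-NULL value pointer. */` would close that gap. The prototypes also do not document what the getter returns before any NSS_OptionSet() call; nssoptions.c in this patch initializes all three to 512, and noting that default here would spare callers a trip to the source.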
new file mode 100644
--- /dev/null
+++ b/lib/nss/nssoptions.c
@@ -0,0 +1,72 @@
+/*
+ * NSS utility functions
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <ctype.h>
+#include <string.h>
+#include <assert.h>
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secoid.h"
+#include "nss.h"
+
+struct nssOps {
+    PRInt32 rsaMinKeySize;
+    PRInt32 dhMinKeySize;
+    PRInt32 dsaMinKeySize;
+};
+
+static struct nssOps nss_ops = {
+    512,
+    512,
+    512
+};
+
+SECStatus
+NSS_OptionSet(PRInt32 which, PRInt32 value)
+{
+    SECStatus rv = SECSuccess;
+
+    switch (which) {
+      case NSS_RSA_MIN_KEY_SIZE:
+        nss_ops.rsaMinKeySize = value;
+        break;
+      case NSS_DH_MIN_KEY_SIZE:
+        nss_ops.dhMinKeySize = value;
+        break;
+      case NSS_DSA_MIN_KEY_SIZE:
+        nss_ops.dsaMinKeySize = value;
+        break;
+      default:
+	rv = SECFailure;
+    }
+
+    return rv;
+}
+
+SECStatus
+NSS_OptionGet(PRInt32 which, PRInt32 *value)
+{
+    SECStatus rv = SECSuccess;
+
+    switch (which) {
+      case NSS_RSA_MIN_KEY_SIZE:
+        *value = nss_ops.rsaMinKeySize;
+        break;
+      case NSS_DH_MIN_KEY_SIZE:
+        *value = nss_ops.dhMinKeySize;
+        break;
+      case NSS_DSA_MIN_KEY_SIZE:
+        *value = nss_ops.dsaMinKeySize;
+        break;
+      default:
+	rv = SECFailure;
+    }
+
+    return rv;
+}
+
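Review bot: NSS_OptionSet stores `value` without any range check, so a caller can install a floor of zero or a negative number; the ssl3con.c consumer in this patch compares an unsigned length against the signed PRInt32, so a negative minimum converts to a large unsigned value and rejects every DH server key exchange, while zero silently disables the floor altogether. Reject negatives before the switch with `if (value < 0) { return SECFailure; }` (and set SEC_ERROR_INVALID_ARGS via PORT_SetError if secerr.h is included), and give both `default:` branches an error code as well, since callers otherwise receive SECFailure with nothing to show from PR_GetError(). NSS_OptionGet dereferences `value` unconditionally and should guard with `if (!value) { return SECFailure; }`. The includes of ctype.h, string.h, assert.h, secoidt.h and secoid.h are not used by anything in this file and can be dropped, and the generic `NSS utility functions` file header would be more useful as `Global numeric options (minimum key sizes) for NSS`.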
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -19,16 +19,17 @@
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "sslerr.h"
 #include "prtime.h"
 #include "prinrval.h"
 #include "prerror.h"
 #include "pratom.h"
 #include "prthread.h"
+#include "nss.h"
 
 #include "pk11func.h"
 #include "secmod.h"
 #ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
 #endif
 
 #include <stdio.h>
@@ -6745,22 +6746,30 @@ ssl3_HandleServerKeyExchange(sslSocket *
     	ss->ssl3.hs.ws = wait_cert_request;
     	return SECSuccess;
     }
 
     case kt_dh: {
 	SECItem          dh_p      = {siBuffer, NULL, 0};
 	SECItem          dh_g      = {siBuffer, NULL, 0};
 	SECItem          dh_Ys     = {siBuffer, NULL, 0};
+        PRInt32          minDH;
+
+        rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
+    	if (rv != SECSuccess) {
+            minDH = 512/8;
+        } else {
+            minDH /= 8;
+	}
 
     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
     	if (rv != SECSuccess) {
 	    goto loser;		/* malformed. */
 	}
-	if (dh_p.len < 512/8) {
+        if (dh_p.len < minDH) {
 	    errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
 	    goto alert_loser;
 	}
     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
     	if (rv != SECSuccess) {
 	    goto loser;		/* malformed. */
 	}
 	if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g))
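Review bot: The minimum is still enforced on the encoded length of the modulus (`if (dh_p.len < minDH)`), so a server can satisfy any configured floor by padding p with leading zero octets; the check should measure the significant bits of p rather than its byte count. The bits-to-bytes conversion `minDH /= 8` also rounds down, so a floor of 1023 bits admits a 1016-bit modulus, and a negative option value is converted to unsigned by the comparison and rejects every DH exchange. Counting significant bits avoids the division and makes the comparison in bits directly; the rewrite below replaces the added minDH computation and the length check, keeping the same error code. ssl3_HandleServerKeyExchange begins and ends outside this hunk.

```c
        PRInt32          minDH;
        unsigned int     pBits = 0;
        unsigned int     i;

        rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
        if (rv != SECSuccess || minDH < 0) {
            minDH = 512;        /* bits; the previous hard-coded floor */
        }

        rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
        if (rv != SECSuccess) {
            goto loser;         /* malformed. */
        }
        /* Measure p by its significant bits: leading zero octets in the
         * encoding must not count toward the minimum. */
        for (i = 0; i < dh_p.len; i++) {
            if (dh_p.data[i] != 0) {
                unsigned int top = dh_p.data[i];
                pBits = (dh_p.len - i) * 8;
                while (!(top & 0x80)) {
                    top <<= 1;
                    pBits--;
                }
                break;
            }
        }
        if (pBits < (unsigned int)minDH) {
            errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
            goto alert_loser;
        }
        /* … unchanged: dh_g / dh_Ys parsing and validation … */
```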