Bug 1172128 - Restore freebl/softoken limits on key sizes, r=rrelyea NSS_3_19_2_BETA1
authorMartin Thomson <martin.thomson@gmail.com>
Wed, 10 Jun 2015 13:53:59 -0700
changeset 11475 2b29dfe134a5fd5ba2c4e80074b7cf8fc2d36cfd
parent 11474 2d066157b71c8266d1a363518828e9f9c3faa07e
child 11476 3d10de91d1de1f86aa86ecf5b36665d577b7314f
push id653
push usermartin.thomson@gmail.com
push dateWed, 10 Jun 2015 21:01:54 +0000
reviewersrrelyea
bugs1172128
Bug 1172128 - Restore freebl/softoken limits on key sizes, r=rrelyea
lib/freebl/blapit.h
lib/ssl/ssl3con.c
lib/ssl/sslimpl.h
--- a/lib/freebl/blapit.h
+++ b/lib/freebl/blapit.h
@@ -133,23 +133,20 @@ typedef int __BLAPI_DEPRECATED __attribu
 #define SEED_KEY_LENGTH 16              /* bytes */
 
 #define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
 
 /*
  * These values come from the initial key size limits from the PKCS #11
  * module. They may be arbitrarily adjusted to any value freebl supports.
  */
-#define RSA_MIN_MODULUS_BITS   512
+#define RSA_MIN_MODULUS_BITS   128
 #define RSA_MAX_MODULUS_BITS 16384
 #define RSA_MAX_EXPONENT_BITS   64
-/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
- * only 1023 bits and similar.  We don't have good data on whether this
- * happens because NSS used to count bit lengths incorrectly. */
-#define DH_MIN_P_BITS	      1023
+#define DH_MIN_P_BITS	       128
 #define DH_MAX_P_BITS        16384
 
 /*
  * The FIPS 186-1 algorithm for generating primes P and Q allows only 9
  * distinct values for the length of P, and only one value for the
  * length of Q.
  * The algorithm uses a variable j to indicate which of the 9 lengths
  * of P is to be used.
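Review bot: The comment above the restored values (`These values come from the initial key size limits from the PKCS #11 module. They may be arbitrarily adjusted to any value freebl supports.`) no longer warns a reader that, at 128 bits, `RSA_MIN_MODULUS_BITS` and `DH_MIN_P_BITS` are purely functional bounds and carry no security meaning. Since the `p = 2q+1` rationale is being moved out of this header, I would add one sentence here so the next person does not raise these thinking they are the policy: `Functional bounds only, not a security policy: the TLS client enforces its own minimums (SSL_*_MIN_*_BITS in lib/ssl/sslimpl.h).` As a point of style, the new `#define DH_MIN_P_BITS` line pads with a tab plus spaces while the `RSA_*` lines around it use spaces only.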
@@ -179,17 +176,17 @@ typedef int __BLAPI_DEPRECATED __attribu
  *      3072           256
  *
  * The FIPS-186-3 complaiant PQG generator (PQG V2) takes arbitrary p and q
  * lengths as input and returns an error if they aren't in this list.
  */
 
 #define DSA1_Q_BITS      160
 #define DSA_MAX_P_BITS	3072
-#define DSA_MIN_P_BITS  1023
+#define DSA_MIN_P_BITS	 512
 #define DSA_MAX_Q_BITS   256
 #define DSA_MIN_Q_BITS   160
 
 #if DSA_MAX_Q_BITS != DSA_MAX_SUBPRIME_LEN*8
 #error "Inconsistent declaration of DSA SUBPRIME/Q parameters in blapit.h"
 #endif
 
 
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -6738,17 +6738,17 @@ ssl3_HandleServerKeyExchange(sslSocket *
         unsigned dh_g_bits;
         unsigned dh_Ys_bits;
 
     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
     	if (rv != SECSuccess) {
 	    goto loser;		/* malformed. */
 	}
         dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
-        if (dh_p_bits < DH_MIN_P_BITS) {
+        if (dh_p_bits < SSL_DH_MIN_P_BITS) {
 	    errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
 	    goto alert_loser;
 	}
     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
     	if (rv != SECSuccess) {
 	    goto loser;		/* malformed. */
 	}
         /* Abort if dh_g is 0, 1, or obviously too big. */
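Review bot: The new test rejects a server prime below `SSL_DH_MIN_P_BITS` but nothing in this hunk bounds `dh_p` from above, even though this same commit keeps freebl's `DH_MAX_P_BITS` at 16384; an oversized p would presumably be refused later by freebl, but then with a generic error rather than a handshake alert, and only after the client has spent the bignum work. Unless the `dh_Ys` handling further down already covers it, I would extend the check to `if (dh_p_bits < SSL_DH_MIN_P_BITS || dh_p_bits > DH_MAX_P_BITS)` and, for the too-large case, set an error other than `SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY` so the diagnostic is not misleading. `ssl3_HandleServerKeyExchange` starts and ends outside this hunk, so I cannot confirm what the later `dh_Ys_bits` checks do.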
@@ -10045,25 +10045,25 @@ ssl3_AuthCertificate(sslSocket *ss)
 	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
 	ss->sec.keaType       = ss->ssl3.hs.kea_def->exchKeyType;
 	if (pubKey) {
 	    KeyType pubKeyType;
 	    ss->sec.keaKeyBits = ss->sec.authKeyBits =
 		SECKEY_PublicKeyStrengthInBits(pubKey);
             pubKeyType = SECKEY_GetPublicKeyType(pubKey);
             /* Too small: not good enough. Send a fatal alert. */
-            /* TODO: Use 1023 for RSA because a higher RSA_MIN_MODULUS_BITS
-             * breaks export cipher suites, not 1024 to be conservative; when
-             * export removed, increase RSA_MIN_MODULUS_BITS and use that. */
             /* We aren't checking EC here on the understanding that we only
              * support curves we like, a decision that might need revisiting. */
             if (((pubKeyType == rsaKey || pubKeyType == rsaPssKey ||
-                  pubKeyType == rsaOaepKey) && ss->sec.authKeyBits < 1023) ||
-                (pubKeyType == dsaKey && ss->sec.authKeyBits < DSA_MIN_P_BITS) ||
-                (pubKeyType == dhKey && ss->sec.authKeyBits < DH_MIN_P_BITS)) {
+                  pubKeyType == rsaOaepKey) &&
+                  ss->sec.authKeyBits < SSL_RSA_MIN_MODULUS_BITS) ||
+                (pubKeyType == dsaKey &&
+                 ss->sec.authKeyBits < SSL_DSA_MIN_P_BITS) ||
+                (pubKeyType == dhKey &&
+                 ss->sec.authKeyBits < SSL_DH_MIN_P_BITS)) {
                 PORT_SetError(SSL_ERROR_WEAK_SERVER_CERT_KEY);
                 (void)SSL3_SendAlert(ss, alert_fatal,
                                      ss->version >= SSL_LIBRARY_VERSION_TLS_1_0
                                      ? insufficient_security
                                      : illegal_parameter);
                 SECKEY_DestroyPublicKey(pubKey);
                 return SECFailure;
             }
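Review bot: Deleting the TODO removes the only explanation at the check site of why the RSA floor is 1023 rather than 1024 and why it cannot simply be raised (the export RSA suites), and the replacement comment next to the new constants is terser than what was here. Since the three branches now compare against constants defined in another header, I would leave a pointer in place of the TODO: `/* Thresholds are the client-side policy in sslimpl.h (SSL_*_MIN_*_BITS), kept below 1024 while export RSA suites remain. */` The behaviour of the check itself is unchanged for RSA and DSA, and `ssl3_AuthCertificate` continues outside this hunk on both sides.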
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -148,16 +148,25 @@ typedef enum { SSLAppOpRead = 0,
 #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
 
 #ifndef BPB
 #define BPB 8 /* Bits Per Byte */
 #endif
 
 #define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
 
+/* The minimum server key sizes accepted by the clients.
+ * Not 1024 to be conservative. */
+#define SSL_RSA_MIN_MODULUS_BITS 1023
+/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
+ * only 1023 bits and similar.  We don't have good data on whether this
+ * happens because NSS used to count bit lengths incorrectly. */
+#define SSL_DH_MIN_P_BITS 1023
+#define SSL_DSA_MIN_P_BITS 1023
+
 #define INITIAL_DTLS_TIMEOUT_MS   1000  /* Default value from RFC 4347 = 1s*/
 #define MAX_DTLS_TIMEOUT_MS      60000  /* 1 minute */
 #define DTLS_FINISHED_TIMER_MS  120000  /* Time to wait in FINISHED state */
 
 typedef struct sslBufferStr             sslBuffer;
 typedef struct sslConnectInfoStr        sslConnectInfo;
 typedef struct sslGatherStr             sslGather;
 typedef struct sslSecurityInfoStr       sslSecurityInfo;
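Review bot: The three new `SSL_*_MIN_*_BITS` constants are defined with no relation to the freebl limits they replace at the call sites, and because this commit lowers `RSA_MIN_MODULUS_BITS`, `DH_MIN_P_BITS` and `DSA_MIN_P_BITS` in blapit.h at the same time, nothing now ties the TLS policy to what freebl will accept; a later edit to either header could leave the client accepting a key freebl then rejects, or the reverse. If blapit.h is visible where these are used, a guard such as `#if SSL_DH_MIN_P_BITS < DH_MIN_P_BITS` / `#error "TLS DH minimum below freebl minimum"` / `#endif` (and the same for RSA and DSA) next to the definitions would catch that at build time, mirroring the `DSA_MAX_SUBPRIME_LEN` check already in blapit.h. The `Not 1024 to be conservative.` comment also drops the reason the removed TODO in ssl3con.c gave; I would reword it to carry that over: `1023 rather than 1024 to be conservative about bit counting; raising it is blocked by the export RSA suites (EXPORT_RSA_KEY_LENGTH above).`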