mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche 

2020-10-26  Robert Relyea  <rrelyea@redhat.com>

	* lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c,
	tests/ssl/ssl.sh:
	Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs
	when SHA1 signatures are disabled. r=mt

	When libpkix is checking an OCSP cert, it can't use the passed in
	set of trust anchors as a base because only the single root that
	signed the leaf can sign the OCSP request. As a result it actually
	checks the signature of the self-signed root when processing an OCSP
	request. This fails of the root cert signature is invalid for any
	reason (including it's a sha1 self-signed root cert and we've
	disabled sha1 signatures (say, by policy)).

	Further investigation indicates the difference between our classic
	code and the current code is the classic code only checks OCSP
	responses on leaf certs. In the real world, those responses are
	signed by intermediate certificates (who won't have sha1 signed
	certificates anymore), so our signature processing works just fine.
	pkix checks OCSP on the intermediate certificates as well, which are
	signed by the root cert. In this case the root cert is a chain of 1,
	and is effectively a leaf. This patch updates the OCSP response code
	to not check the signatures on the single cert if that cert is a
	selfsigned root cert. This requires bug 391476 so we still do the
	other validation checking on the certs (making sure it's trusted as
	a CA).

	[035110dfa0b9] [tip]

2020-10-23  Robert Relyea  <rrelyea@redhat.com>

	* lib/certhigh/certvfypkix.c,
	lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c,
	lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h,
	lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,
	lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c,
	tests/ssl/ssl.sh:
	Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs
	when SHA1 signatures are disabled.

	When libpkix is checking an OCSP cert, it can't use the passed in
	set of trust anchors as a base because only the single root that
	signed the leaf can sign the OCSP request. As a result it actually
	checks the signature of the self-signed root when processing an OCSP
	request. This fails of the root cert signature is invalid for any
	reason (including it's a sha1 self-signed root cert and we've
	disabled sha1 signatures (say, by policy)).

	Further investigation indicates the difference between our classic
	code and the current code is the classic code only checks OCSP
	responses on leaf certs. In the real world, those responses are
	signed by intermediate certificates (who won't have sha1 signed
	certificates anymore), so our signature processing works just fine.
	pkix checks OCSP on the intermediate certificates as well, which are
	signed by the root cert. In this case the root cert is a chain of 1,
	and is effectively a leaf. This patch updates the OCSP response code
	to not check the signatures on the single cert if that cert is a
	selfsigned root cert. This requires bug 391476 so we still do the
	other validation checking on the certs (making sure it's trusted as
	a CA).
	[97f69f7a89a1]

2020-10-26  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/tls_filter.cc:
	Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter. r=mt

	This patch corrects the `SelectedCipherSuiteReplacer`filter to
	always parse the `session_id` variable (`legacy_session_id` for TLS
	1.3+). The previous code attempted to skip it in 1.3+ but did not
	account for DTLS wire versions, resulting in intermittent failures.

	[a79d14b06b4a]

2020-10-26  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/sslimpl.h:
	Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt

	Summary: This flips the meaning of the flag for checking excessive
	CCS messages, so it only rejects multiple CCS messages while the
	first CCS message is always accepted.

	Reviewers: mt

	Reviewed By: mt

	Bug #: 1672703

	[b03a4fc5b902]

2020-10-23  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnssutil3.so.txt,
	gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
	lib/nss/nss.h, lib/ssl/ssl3con.c, lib/util/SECerrs.h,
	lib/util/nssutil.def, lib/util/secerr.h, tests/policy/policy.sh:
	Bug 1670835 Crypto Policy Support needs to be updated with
	disable/enable support

	Policy update

	Current state of the nss policy system:

	The initial policy patch focused on getting policy working well in
	handling ssl. The policy infrastructure used two existing NSS
	infrastructure: 1) Algorithm policies tied the OIDS and 2) the ssl
	policy constraints first created to handle export policy
	restrictions. To make loadable policies work, we added a couple of
	new things: 1) a policy parser to the secmod infrastructure which
	allows us to set algorithm policies based on a config file. This
	file had two sections: disallow= and allow=. Disallow turned off
	policy bits, and allow turned them on. Disallow was always parsed
	first, so you could very strictly control your policy map by saying
	disallow=all allow={exclusive list of allowed algorithms} 2) a new
	NSS_Option() value that allowed the policy parser to set integer
	values (like minimum tls version) based on the data in the policy
	parser. 3) SSL code which is run at ssl_init time that reads the
	algorithm policies and maps the results to SSL policies.

	The resulting loaded policy code, in general, sets the boundaries of
	what it possible, actually enable/disable of ssl cipher suites are
	still under program control, and the builtin NSS default values. The
	only consession to configuration is if a cipher is disallowed by
	policy, it is also disabled. Allowing a cipher suite by policy that
	wasn't already enabled, however, doesn't enable that policy by
	default. Inside the policy restrictions, applications can still make
	their own decisions on configuration and preference.

	At the time the policy system was designed, there were 3 additional
	features, which were designed, but not specified: disable, enable,
	and lock.

	disable and enable work just like disallow and allow, except the
	specify what the default settings are. This would allow the policy
	file to change the underlying default in the case where the
	application doesn't try to configure ssl on it's own.

	lock would make either the policy or configuration 'locked' meaning
	once the lock has been executed, no further changes to those
	configurations would be allowed.

	What is needed:

	We have a need for the following additional features:

	1) we want to turn more of the sha-1 hash function off by default.
	We still need sha-1 digest because it's used in many non-secure
	cases, but we do want to disable more sha-1 signature usage.
	Currently only CERT-SIGNATURE and various hmac usages in SSL ciphers
	can be controlled by policy. We want to disallow a greater range of
	signature (that is signature use in general).

	2) we want to disable more ciphers by default, but need a way to
	have certain policies (like LEGACY) turn them back on, so that our
	shipped system is more secure by default.

	What this patch provides:

	1) A new policy flag NSS_USE_ALG_IN_ANY_SIGNATURE was added. The
	cryptohi code which exports the NSS sign/verify high level code now
	checks the hash and signing algorithm against this new policy flag
	and fails if the policy isn't available. New key words were added to
	the policy parser for 'all-signature', which implies all signature
	flags at once, and 'signature', which maps to NSS_USE_ANY_SIGNATURE.
	NOTE: disable=all/signature and disable=all/all-signature are
	effective equivalent because cert-signatures eventually call the low
	level signature functions, but disable=all allow=rsa-pss/all-
	signature and disable=all allow=rsa-pss/signature are different in
	that the latter allows all rsa-pss signature and the latter allows
	rsa-pss signatures, but no on certificates (or on smime in the
	future) Also new keywords were added for rsa-pkcs, rsa-pss, and
	ecdsa for signature algorithms (along with dsa).

	2) This patch implements disable and enable. These functions only
	work on SSL configuration. In the future SMIME/CMS configuration
	could also be added. Because the policy system is parsed and handled
	by NSS, and SSL configuration is handled in SSL, we use the same
	Apply code we used to apply ssl policy to set the inital
	configuration. The configured enable/disable state is configured in
	the ALGORTHIM policy system, where one bit says the enable/disable
	value is active and another bit which gives it's state.

	3) two locks have been implented, policy-lock and ssl-lock. These
	are specified in the parser as flags (flags=policy-lock,ssl-lock).
	The policy locks all the policy changes: ssl_policy, algorithm
	policy, and options. It is implemented by two new exported
	functions: NSS_IsPolicyLocked() and NSS_LockPolicy(). The first
	allows applications to test if the policy is locked without having
	to try changing the policy. The various policy set functions check
	the NSS_IsPolicyLocked() function and returns SEC_ERROR_POLICY_LOCK
	if it's true. The ssl-lock changes the state of the policy to
	locked, and the state cannot be changed back without shutting down
	NSS. The second is implemented by setting a new Option called
	NSS_DEFAULT_LOCKS and the NSS_DEFAULT_SSL_LOCK flag. The idea is we
	can add an SMIME lock in the future. SSL checks the
	NSS_DEFAULT_SSL_LOCK flag before trying to set the cipher suite
	value, and blocks the change if it's set.

	4) sslpolicy tests were updated to test the enable, disable, flags
	=policy-lock, flags=ssl-lock and the new signature primitives.

	5) policy tests were updated to be able to run standalone (like all
	the other all.sh tests), as well as new tests to detect when no
	signing algorithms have been enabled.

	 What is not in the patch

	1) S/MIME signature policy has been defined for a while, but never
	hooked up. 2) S/MIME export policy needs to be connected back to the
	algorithm policy system just like the ssl cipher suites already are.
	3) S/MIME default configuration needs to be connected back to the
	policy system. 4) ECC Curve policy needs to be hooked up with the
	signature policy (probably should create a generic 'key meets
	policy' function and have every call it).

	[6f79a7695812]

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c:
	Bug 1666891 - Add PK11_Pub{Wrap,Unwrap}SymKeyWithMechanism
	r=mt,rrelyea

	Summary

	This is useful for RSA-OAEP support.

	The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
	be present for PKCS#11 calls. This provides required context for
	OAEP. However, PK11_PubWrapSymKey lacks a way of providing this
	context and historically silently converted CKM_RSA_PKCS_OAEP to
	CKM_RSA_PKCS when a RSA key is provided. Introducing a new call will
	let us indicate parameters and potentially support other mechanisms
	in the future. This call mirrors the earlier calls introduced for
	RSA-PSS: PK11_SignWithMechanism and PK11_VerifyWithMechanism.

	The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
	be present for PKCS#11 calls. This provides required context for
	OAEP. However, PK11_PubUnwrapSymKey lacks a way of providing this
	context, and additionally lacked a way of indicating which mechanism
	type to use for the unwrap operation (instead detecting it by key
	type). Introducing a new call will let us indicate parameters and
	potentially support other mechanisms in the future.

	Signed-off-by: Alexander Scheel <ascheel@redhat.com>

	[33f920fcd175]

2020-10-23  Petr Sumbera  <petr.sumbera@oracle.com>

	* coreconf/config.gypi:
	Bug 1667989 - coreconf/config.gypi should allow correct linking on
	Solaris r=kjacobs,bbeurdouche

	[e3bd9c2f9259]

2020-10-23  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def:
	Bug 1668123 - Export CERT_AddCertToListHeadWithData and
	CERT_AddCertToListTailWithData. r=jcj

	[0f15b05daeed]

2020-07-30  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/ckfw/builtins/certdata.txt:
	Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root
	CA. r=kjacobs

	[7076e78ddafe]

2020-10-14  J.C. Jones  <jjones@mozilla.com>

	* lib/util/secasn1d.c:
	Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1
	decoder r=kjacobs

	The streaming ASN.1 decoder had assertions that, on debug builds,
	blocked embedding indefinite-length fields inside of definite-length
	fields/contexts, however that behavior does work correctly, and is
	valid ASN.1: it tends to happen when wrapping a signature around
	existing ASN.1-encoded data, if that already-encoded data had an
	indefinite length.

	Really these two assertion were just overzealous. The conditional
	after the asserts handle the case well, and memory sanitizers have
	not found issue here either.

	[d0153cc0c464]

Differential Revision: https://phabricator.services.mozilla.com/D95093
This commit is contained in:
Kevin Jacobs 2020-11-02 18:04:59 +00:00
Родитель e6d2e5c167
Коммит b838f38de2
40 изменённых файлов: 966 добавлений и 196 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
58dc3216d518
035110dfa0b9

8
security/nss/automation/abi-check/expected-report-libnss3.so.txt
Просмотреть файл

@ -0,0 +1,8 @@
4 Added functions:
[A] 'function SECStatus CERT_AddCertToListHeadWithData(CERTCertList*, CERTCertificate*, void*)' {CERT_AddCertToListHeadWithData@@NSS_3.59}
[A] 'function SECStatus CERT_AddCertToListTailWithData(CERTCertList*, CERTCertificate*, void*)' {CERT_AddCertToListTailWithData@@NSS_3.59}
[A] 'function PK11SymKey* PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey*, CK_MECHANISM_TYPE, SECItem*, SECItem*, CK_MECHANISM_TYPE, CK_ATTRIBUTE_TYPE, int)' {PK11_PubUnwrapSymKeyWithMechanism@@NSS_3.59}
[A] 'function SECStatus PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey*, CK_MECHANISM_TYPE, SECItem*, PK11SymKey*, SECItem*)' {PK11_PubWrapSymKeyWithMechanism@@NSS_3.59}

6
security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
Просмотреть файл

@ -0,0 +1,6 @@
2 Added functions:
[A] 'function PRBool NSS_IsPolicyLocked()' {NSS_IsPolicyLocked@@NSSUTIL_3.59}
[A] 'function void NSS_LockPolicy()' {NSS_LockPolicy@@NSSUTIL_3.59}

12
security/nss/coreconf/config.gypi
Просмотреть файл

@ -37,7 +37,7 @@
},{
'use_system_sqlite%': 0,
}],
['OS=="mac" or OS=="ios" or OS=="win"', {
['OS=="mac" or OS=="ios" or OS=="solaris" or OS=="win"', {
'cc_use_gnu_ld%': 0,
}, {
'cc_use_gnu_ld%': 1,
@ -397,6 +397,11 @@
'_REENTRANT',
],
}],
[ 'OS!="mac" and OS!="ios" and OS!="solaris" and OS!="win"', {
'ldflags': [
'-z', 'noexecstack',
],
}],
[ 'OS!="mac" and OS!="ios" and OS!="win"', {
'cflags': [
'-fPIC',
@ -410,9 +415,6 @@
'cflags_cc': [
'-std=c++11',
],
'ldflags': [
'-z', 'noexecstack',
],
'conditions': [
[ 'target_arch=="ia32"', {
'cflags': ['-m32'],
@ -662,7 +664,7 @@
},
},
'conditions': [
[ 'cc_use_gnu_ld==1', {
[ 'cc_use_gnu_ld==1 or OS=="solaris"', {
'variables': {
'process_map_file': ['/bin/sh', '-c', '/usr/bin/env grep -v ";-" >(mapfile) | sed -e "s,;+,," -e "s; DATA ;;" -e "s,;;,," -e "s,;.*,;," > >@(_outputs)'],
},

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

50
security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
Просмотреть файл

@ -7,9 +7,55 @@
#include "mozpkix/pkixder.h"
#include "secoid.h"
using namespace mozilla::pkix;
using namespace mozilla::pkix::test;
/* These tests generate invalid certificates on the fly, We want to test
* validation of those certificates, not the generation, so we
* need to temporarily allow disallowed signature policies before
* we do the actual certificate or ocsp signing
*/
class HashAlgorithmPolicies
{
static const int numberOfHashes = 4; /* sigh */
static const SECOidTag hashOids[numberOfHashes];
PRUint32 savedPolicy[numberOfHashes];
public:
void EnableHashSignaturePolicy(void);
void RestoreHashSignaturePolicy(void);
};
const SECOidTag HashAlgorithmPolicies::hashOids[numberOfHashes] = {
SEC_OID_MD2,
SEC_OID_MD4,
SEC_OID_MD5,
SEC_OID_SHA1 };
void
HashAlgorithmPolicies::EnableHashSignaturePolicy(void)
{
for (int i=0;i < numberOfHashes; i++) {
ASSERT_EQ(SECSuccess,
NSS_GetAlgorithmPolicy(hashOids[i], &savedPolicy[i]));
ASSERT_EQ(SECSuccess,
NSS_SetAlgorithmPolicy(hashOids[i], NSS_USE_ALG_IN_SIGNATURE, 0));
}
}
void
HashAlgorithmPolicies::RestoreHashSignaturePolicy(void)
{
for (int i=0;i < numberOfHashes; i++) {
ASSERT_EQ(SECSuccess,
NSS_SetAlgorithmPolicy(hashOids[i], savedPolicy[i],
NSS_USE_ALG_IN_SIGNATURE));
}
}
static ByteString
CreateCert(const char* issuerCN,
const char* subjectCN,
@ -35,16 +81,20 @@ CreateCert(const char* issuerCN,
}
ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
HashAlgorithmPolicies policies;
policies.EnableHashSignaturePolicy();
ByteString certDER(CreateEncodedCertificate(v3, signatureAlgorithm,
serialNumber, issuerDER,
oneDayBeforeNow, oneDayAfterNow,
subjectDER, *reusedKey,
extensions, *reusedKey,
signatureAlgorithm));
policies.RestoreHashSignaturePolicy();
EXPECT_FALSE(ENCODING_FAILED(certDER));
return certDER;
}
class AlgorithmTestsTrustDomain final : public DefaultCryptoTrustDomain
{
public:

20
security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
Просмотреть файл

@ -26,6 +26,8 @@
#include "mozpkix/pkixder.h"
#include "secoid.h"
using namespace mozilla::pkix;
using namespace mozilla::pkix::test;
@ -338,6 +340,12 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown)
TEST_F(pkixocsp_VerifyEncodedResponse_successful,
good_unsupportedSignatureAlgorithm)
{
PRUint32 policyMd5;
ASSERT_EQ(SECSuccess,NSS_GetAlgorithmPolicy(SEC_OID_MD5, &policyMd5));
/* our encode won't work if MD5 isn't allowed by policy */
ASSERT_EQ(SECSuccess,
NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_SIGNATURE, 0));
ByteString responseString(
CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID, byKey,
@ -347,6 +355,9 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful,
Input response;
ASSERT_EQ(Success,
response.Init(responseString.data(), responseString.length()));
/* now restore the existing policy */
ASSERT_EQ(SECSuccess,
NSS_SetAlgorithmPolicy(SEC_OID_MD5, policyMd5, NSS_USE_ALG_IN_SIGNATURE));
bool expired;
ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
@ -930,14 +941,23 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
// Note that the algorithm ID (md5WithRSAEncryption) identifies the signature
// algorithm that will be used to sign the certificate that issues the OCSP
// responses, not the responses themselves.
PRUint32 policyMd5;
ASSERT_EQ(SECSuccess,NSS_GetAlgorithmPolicy(SEC_OID_MD5, &policyMd5));
/* our encode won't work if MD5 isn't allowed by policy */
ASSERT_EQ(SECSuccess,
NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_SIGNATURE, 0));
ByteString responseString(
CreateEncodedIndirectOCSPSuccessfulResponse(
"good_indirect_unsupportedSignatureAlgorithm",
OCSPResponseContext::good, byKey,
md5WithRSAEncryption()));
Input response;
/* now restore the existing policy */
ASSERT_EQ(Success,
response.Init(responseString.data(), responseString.length()));
ASSERT_EQ(SECSuccess,
NSS_SetAlgorithmPolicy(SEC_OID_MD5, policyMd5, NSS_USE_ALG_IN_SIGNATURE));
bool expired;
ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),

35
security/nss/gtests/pk11_gtest/pk11_find_certs_unittest.cc
Просмотреть файл

@ -159,6 +159,41 @@ class PK11FindCertsTestBase : public ::testing::Test {
class PK11FindRawCertsBySubjectTest : public PK11FindCertsTestBase {};
TEST_F(PK11FindCertsTestBase, CertAddListWithData) {
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
ASSERT_TRUE(slot);
SECItem cert1_item = {siBuffer, const_cast<uint8_t*>(kTestCert1DER.data()),
(unsigned int)kTestCert1DER.size()};
SECItem cert2_item = {siBuffer, const_cast<uint8_t*>(kTestCert2DER.data()),
(unsigned int)kTestCert2DER.size()};
// Make certificates. ScopedCERTCertList will own.
ScopedCERTCertList list(CERT_NewCertList());
ASSERT_TRUE(list);
CERTCertificate* cert1 = CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &cert1_item, nullptr, false, false);
CERTCertificate* cert2 = CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &cert2_item, nullptr, false, false);
ASSERT_NE(nullptr, cert1);
ASSERT_NE(nullptr, cert2);
ASSERT_NE(cert1, cert2);
SECStatus rv = CERT_AddCertToListHeadWithData(list.get(), cert1, cert1);
EXPECT_EQ(SECSuccess, rv);
rv = CERT_AddCertToListTailWithData(list.get(), cert2, cert2);
EXPECT_EQ(SECSuccess, rv);
CERTCertListNode* node = CERT_LIST_HEAD(list.get());
ASSERT_NE(nullptr, node);
EXPECT_EQ(node->cert, cert1);
EXPECT_EQ(node->appData, cert1);
node = CERT_LIST_TAIL(list.get());
ASSERT_NE(nullptr, node);
EXPECT_EQ(node->cert, cert2);
EXPECT_EQ(node->appData, cert2);
}
// If we don't have any certificates, we shouldn't get any when we search for
// them.
TEST_F(PK11FindRawCertsBySubjectTest, TestNoCertsImportedNoCertsFound) {

67
security/nss/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
Просмотреть файл

@ -116,4 +116,71 @@ INSTANTIATE_TEST_CASE_P(
INSTANTIATE_TEST_CASE_P(
WycheproofOaep2048Sha512Sha512Test, RsaOaepWycheproofTest,
::testing::ValuesIn(kRsaOaep2048Sha512Mgf1Sha512WycheproofVectors));
TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwrap) {
const size_t kRsaKeyBits = 2048;
const size_t kwrappedBufLen = 4096;
SECStatus rv = SECFailure;
ScopedSECKEYPrivateKey priv;
ScopedSECKEYPublicKey pub;
PK11RSAGenParams rsa_params;
rsa_params.keySizeInBits = kRsaKeyBits;
rsa_params.pe = 65537;
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ASSERT_NE(slot, nullptr);
SECKEYPublicKey* p_pub_tmp = nullptr;
priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
&rsa_params, &p_pub_tmp, false, false,
nullptr));
pub.reset(p_pub_tmp);
ASSERT_NE(priv.get(), nullptr);
ASSERT_NE(pub.get(), nullptr);
ScopedPK11SymKey to_wrap(
PK11_KeyGen(slot.get(), CKM_AES_CBC, nullptr, 16, nullptr));
CK_RSA_PKCS_OAEP_PARAMS oaep_params = {CKM_SHA256, CKG_MGF1_SHA256,
CKZ_DATA_SPECIFIED, NULL, 0};
SECItem param = {siBuffer, (unsigned char*)&oaep_params, sizeof(oaep_params)};
ScopedSECItem wrapped(SECITEM_AllocItem(nullptr, nullptr, kwrappedBufLen));
rv = PK11_PubWrapSymKeyWithMechanism(pub.get(), CKM_RSA_PKCS_OAEP, &param,
to_wrap.get(), wrapped.get());
ASSERT_EQ(rv, SECSuccess);
PK11SymKey* p_unwrapped_tmp = nullptr;
// This fails because this method is broken and assumes CKM_RSA_PKCS and
// doesn't understand OAEP.
p_unwrapped_tmp = PK11_PubUnwrapSymKey(priv.get(), wrapped.get(), CKM_AES_CBC,
CKA_DECRYPT, 16);
ASSERT_EQ(p_unwrapped_tmp, nullptr);
ScopedPK11SymKey unwrapped;
p_unwrapped_tmp = PK11_PubUnwrapSymKeyWithMechanism(
priv.get(), CKM_RSA_PKCS_OAEP, &param, wrapped.get(), CKM_AES_CBC,
CKA_DECRYPT, 16);
ASSERT_NE(p_unwrapped_tmp, nullptr);
unwrapped.reset(p_unwrapped_tmp);
// Extract key's value in order to validate decryption worked.
rv = PK11_ExtractKeyValue(to_wrap.get());
ASSERT_EQ(rv, SECSuccess);
rv = PK11_ExtractKeyValue(unwrapped.get());
ASSERT_EQ(rv, SECSuccess);
// References owned by PKCS#11 layer; no need to scope and free.
SECItem* expectedItem = PK11_GetKeyData(to_wrap.get());
SECItem* actualItem = PK11_GetKeyData(unwrapped.get());
ASSERT_EQ(SECITEM_CompareItem(actualItem, expectedItem), 0);
}
} // namespace nss_test

18
security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
Просмотреть файл

@ -348,8 +348,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHelloTwice) {
client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
}
// The server rejects a ChangeCipherSpec if the client advertises an
// empty session ID.
// The server accepts a ChangeCipherSpec even if the client advertises
// an empty session ID.
TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
EnsureTlsSetup();
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
@ -358,9 +358,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
client_->Handshake(); // Send ClientHello
client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
server_->Handshake(); // Consume ClientHello and CCS
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
Handshake();
CheckConnected();
}
// The server rejects multiple ChangeCipherSpec even if the client
@ -381,7 +380,7 @@ TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) {
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
}
// The client rejects a ChangeCipherSpec if it advertises an empty
// The client accepts a ChangeCipherSpec even if it advertises an empty
// session ID.
TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
EnsureTlsSetup();
@ -398,9 +397,10 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
// send ServerHello..CertificateVerify
// Send CCS
server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
client_->Handshake(); // Consume ClientHello and CCS
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
// No alert is sent from the client. As Finished is dropped, we
// can't use Handshake() and CheckConnected().
client_->Handshake();
}
// The client rejects multiple ChangeCipherSpec in a row even if the

12
security/nss/gtests/ssl_gtest/tls_filter.cc
Просмотреть файл

@ -1147,13 +1147,13 @@ PacketFilter::Action SelectedCipherSuiteReplacer::FilterHandshake(
*output = input;
uint32_t temp = 0;
EXPECT_TRUE(input.Read(0, 2, &temp));
// Cipher suite is after version(2) and random(32).
EXPECT_EQ(header.version(), NormalizeTlsVersion(temp));
// Cipher suite is after version(2), random(32)
// and [legacy_]session_id(<0..32>).
size_t pos = 34;
if (temp < SSL_LIBRARY_VERSION_TLS_1_3) {
// In old versions, we have to skip a session_id too.
EXPECT_TRUE(input.Read(pos, 1, &temp));
pos += 1 + temp;
}
EXPECT_TRUE(input.Read(pos, 1, &temp));
pos += 1 + temp;
output->Write(pos, static_cast<uint32_t>(cipher_suite_), 2);
return CHANGE;
}

5
security/nss/lib/certhigh/certvfypkix.c
Просмотреть файл

@ -411,7 +411,7 @@ cleanup:
static PKIX_Error *
cert_CreatePkixProcessingParams(
CERTCertificate *cert,
PRBool checkSig, /* not used yet. See bug 391476 */
PRBool checkSig,
PRTime time,
void *wincx,
PRBool useArena,
@ -441,15 +441,12 @@ cert_CreatePkixProcessingParams(
*pplContext = plContext;
#ifdef PKIX_NOTDEF
/* Functions should be implemented in patch for 390532 */
PKIX_CHECK(
pkix_pl_NssContext_SetCertSignatureCheck(checkSig,
(PKIX_PL_NssContext *)plContext),
PKIX_NSSCONTEXTSETCERTSIGNCHECKFAILED);
#endif /* PKIX_NOTDEF */
PKIX_CHECK(
PKIX_ProcessingParams_Create(&procParams, plContext),
PKIX_PROCESSINGPARAMSCREATEFAILED);

4
security/nss/lib/ckfw/builtins/certdata.txt
Просмотреть файл

@ -11241,7 +11241,9 @@ CKA_VALUE MULTILINE_OCTAL
\145\353\127\331\363\127\226\273\110\315\201
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\067\060\061\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Trustis FPS Root CA"

3
security/nss/lib/cryptohi/keyi.h
Просмотреть файл

@ -17,6 +17,9 @@ KeyType seckey_GetKeyType(SECOidTag pubKeyOid);
SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg);
/* just get the 'encryption' oid from the combined signature oid */
SECOidTag sec_GetEncAlgFromSigAlg(SECOidTag sigAlg);
/* extract the RSA-PSS hash algorithms and salt length from
* parameters, taking into account of the default implications.
*

35
security/nss/lib/cryptohi/secsign.c
Просмотреть файл

@ -31,6 +31,7 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
SGNContext *cx;
SECOidTag hashalg, signalg;
KeyType keyType;
PRUint32 policyFlags;
SECStatus rv;
/* OK, map a PKCS #7 hash and encrypt algorithm into
@ -44,7 +45,7 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
rv = sec_DecodeSigAlg(NULL, alg, params, &signalg, &hashalg);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return 0;
return NULL;
}
keyType = seckey_GetKeyType(signalg);
@ -53,7 +54,19 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
!((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
!((key->keyType == rsaKey) && (keyType == rsaPssKey))) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return 0;
return NULL;
}
/* check the policy on the hash algorithm */
if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
return NULL;
}
/* check the policy on the encryption algorithm */
if ((NSS_GetAlgorithmPolicy(signalg, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
return NULL;
}
cx = (SGNContext *)PORT_ZAlloc(sizeof(SGNContext));
@ -452,9 +465,27 @@ SGN_Digest(SECKEYPrivateKey *privKey,
SECItem digder;
PLArenaPool *arena = 0;
SGNDigestInfo *di = 0;
SECOidTag enctag;
PRUint32 policyFlags;
result->data = 0;
/* check the policy on the hash algorithm */
if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
return SECFailure;
}
/* check the policy on the encryption algorithm */
enctag = sec_GetEncAlgFromSigAlg(
SEC_GetSignatureAlgorithmOidTag(privKey->keyType, algtag));
if ((enctag == SEC_OID_UNKNOWN) ||
(NSS_GetAlgorithmPolicy(enctag, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
return SECFailure;
}
if (privKey->keyType == rsaKey) {
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

120
security/nss/lib/cryptohi/secvfy.c
Просмотреть файл

@ -216,6 +216,56 @@ const SEC_ASN1Template hashParameterTemplate[] =
{ 0 }
};
/*
* Get just the encryption algorithm from the signature algorithm
*/
SECOidTag
sec_GetEncAlgFromSigAlg(SECOidTag sigAlg)
{
/* get the "encryption" algorithm */
switch (sigAlg) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
return SEC_OID_PKCS1_RSA_ENCRYPTION;
case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
return SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
/* what about normal DSA? */
case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
return SEC_OID_ANSIX9_DSA_SIGNATURE;
case SEC_OID_MISSI_DSS:
case SEC_OID_MISSI_KEA_DSS:
case SEC_OID_MISSI_KEA_DSS_OLD:
case SEC_OID_MISSI_DSS_OLD:
return SEC_OID_MISSI_DSS;
case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
return SEC_OID_ANSIX962_EC_PUBLIC_KEY;
/* we don't implement MD4 hashes */
case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
break;
}
return SEC_OID_UNKNOWN;
}
/*
* Pulls the hash algorithm, signing algorithm, and key type out of a
* composite algorithm.
@ -229,15 +279,16 @@ const SEC_ASN1Template hashParameterTemplate[] =
*/
SECStatus
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
{
int len;
PLArenaPool *arena;
SECStatus rv;
SECItem oid;
SECOidTag encalg;
PR_ASSERT(hashalg != NULL);
PR_ASSERT(encalg != NULL);
PR_ASSERT(encalgp != NULL);
switch (sigAlg) {
/* We probably shouldn't be generating MD2 signatures either */
@ -354,52 +405,13 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
/* get the "encryption" algorithm */
switch (sigAlg) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
*encalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
break;
case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
*encalg = SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
break;
/* what about normal DSA? */
case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
*encalg = SEC_OID_ANSIX9_DSA_SIGNATURE;
break;
case SEC_OID_MISSI_DSS:
case SEC_OID_MISSI_KEA_DSS:
case SEC_OID_MISSI_KEA_DSS_OLD:
case SEC_OID_MISSI_DSS_OLD:
*encalg = SEC_OID_MISSI_DSS;
break;
case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
*encalg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
break;
/* we don't implement MD4 hashes */
case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
encalg = sec_GetEncAlgFromSigAlg(sigAlg);
if (encalg == SEC_OID_UNKNOWN) {
return SECFailure;
}
*encalgp = encalg;
return SECSuccess;
}
@ -423,6 +435,7 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
SECStatus rv;
unsigned int sigLen;
KeyType type;
PRUint32 policyFlags;
/* make sure the encryption algorithm matches the key type */
/* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
@ -433,6 +446,13 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
return NULL;
}
/* check the policy on the encryption algorithm */
if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
return NULL;
}
cx = (VFYContext *)PORT_ZAlloc(sizeof(VFYContext));
if (cx == NULL) {
goto loser;
@ -493,6 +513,14 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
/* error set by HASH_GetHashTypeByOidTag */
goto loser;
}
/* check the policy on the hash algorithm. Do this after
* the rsa decode because some uses of this function get hash implicitly
* from the RSA signature itself. */
if ((NSS_GetAlgorithmPolicy(cx->hashAlg, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
goto loser;
}
if (hash) {
*hash = cx->hashAlg;

70
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c
Просмотреть файл

@ -54,6 +54,7 @@ PKIX_PL_NssContext_Create(
context->crlReloadDelay = PKIX_DEFAULT_CRL_RELOAD_DELAY_SECONDS;
context->badDerCrlReloadDelay =
PKIX_DEFAULT_BAD_CRL_RELOAD_DELAY_SECONDS;
context->certSignatureCheck = PKIX_TRUE;
context->chainVerifyCallback.isChainValid = NULL;
context->chainVerifyCallback.isChainValidArg = NULL;
*pNssContext = context;
@ -160,6 +161,75 @@ pkix_pl_NssContext_SetCertUsage(
PKIX_RETURN(CONTEXT);
}
/*
* FUNCTION: pkix_pl_NssContext_GetCertSignatureCheck
* DESCRIPTION:
*
* This function obtains the platform-dependent flag to turn on or off
* signature checks.
*
* PARAMETERS:
* "nssContext"
* The address of the context object whose wincx parameter is to be
* obtained. Must be non-NULL.
* "pCheckSig"
* The address where the result is stored. Must be non-NULL.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_NssContext_GetCertSignatureCheck(
PKIX_PL_NssContext *nssContext,
PKIX_Boolean *pCheckSig)
{
void *plContext = NULL;
PKIX_ENTER(CONTEXT, "pkix_pl_NssContext_GetCertUsage");
PKIX_NULLCHECK_TWO(nssContext, pCheckSig);
*pCheckSig = nssContext->certSignatureCheck;
PKIX_RETURN(CONTEXT);
}
/*
* FUNCTION: pkix_pl_NssContext_SetCertSignatureCheck
* DESCRIPTION:
*
* This function sets the check signature flag in
* the context object pointed to by "nssContext" to the value provided in
* "checkSig".
*
* PARAMETERS:
* "checkSig"
* Boolean that tells whether or not to check the signatues on certs.
* "nssContext"
* The address of the context object whose wincx parameter is to be
* obtained. Must be non-NULL.
* THREAD SAFETY:
* Thread Safe (see Thread Safety Definitions in Programmer's Guide)
* RETURNS:
* Returns NULL if the function succeeds.
* Returns a Fatal Error if the function fails in an unrecoverable way.
*/
PKIX_Error *
pkix_pl_NssContext_SetCertSignatureCheck(
PKIX_Boolean checkSig,
PKIX_PL_NssContext *nssContext)
{
void *plContext = NULL;
PKIX_ENTER(CONTEXT, "pkix_pl_NssContext_SetCertUsage");
PKIX_NULLCHECK_ONE(nssContext);
nssContext->certSignatureCheck = checkSig;
PKIX_RETURN(CONTEXT);
}
/*
* FUNCTION: pkix_pl_NssContext_GetWincx
* DESCRIPTION:

9
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h
Просмотреть файл

@ -27,6 +27,7 @@ struct PKIX_PL_NssContextStruct {
PRTime crlReloadDelay;
PRTime badDerCrlReloadDelay;
CERTChainVerifyCallback chainVerifyCallback;
PKIX_Boolean certSignatureCheck;
};
PKIX_Error *
@ -38,6 +39,14 @@ PKIX_Error *
pkix_pl_NssContext_SetCertUsage
(SECCertificateUsage certUsage, PKIX_PL_NssContext *nssContext);
PKIX_Error *
pkix_pl_NssContext_GetCertSignatureCheck
(PKIX_PL_NssContext *nssContext, PKIX_Boolean *pCheckSig);
PKIX_Error *
pkix_pl_NssContext_SetCertSignatureCheck
(PKIX_Boolean checkSig, PKIX_PL_NssContext *nssContext);
PKIX_Error *
pkix_pl_NssContext_GetWincx(PKIX_PL_NssContext *nssContext, void **pWincx);

10
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
Просмотреть файл

@ -2811,14 +2811,23 @@ PKIX_PL_Cert_VerifySignature(
PKIX_PL_Cert *cachedCert = NULL;
PKIX_Error *verifySig = NULL;
PKIX_Error *cachedSig = NULL;
PKIX_Error *checkSig = NULL;
SECStatus status;
PKIX_Boolean certEqual = PKIX_FALSE;
PKIX_Boolean certInHash = PKIX_FALSE;
PKIX_Boolean checkCertSig = PKIX_TRUE;
void* wincx = NULL;
PKIX_ENTER(CERT, "PKIX_PL_Cert_VerifySignature");
PKIX_NULLCHECK_THREE(cert, cert->nssCert, pubKey);
/* if the cert check flag is off, skip the check */
checkSig = pkix_pl_NssContext_GetCertSignatureCheck(
(PKIX_PL_NssContext *)plContext, &checkCertSig);
if ((checkCertSig == PKIX_FALSE) && (checkSig == NULL)) {
goto cleanup;
}
verifySig = PKIX_PL_HashTable_Lookup
(cachedCertSigTable,
(PKIX_PL_Object *) pubKey,
@ -2879,6 +2888,7 @@ cleanup:
}
PKIX_DECREF(cachedCert);
PKIX_DECREF(checkSig);
PKIX_DECREF(verifySig);
PKIX_DECREF(cachedSig);

4
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c
Просмотреть файл

@ -741,7 +741,9 @@ pkix_pl_OcspResponse_VerifyResponse(
PKIX_CERTVERIFYKEYUSAGEFAILED);
rv = SECSuccess;
} else {
rv = CERT_VerifyCert(response->handle, response->signerCert, PKIX_TRUE,
/* checkSig is !isRoot */
PRBool checkSig = response->signerCert->isRoot ? PR_FALSE : PR_TRUE;
rv = CERT_VerifyCert(response->handle, response->signerCert, checkSig,
certUsage, response->producedAt, NULL, NULL);
if (rv != SECSuccess) {
PKIX_ERROR(PKIX_CERTVERIFYKEYUSAGEFAILED);

9
security/nss/lib/nss/nss.def
Просмотреть файл

@ -1204,3 +1204,12 @@ PK11_ImportDataKey;
;+ local:
;+ *;
;+};
;+NSS_3.59 { # NSS 3.59 release
;+ global:
CERT_AddCertToListHeadWithData;
CERT_AddCertToListTailWithData;
PK11_PubWrapSymKeyWithMechanism;
PK11_PubUnwrapSymKeyWithMechanism;
;+ local:
;+ *;
;+};

2
security/nss/lib/nss/nss.h
Просмотреть файл

@ -299,6 +299,8 @@ SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
* old NSS versions. This option might be removed in the future NSS
* releases; don't rely on it. */
#define __NSS_PKCS12_DECODE_FORCE_UNICODE 0x00c
#define NSS_DEFAULT_LOCKS 0x00d /* lock default values */
#define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */
/*
* Set and get global options for the NSS library.

17
security/nss/lib/nss/nssoptions.c
Просмотреть файл

@ -14,6 +14,7 @@
#include "secoid.h"
#include "nss.h"
#include "nssoptions.h"
#include "secerr.h"
struct nssOps {
PRInt32 rsaMinKeySize;
@ -24,6 +25,7 @@ struct nssOps {
PRInt32 dtlsVersionMinPolicy;
PRInt32 dtlsVersionMaxPolicy;
PRInt32 pkcs12DecodeForceUnicode;
PRInt32 defaultLocks;
};
static struct nssOps nss_ops = {
@ -34,7 +36,8 @@ static struct nssOps nss_ops = {
0xffff, /* set TLS max to more than the largest legal SSL value */
1,
0xffff,
PR_FALSE
PR_FALSE,
0
};
SECStatus
@ -42,6 +45,11 @@ NSS_OptionSet(PRInt32 which, PRInt32 value)
{
SECStatus rv = SECSuccess;
if (NSS_IsPolicyLocked()) {
PORT_SetError(SEC_ERROR_POLICY_LOCKED);
return SECFailure;
}
switch (which) {
case NSS_RSA_MIN_KEY_SIZE:
nss_ops.rsaMinKeySize = value;
@ -67,7 +75,11 @@ NSS_OptionSet(PRInt32 which, PRInt32 value)
case __NSS_PKCS12_DECODE_FORCE_UNICODE:
nss_ops.pkcs12DecodeForceUnicode = value;
break;
case NSS_DEFAULT_LOCKS:
nss_ops.defaultLocks = value;
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
}
@ -104,6 +116,9 @@ NSS_OptionGet(PRInt32 which, PRInt32 *value)
case __NSS_PKCS12_DECODE_FORCE_UNICODE:
*value = nss_ops.pkcs12DecodeForceUnicode;
break;
case NSS_DEFAULT_LOCKS:
*value = nss_ops.defaultLocks;
break;
default:
rv = SECFailure;
}

205
security/nss/lib/pk11wrap/pk11pars.c
Просмотреть файл

@ -158,16 +158,17 @@ SECMOD_CreateModule(const char *library, const char *moduleName,
* Disallow values are parsed first, then allow values, independent of the
* order they appear.
*
* Future key words (not yet implemented):
* flags: turn on the following flags:
* policy-lock: turn off the ability for applications to change policy with
* the call NSS_SetAlgorithmPolicy or the other system policy
* calls (SSL_SetPolicy, etc.)
* ssl-lock: turn off the ability to change the ssl defaults.
*
* The following only apply to ssl cipher suites (future smime)
*
* enable: turn on ciphersuites by default.
* disable: turn off ciphersuites by default without disallowing them by policy.
* flags: turn on the following flags:
* ssl-lock: turn off the ability for applications to change policy with
* the SSL_SetCipherPolicy (or SSL_SetPolicy).
* policy-lock: turn off the ability for applications to change policy with
* the call NSS_SetAlgorithmPolicy.
* ssl-default-lock: turn off the ability for applications to change cipher
* suite states with SSL_EnableCipher, SSL_DisableCipher.
*
*
*/
@ -323,21 +324,21 @@ static const oidValDef curveOptList[] = {
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("SHA256"), SEC_OID_SHA256,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("SHA384"), SEC_OID_SHA384,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("SHA512"), SEC_OID_SHA512,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }
};
static const oidValDef macOptList[] = {
@ -389,7 +390,13 @@ static const oidValDef kxOptList[] = {
static const oidValDef signOptList[] = {
/* Signatures */
{ CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
};
typedef struct {
@ -405,7 +412,7 @@ static const algListsDef algOptLists[] = {
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
{ signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
{ signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
};
static const optionFreeDef sslOptList[] = {
@ -443,10 +450,19 @@ static const policyFlagDef policyFlagList[] = {
/* add other key exhanges in the future */
{ CIPHER_NAME("KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("CERT-SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE },
/* add other signatures in the future */
{ CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE },
/* enable everything */
{ CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
{ CIPHER_NAME("CMS-SIGNATURE"), NSS_USE_ALG_IN_CMS_SIGNATURE },
{ CIPHER_NAME("ALL-SIGNATURE"), NSS_USE_ALG_IN_SIGNATURE },
/* sign turns off all signatures, but doesn't change the
* allowance for specific sigantures... for example:
* disallow=sha256/all allow=sha256/signature doesn't allow
* cert-sigantures, where disallow=sha256/all allow=sha256/all-signature
* does.
* however, disallow=sha356/signature and disallow=sha256/all-siganture are
* equivalent in effect */
{ CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_ANY_SIGNATURE },
/* enable/disable everything */
{ CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX |
NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("NONE"), 0 }
};
@ -538,8 +554,82 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
return SECFailure;
}
/* Policy operations:
* Disallow: operation is disallowed by policy. Implies disabled.
* Allow: operation is allowed by policy (but could be disabled).
* Disable: operation is turned off by default (but could be allowed).
* Enable: operation is enabled by default. Implies allowed.
*/
typedef enum {
NSS_DISALLOW,
NSS_ALLOW,
NSS_DISABLE,
NSS_ENABLE
} NSSPolicyOperation;
/* apply the operator specific policy */
SECStatus
secmod_setPolicyOperation(SECOidTag oid, NSSPolicyOperation operation,
PRUint32 value)
{
SECStatus rv = SECSuccess;
switch (operation) {
case NSS_DISALLOW:
/* clear the requested policy bits */
rv = NSS_SetAlgorithmPolicy(oid, 0, value);
break;
case NSS_ALLOW:
/* set the requested policy bits */
rv = NSS_SetAlgorithmPolicy(oid, value, 0);
break;
/* enable/disable only apply to SSL cipher suites (future S/MIME).
* Enable/disable is implemented by clearing the DEFAULT_NOT_VALID
* flag, then setting the NSS_USE_DEFAULT_SSL_ENABLE flag to the
* correct value. The ssl policy code will then sort out what to
* set based on ciphers and cipher suite values.*/
case NSS_DISABLE:
if (value & (NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX)) {
/* clear not valid and enable */
rv = NSS_SetAlgorithmPolicy(oid, 0,
NSS_USE_DEFAULT_NOT_VALID |
NSS_USE_DEFAULT_SSL_ENABLE);
}
break;
case NSS_ENABLE:
if (value & (NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX)) {
/* set enable, clear not valid. NOTE: enable implies allow! */
rv = NSS_SetAlgorithmPolicy(oid, value | NSS_USE_DEFAULT_SSL_ENABLE,
NSS_USE_DEFAULT_NOT_VALID);
}
break;
default:
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
rv = SECFailure;
break;
}
return rv;
}
const char *
secmod_getOperationString(NSSPolicyOperation operation)
{
switch (operation) {
case NSS_DISALLOW:
return "disallow";
case NSS_ALLOW:
return "allow";
case NSS_DISABLE:
return "disable";
case NSS_ENABLE:
return "enable";
default:
break;
}
return "invalid";
}
static SECStatus
secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
secmod_applyCryptoPolicy(const char *policyString, NSSPolicyOperation operation,
PRBool printPolicyFeedback)
{
const char *cipher, *currentString;
@ -573,18 +663,10 @@ secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
const algListsDef *algOptList = &algOptLists[i];
for (j = 0; j < algOptList->entries; j++) {
PRUint32 enable, disable;
if (!newValue) {
value = algOptList->list[j].val;
}
if (allow) {
enable = value;
disable = 0;
} else {
enable = 0;
disable = value;
}
NSS_SetAlgorithmPolicy(algOptList->list[j].oid, enable, disable);
secmod_setPolicyOperation(algOptList->list[j].oid, operation, value);
}
}
continue;
@ -603,20 +685,12 @@ secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
if ((newOption || algOpt->name_size == length) &&
PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
PRUint32 value = algOpt->val;
PRUint32 enable, disable;
if (newOption) {
value = secmod_parsePolicyValue(&cipher[name_size] + 1,
length - name_size - 1,
printPolicyFeedback);
}
if (allow) {
enable = value;
disable = 0;
} else {
enable = 0;
disable = value;
}
rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
rv = secmod_setPolicyOperation(algOptList->list[j].oid, operation, value);
if (rv != SECSuccess) {
/* could not enable option */
/* NSS_SetAlgorithPolicy should have set the error code */
@ -666,7 +740,7 @@ secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
if (unknown && printPolicyFeedback) {
PR_SetEnv("NSS_POLICY_FAIL=1");
fprintf(stderr, "NSS-POLICY-FAIL %s: unknown identifier: %.*s\n",
allow ? "allow" : "disallow", length, cipher);
secmod_getOperationString(operation), length, cipher);
}
}
return rv;
@ -709,7 +783,8 @@ secmod_sanityCheckCryptoPolicy(void)
anyEnabled = PR_TRUE;
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for SSL\n", algOpt->name);
}
if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) && (value & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) &&
((value & NSS_USE_CERT_SIGNATURE_OK) == NSS_USE_CERT_SIGNATURE_OK)) {
++num_sig_enabled;
anyEnabled = PR_TRUE;
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for CERT-SIGNATURE\n", algOpt->name);
@ -740,7 +815,7 @@ secmod_sanityCheckCryptoPolicy(void)
static SECStatus
secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback)
{
char *disallow, *allow;
char *args;
SECStatus rv;
if (policyConfig == NULL) {
@ -752,20 +827,46 @@ secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback)
if (rv != SECSuccess) {
return rv;
}
disallow = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
rv = secmod_applyCryptoPolicy(disallow, PR_FALSE, printPolicyFeedback);
if (disallow)
PORT_Free(disallow);
args = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
rv = secmod_applyCryptoPolicy(args, NSS_DISALLOW, printPolicyFeedback);
if (args)
PORT_Free(args);
if (rv != SECSuccess) {
return rv;
}
allow = NSSUTIL_ArgGetParamValue("allow", policyConfig);
rv = secmod_applyCryptoPolicy(allow, PR_TRUE, printPolicyFeedback);
if (allow)
PORT_Free(allow);
args = NSSUTIL_ArgGetParamValue("allow", policyConfig);
rv = secmod_applyCryptoPolicy(args, NSS_ALLOW, printPolicyFeedback);
if (args)
PORT_Free(args);
if (rv != SECSuccess) {
return rv;
}
args = NSSUTIL_ArgGetParamValue("disable", policyConfig);
rv = secmod_applyCryptoPolicy(args, NSS_DISABLE, printPolicyFeedback);
if (args)
PORT_Free(args);
if (rv != SECSuccess) {
return rv;
}
args = NSSUTIL_ArgGetParamValue("enable", policyConfig);
rv = secmod_applyCryptoPolicy(args, NSS_ENABLE, printPolicyFeedback);
if (args)
PORT_Free(args);
if (rv != SECSuccess) {
return rv;
}
/* this has to be last. Everything after this will be a noop */
if (NSSUTIL_ArgHasFlag("flags", "ssl-lock", policyConfig)) {
PRInt32 locks;
/* don't overwrite other (future) lock flags */
rv = NSS_OptionGet(NSS_DEFAULT_LOCKS, &locks);
if (rv == SECSuccess) {
NSS_OptionSet(NSS_DEFAULT_LOCKS, locks | NSS_DEFAULT_SSL_LOCK);
}
}
if (NSSUTIL_ArgHasFlag("flags", "policy-lock", policyConfig)) {
NSS_LockPolicy();
}
if (printPolicyFeedback) {
/* This helps to distinguish configurations that don't contain any
* policy config= statement. */

12
security/nss/lib/pk11wrap/pk11pub.h
Просмотреть файл

@ -357,6 +357,11 @@ void *PK11_GetSymKeyUserData(PK11SymKey *symKey);
SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
PK11SymKey *symKey, SECItem *wrappedKey);
SECStatus PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey *pubKey,
CK_MECHANISM_TYPE mechType,
SECItem *param,
PK11SymKey *symKey,
SECItem *wrappedKey);
SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
/* move a key to 'slot' optionally set the key attributes according to either
@ -451,6 +456,13 @@ PK11SymKey *PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey,
*/
PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey *PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey *key,
CK_MECHANISM_TYPE mechType,
SECItem *param,
SECItem *wrapppedKey,
CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation,
int keySize);
PK11SymKey *PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey,
SECItem *wrappedKey, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,

51
security/nss/lib/pk11wrap/pk11skey.c
Просмотреть файл

@ -1275,13 +1275,23 @@ PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, void *wincx)
symk->type, newKeyID, PR_FALSE /*owner*/, NULL /*wincx*/);
}
/*
* This function does a straight public key wrap (which only RSA can do).
* Use PK11_PubGenKey and PK11_WrapSymKey to implement the FORTEZZA and
* Diffie-Hellman Ciphers. */
/* This function does a straight public key wrap with the CKM_RSA_PKCS
* mechanism. */
SECStatus
PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
PK11SymKey *symKey, SECItem *wrappedKey)
{
CK_MECHANISM_TYPE inferred = pk11_mapWrapKeyType(pubKey->keyType);
return PK11_PubWrapSymKeyWithMechanism(pubKey, inferred, NULL, symKey,
wrappedKey);
}
/* This function wraps a symmetric key with a public key, such as with the
* CKM_RSA_PKCS and CKM_RSA_PKCS_OAEP mechanisms. */
SECStatus
PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey *pubKey,
CK_MECHANISM_TYPE mechType, SECItem *param,
PK11SymKey *symKey, SECItem *wrappedKey)
{
PK11SlotInfo *slot;
CK_ULONG len = wrappedKey->len;
@ -1298,7 +1308,7 @@ PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
}
/* if this slot doesn't support the mechanism, go to a slot that does */
newKey = pk11_ForceSlot(symKey, type, CKA_ENCRYPT);
newKey = pk11_ForceSlot(symKey, mechType, CKA_ENCRYPT);
if (newKey != NULL) {
symKey = newKey;
}
@ -1309,9 +1319,15 @@ PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
}
slot = symKey->slot;
mechanism.mechanism = pk11_mapWrapKeyType(pubKey->keyType);
mechanism.pParameter = NULL;
mechanism.ulParameterLen = 0;
mechanism.mechanism = mechType;
if (param == NULL) {
mechanism.pParameter = NULL;
mechanism.ulParameterLen = 0;
} else {
mechanism.pParameter = param->data;
mechanism.ulParameterLen = param->len;
}
id = PK11_ImportPublicKey(slot, pubKey, PR_FALSE);
if (id == CK_INVALID_HANDLE) {
@ -2883,20 +2899,33 @@ PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey,
wrappingKey->cx, keyTemplate, templateCount, isPerm);
}
/* unwrap a symetric key with a private key. */
/* unwrap a symmetric key with a private key. Only supports CKM_RSA_PKCS. */
PK11SymKey *
PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize)
{
CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
return PK11_PubUnwrapSymKeyWithMechanism(wrappingKey, wrapType, NULL,
wrappedKey, target, operation,
keySize);
}
/* unwrap a symmetric key with a private key with the given parameters. */
PK11SymKey *
PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey *wrappingKey,
CK_MECHANISM_TYPE mechType, SECItem *param,
SECItem *wrappedKey, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize)
{
PK11SlotInfo *slot = wrappingKey->pkcs11Slot;
if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) {
PK11_HandlePasswordCheck(slot, wrappingKey->wincx);
}
return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
wrapType, NULL, wrappedKey, target, operation, keySize,
return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, mechType, param,
wrappedKey, target, operation, keySize,
wrappingKey->wincx, NULL, 0, PR_FALSE);
}

101
security/nss/lib/ssl/ssl3con.c
Просмотреть файл

@ -6645,11 +6645,7 @@ ssl_CheckServerSessionIdCorrectness(sslSocket *ss, SECItem *sidBytes)
/* TLS 1.3: We sent a session ID. The server's should match. */
if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
if (sidMatch) {
ss->ssl3.hs.allowCcs = PR_TRUE;
return PR_TRUE;
}
return PR_FALSE;
return sidMatch;
}
/* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
@ -8696,7 +8692,6 @@ ssl3_HandleClientHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
errCode = PORT_GetError();
goto alert_loser;
}
ss->ssl3.hs.allowCcs = PR_TRUE;
}
/* TLS 1.3 requires that compression include only null. */
@ -13066,15 +13061,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
ss->ssl3.hs.ws != idle_handshake &&
cText->buf->len == 1 &&
cText->buf->buf[0] == change_cipher_spec_choice) {
if (ss->ssl3.hs.allowCcs) {
/* Ignore the first CCS. */
ss->ssl3.hs.allowCcs = PR_FALSE;
if (!ss->ssl3.hs.rejectCcs) {
/* Allow only the first CCS. */
ss->ssl3.hs.rejectCcs = PR_TRUE;
return SECSuccess;
} else {
alert = unexpected_message;
PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
}
/* Compatibility mode is not negotiated. */
alert = unexpected_message;
PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
}
if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
@ -13596,6 +13590,61 @@ ssl3_DestroySSL3Info(sslSocket *ss)
tls13_DestroyPskList(&ss->ssl3.hs.psks);
}
/*
* parse the policy value for a single algorithm in a cipher_suite,
* return TRUE if we disallow by the cipher suite by policy
* (we don't have to parse any more algorithm policies on this cipher suite),
* otherwise return FALSE.
* 1. If we don't have the required policy, disable by default, disallow by
* policy and return TRUE (no more processing needed).
* 2. If we have the required policy, and we are disabled, return FALSE,
* (if we are disabled, we only need to parse policy, not default).
* 3. If we have the required policy, and we aren't adjusting the defaults
* return FALSE. (only parsing the policy, not default).
* 4. We have the required policy and we are adjusting the defaults.
* If we are setting default = FALSE, set isDisabled to true so that
* we don't try to re-enable the cipher suite based on a different
* algorithm.
*/
PRBool
ssl_HandlePolicy(int cipher_suite, SECOidTag policyOid,
PRUint32 requiredPolicy, PRBool *isDisabled)
{
PRUint32 policy;
SECStatus rv;
/* first fetch the policy for this algorithm */
rv = NSS_GetAlgorithmPolicy(policyOid, &policy);
if (rv != SECSuccess) {
return PR_FALSE; /* no policy value, continue to the next algorithm */
}
/* first, are we allowed by policy, if not turn off allow and disable */
if (!(policy & requiredPolicy)) {
ssl_CipherPrefSetDefault(cipher_suite, PR_FALSE);
ssl_CipherPolicySet(cipher_suite, SSL_NOT_ALLOWED);
return PR_TRUE;
}
/* If we are already disabled, or the policy isn't setting a default
* we are done processing this algorithm */
if (*isDisabled || (policy & NSS_USE_DEFAULT_NOT_VALID)) {
return PR_FALSE;
}
/* set the default value for the cipher suite. If we disable the cipher
* suite, remember that so we don't process the next default. This has
* the effect of disabling the whole cipher suite if any of the
* algorithms it uses are disabled by default. We still have to
* process the upper level because the cipher suite is still allowed
* by policy, and we may still have to disallow it based on other
* algorithms in the cipher suite. */
if (policy & NSS_USE_DEFAULT_SSL_ENABLE) {
ssl_CipherPrefSetDefault(cipher_suite, PR_TRUE);
} else {
*isDisabled = PR_TRUE;
ssl_CipherPrefSetDefault(cipher_suite, PR_FALSE);
}
return PR_FALSE;
}
#define MAP_NULL(x) (((x) != 0) ? (x) : SEC_OID_NULL_CIPHER)
SECStatus
@ -13614,30 +13663,30 @@ ssl3_ApplyNSSPolicy(void)
for (i = 1; i < PR_ARRAY_SIZE(cipher_suite_defs); ++i) {
const ssl3CipherSuiteDef *suite = &cipher_suite_defs[i];
SECOidTag policyOid;
PRBool isDisabled = PR_FALSE;
/* if we haven't explicitly disabled it below enable by policy */
ssl_CipherPolicySet(suite->cipher_suite, SSL_ALLOWED);
/* now check the various key exchange, ciphers and macs and
* if we ever disallow by policy, we are done, go to the next cipher
*/
policyOid = MAP_NULL(kea_defs[suite->key_exchange_alg].oid);
rv = NSS_GetAlgorithmPolicy(policyOid, &policy);
if (rv == SECSuccess && !(policy & NSS_USE_ALG_IN_SSL_KX)) {
ssl_CipherPrefSetDefault(suite->cipher_suite, PR_FALSE);
ssl_CipherPolicySet(suite->cipher_suite, SSL_NOT_ALLOWED);
if (ssl_HandlePolicy(suite->cipher_suite, policyOid,
NSS_USE_ALG_IN_SSL_KX, &isDisabled)) {
continue;
}
policyOid = MAP_NULL(ssl_GetBulkCipherDef(suite)->oid);
rv = NSS_GetAlgorithmPolicy(policyOid, &policy);
if (rv == SECSuccess && !(policy & NSS_USE_ALG_IN_SSL)) {
ssl_CipherPrefSetDefault(suite->cipher_suite, PR_FALSE);
ssl_CipherPolicySet(suite->cipher_suite, SSL_NOT_ALLOWED);
if (ssl_HandlePolicy(suite->cipher_suite, policyOid,
NSS_USE_ALG_IN_SSL, &isDisabled)) {
continue;
}
if (ssl_GetBulkCipherDef(suite)->type != type_aead) {
policyOid = MAP_NULL(ssl_GetMacDefByAlg(suite->mac_alg)->oid);
rv = NSS_GetAlgorithmPolicy(policyOid, &policy);
if (rv == SECSuccess && !(policy & NSS_USE_ALG_IN_SSL)) {
ssl_CipherPrefSetDefault(suite->cipher_suite, PR_FALSE);
ssl_CipherPolicySet(suite->cipher_suite,
SSL_NOT_ALLOWED);
if (ssl_HandlePolicy(suite->cipher_suite, policyOid,
NSS_USE_ALG_IN_SSL, &isDisabled)) {
continue;
}
}

5
security/nss/lib/ssl/sslimpl.h
Просмотреть файл

@ -710,10 +710,7 @@ typedef struct SSL3HandshakeStateStr {
* or received. */
PRBool receivedCcs; /* A server received ChangeCipherSpec
* before the handshake started. */
PRBool allowCcs; /* A server allows ChangeCipherSpec
* as the middlebox compatibility mode
* is explicitly indicarted by
* legacy_session_id in TLS 1.3 ClientHello. */
PRBool rejectCcs; /* Excessive ChangeCipherSpecs are rejected. */
PRBool clientCertRequested; /* True if CertificateRequest received. */
PRBool endOfFlight; /* Processed a full flight (DTLS 1.3). */
ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def

15
security/nss/lib/ssl/sslsock.c
Просмотреть файл

@ -1460,6 +1460,10 @@ SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
if (rv != SECSuccess) {
return rv;
}
if (NSS_IsPolicyLocked()) {
PORT_SetError(SEC_ERROR_POLICY_LOCKED);
return SECFailure;
}
return ssl_CipherPolicySet(which, policy);
}
@ -1506,10 +1510,15 @@ SECStatus
SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
{
SECStatus rv = ssl_Init();
PRInt32 locks;
if (rv != SECSuccess) {
return rv;
}
rv = NSS_OptionGet(NSS_DEFAULT_LOCKS, &locks);
if ((rv == SECSuccess) && (locks & NSS_DEFAULT_SSL_LOCK)) {
return SECSuccess;
}
return ssl_CipherPrefSetDefault(which, enabled);
}
@ -1535,11 +1544,17 @@ SECStatus
SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
{
sslSocket *ss = ssl_FindSocket(fd);
PRInt32 locks;
SECStatus rv;
if (!ss) {
SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
return SECFailure;
}
rv = NSS_OptionGet(NSS_DEFAULT_LOCKS, &locks);
if ((rv == SECSuccess) && (locks & NSS_DEFAULT_SSL_LOCK)) {
return SECSuccess;
}
if (ssl_IsRemovedCipherSuite(which))
return SECSuccess;
return ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);

6
security/nss/lib/util/SECerrs.h
Просмотреть файл

@ -552,3 +552,9 @@ ER3(SEC_ERROR_APPLICATION_CALLBACK_ERROR, (SEC_ERROR_BASE + 178),
ER3(SEC_ERROR_INVALID_STATE, (SEC_ERROR_BASE + 179),
"The attempted operation is invalid for the current state.")
ER3(SEC_ERROR_POLICY_LOCKED, (SEC_ERROR_BASE + 180),
"Could not change the policy because the policy is now locked.")
ER3(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED, (SEC_ERROR_BASE + 181),
"Could not create or verify a signature using a signature algorithm that is disabled because it is not secure.")

7
security/nss/lib/util/nssutil.def
Просмотреть файл

@ -334,3 +334,10 @@ NSSUTIL_AddNSSFlagToModuleSpec;
;+ local:
;+ *;
;+};
;+NSSUTIL_3.59 { # NSS Utilities 3.59 release
;+ global:
NSS_IsPolicyLocked;
NSS_LockPolicy;
;+ local:
;+ *;
;+};

11
security/nss/lib/util/secasn1d.c
Просмотреть файл

@ -1982,8 +1982,15 @@ sec_asn1d_next_in_group(sec_asn1d_state *state)
* compensating for "offset", as is done a little farther below
* in the more normal case.
*/
PORT_Assert(state->indefinite);
PORT_Assert(state->pending == 0);
/*
* XXX We used to assert our overall state was that we were decoding
* an indefinite-length object here (state->indefinite == TRUE and no
* pending bytes in the decoder), but those assertions aren't correct
* as it's legitimate to wrap indefinite sequences inside definite ones
* and this code handles that case. Additionally, when compiled in
* release mode these assertions aren't checked anyway, yet function
* safely.
*/
if (child->dest && !state->subitems_head) {
sec_asn1d_add_to_subitems(state, child->dest, 0, PR_FALSE);
child->dest = NULL;

3
security/nss/lib/util/secerr.h
Просмотреть файл

@ -212,6 +212,9 @@ typedef enum {
SEC_ERROR_INVALID_STATE = (SEC_ERROR_BASE + 179),
SEC_ERROR_POLICY_LOCKED = (SEC_ERROR_BASE + 180),
SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED = (SEC_ERROR_BASE + 181),
/* Add new error codes above here. */
SEC_ERROR_END_OF_LIST
} SECErrorCodes;

24
security/nss/lib/util/secoid.c
Просмотреть файл

@ -2244,6 +2244,8 @@ NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue)
return SECSuccess;
}
static PRBool nss_policy_locked = PR_FALSE;
/* The Set function modifies the stored value according to the following
* algorithm:
* policy[tag] = (policy[tag] & ~clearBits) | setBits;
@ -2255,6 +2257,11 @@ NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits)
PRUint32 policyFlags;
if (!pxo)
return SECFailure;
if (nss_policy_locked) {
PORT_SetError(SEC_ERROR_POLICY_LOCKED);
return SECFailure;
}
/* The stored policy flags are the ones complement of the flags as
* seen by the user. This is not atomic, but these changes should
* be done rarely, e.g. at initialization time.
@ -2265,6 +2272,20 @@ NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits)
return SECSuccess;
}
/* Get the state of nss_policy_locked */
PRBool
NSS_IsPolicyLocked(void)
{
return nss_policy_locked;
}
/* Once the policy is locked, it can't be unlocked */
void
NSS_LockPolicy(void)
{
nss_policy_locked = PR_TRUE;
}
/* --------- END OF opaque extended OID table accessor functions ---------*/
/* for now, this is only used in a single place, so it can remain static */
@ -2326,6 +2347,9 @@ SECOID_Shutdown(void)
dynOidEntriesAllocated = 0;
dynOidEntriesUsed = 0;
}
/* we are trashing the old policy state now, also reenable changing
* the policy as well */
nss_policy_locked = PR_FALSE;
memset(xOids, 0, sizeof xOids);
return SECSuccess;
}

9
security/nss/lib/util/secoid.h
Просмотреть файл

@ -135,6 +135,15 @@ extern SECStatus NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue);
extern SECStatus
NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits);
/* Lock the policy so NSS_SetAlgorithmPolicy (and other policy functions)
* No longer function */
void
NSS_LockPolicy(void);
/* return true if policy changes are now locked out */
PRBool
NSS_IsPolicyLocked(void);
SEC_END_PROTOS
#endif /* _SECOID_H_ */

19
security/nss/lib/util/secoidt.h
Просмотреть файл

@ -538,7 +538,24 @@ struct SECOidDataStr {
#define NSS_USE_ALG_IN_SSL_KX 0x00000004 /* used in SSL key exchange */
#define NSS_USE_ALG_IN_SSL 0x00000008 /* used in SSL record protocol */
#define NSS_USE_POLICY_IN_SSL 0x00000010 /* enable policy in SSL protocol */
#define NSS_USE_ALG_RESERVED 0xfffffffc /* may be used in future */
#define NSS_USE_ALG_IN_ANY_SIGNATURE 0x00000020 /* used in S/MIME */
#define NSS_USE_DEFAULT_NOT_VALID 0x80000000 /* clear to make the default flag valid */
#define NSS_USE_DEFAULT_SSL_ENABLE 0x40000000 /* default cipher suite setting 1=enable */
/* Combo policy bites */
#define NSS_USE_ALG_RESERVED 0x3fffffc0 /* may be used in future */
/* Alias of all the signature values. */
#define NSS_USE_ALG_IN_SIGNATURE (NSS_USE_ALG_IN_CERT_SIGNATURE | \
NSS_USE_ALG_IN_CMS_SIGNATURE | \
NSS_USE_ALG_IN_ANY_SIGNATURE)
/* all the bits needed for a certificate signature
* and only the bits needed for a certificate signature */
#define NSS_USE_CERT_SIGNATURE_OK (NSS_USE_ALG_IN_CERT_SIGNATURE | \
NSS_USE_ALG_IN_ANY_SIGNATURE)
/* all the bits needed for an SMIME signature
* and only the bits needed for an SMIME signature */
#define NSS_USE_CMS_SIGNATURE_OK (NSS_USE_ALG_IN_CMS_SIGNATURE | \
NSS_USE_ALG_IN_ANY_SIGNATURE)
/* Code MUST NOT SET or CLEAR reserved bits, and must NOT depend on them
* being all zeros or having any other known value. The reserved bits

9
security/nss/tests/policy/crypto-policy.txt
Просмотреть файл

@ -3,14 +3,15 @@
# col 3: an extended regular expression, expected to match the output
# col 4: description of the test
#
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all
1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes
1 disallow=all/signature NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all signatures
1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes
1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled
1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled
1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions

25
security/nss/tests/policy/policy.sh Normal file → Executable file
Просмотреть файл

@ -12,6 +12,28 @@
#
########################################################################
policy_init()
{
SCRIPTNAME=policy.sh # sourced - $0 would point to all.sh
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
fi
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
cd ../common
. ./init.sh
fi
SCRIPTNAME=policy.sh
}
policy_cleanup()
{
cd ${QADIR}
. common/cleanup.sh
}
ignore_blank_lines()
{
LC_ALL=C egrep -v '^[[:space:]]*(#|$)' "$1"
@ -53,6 +75,9 @@ NSS=flags=policyOnly,moduleDB
html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\""
done
html "</TABLE><BR>"
}
policy_init
policy_run_tests
policy_cleanup

76
security/nss/tests/ssl/ssl.sh
Просмотреть файл

@ -886,6 +886,7 @@ ssl_policy_listsuites()
cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
# Disallow all explicitly
testname="listsuites with all cipher disallowed by policy"
setup_policy "disallow=all" ${P_R_CLIENTDIR}
RET_EXP=1
list_enabled_suites | grep '^TLS_'
@ -894,6 +895,7 @@ ssl_policy_listsuites()
"produced a returncode of $RET, expected is $RET_EXP"
# Disallow RSA in key exchange explicitly
testname="listsuites with rsa cipher disallowed by policy"
setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR}
RET_EXP=1
list_enabled_suites | grep '^TLS_RSA_'
@ -901,11 +903,83 @@ ssl_policy_listsuites()
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
# allow by policy, but disable by default
testname="listsuites with all ciphers enabled by policy but disabled by default"
setup_policy "allow=all disable=all" ${P_R_CLIENTDIR}
RET_EXP=1
list_enabled_suites | grep '^TLS_'
RET=$?
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
# allow by policy, but disable by default just rsa-kea
testname="listsuites with all ciphers enabled by policy but rsa disabled by default"
setup_policy "allow=all disable=rsa/ssl-key-exchange" ${P_R_CLIENTDIR}
RET_EXP=1
list_enabled_suites | grep '^TLS_RSA_'
RET=$?
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
# list_enabled_suites tries to set a policy value explicitly, This will
# cause list_enabled_suites to fail if we lock the policy
testname="listsuites with policy locked"
setup_policy "allow=all flags=policy-lock" ${P_R_CLIENTDIR}
RET_EXP=1
SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites
RET=$?
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt
html "</TABLE><BR>"
}
ssl_policy_pkix_ocsp()
{
#verbose="-v"
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
NSS_ENABLE_PKIX_VERIFY="1"
export NSS_ENABLE_PKIX_VERIFY
testname=""
if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
return 1;
fi
echo "Saving pkcs11.txt"
cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav
# Disallow sha1 explicitly. This will test if we are trying to verify the sha1 signature
# on the GlobalSign root during OCSP processing
setup_policy "disallow=sha1" ${P_R_SERVERDIR}
RET_EXP=0
echo " vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out"
vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out
# make sure we have the domain mismatch, not bad signature error
echo "grep 12276 ${P_R_SERVERDIR}/vfy.out"
grep 12276 ${P_R_SERVERDIR}/vfy.out
RET=$?
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
if [ "${PKIX_SAVE}" = "unset" ]; then
unset NSS_ENABLE_PKIX_VERIFY
else
NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
export NSS_ENABLE_PKIX_VERIFY
fi
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
html "</TABLE><BR>"
}
############################## ssl_policy_selfserv #####################
# local shell function to perform SSL Policy tests, using selfserv
########################################################################
@ -925,6 +999,7 @@ ssl_policy_selfserv()
cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav
# Disallow RSA in key exchange explicitly
testname="Disallow RSA key exchange explicitly"
setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR}
SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
@ -1522,6 +1597,7 @@ ssl_run_tests()
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
ssl_policy_listsuites
ssl_policy_selfserv
ssl_policy_pkix_ocsp
ssl_policy
fi
;;

65
security/nss/tests/ssl/sslpolicy.txt
Просмотреть файл

@ -7,8 +7,14 @@
# The policy string is set to the config= line in the pkcs11.txt
# it currently has 2 keywords:
#
# disallow= turn off the use of this algorithm by policy.
# disallow= turn off the use of this algorithm by policy. (implies disable)
# allow= allow this algorithm to by used if selected by policy.
# disable= turn off the use of this algorithm even if allowed by policy
# (application can override)
# enable= turn off this algorithm by default (implies allow)
# flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy,
# NSS_SetOption, or SSL_SetCipherPolicy
# ssl-lock: can't change the cipher suite settings with the application.
#
# The syntax is disallow=algorithm{/uses}:algorithm{/uses}
# where {} signifies an optional element
@ -76,6 +82,9 @@
# SECT571R1
# Signatures:
# DSA
# RSA-PKCS
# RSA-PSS
# ECDSA
# Hashes:
# MD2
# MD4
@ -137,7 +146,8 @@
# ssl-key-exchange
# key-exchange (includes ssl-key-exchange)
# cert-signature
# signature (includes cert-signature)
# all-signature (includes cert-signature)
# signature (all signatures off, some signature allowed based on other option)
# all (includes all of the above)
#-----------------------------------------------
# In addition there are the following options:
@ -147,31 +157,48 @@
# they have the following syntax:
# allow=min-rsa=512:min-dh=1024
#
# in the following tests, we use the cipher suite 'd':
# d SSL3 RSA WITH 3DES EDE CBC SHA (=:000a).
# NOTE: the certificates used in validation are rsa-pkcs1/sha256 signed.
#
# Exp Enable Enable Cipher Config Policy Test Name
# Ret EC TLS
# turn on single cipher
0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
1 noECC SSL3 d disallow=all Disallow All Explicitly.
0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/all-signature:rsa-pkcs/all-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:dsa/all:rsa-pss/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
1 noECC SSL3 d disallow=all Disallow All Explicitly
# turn off signature only
1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly.
1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
1 noECC SSL3 d disallow=all/signature Disallow all signatures with Explicitly
1 noECC SSL3 d disallow=sha256 Disallow SHA256 Explicitly
1 noECC SSL3 d disallow=sha256/cert-signature Disallow SHA256 Certificate signature Explicitly
1 noECC SSL3 d disallow=sha256/signature Disallow All SHA256 signatures Explicitly
1 noECC SSL3 d disallow=sha256/all-signature Disallow Any SHA256 signature Explicitly
1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:dsa/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly
# turn off single cipher
1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly
# turn off H-Mac
1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly
# turn off key exchange
1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchange Signatures Implicitly
# turn off version
1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly.
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly.
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
# test default settings
# NOTE: tstclient will attempt to overide the defaults, so we detect we
# were successful by locking in our settings
0 noECC SSL3 d allow=all_disable=all Disable all by default, application override
1 noECC SSL3 d allow=all_disable=all_flags=ssl-lock,policy-lock Disable all by default, prevent application from enabling
0 noECC SSL3 d allow=all_disable=all_flags=policy-lock Disable all by default, lock policy (application can still change the ciphers)
# explicitly enable :002f RSA_AES_128_CBC_SHA1 and lock it in
0 noECC SSL3 d allow=all_disable=all_enable=hmac-sha1:sha256:rsa-pkcs:rsa:aes128-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0_flags=ssl-lock Lock in a different ciphersuite that the one the application asks for