[PATCH 3/7] Added functions to set and get numeric options for NSS.

Mon, 12 May 2014 00:24:06 -0700 

Currently the only options defined allow setting the minimum
acceptable sizes for RSA, DH, and DSA keys. The SSL DH key exchange
was modified to take account for the min DH value set.
---
 lib/nss/manifest.mn |  1 +
 lib/nss/nss.def     |  7 +++++++
 lib/nss/nss.h       | 13 +++++++++++++
 lib/ssl/ssl3con.c   | 11 ++++++++++-
 4 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/lib/nss/manifest.mn b/lib/nss/manifest.mn
index 9e812e5..9133451 100644
--- a/lib/nss/manifest.mn
+++ b/lib/nss/manifest.mn
@@ -16,6 +16,7 @@ MODULE = nss
 
 CSRCS = \
        nssinit.c \
+       nssoptions.c \
        nssver.c \
        utilwrap.c \
        $(NULL)
diff --git a/lib/nss/nss.def b/lib/nss/nss.def
index fdb1cd0..70eee9d 100644
--- a/lib/nss/nss.def
+++ b/lib/nss/nss.def
@@ -1053,3 +1053,10 @@ SECMOD_InternaltoPubMechFlags;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.16.2 {         # NSS 3.16.2 release
+;+    global:
+NSS_OptionGet;
+NSS_OptionSet;
+;+    local:
+;+       *;
+;+};
diff --git a/lib/nss/nss.h b/lib/nss/nss.h
index 4733e25..982b6eb 100644
--- a/lib/nss/nss.h
+++ b/lib/nss/nss.h
@@ -294,6 +294,19 @@ SECStatus NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, 
void *appData);
  */
 SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
 
+/* Available options for NSS_OptionSet() and NSS_OptionGet().
+ */
+#define NSS_RSA_MIN_KEY_SIZE (1<<0)
+#define NSS_DH_MIN_KEY_SIZE  (1<<1)
+#define NSS_DSA_MIN_KEY_SIZE (1<<2)
+
+/*
+ * Set and get global options for the NSS library.
+ */
+SECStatus NSS_OptionSet(PRInt32 which, PRInt32 value);
+SECStatus NSS_OptionGet(PRInt32 which, PRInt32 *value);
+
+
 /* 
  * Close the Cert, Key databases.
  */
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index 4fc696b..5d9265c 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -24,6 +24,7 @@
 #include "prerror.h"
 #include "pratom.h"
 #include "prthread.h"
+#include "nss.h"
 
 #include "pk11func.h"
 #include "secmod.h"
@@ -6675,12 +6676,20 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque 
*b, PRUint32 length)
        SECItem          dh_p      = {siBuffer, NULL, 0};
        SECItem          dh_g      = {siBuffer, NULL, 0};
        SECItem          dh_Ys     = {siBuffer, NULL, 0};
+       PRInt32          minDH;
+
+        rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
+       if (rv != SECSuccess) {
+           minDH = 512/8;
+       } else {
+           minDH /= 8;
+       }
 
        rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
        if (rv != SECSuccess) {
            goto loser;         /* malformed. */
        }
-       if (dh_p.len < 512/8) {
+       if (dh_p.len < minDH) {
            errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
            goto alert_loser;
        }
-- 
1.9.0


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to