Skip to content

Commit

Permalink
(xmlsec-nss) Added runtime check for the enabled algorithms in NSS (i…
Browse files Browse the repository at this point in the history 
…ssue #730) (#734)
  • Loading branch information
@lsh123
lsh123 authored Dec 21, 2023
1 parent ffb3273 commit 8fc21b2
Show file tree
Hide file tree
Showing 3 changed files with 213 additions and 4 deletions.
2 changes: 1 addition & 1 deletion configure.ac
View file
Original file line number Diff line number Diff line change
Expand Up @@ -937,7 +937,7 @@ NSPR_LIB_MARKER="libnspr4$shrext"
NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
NSS_INCLUDE_MARKER="nss/nss.h"
NSS_LIB_MARKER="libnss3$shrext"
NSS_LIBS_LIST="-lnss3 -lsmime3"
NSS_LIBS_LIST="-lnss3 -lsmime3 -lnssutil3"

XMLSEC_NO_NSS="1"
NSPR_INCLUDE_PATH=
Expand Down
1 change: 1 addition & 0 deletions docs/index.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,7 @@ <h1>XML Security Library</h1>
(xmlsec-openssl) Removed support for OpenSSL 1.1.0 (<a href="https://endoflife.date/openssl">end of life in Aug 2016</a>).
The minimum OpenSSL supported version is 1.1.1; the version 3.0.0 or greater is recommended.
</li>
<li>(xmlsec-nss) Added runtime check for the enabled algorithms in NSS.</li>
<li>(xmlsec-mscrypto) Removed NT4 support.</li>
<li>Several other small fixes (see <a href="https://github.com/lsh123/xmlsec/commits/master">more details</a>).</li>
</ul>
Expand Down
214 changes: 211 additions & 3 deletions src/nss/crypto.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@
#include <nss.h>
#include <pk11func.h>
#include <prinit.h>
#include <prtypes.h>
#include <secoidt.h>


#include <xmlsec/xmlsec.h>
Expand All @@ -41,7 +43,35 @@

#include "../cast_helpers.h"

static xmlSecCryptoDLFunctionsPtr gXmlSecNssFunctions = NULL;
static xmlSecCryptoDLFunctionsPtr gXmlSecNssFunctions = NULL;


/* checks if a given algorithm is enabled in NSS */
static int
xmlSecNssCryptoCheckAlgorithm(SECOidTag alg) {
PRUint32 policyFlags = 0;
SECStatus rv;

rv = NSS_GetAlgorithmPolicy(alg, &policyFlags);
if (rv == SECFailure) {
return(0);
}
if((policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE) == 0) {
return(0);
}
return(1);
}
static int
xmlSecNssCryptoCheckMechanism(CK_MECHANISM_TYPE type) {
SECOidTag alg;

alg = PK11_MechanismToAlgtag(type);
if (alg == SEC_OID_UNKNOWN) {
return (0);
}
return (xmlSecNssCryptoCheckAlgorithm(alg));
}


/**
* xmlSecCryptoGetFunctions_nss:
Expand Down Expand Up @@ -88,7 +118,7 @@ xmlSecCryptoGetFunctions_nss(void) {
#endif /* XMLSEC_NO_DSA */

#ifndef XMLSEC_NO_EC
gXmlSecNssFunctions->keyDataEcGetKlass = xmlSecNsskeyDataEcGetKlass;
gXmlSecNssFunctions->keyDataEcGetKlass = xmlSecNsskeyDataEcGetKlass;
#endif /* XMLSEC_NO_EC */

#ifndef XMLSEC_NO_HMAC
Expand Down Expand Up @@ -127,29 +157,35 @@ xmlSecCryptoGetFunctions_nss(void) {

/******************************* AES ********************************/
#ifndef XMLSEC_NO_AES
/* cbc */
gXmlSecNssFunctions->transformAes128CbcGetKlass = xmlSecNssTransformAes128CbcGetKlass;
gXmlSecNssFunctions->transformAes192CbcGetKlass = xmlSecNssTransformAes192CbcGetKlass;
gXmlSecNssFunctions->transformAes256CbcGetKlass = xmlSecNssTransformAes256CbcGetKlass;

/* gcm */
gXmlSecNssFunctions->transformAes128GcmGetKlass = xmlSecNssTransformAes128GcmGetKlass;
gXmlSecNssFunctions->transformAes192GcmGetKlass = xmlSecNssTransformAes192GcmGetKlass;
gXmlSecNssFunctions->transformAes256GcmGetKlass = xmlSecNssTransformAes256GcmGetKlass;

/* kw: uses AES ECB */
gXmlSecNssFunctions->transformKWAes128GetKlass = xmlSecNssTransformKWAes128GetKlass;
gXmlSecNssFunctions->transformKWAes192GetKlass = xmlSecNssTransformKWAes192GetKlass;
gXmlSecNssFunctions->transformKWAes256GetKlass = xmlSecNssTransformKWAes256GetKlass;
#endif /* XMLSEC_NO_AES */

/******************************* DES ********************************/
#ifndef XMLSEC_NO_DES
/* cbc */
gXmlSecNssFunctions->transformDes3CbcGetKlass = xmlSecNssTransformDes3CbcGetKlass;

/* kw: uses DES3_CBC */
gXmlSecNssFunctions->transformKWDes3GetKlass = xmlSecNssTransformKWDes3GetKlass;
#endif /* XMLSEC_NO_DES */

/******************************* DSA ********************************/
#ifndef XMLSEC_NO_DSA
#ifndef XMLSEC_NO_SHA1
gXmlSecNssFunctions->transformDsaSha1GetKlass = xmlSecNssTransformDsaSha1GetKlass;
gXmlSecNssFunctions->transformDsaSha1GetKlass = xmlSecNssTransformDsaSha1GetKlass;
#endif /* XMLSEC_NO_SHA1 */
#ifndef XMLSEC_NO_SHA256
gXmlSecNssFunctions->transformDsaSha256GetKlass = xmlSecNssTransformDsaSha256GetKlass;
Expand Down Expand Up @@ -323,6 +359,175 @@ xmlSecCryptoGetFunctions_nss(void) {
return(gXmlSecNssFunctions);
}

static void
xmlSecNssUpdateAvailableCryptoTransforms(xmlSecCryptoDLFunctionsPtr functions) {
xmlSecAssert(functions != NULL);

/******************************* AES ********************************/
/* cbc */
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_AES_128_CBC) == 0) {
functions->transformAes128CbcGetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_AES_192_CBC) == 0) {
functions->transformAes192CbcGetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_AES_256_CBC) == 0) {
functions->transformAes256CbcGetKlass = NULL;
}

/* gcm */
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_AES_128_GCM) == 0) {
functions->transformAes128GcmGetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_AES_192_GCM) == 0) {
functions->transformAes256GcmGetKlass = NULL;
}

/* kw: uses AES ECB */
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_AES_128_ECB) == 0) {
functions->transformKWAes128GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_AES_192_ECB) == 0) {
functions->transformKWAes192GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_AES_256_ECB) == 0) {
functions->transformKWAes256GetKlass = NULL;
}

/******************************* DES ********************************/
/* cbc */
if (xmlSecNssCryptoCheckMechanism(CKM_DES3_CBC) == 0) {
functions->transformDes3CbcGetKlass = NULL;
}
/* kw: uses DES3_CBC */
if ((xmlSecNssCryptoCheckMechanism(CKM_DES3_CBC) == 0) || (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA1) == 0)) {
functions->transformKWDes3GetKlass = NULL;
}

/******************************* DSA ********************************/
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) == 0) {
functions->transformDsaSha1GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) == 0) {
functions->transformDsaSha256GetKlass = NULL;
}

/******************************* ECDSA ******************************/
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE) == 0) {
functions->transformEcdsaSha1GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE) == 0) {
functions->transformEcdsaSha224GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE) == 0) {
functions->transformEcdsaSha256GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE) == 0) {
functions->transformEcdsaSha384GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE) == 0) {
functions->transformEcdsaSha512GetKlass = NULL;
}

/******************************* HMAC ********************************/
if (xmlSecNssCryptoCheckMechanism(CKM_MD5_HMAC) == 0) {
functions->transformHmacMd5GetKlass = NULL;
}
if (xmlSecNssCryptoCheckMechanism(CKM_RIPEMD160_HMAC) == 0) {
functions->transformHmacRipemd160GetKlass = NULL;
}
if (xmlSecNssCryptoCheckMechanism(CKM_SHA_1_HMAC) == 0) {
functions->transformHmacSha1GetKlass = NULL;
}
if (xmlSecNssCryptoCheckMechanism(CKM_SHA224_HMAC) == 0) {
functions->transformHmacSha224GetKlass = NULL;
}
if (xmlSecNssCryptoCheckMechanism(CKM_SHA256_HMAC) == 0) {
functions->transformHmacSha256GetKlass = NULL;
}
if (xmlSecNssCryptoCheckMechanism(CKM_SHA384_HMAC) == 0) {
functions->transformHmacSha384GetKlass = NULL;
}
if (xmlSecNssCryptoCheckMechanism(CKM_SHA512_HMAC) == 0) {
functions->transformHmacSha512GetKlass = NULL;
}

/******************************* PBKDF2 ********************************/
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS5_PBKDF2) == 0) {
functions->transformPbkdf2GetKlass = NULL;
}

/******************************* RSA ********************************/
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION) == 0) {
functions->transformRsaMd5GetKlass = NULL;
}

if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION) == 0) {
functions->transformRsaSha1GetKlass = NULL;
}

if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION) == 0) {
functions->transformRsaSha224GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION) == 0) {
functions->transformRsaSha256GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION) == 0) {
functions->transformRsaSha384GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION) == 0) {
functions->transformRsaSha512GetKlass = NULL;
}

if ((xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_RSA_PSS_SIGNATURE) == 0) || (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA1) == 0)) {
functions->transformRsaPssSha1GetKlass = NULL;
}
if ((xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_RSA_PSS_SIGNATURE) == 0) || (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA224) == 0)) {
functions->transformRsaPssSha224GetKlass = NULL;
}
if ((xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_RSA_PSS_SIGNATURE) == 0) || (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA256) == 0)) {
functions->transformRsaPssSha256GetKlass = NULL;
}
if ((xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_RSA_PSS_SIGNATURE) == 0) || (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA384) == 0)) {
functions->transformRsaPssSha384GetKlass = NULL;
}
if ((xmlSecNssCryptoCheckAlgorithm(SEC_OID_PKCS1_RSA_PSS_SIGNATURE) == 0) || (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA512) == 0)) {
functions->transformRsaPssSha512GetKlass = NULL;
}

if (xmlSecNssCryptoCheckMechanism(CKM_RSA_PKCS) == 0) {
functions->transformRsaPkcs1GetKlass = NULL;
}

if (xmlSecNssCryptoCheckMechanism(CKM_RSA_PKCS_OAEP) == 0) {
functions->transformRsaOaepGetKlass = NULL;
functions->transformRsaOaepEnc11GetKlass = NULL;
}


/******************************* SHA ********************************/
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA1) == 0) {
functions->transformSha1GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA224) == 0) {
functions->transformSha224GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA256) == 0) {
functions->transformSha256GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA384) == 0) {
functions->transformSha384GetKlass = NULL;
}
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_SHA512) == 0) {
functions->transformSha512GetKlass = NULL;
}

/******************************* MD5 ********************************/
if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_MD5) == 0) {
functions->transformMd5GetKlass = NULL;
}
}

/**
* xmlSecNssInit:
*
Expand All @@ -341,6 +546,9 @@ xmlSecNssInit (void) {
/* set default errors callback for xmlsec to us */
xmlSecErrorsSetCallback(xmlSecNssErrorsDefaultCallback);

/* update the avaialble algos based on NSS configs */
xmlSecNssUpdateAvailableCryptoTransforms(xmlSecCryptoGetFunctions_nss());

/* register our klasses */
if(xmlSecCryptoDLFunctionsRegisterKeyDataAndTransforms(xmlSecCryptoGetFunctions_nss()) < 0) {
xmlSecInternalError("xmlSecCryptoDLFunctionsRegisterKeyDataAndTransforms", NULL);
Expand Down

0 comments on commit 8fc21b2

Please sign in to comment.