diff options
author | nelsonb%netscape.com <devnull@localhost> | 2004-01-16 21:33:16 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2004-01-16 21:33:16 +0000 |
commit | c0f38bfb4ce57ec5c34ed5951a6a199ef921d5e1 (patch) | |
tree | 87356ec2b54fb5d671c5f3ef9d3b6952b91b4290 | |
parent | 83aa25574f9a0c272f22baaef4b99a741dea2c37 (diff) | |
download | nss-hg-c0f38bfb4ce57ec5c34ed5951a6a199ef921d5e1.tar.gz |
Detect absent isCA flags in basic constraints. Detect and reject negative
or too large positive path length constraints in basic constraints.
Bug 221644. r=jpierre.
-rw-r--r-- | security/nss/lib/certdb/xbsconst.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/security/nss/lib/certdb/xbsconst.c b/security/nss/lib/certdb/xbsconst.c index fea0e5dc8..f7f893833 100644 --- a/security/nss/lib/certdb/xbsconst.c +++ b/security/nss/lib/certdb/xbsconst.c @@ -142,7 +142,9 @@ SECStatus CERT_DecodeBasicConstraintValue if (rv == SECFailure) break; - value->isCA = (PRBool)(*decodeContext.isCA.data); + value->isCA = decodeContext.isCA.data + ? (PRBool)(decodeContext.isCA.data[0] != 0) + : PR_FALSE; if (decodeContext.pathLenConstraint.data == NULL) { /* if the pathLenConstraint is not encoded, and the current setting is CA, then the pathLenConstraint should be set to a negative number @@ -150,10 +152,14 @@ SECStatus CERT_DecodeBasicConstraintValue */ if (value->isCA) value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT; - } - else if (value->isCA) - value->pathLenConstraint = DER_GetUInteger (&decodeContext.pathLenConstraint); - else { + } else if (value->isCA) { + long len = DER_GetInteger (&decodeContext.pathLenConstraint); + if (len < 0 || len == LONG_MAX) { + PORT_SetError (SEC_ERROR_BAD_DER); + GEN_BREAK (SECFailure); + } + value->pathLenConstraint = len; + } else { /* here we get an error where the subject is not a CA, but the pathLenConstraint is set */ PORT_SetError (SEC_ERROR_BAD_DER); |