diff options
author | kaie%kuix.de <devnull@localhost> | 2011-06-20 19:44:46 +0000 |
---|---|---|
committer | kaie%kuix.de <devnull@localhost> | 2011-06-20 19:44:46 +0000 |
commit | dbfe5c0cd26f2d1c3e670d1f283a748d75d7c9b4 (patch) | |
tree | e434e573133bfed60736f9340cb1d8af2a37d28a | |
parent | e15bdf395aafa1377958056b3dc2f2cc93242e55 (diff) | |
download | nss-hg-dbfe5c0cd26f2d1c3e670d1f283a748d75d7c9b4.tar.gz |
Bug 655850, lib crmf uses a hardcoded maximum size of 2048 for wrapped private keys (MAX_WRAPPED_KEY_LEN)
r=rrelyea
-rw-r--r-- | security/nss/lib/crmf/crmfi.h | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/security/nss/lib/crmf/crmfi.h b/security/nss/lib/crmf/crmfi.h index 1b8a311d6..5a4fbe469 100644 --- a/security/nss/lib/crmf/crmfi.h +++ b/security/nss/lib/crmf/crmfi.h @@ -46,10 +46,38 @@ #include "secasn1.h" #include "crmfit.h" #include "secerr.h" +#include "blapit.h" #define CRMF_DEFAULT_ARENA_SIZE 1024 -#define MAX_WRAPPED_KEY_LEN 2048 +/* + * Explanation for the definition of MAX_WRAPPED_KEY_LEN: + * + * It's used for internal buffers to transport a wrapped private key. + * The value is in BYTES. + * We want to define a reasonable upper bound for this value. + * Ideally this could be calculated, but in order to simplify the code + * we want to estimate the maximum requires size. + * See also bug 655850 for the full explanation. + * + * We know the largest wrapped keys are RSA keys. + * We'll estimate the maximum size needed for wrapped RSA keys, + * and assume it's sufficient for wrapped keys of any type we support. + * + * The maximum size of RSA keys in bits is defined elsewhere as + * RSA_MAX_MODULUS_BITS + * + * The idea is to define MAX_WRAPPED_KEY_LEN based on the above. + * + * A wrapped RSA key requires about + * ( ( RSA_MAX_MODULUS_BITS / 8 ) * 5.5) + 65 + * bytes. + * + * Therefore, a safe upper bound is: + * ( ( RSA_MAX_MODULUS_BITS / 8 ) *8 ) = RSA_MAX_MODULUS_BITS + * + */ +#define MAX_WRAPPED_KEY_LEN RSA_MAX_MODULUS_BITS #define CRMF_BITS_TO_BYTES(bits) (((bits)+7)/8) #define CRMF_BYTES_TO_BITS(bytes) ((bytes)*8) |