diff options
| author | ian.mcgreer%sun.com <devnull@localhost> | 2003-02-03 21:18:35 +0000 |
|---|---|---|
| committer | ian.mcgreer%sun.com <devnull@localhost> | 2003-02-03 21:18:35 +0000 |
| commit | 42e9b0cd1a1a85e60d6e4ab3ec997e4b79bab755 (patch) | |
| tree | 712464a7d19d8488493b4dd0044cd05ef56e46fa | |
| parent | 89e237457ef2f63e1915e803c5ed44648908deb7 (diff) | |
| download | nss-hg-42e9b0cd1a1a85e60d6e4ab3ec997e4b79bab755.tar.gz | |
bug 190865, PBE code leaks IV
r=relyea
| -rw-r--r-- | security/nss/lib/pk11wrap/pk11skey.c | 10 | ||||
| -rw-r--r-- | security/nss/lib/pk11wrap/pk11slot.c | 24 | ||||
| -rw-r--r-- | security/nss/lib/softoken/pkcs11c.c | 9 |
3 files changed, 34 insertions, 9 deletions
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c index 83079c8ff..d52df806d 100644 --- a/security/nss/lib/pk11wrap/pk11skey.c +++ b/security/nss/lib/pk11wrap/pk11skey.c @@ -4107,6 +4107,8 @@ PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt) return algid; } +#define PBE_IV_SIZE 8 + PK11SymKey * PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES, void *wincx) @@ -4136,9 +4138,17 @@ PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, return NULL; } + pbe_params->pInitVector = (CK_CHAR_PTR)PORT_ZAlloc(PBE_IV_SIZE); + if(pbe_params->pInitVector == NULL) { + PORT_ZFree(pbe_params->pPassword, pwitem->len); + SECITEM_ZfreeItem(mech, PR_TRUE); + return NULL; + } + symKey = PK11_KeyGen(slot, type, mech, 0, wincx); PORT_ZFree(pbe_params->pPassword, pwitem->len); + PORT_ZFree(pbe_params->pInitVector, PBE_IV_SIZE); SECITEM_ZfreeItem(mech, PR_TRUE); return symKey; } diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c index f415f53fd..5abb593c9 100644 --- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -4343,6 +4343,7 @@ PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, SECStatus rv = SECFailure; SECAlgorithmID temp_algid; SECItem param, *iv; + CK_CHAR_PTR ivBuf = NULL; if((pPBEMechanism == CK_NULL_PTR) || (pCryptoMechanism == CK_NULL_PTR)) { return CKR_HOST_MEMORY; @@ -4352,7 +4353,7 @@ PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, iv_len = PK11_GetIVLength(pPBEMechanism->mechanism); if(pPBEparams->pInitVector == CK_NULL_PTR) { - pPBEparams->pInitVector = (CK_CHAR_PTR)PORT_ZAlloc(iv_len); + pPBEparams->pInitVector = ivBuf = (CK_CHAR_PTR)PORT_ZAlloc(iv_len); if(pPBEparams->pInitVector == NULL) { return CKR_HOST_MEMORY; } @@ -4363,11 +4364,15 @@ PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, ¶m, NULL, &temp_algid); if(rv != SECSuccess) { SECOID_DestroyAlgorithmID(&temp_algid, PR_FALSE); + PORT_ZFree(ivBuf, iv_len); + pPBEparams->pInitVector = NULL; return CKR_HOST_MEMORY; } else { iv = SEC_PKCS5GetIV(&temp_algid, pbe_pwd, faulty3DES); if((iv == NULL) && (iv_len != 0)) { SECOID_DestroyAlgorithmID(&temp_algid, PR_FALSE); + PORT_ZFree(ivBuf, iv_len); + pPBEparams->pInitVector = NULL; return CKR_HOST_MEMORY; } SECOID_DestroyAlgorithmID(&temp_algid, PR_FALSE); @@ -4395,6 +4400,10 @@ have_crypto_mechanism: pCryptoMechanism->pParameter = PORT_Alloc(iv_len); pCryptoMechanism->ulParameterLen = (CK_ULONG)iv_len; if(pCryptoMechanism->pParameter == NULL) { + if (ivBuf) { + PORT_ZFree(ivBuf, iv_len); + pPBEparams->pInitVector = NULL; + } return CKR_HOST_MEMORY; } PORT_Memcpy((unsigned char *)(pCryptoMechanism->pParameter), @@ -4421,6 +4430,10 @@ have_key_len: pCryptoMechanism->pParameter = (CK_RC2_CBC_PARAMS_PTR)PORT_ZAlloc(sizeof(CK_RC2_CBC_PARAMS)); if(pCryptoMechanism->pParameter == NULL) { + if (ivBuf) { + PORT_ZFree(ivBuf, iv_len); + pPBEparams->pInitVector = NULL; + } return CKR_HOST_MEMORY; } rc2_params = (CK_RC2_CBC_PARAMS_PTR)pCryptoMechanism->pParameter; @@ -4430,8 +4443,17 @@ have_key_len: rc2_params->ulEffectiveBits = rc2_key_len; break; default: + if (ivBuf) { + PORT_ZFree(ivBuf, iv_len); + pPBEparams->pInitVector = NULL; + } return CKR_MECHANISM_INVALID; } + if (ivBuf) { + PORT_ZFree(ivBuf, iv_len); + pPBEparams->pInitVector = NULL; + } + return CKR_OK; } diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 46c554617..31e59f070 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c @@ -2907,17 +2907,10 @@ pk11_pbe_key_gen(SECOidTag algtag,CK_MECHANISM_PTR pMechanism, SECITEM_ZfreeItem(pbe_key, PR_TRUE); pbe_key = NULL; - if (pbe_params->pInitVector == NULL) { + if (pbe_params->pInitVector != NULL) { pbe_key = SEC_PKCS5GetIV(&algid, &mech, faulty3DES); if (pbe_key == NULL) { SECOID_DestroyAlgorithmID(&algid, PR_FALSE); - SECITEM_ZfreeItem(pbe_key, PR_TRUE); - return CKR_HOST_MEMORY; - } - pbe_params->pInitVector = (CK_CHAR_PTR)PORT_ZAlloc(pbe_key->len); - if (pbe_params->pInitVector == NULL) { - SECOID_DestroyAlgorithmID(&algid, PR_FALSE); - SECITEM_ZfreeItem(pbe_key, PR_TRUE); return CKR_HOST_MEMORY; } PORT_Memcpy(pbe_params->pInitVector, pbe_key->data, pbe_key->len); |