Bug 1637222 - Enforce IV length check for DES. r=kjacobs,jcj

Differential Revision: https://phabricator.services.mozilla.com/D75774

1 files changed, 4 insertions, 7 deletions

diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
index 9777829f5..bd8882680 100644
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -984,10 +984,6 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
                 crv = CKR_KEY_TYPE_INCONSISTENT;
                 break;
             }
-            if (pMechanism->ulParameterLen < 8) {
-                crv = CKR_DOMAIN_PARAMS_INVALID;
-                break;
-            }
             t = NSS_DES_CBC;
             goto finish_des;
         case CKM_DES3_ECB:
@@ -1005,12 +1001,13 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
                 crv = CKR_KEY_TYPE_INCONSISTENT;
                 break;
             }
-            if (pMechanism->ulParameterLen < 8) {
+            t = NSS_DES_EDE3_CBC;
+        finish_des:
+            if ((t != NSS_DES && t != NSS_DES_EDE3) && (pMechanism->pParameter == NULL ||
+                                                        pMechanism->ulParameterLen < 8)) {
                 crv = CKR_DOMAIN_PARAMS_INVALID;
                 break;
             }
-            t = NSS_DES_EDE3_CBC;
-        finish_des:
             context->blockSize = 8;
             att = sftk_FindAttribute(key, CKA_VALUE);
             if (att == NULL) {