summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorian.mcgreer%sun.com <devnull@localhost>2003-10-30 17:47:22 +0000
committerian.mcgreer%sun.com <devnull@localhost>2003-10-30 17:47:22 +0000
commitc8b9e97cabb38965efced592742377e4b278b939 (patch)
tree207d052ffaed0f25d9563d009b00b57dcb2679f9
parentb08d9509e366bda77c9de31bd7c251832951f3e4 (diff)
downloadnss-hg-c8b9e97cabb38965efced592742377e4b278b939.tar.gz
set to 3.3.7beta, fixes for handling of invalid input
-rw-r--r--security/nss/lib/certdb/alg1485.c8
-rw-r--r--security/nss/lib/certdb/certdb.c1
-rw-r--r--security/nss/lib/freebl/rsa.c4
-rw-r--r--security/nss/lib/nss/nss.h6
-rw-r--r--security/nss/lib/softoken/pkcs11.c6
-rw-r--r--security/nss/lib/softoken/rsawrapr.c6
-rw-r--r--security/nss/lib/ssl/ssl3con.c21
-rw-r--r--security/nss/lib/util/dertime.c5
-rw-r--r--security/nss/lib/util/secasn1d.c33
9 files changed, 74 insertions, 16 deletions
diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
index d3ca7fcef..409b17a69 100644
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -624,6 +624,11 @@ get_oid_string
/* end points to one past the legitimate data */
end = &d[ oid->len ];
+ if (oid->len > 1024) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (char *)NULL;
+ }
+
/*
* Check for our pseudo-encoded single-digit OIDs
*/
@@ -775,6 +780,7 @@ AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava)
default:
/* handle unknown attribute types per RFC 2253 */
tagName = unknownTag = get_oid_string(&ava->type);
+ if (!tagName) return SECFailure;
maxLen = 256;
break;
}
@@ -792,6 +798,7 @@ AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava)
/* Check value length */
if (avaValue->len > maxLen) {
if (unknownTag) PR_smprintf_free(unknownTag);
+ SECITEM_FreeItem(avaValue, PR_TRUE);
PORT_SetError(SEC_ERROR_INVALID_AVA);
return SECFailure;
}
@@ -799,6 +806,7 @@ AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava)
len = PORT_Strlen(tagName);
if (len+1 > sizeof(tmpBuf)) {
if (unknownTag) PR_smprintf_free(unknownTag);
+ SECITEM_FreeItem(avaValue, PR_TRUE);
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
return SECFailure;
}
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 5eb141378..4701e1e45 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1128,6 +1128,7 @@ CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
*/
if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) {
key = CERT_ExtractPublicKey(cert);
+ if (!key) return SECFailure;
if ( ( key->keyType == keaKey ) || ( key->keyType == fortezzaKey ) ||
( key->keyType == dhKey ) ) {
requiredUsage |= KU_KEY_AGREEMENT;
diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c
index ba89c6ccc..588cfa6ec 100644
--- a/security/nss/lib/freebl/rsa.c
+++ b/security/nss/lib/freebl/rsa.c
@@ -226,7 +226,9 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
RSAPrivateKey *key = NULL;
PRArenaPool *arena = NULL;
/* Require key size to be a multiple of 16 bits. */
- if (!publicExponent || keySizeInBits % 16 != 0) {
+ if (!publicExponent || keySizeInBits % 16 != 0 ||
+ keySizeInBits == 0 || publicExponent->len == 0 ||
+ (publicExponent->len == 1 && publicExponent->data[0] == 1)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index 9369fcecb..723379fc2 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -49,11 +49,11 @@ SEC_BEGIN_PROTOS
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>] [<Beta>]"
*/
-#define NSS_VERSION "3.3.6rtm"
+#define NSS_VERSION "3.3.7beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 3
-#define NSS_VPATCH 6
-#define NSS_BETA PR_FALSE
+#define NSS_VPATCH 7
+#define NSS_BETA PR_TRUE
/*
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 992feda19..546ebfc95 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -1956,9 +1956,15 @@ SECKEYLowPublicKey *pk11_GetPubKey(PK11Object *object,CK_KEY_TYPE key_type)
pubKey->keyType = rsaKey;
crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.modulus,
object,CKA_MODULUS);
+ /* This requirement taken from rsa.c */
+ if (pubKey->u.rsa.modulus.len == 0 ||
+ SECKEY_LowPublicModulusLen(pubKey) % 16 != 0)
+ crv = CKR_ARGUMENTS_BAD;
if (crv != CKR_OK) break;
crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.publicExponent,
object,CKA_PUBLIC_EXPONENT);
+ if (pubKey->u.rsa.publicExponent.len == 0)
+ crv = CKR_ARGUMENTS_BAD;
break;
case CKK_DSA:
pubKey->keyType = dsaKey;
diff --git a/security/nss/lib/softoken/rsawrapr.c b/security/nss/lib/softoken/rsawrapr.c
index 5b1b8d894..bb6e454af 100644
--- a/security/nss/lib/softoken/rsawrapr.c
+++ b/security/nss/lib/softoken/rsawrapr.c
@@ -240,6 +240,10 @@ RSA_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
*/
padLen = modulusLen - data->len - 3;
PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+ PORT_Free(block);
+ return NULL;
+ }
for (i = 0; i < padLen; i++) {
/* Pad with non-zero random data. */
do {
@@ -776,6 +780,8 @@ RSA_EncryptBlock(SECKEYLowPublicKey *key,
SECItem unformatted;
formatted.data = NULL;
+ if (modulus_len == 0)
+ goto failure;
if (max_output_len < modulus_len)
goto failure;
PORT_Assert(key->keyType == rsaKey);
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 01cf2cc78..76731fa6c 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -1871,7 +1871,7 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
SSL_GETPID(), ss->fd));
- if (ws != wait_change_cipher && ws != wait_cert_verify) {
+ if (ws != wait_change_cipher) {
(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
return SECFailure;
@@ -7157,23 +7157,22 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
/* must be copied to msg_body and dealt with from there */
unsigned int bytes;
- bytes = PR_MIN(buf->len, ssl3->hs.msg_len);
+ PORT_Assert(ssl3->hs.msg_body.len <= ssl3->hs.msg_len);
+ bytes = PR_MIN(buf->len, ssl3->hs.msg_len - ssl3->hs.msg_body.len);
/* Grow the buffer if needed */
- if (bytes > ssl3->hs.msg_body.space - ssl3->hs.msg_body.len) {
- rv = sslBuffer_Grow(&ssl3->hs.msg_body,
- ssl3->hs.msg_body.len + bytes);
- if (rv != SECSuccess) {
- /* sslBuffer_Grow has set a memory error code. */
- return SECFailure;
- }
+ rv = sslBuffer_Grow(&ssl3->hs.msg_body, ssl3->hs.msg_len);
+ if (rv != SECSuccess) {
+ /* sslBuffer_Grow has set a memory error code. */
+ return SECFailure;
}
+
PORT_Memcpy(ssl3->hs.msg_body.buf + ssl3->hs.msg_body.len,
- buf->buf, buf->len);
+ buf->buf, bytes);
+ ssl3->hs.msg_body.len += bytes;
buf->buf += bytes;
buf->len -= bytes;
- /* should not be more than one message in msg_body */
PORT_Assert(ssl3->hs.msg_body.len <= ssl3->hs.msg_len);
/* if we have a whole message, do it */
diff --git a/security/nss/lib/util/dertime.c b/security/nss/lib/util/dertime.c
index 5fbdca656..0a7613b7c 100644
--- a/security/nss/lib/util/dertime.c
+++ b/security/nss/lib/util/dertime.c
@@ -119,6 +119,11 @@ DER_AsciiToTime(int64 *dst, char *string)
{
long year, month, mday, hour, minute, second, hourOff, minOff, days;
int64 result, tmp1, tmp2;
+
+ PORT_Assert(string != NULL);
+ if (string == NULL) {
+ goto loser;
+ }
/* Verify time is formatted properly and capture information */
second = 0;
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c
index f9ea07c48..f93f411db 100644
--- a/security/nss/lib/util/secasn1d.c
+++ b/security/nss/lib/util/secasn1d.c
@@ -768,6 +768,15 @@ sec_asn1d_parse_length (sec_asn1d_state *state,
state->place = duringLength;
}
}
+ if (!state->indefinite) {
+ if (state->underlying_kind & SEC_ASN1_ANY ||
+ state->underlying_kind & SEC_ASN1_SKIP) {
+ if (state->found_tag_modifiers & SEC_ASN1_CONSTRUCTED) {
+ state->found_tag_modifiers &= ~SEC_ASN1_CONSTRUCTED;
+ return 1;
+ }
+ }
+ }
return 1;
}
@@ -863,6 +872,16 @@ sec_asn1d_prepare_for_contents (sec_asn1d_state *state)
*/
state->pending = state->contents_length;
+ if (state->contents_length > 0) {
+ sec_asn1d_state *tmp = state->parent;
+ while (tmp && tmp->depth == state->depth) tmp = tmp->parent;
+ if (tmp && !tmp->indefinite && state->contents_length > tmp->pending)
+ {
+ state->top->status = decodeError;
+ return;
+ }
+ }
+
/*
* An EXPLICIT is nothing but an outer header, which we have
* already parsed and accepted. Now we need to do the inner
@@ -1296,6 +1315,10 @@ sec_asn1d_reuse_encoding (sec_asn1d_state *state)
if (SEC_ASN1DecoderUpdate (state->top,
(char *) item->data, item->len) != SECSuccess)
return;
+ if (state->top->status == needBytes) {
+ state->top->status = decodeError;
+ return;
+ }
PORT_Assert (state->top->current == state);
PORT_Assert (state->child == child);
@@ -1375,8 +1398,14 @@ static unsigned long
sec_asn1d_parse_more_bit_string (sec_asn1d_state *state,
const char *buf, unsigned long len)
{
- PORT_Assert (state->pending > 0);
+/* PORT_Assert (state->pending > 0);
PORT_Assert (state->place == duringBitString);
+*/
+ if (state->pending == 0 || state->place != duringBitString) {
+ PORT_SetError (SEC_ERROR_BAD_DER);
+ state->top->status = decodeError;
+ return 0;
+ }
len = sec_asn1d_parse_leaf (state, buf, len);
if (state->place == beforeEndOfContents && state->dest != NULL) {
@@ -2376,6 +2405,8 @@ SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx,
break;
case duringSaveEncoding:
sec_asn1d_reuse_encoding (state);
+ if (cx->status == decodeError)
+ return SECFailure;
break;
case duringSequence:
sec_asn1d_next_in_sequence (state);