author | ian.mcgreer%sun.com <devnull@localhost> | 2003-10-30 17:47:22 +0000 |
---|---|---|
committer | ian.mcgreer%sun.com <devnull@localhost> | 2003-10-30 17:47:22 +0000 |
commit | c8b9e97cabb38965efced592742377e4b278b939 (patch) | |
tree | 207d052ffaed0f25d9563d009b00b57dcb2679f9 | |
parent | b08d9509e366bda77c9de31bd7c251832951f3e4 (diff) | |
download | nss-hg-c8b9e97cabb38965efced592742377e4b278b939.tar.gz |
set to 3.3.7beta, fixes for handling of invalid input
-rw-r--r-- | security/nss/lib/certdb/alg1485.c | 8 | ||||
-rw-r--r-- | security/nss/lib/certdb/certdb.c | 1 | ||||
-rw-r--r-- | security/nss/lib/freebl/rsa.c | 4 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.h | 6 | ||||
-rw-r--r-- | security/nss/lib/softoken/pkcs11.c | 6 | ||||
-rw-r--r-- | security/nss/lib/softoken/rsawrapr.c | 6 | ||||
-rw-r--r-- | security/nss/lib/ssl/ssl3con.c | 21 | ||||
-rw-r--r-- | security/nss/lib/util/dertime.c | 5 | ||||
-rw-r--r-- | security/nss/lib/util/secasn1d.c | 33 |
9 files changed, 74 insertions, 16 deletions
diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index d3ca7fcef..409b17a69 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c @@ -624,6 +624,11 @@ get_oid_string /* end points to one past the legitimate data */ end = &d[ oid->len ]; + if (oid->len > 1024) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return (char *)NULL; + } + /* * Check for our pseudo-encoded single-digit OIDs */ @@ -775,6 +780,7 @@ AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava) default: /* handle unknown attribute types per RFC 2253 */ tagName = unknownTag = get_oid_string(&ava->type); + if (!tagName) return SECFailure; maxLen = 256; break; } @@ -792,6 +798,7 @@ AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava) /* Check value length */ if (avaValue->len > maxLen) { if (unknownTag) PR_smprintf_free(unknownTag); + SECITEM_FreeItem(avaValue, PR_TRUE); PORT_SetError(SEC_ERROR_INVALID_AVA); return SECFailure; } @@ -799,6 +806,7 @@ AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava) len = PORT_Strlen(tagName); if (len+1 > sizeof(tmpBuf)) { if (unknownTag) PR_smprintf_free(unknownTag); + SECITEM_FreeItem(avaValue, PR_TRUE); PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; } diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 5eb141378..4701e1e45 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -1128,6 +1128,7 @@ CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage) */ if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) { key = CERT_ExtractPublicKey(cert); + if (!key) return SECFailure; if ( ( key->keyType == keaKey ) || ( key->keyType == fortezzaKey ) || ( key->keyType == dhKey ) ) { requiredUsage |= KU_KEY_AGREEMENT; diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c index ba89c6ccc..588cfa6ec 100644 --- a/security/nss/lib/freebl/rsa.c +++ b/security/nss/lib/freebl/rsa.c 
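Review bot: The new length guard in get_oid_string reports an over-long OID as `SEC_ERROR_NO_MEMORY`, which tells the caller the allocator failed when the input was rejected. An input-oriented code such as `PORT_SetError(SEC_ERROR_INPUT_LEN);` would keep malformed-certificate failures separate from real out-of-memory conditions in logs and error handling. The bare `1024` would also read better as a named constant with a one-line comment saying what it bounds (presumably the size of the formatted string, but that is not visible in this hunk). The function body starts and ends outside the hunk.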
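Review bot: The added `if (!key) return SECFailure;` in CERT_CheckKeyUsage returns without setting an error code of its own, so the caller sees whatever CERT_ExtractPublicKey left behind. If that function does not set an error on every NULL return (its body is not shown here), the failure surfaces with a stale or zero code. Consider `if (!key) { PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE); return SECFailure; }` or routing through the function's existing failure path, which lies outside the hunk.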
@@ -226,7 +226,9 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) RSAPrivateKey *key = NULL; PRArenaPool *arena = NULL; /* Require key size to be a multiple of 16 bits. */ - if (!publicExponent || keySizeInBits % 16 != 0) { + if (!publicExponent || keySizeInBits % 16 != 0 || + keySizeInBits == 0 || publicExponent->len == 0 || + (publicExponent->len == 1 && publicExponent->data[0] == 1)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 9369fcecb..723379fc2 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -49,11 +49,11 @@ SEC_BEGIN_PROTOS * The format of the version string should be * "<major version>.<minor version>[.<patch level>] [<Beta>]" */ -#define NSS_VERSION "3.3.6rtm" +#define NSS_VERSION "3.3.7beta" #define NSS_VMAJOR 3 #define NSS_VMINOR 3 -#define NSS_VPATCH 6 -#define NSS_BETA PR_FALSE +#define NSS_VPATCH 7 +#define NSS_BETA PR_TRUE /* diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 992feda19..546ebfc95 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -1956,9 +1956,15 @@ SECKEYLowPublicKey *pk11_GetPubKey(PK11Object *object,CK_KEY_TYPE key_type) pubKey->keyType = rsaKey; crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.modulus, object,CKA_MODULUS); + /* This requirement taken from rsa.c */ + if (pubKey->u.rsa.modulus.len == 0 || + SECKEY_LowPublicModulusLen(pubKey) % 16 != 0) + crv = CKR_ARGUMENTS_BAD; if (crv != CKR_OK) break; crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.publicExponent, object,CKA_PUBLIC_EXPONENT); + if (pubKey->u.rsa.publicExponent.len == 0) + crv = CKR_ARGUMENTS_BAD; break; case CKK_DSA: pubKey->keyType = dsaKey; diff --git a/security/nss/lib/softoken/rsawrapr.c b/security/nss/lib/softoken/rsawrapr.c index 5b1b8d894..bb6e454af 100644 --- a/security/nss/lib/softoken/rsawrapr.c +++ b/security/nss/lib/softoken/rsawrapr.c 
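Review bot: The widened argument check in RSA_NewKey still accepts a negative key size, because `keySizeInBits` is an `int` and a value such as -16 passes both `% 16 != 0` and `== 0`. Using `keySizeInBits <= 0` in place of `keySizeInBits == 0` closes that. The exponent test rejects the value 1 only in its one-byte encoding, so the same value with leading zero bytes, or an all-zero exponent, still gets through. If callers can supply non-minimal encodings, the check should be made on the numeric value. The comment above the condition now describes only the first of five clauses and should be extended.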
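Review bot: In pk11_GetPubKey the new modulus test runs before `if (crv != CKR_OK) break;`, so a failed pk11_Attribute2SSecItem is still followed by a read of `pubKey->u.rsa.modulus`, and its error is overwritten with `CKR_ARGUMENTS_BAD`. The exponent test after the second call has the same ordering. Guarding both with the result, e.g. `if (crv == CKR_OK && pubKey->u.rsa.publicExponent.len == 0) crv = CKR_ARGUMENTS_BAD;`, keeps the original failure code and avoids inspecting an item that may not have been filled in. The comment says the requirement comes from rsa.c, where the multiple-of-16 rule is stated in bits. Please confirm which unit SECKEY_LowPublicModulusLen returns, since `% 16` on a byte count would be a stricter rule than the one cited.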
@@ -240,6 +240,10 @@ RSA_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType, */ padLen = modulusLen - data->len - 3; PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN); + if (padLen < RSA_BLOCK_MIN_PAD_LEN) { + PORT_Free(block); + return NULL; + } for (i = 0; i < padLen; i++) { /* Pad with non-zero random data. */ do { @@ -776,6 +780,8 @@ RSA_EncryptBlock(SECKEYLowPublicKey *key, SECItem unformatted; formatted.data = NULL; + if (modulus_len == 0) + goto failure; if (max_output_len < modulus_len) goto failure; PORT_Assert(key->keyType == rsaKey); diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 01cf2cc78..76731fa6c 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -1871,7 +1871,7 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf) SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record", SSL_GETPID(), ss->fd)); - if (ws != wait_change_cipher && ws != wait_cert_verify) { + if (ws != wait_change_cipher) { (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER); return SECFailure; 
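Review bot: In RSA_FormatOneBlock the `PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);` is kept directly above the new runtime check, so a build with assertions enabled still aborts on over-long data instead of taking the new error return. The same pattern appears in the dertime.c hunk (`PORT_Assert(string != NULL);` followed by the NULL test). An assertion should not guard a condition the code now treats as reachable invalid input, so either drop it or move it below the check. The new path also returns NULL without `PORT_SetError`, leaving the caller without a reason. Because `padLen` comes from `modulusLen - data->len - 3` with an unsigned `modulusLen`, confirm that `padLen` is a signed type (its declaration is outside the hunk), otherwise a wrapped value passes the `<` test.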
@@ -7157,23 +7157,22 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) /* must be copied to msg_body and dealt with from there */ unsigned int bytes; - bytes = PR_MIN(buf->len, ssl3->hs.msg_len); + PORT_Assert(ssl3->hs.msg_body.len <= ssl3->hs.msg_len); + bytes = PR_MIN(buf->len, ssl3->hs.msg_len - ssl3->hs.msg_body.len); /* Grow the buffer if needed */ - if (bytes > ssl3->hs.msg_body.space - ssl3->hs.msg_body.len) { - rv = sslBuffer_Grow(&ssl3->hs.msg_body, - ssl3->hs.msg_body.len + bytes); - if (rv != SECSuccess) { - /* sslBuffer_Grow has set a memory error code. */ - return SECFailure; - } + rv = sslBuffer_Grow(&ssl3->hs.msg_body, ssl3->hs.msg_len); + if (rv != SECSuccess) { + /* sslBuffer_Grow has set a memory error code. */ + return SECFailure; } + PORT_Memcpy(ssl3->hs.msg_body.buf + ssl3->hs.msg_body.len, - buf->buf, buf->len); + buf->buf, bytes); + ssl3->hs.msg_body.len += bytes; buf->buf += bytes; buf->len -= bytes; - /* should not be more than one message in msg_body */ PORT_Assert(ssl3->hs.msg_body.len <= ssl3->hs.msg_len); /* if we have a whole message, do it */ diff --git a/security/nss/lib/util/dertime.c b/security/nss/lib/util/dertime.c index 5fbdca656..0a7613b7c 100644 --- a/security/nss/lib/util/dertime.c +++ b/security/nss/lib/util/dertime.c @@ -119,6 +119,11 @@ DER_AsciiToTime(int64 *dst, char *string) { long year, month, mday, hour, minute, second, hourOff, minOff, days; int64 result, tmp1, tmp2; + + PORT_Assert(string != NULL); + if (string == NULL) { + goto loser; + } /* Verify time is formatted properly and capture information */ second = 0; diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c index f9ea07c48..f93f411db 100644 --- a/security/nss/lib/util/secasn1d.c +++ b/security/nss/lib/util/secasn1d.c 
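Review bot: The invariant `ssl3->hs.msg_body.len <= ssl3->hs.msg_len` that makes the new `bytes` computation safe in ssl3_HandleHandshake is enforced only by `PORT_Assert`. Where assertions are compiled out, a violation makes the subtraction wrap (assuming the length fields are unsigned, which is not visible here). `bytes` then falls back to `buf->len` and the copy can again run past the space grown to `msg_len`. A runtime guard before the `PR_MIN`, e.g. `if (ssl3->hs.msg_body.len > ssl3->hs.msg_len) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; }`, makes the bound hold in every build. `sslBuffer_Grow` is now always asked for the full peer-declared `msg_len`, so confirm that the header parsing above this hunk caps that value. The function body starts and ends outside the hunk.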
@@ -768,6 +768,15 @@ sec_asn1d_parse_length (sec_asn1d_state *state, state->place = duringLength; } } + if (!state->indefinite) { + if (state->underlying_kind & SEC_ASN1_ANY || + state->underlying_kind & SEC_ASN1_SKIP) { + if (state->found_tag_modifiers & SEC_ASN1_CONSTRUCTED) { + state->found_tag_modifiers &= ~SEC_ASN1_CONSTRUCTED; + return 1; + } + } + } return 1; } @@ -863,6 +872,16 @@ sec_asn1d_prepare_for_contents (sec_asn1d_state *state) */ state->pending = state->contents_length; + if (state->contents_length > 0) { + sec_asn1d_state *tmp = state->parent; + while (tmp && tmp->depth == state->depth) tmp = tmp->parent; + if (tmp && !tmp->indefinite && state->contents_length > tmp->pending) + { + state->top->status = decodeError; + return; + } + } + /* * An EXPLICIT is nothing but an outer header, which we have * already parsed and accepted. Now we need to do the inner @@ -1296,6 +1315,10 @@ sec_asn1d_reuse_encoding (sec_asn1d_state *state) if (SEC_ASN1DecoderUpdate (state->top, (char *) item->data, item->len) != SECSuccess) return; + if (state->top->status == needBytes) { + state->top->status = decodeError; + return; + } PORT_Assert (state->top->current == state); PORT_Assert (state->child == child); @@ -1375,8 +1398,14 @@ static unsigned long sec_asn1d_parse_more_bit_string (sec_asn1d_state *state, const char *buf, unsigned long len) { - PORT_Assert (state->pending > 0); +/* PORT_Assert (state->pending > 0); PORT_Assert (state->place == duringBitString); +*/ + if (state->pending == 0 || state->place != duringBitString) { + PORT_SetError (SEC_ERROR_BAD_DER); + state->top->status = decodeError; + return 0; + } len = sec_asn1d_parse_leaf (state, buf, len); if (state->place == beforeEndOfContents && state->dest != NULL) { 
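Review bot: The block added at the end of sec_asn1d_parse_length has no comment explaining why the CONSTRUCTED modifier is cleared for definite-length ANY/SKIP items. Its inner `return 1;` is redundant because the function returns 1 on the very next line. Adding a short comment, for example `/* definite-length ANY/SKIP: treat a constructed encoding as an opaque leaf so its contents are not descended into */` if that is the intent, and dropping the inner return would make the state change reviewable. Mixing `||` with unparenthesised `&` in the condition is correct by precedence but easy to misread. `state->underlying_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)` says the same thing more plainly.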
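Review bot: The new bounds check in sec_asn1d_prepare_for_contents sets `state->top->status = decodeError;` without calling `PORT_SetError`. The sec_asn1d_parse_more_bit_string hunk in this same commit pairs the status change with `PORT_SetError (SEC_ERROR_BAD_DER);`. The sec_asn1d_reuse_encoding hunk, which converts `needBytes` into `decodeError`, has the same omission. Unless a caller outside these hunks sets the error for every decodeError, a child length that exceeds its parent's remaining bytes will be reported with a stale code. Adding `PORT_SetError (SEC_ERROR_BAD_DER);` in both places keeps the three rejection paths consistent. The ancestor walk `while (tmp && tmp->depth == state->depth) tmp = tmp->parent;` would also benefit from a comment saying which ancestor it is meant to find.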
@@ -2376,6 +2405,8 @@ SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx, break; case duringSaveEncoding: sec_asn1d_reuse_encoding (state); + if (cx->status == decodeError) + return SECFailure; break; case duringSequence: sec_asn1d_next_in_sequence (state); |
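Review bot: The early `return SECFailure;` added under `case duringSaveEncoding:` in SEC_ASN1DecoderUpdate leaves the function from inside the state switch. The rest of the function is outside this hunk. If the code after the switch already handles `cx->status == decodeError`, for instance by releasing child states or setting the error, this return bypasses it and the other failure cases do not. A plain `break;` may then be enough, since the status is already set by sec_asn1d_reuse_encoding. If the direct return is intentional, a comment such as `/* reuse_encoding re-entered the decoder; state is no longer valid to continue with */` would record why this case differs.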