author | Martin Thomson <martin.thomson@gmail.com> | 2017-11-23 12:05:35 +1100 |
---|---|---|
committer | Martin Thomson <martin.thomson@gmail.com> | 2017-11-23 12:05:35 +1100 |
commit | 82f5248254af24e94dd0955297cd5259ca45b1b8 (patch) | |
tree | 9296417df06d845ad740f45b6ba9f1634a8bd656 /lib/pk11wrap | |
parent | 7bdd85eefb8ae0a63bf8228886b9c2b13a857dd1 (diff) | |
parent | 6280b248e57fa54bcd197edd6491962c9fc0e772 (diff) | |
Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCH
Diffstat (limited to 'lib/pk11wrap')
-rw-r--r-- | lib/pk11wrap/pk11merge.c | 5 | ||||
-rw-r--r-- | lib/pk11wrap/pk11pbe.c | 19 | ||||
-rw-r--r-- | lib/pk11wrap/pk11util.c | 9 |
3 files changed, 31 insertions, 2 deletions
diff --git a/lib/pk11wrap/pk11merge.c b/lib/pk11wrap/pk11merge.c
index d14f44c78..b2101b819 100644
--- a/lib/pk11wrap/pk11merge.c
+++ b/lib/pk11wrap/pk11merge.c
@@ -68,8 +68,11 @@ pk11_copyAttributes(PLArenaPool *arena,
 copyTemplate, copyTemplateCount);
 /* if we have missing attributes, just skip them and create the object */
 if (crv == CKR_ATTRIBUTE_TYPE_INVALID) {
- int i, j;
+ CK_ULONG i, j;
 newTemplate = PORT_NewArray(CK_ATTRIBUTE, copyTemplateCount);
+ if (!newTemplate) {
+ return SECFailure;
+ }
 /* remove the unknown attributes. If we don't have enough attributes
 * PK11_CreateNewObject() will fail */
 for (i = 0, j = 0; i < copyTemplateCount; i++) {
diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
index bea9333f6..5f68f399e 100644
--- a/lib/pk11wrap/pk11pbe.c
+++ b/lib/pk11wrap/pk11pbe.c
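Review bot: In the pk11_copyAttributes hunk of pk11merge.c, the new `return SECFailure;` gives the caller no visible hint of which error code accompanies the failure. If PORT_NewArray records the out-of-memory error itself, as the NSS allocators usually do, a short comment such as `/* PORT_NewArray has already set the error code */` above the return would document that; otherwise the branch should set one before returning. The function body starts and ends outside the hunk, so whether anything obtained earlier needs releasing on this path cannot be confirmed from here.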
@@ -367,7 +367,24 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId) cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId); if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) { - length = sec_pkcs5v2_aes_key_length(cipherAlg); + /* Previously, the PKCS#12 files created with the old NSS + * releases encoded the maximum key size of AES (that is 32) + * in the keyLength field of PBKDF2-params. That resulted in + * always performing AES-256 even if AES-128-CBC or + * AES-192-CBC is specified in the encryptionScheme field of + * PBES2-params. This is wrong, but for compatibility reasons, + * check the keyLength field and use the value if it is 32. + */ + if (p5_param.keyLength.data != NULL) { + length = DER_GetInteger(&p5_param.keyLength); + } + /* If the keyLength field is present and contains a value + * other than 32, that means the file is created outside of + * NSS, which we don't care about. Note that the following + * also handles the case when the field is absent. */ + if (length != 32) { + length = sec_pkcs5v2_aes_key_length(cipherAlg); + } } else if (p5_param.keyLength.data != NULL) { length = DER_GetInteger(&p5_param.keyLength); } else { diff --git a/lib/pk11wrap/pk11util.c b/lib/pk11wrap/pk11util.c index a962e9bb3..e316f1f1a 100644 --- a/lib/pk11wrap/pk11util.c +++ b/lib/pk11wrap/pk11util.c @@ -437,6 +437,11 @@ SECMOD_DeleteInternalModule(const char *name) return rv; } +#ifdef NSS_FIPS_DISABLED + PORT_SetError(PR_OPERATION_NOT_SUPPORTED_ERROR); + return rv; +#endif + SECMOD_GetWriteLock(moduleLock); for (mlpp = &modules, mlp = modules; mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { @@ -955,7 +960,11 @@ SECMOD_DestroyModuleList(SECMODModuleList *list) PRBool SECMOD_CanDeleteInternalModule(void) { +#ifdef NSS_FIPS_DISABLED + return PR_FALSE; +#else return (PRBool)(pendingModule == NULL); +#endif } /* |
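Review bot: In sec_pkcs5v2_key_length, the new `if (length != 32)` test reads `length` even when the keyLength field is absent, so the absent-field case works only if `length` was initialised to something other than 32 in its declaration, which is outside the hunk. Testing the field's presence and value together removes that dependency. It also keeps the legacy exception, where keyLength overrides the key size implied by encryptionScheme, confined to exactly one value in one place. A named constant for 32 (the AES-256 key size in bytes) would make the compatibility rule easier to audit.

```c
if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) {
    /* … unchanged: comment explaining the legacy keyLength encoding … */
    if (p5_param.keyLength.data != NULL &&
        DER_GetInteger(&p5_param.keyLength) == 32) {
        /* legacy NSS file: honour the encoded AES-256 key size */
        length = 32;
    } else {
        /* field absent or any other value: the cipher OID decides */
        length = sec_pkcs5v2_aes_key_length(cipherAlg);
    }
```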
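Review bot: In SECMOD_DeleteInternalModule, the NSS_FIPS_DISABLED branch returns `rv`, whose value at that point is set outside the hunk, so the refusal only fails closed while `rv` still holds a failure code there. Returning the constant, `return SECFailure;`, makes the refusal independent of the earlier code. The bare `#ifdef … #endif` also leaves the rest of the function as unreachable code in such builds; the `#ifdef … #else … #endif` form used in the SECMOD_CanDeleteInternalModule hunk of the same file would avoid that. A line in that function's comment saying it always returns PR_FALSE when NSS_FIPS_DISABLED is defined would document the new contract. The body of SECMOD_DeleteInternalModule continues outside the hunk.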