authorrelyea%netscape.com <devnull@localhost>2003-10-16 23:49:15 +0000
committerrelyea%netscape.com <devnull@localhost>2003-10-16 23:49:15 +0000
commitcdcfd55f514b4111cfebcca82e7392e53df249bd (patch)
tree2c48f25c2671fd5bbcb45b4d98dcd0319812d149 /security/nss/lib
parent6d2af5f21db152c5f17be4f720f101f1519de438 (diff)
Bug 156770 When we do a file import and give a bad password we get wrong errors back
When we fail to decode based on a bad password, don't continue. So once we've failed to decode an ASN.1 stream, don't continue collecting more data. On microsoft.pfx files, we would wind up decoding to the end of the encrypted stream, then fail in the padding in PKCS #7. This code bypasses this problem by making sure we don't continue to try to decode data once we've hit a bad password failure.
Diffstat (limited to 'security/nss/lib')
-rw-r--r--security/nss/lib/nss/nss.def2
-rw-r--r--security/nss/lib/pkcs12/p12d.c1
-rw-r--r--security/nss/lib/pkcs7/p7decode.c13
-rw-r--r--security/nss/lib/pkcs7/p7encode.c12
-rw-r--r--security/nss/lib/pkcs7/secpkcs7.h7
-rw-r--r--security/nss/lib/smime/smime.def7
-rw-r--r--security/nss/lib/util/secasn1.h2
-rw-r--r--security/nss/lib/util/secasn1d.c11
-rw-r--r--security/nss/lib/util/secasn1e.c10
9 files changed, 65 insertions, 0 deletions
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 01f496377..e65fbf04b 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -766,6 +766,8 @@ PK11_ExportEncryptedPrivKeyInfo;
PK11_FindSlotsByAliases;
SECMOD_GetDeadModuleList;
SECMOD_GetDBModuleList;
+SEC_ASN1DecoderAbort;
+SEC_ASN1EncoderAbort;
SEC_DupCrl;
;+ local:
;+ *;
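Review bot: The two new exports, `SEC_ASN1DecoderAbort;` and `SEC_ASN1EncoderAbort;`, are appended to an existing version node, whereas the smime.def hunk in this same commit opens a new `NSS_3.9` node for its two symbols. The name of the node being extended here lies outside the hunk, so this may be fine, but if it belongs to an already released version the symbol versioning no longer records when these functions first appeared. It would be more consistent to place them under a `;+NSS_3.9 { # NSS 3.9 release` node as smime.def does.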
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
index dade3417b..b88962cd0 100644
--- a/security/nss/lib/pkcs12/p12d.c
+++ b/security/nss/lib/pkcs12/p12d.c
@@ -716,6 +716,7 @@ sec_pkcs12_decoder_safe_contents_callback(void *arg, const char *buf,
* we didn't have the correct password. */
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+ SEC_PKCS7DecoderAbort(p12dcx->currentASafeP7Dcx,SEC_ERROR_BAD_PASSWORD);
goto loser;
}
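Review bot: After the added line this branch carries two different error codes: `p12dcx->errorValue` is set to SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE while both PORT_SetError and the new SEC_PKCS7DecoderAbort call use SEC_ERROR_BAD_PASSWORD. Which of the two the importing caller finally sees depends on code outside the hunk, so a short comment would help, for example `/* stop the outer PKCS #7 decoder now so later padding failures cannot replace the bad-password error */`. The call also lacks a space after the comma (`currentASafeP7Dcx,SEC_ERROR_BAD_PASSWORD`). The enclosing callback begins and ends outside this hunk.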
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
index 14f4358c7..6bf8307fc 100644
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -1249,6 +1249,19 @@ SEC_PKCS7DecodeItem(SECItem *p7item,
return SEC_PKCS7DecoderFinish(p7dcx);
}
+/*
+ * Abort the ASN.1 stream. Used by pkcs 12
+ */
+void
+SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error)
+{
+ PORT_Assert(p7dcx);
+ if (!p7dcx) {
+ return;
+ }
+ SEC_ASN1DecoderAbort(p7dcx->dcx, error);
+}
+
/*
* If the thing contains any certs or crls return true; false otherwise.
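Review bot: SEC_PKCS7DecoderAbort checks `p7dcx` for NULL but forwards `p7dcx->dcx` unchecked. If the inner ASN.1 context can be NULL at this point (not visible here), SEC_ASN1DecoderAbort asserts in debug builds and returns in release builds before PORT_SetError runs, so the requested error is lost. Handling it locally keeps the error, e.g. `if (!p7dcx->dcx) { PORT_SetError(error); return; }`, or the header comment should state that the call is only valid while a decode is in progress. The same applies to SEC_PKCS7EncoderAbort and `p7ecx->ecx` in p7encode.c, where the comment `Used by pkcs 12` looks copied, since nothing in this commit calls the encoder variant.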
diff --git a/security/nss/lib/pkcs7/p7encode.c b/security/nss/lib/pkcs7/p7encode.c
index 662772427..04fc2621d 100644
--- a/security/nss/lib/pkcs7/p7encode.c
+++ b/security/nss/lib/pkcs7/p7encode.c
@@ -1165,6 +1165,18 @@ loser:
return rv;
}
+/*
+ * Abort the ASN.1 stream. Used by pkcs 12
+ */
+void
+SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7ecx, int error)
+{
+ PORT_Assert(p7ecx);
+ if (!p7ecx) {
+ return;
+ }
+ SEC_ASN1EncoderAbort(p7ecx->ecx, error);
+}
/*
* After this routine is called, the entire PKCS7 contentInfo is ready
diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h
index 8c210225b..47cb6d13b 100644
--- a/security/nss/lib/pkcs7/secpkcs7.h
+++ b/security/nss/lib/pkcs7/secpkcs7.h
@@ -98,6 +98,10 @@ SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
extern SEC_PKCS7ContentInfo *
SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx);
+
+/* Abort the underlying ASN.1 stream & set an error */
+void SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error);
+
extern SEC_PKCS7ContentInfo *
SEC_PKCS7DecodeItem(SECItem *p7item,
SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
@@ -547,6 +551,9 @@ extern SECStatus SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx,
SECKEYGetPasswordKey pwfn,
void *pwfnarg);
+/* Abort the underlying ASN.1 stream & set an error */
+void SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7dcx, int error);
+
/* retrieve the algorithm ID used to encrypt the content info
* for encrypted and enveloped data. The SECAlgorithmID pointer
* returned needs to be freed as it is a copy of the algorithm
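Review bot: The SEC_PKCS7EncoderAbort prototype names its parameter `p7dcx`, the decoder naming, while the definition in p7encode.c uses `p7ecx`; the declaration should read `extern void SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7ecx, int error);`. Both new prototypes in this header also omit the `extern` that the neighbouring declarations carry. The comment `Abort the underlying ASN.1 stream & set an error` could add that the context is not released by this call, so that callers do not treat Abort as a substitute for the Finish routine.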
diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def
index c220d38c0..78c79501b 100644
--- a/security/nss/lib/smime/smime.def
+++ b/security/nss/lib/smime/smime.def
@@ -240,3 +240,10 @@ SEC_PKCS12DecoderSetTargetTokenCAs;
;+ local:
;+ *;
;+};
+;+NSS_3.9 { # NSS 3.9 release
+;+ global:
+SEC_PKCS7DecoderAbort;
+SEC_PKCS7EncoderAbort;
+;+ local:
+;+ *;
+;+};
diff --git a/security/nss/lib/util/secasn1.h b/security/nss/lib/util/secasn1.h
index fe1501490..6858fc89b 100644
--- a/security/nss/lib/util/secasn1.h
+++ b/security/nss/lib/util/secasn1.h
@@ -69,6 +69,7 @@ extern SECStatus SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
unsigned long len);
extern SECStatus SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx);
+extern void SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error);
extern void SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx,
SEC_ASN1WriteProc fn,
@@ -109,6 +110,7 @@ extern SECStatus SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx,
unsigned long len);
extern void SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx);
+extern void SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error);
extern void SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx,
SEC_ASN1NotifyProc fn,
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c
index 5812ba6c6..bba31c2d9 100644
--- a/security/nss/lib/util/secasn1d.c
+++ b/security/nss/lib/util/secasn1d.c
@@ -2845,6 +2845,17 @@ SEC_ASN1DecoderClearNotifyProc (SEC_ASN1DecoderContext *cx)
cx->notify_arg = NULL; /* not necessary; just being clean */
}
+void
+SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error)
+{
+ PORT_Assert(cx);
+ if (!cx) {
+ return;
+ }
+ PORT_SetError(error);
+ cx->status = decodeError;
+}
+
SECStatus
SEC_ASN1Decode (PRArenaPool *poolp, void *dest,
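Review bot: SEC_ASN1DecoderAbort is a new exported entry point with no comment describing its contract, and SEC_ASN1EncoderAbort in secasn1e.c has the same gap. From the visible body it only records the error and moves the context to `decodeError`, and it frees nothing. A header comment would make that explicit, for example `/* Mark the decoder as failed with 'error' so no further input is processed; cx is not freed here and presumably must still be passed to SEC_ASN1DecoderFinish. */`. The encoder variant is also missing the blank line before the following `void` definition.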
diff --git a/security/nss/lib/util/secasn1e.c b/security/nss/lib/util/secasn1e.c
index 7c5242c21..3d954d228 100644
--- a/security/nss/lib/util/secasn1e.c
+++ b/security/nss/lib/util/secasn1e.c
@@ -1325,6 +1325,16 @@ SEC_ASN1EncoderClearNotifyProc (SEC_ASN1EncoderContext *cx)
cx->notify_arg = NULL; /* not necessary; just being clean */
}
+void
+SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error)
+{
+ PORT_Assert(cx);
+ if (!cx) {
+ return;
+ }
+ PORT_SetError(error);
+ cx->status = encodeError;
+}
void
SEC_ASN1EncoderSetStreaming (SEC_ASN1EncoderContext *cx)