diff options
author | relyea%netscape.com <devnull@localhost> | 2003-10-16 23:49:15 +0000 |
---|---|---|
committer | relyea%netscape.com <devnull@localhost> | 2003-10-16 23:49:15 +0000 |
commit | cdcfd55f514b4111cfebcca82e7392e53df249bd (patch) | |
tree | 2c48f25c2671fd5bbcb45b4d98dcd0319812d149 /security/nss/lib | |
parent | 6d2af5f21db152c5f17be4f720f101f1519de438 (diff) | |
download | nss-hg-cdcfd55f514b4111cfebcca82e7392e53df249bd.tar.gz |
Bug 156770 When we do a file import and give a bad password we get wrong errors back
When we fail to decode based on a bad password, don't continue.
So once we've tried failed to decode a ANS.1 stream, don't continue collecting
more data.
On microsoft.pfx files, we would wind up decoding to the end of the encrypted
stream, then fail in the padding in PKCS #7. This code bypasses this problem by
making sure we don't continue to try to decode data once we've hit a bad
password failure.
Diffstat (limited to 'security/nss/lib')
-rw-r--r-- | security/nss/lib/nss/nss.def | 2 | ||||
-rw-r--r-- | security/nss/lib/pkcs12/p12d.c | 1 | ||||
-rw-r--r-- | security/nss/lib/pkcs7/p7decode.c | 13 | ||||
-rw-r--r-- | security/nss/lib/pkcs7/p7encode.c | 12 | ||||
-rw-r--r-- | security/nss/lib/pkcs7/secpkcs7.h | 7 | ||||
-rw-r--r-- | security/nss/lib/smime/smime.def | 7 | ||||
-rw-r--r-- | security/nss/lib/util/secasn1.h | 2 | ||||
-rw-r--r-- | security/nss/lib/util/secasn1d.c | 11 | ||||
-rw-r--r-- | security/nss/lib/util/secasn1e.c | 10 |
9 files changed, 65 insertions, 0 deletions
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index 01f496377..e65fbf04b 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def @@ -766,6 +766,8 @@ PK11_ExportEncryptedPrivKeyInfo; PK11_FindSlotsByAliases; SECMOD_GetDeadModuleList; SECMOD_GetDBModuleList; +SEC_ASN1DecoderAbort; +SEC_ASN1EncoderAbort; SEC_DupCrl; ;+ local: ;+ *; diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c index dade3417b..b88962cd0 100644 --- a/security/nss/lib/pkcs12/p12d.c +++ b/security/nss/lib/pkcs12/p12d.c @@ -716,6 +716,7 @@ sec_pkcs12_decoder_safe_contents_callback(void *arg, const char *buf, * we didn't have the correct password. */ PORT_SetError(SEC_ERROR_BAD_PASSWORD); p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE; + SEC_PKCS7DecoderAbort(p12dcx->currentASafeP7Dcx,SEC_ERROR_BAD_PASSWORD); goto loser; } diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c index 14f4358c7..6bf8307fc 100644 --- a/security/nss/lib/pkcs7/p7decode.c +++ b/security/nss/lib/pkcs7/p7decode.c @@ -1249,6 +1249,19 @@ SEC_PKCS7DecodeItem(SECItem *p7item, return SEC_PKCS7DecoderFinish(p7dcx); } +/* + * Abort the ASN.1 stream. Used by pkcs 12 + */ +void +SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error) +{ + PORT_Assert(p7dcx); + if (!p7dcx) { + return; + } + SEC_ASN1DecoderAbort(p7dcx->dcx, error); +} + /* * If the thing contains any certs or crls return true; false otherwise. diff --git a/security/nss/lib/pkcs7/p7encode.c b/security/nss/lib/pkcs7/p7encode.c index 662772427..04fc2621d 100644 --- a/security/nss/lib/pkcs7/p7encode.c +++ b/security/nss/lib/pkcs7/p7encode.c @@ -1165,6 +1165,18 @@ loser: return rv; } +/* + * Abort the ASN.1 stream. Used by pkcs 12 + */ +void +SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7ecx, int error) +{ + PORT_Assert(p7ecx); + if (!p7ecx) { + return; + } + SEC_ASN1EncoderAbort(p7ecx->ecx, error); +} /* * After this routine is called, the entire PKCS7 contentInfo is ready diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h index 8c210225b..47cb6d13b 100644 --- a/security/nss/lib/pkcs7/secpkcs7.h +++ b/security/nss/lib/pkcs7/secpkcs7.h @@ -98,6 +98,10 @@ SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx, extern SEC_PKCS7ContentInfo * SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx); + +/* Abort the underlying ASN.1 stream & set an error */ +void SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error); + extern SEC_PKCS7ContentInfo * SEC_PKCS7DecodeItem(SECItem *p7item, SEC_PKCS7DecoderContentCallback cb, void *cb_arg, @@ -547,6 +551,9 @@ extern SECStatus SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx, SECKEYGetPasswordKey pwfn, void *pwfnarg); +/* Abort the underlying ASN.1 stream & set an error */ +void SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7dcx, int error); + /* retrieve the algorithm ID used to encrypt the content info * for encrypted and enveloped data. The SECAlgorithmID pointer * returned needs to be freed as it is a copy of the algorithm diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def index c220d38c0..78c79501b 100644 --- a/security/nss/lib/smime/smime.def +++ b/security/nss/lib/smime/smime.def @@ -240,3 +240,10 @@ SEC_PKCS12DecoderSetTargetTokenCAs; ;+ local: ;+ *; ;+}; +;+NSS_3.9 { # NSS 3.9 release +;+ global: +SEC_PKCS7DecoderAbort; +SEC_PKCS7EncoderAbort; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/util/secasn1.h b/security/nss/lib/util/secasn1.h index fe1501490..6858fc89b 100644 --- a/security/nss/lib/util/secasn1.h +++ b/security/nss/lib/util/secasn1.h @@ -69,6 +69,7 @@ extern SECStatus SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx, unsigned long len); extern SECStatus SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx); +extern void SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error); extern void SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx, SEC_ASN1WriteProc fn, @@ -109,6 +110,7 @@ extern SECStatus SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx, unsigned long len); extern void SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx); +extern void SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error); extern void SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx, SEC_ASN1NotifyProc fn, diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c index 5812ba6c6..bba31c2d9 100644 --- a/security/nss/lib/util/secasn1d.c +++ b/security/nss/lib/util/secasn1d.c @@ -2845,6 +2845,17 @@ SEC_ASN1DecoderClearNotifyProc (SEC_ASN1DecoderContext *cx) cx->notify_arg = NULL; /* not necessary; just being clean */ } +void +SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error) +{ + PORT_Assert(cx); + if (!cx) { + return; + } + PORT_SetError(error); + cx->status = decodeError; +} + SECStatus SEC_ASN1Decode (PRArenaPool *poolp, void *dest, diff --git a/security/nss/lib/util/secasn1e.c b/security/nss/lib/util/secasn1e.c index 7c5242c21..3d954d228 100644 --- a/security/nss/lib/util/secasn1e.c +++ b/security/nss/lib/util/secasn1e.c @@ -1325,6 +1325,16 @@ SEC_ASN1EncoderClearNotifyProc (SEC_ASN1EncoderContext *cx) cx->notify_arg = NULL; /* not necessary; just being clean */ } +void +SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error) +{ + PORT_Assert(cx); + if (!cx) { + return; + } + PORT_SetError(error); + cx->status = encodeError; +} void SEC_ASN1EncoderSetStreaming (SEC_ASN1EncoderContext *cx) |