summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/nss/lib/cryptohi/seckey.c221
-rw-r--r--security/nss/lib/pk11wrap/pk11pbe.c4
-rw-r--r--security/nss/lib/pk11wrap/pk11pk12.c23
-rw-r--r--security/nss/lib/pk11wrap/pk11sdr.c2
-rw-r--r--security/nss/lib/softoken/keydb.c37
5 files changed, 172 insertions, 115 deletions
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
index 23ed406c8..79185c6b1 100644
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -577,44 +577,52 @@ SECKEY_UpdateCertPQG(CERTCertificate * subjectCert)
SECStatus
SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk,
SECItem *params) {
- SECStatus rv;
- SECKEYPQGDualParams dual_params;
+ SECStatus rv;
+ SECKEYPQGDualParams dual_params;
+ SECItem newparams;
+
+ PORT_Assert(arena);
if (params == NULL) return SECFailure;
if (params->data == NULL) return SECFailure;
+ /* make a copy of the data into the arena so QuickDER output is valid */
+ rv = SECITEM_CopyItem(arena, &newparams, params);
+
/* Check if params use the standard format.
* The value 0xa1 will appear in the first byte of the parameter data
* if the PQG parameters are not using the standard format. This
* code should be changed to use a better method to detect non-standard
* parameters. */
- if ((params->data[0] != 0xa1) &&
- (params->data[0] != 0xa0)) {
+ if ((newparams.data[0] != 0xa1) &&
+ (newparams.data[0] != 0xa0)) {
+ if (SECSuccess == rv) {
/* PQG params are in the standard format */
/* Store DSA PQG parameters */
prepare_pqg_params_for_asn1(&pubk->u.fortezza.params);
- rv = SEC_ASN1DecodeItem(arena, &pubk->u.fortezza.params,
+ rv = SEC_QuickDERDecodeItem(arena, &pubk->u.fortezza.params,
SECKEY_PQGParamsTemplate,
- params);
-
- if (rv == SECSuccess) {
+ &newparams);
+ }
- /* Copy the DSA PQG parameters to the KEA PQG parameters. */
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
- &pubk->u.fortezza.params.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
- &pubk->u.fortezza.params.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
- &pubk->u.fortezza.params.base);
- if (rv != SECSuccess) return rv;
- }
+ if (SECSuccess == rv) {
+ /* Copy the DSA PQG parameters to the KEA PQG parameters. */
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
+ &pubk->u.fortezza.params.prime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
+ &pubk->u.fortezza.params.subPrime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
+ &pubk->u.fortezza.params.base);
+ }
} else {
dual_params.CommParams.prime.len = 0;
@@ -626,67 +634,79 @@ SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk,
/* else the old fortezza-only wrapped format is used. */
- if (params->data[0] == 0xa1) {
- rv = SEC_ASN1DecodeItem(arena, &dual_params,
- SECKEY_FortezzaPreParamTemplate, params);
- } else {
- rv = SEC_ASN1DecodeItem(arena, &dual_params,
- SECKEY_FortezzaAltPreParamTemplate, params);
+ if (SECSuccess == rv) {
+ if (newparams.data[0] == 0xa1) {
+ rv = SEC_QuickDERDecodeItem(arena, &dual_params,
+ SECKEY_FortezzaPreParamTemplate, &newparams);
+ } else {
+ rv = SEC_QuickDERDecodeItem(arena, &dual_params,
+ SECKEY_FortezzaAltPreParamTemplate, &newparams);
+ }
}
-
- if (rv < 0) return rv;
if ( (dual_params.CommParams.prime.len > 0) &&
(dual_params.CommParams.subPrime.len > 0) &&
(dual_params.CommParams.base.len > 0) ) {
/* copy in common params */
-
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
- &dual_params.CommParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
- &dual_params.CommParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
- &dual_params.CommParams.base);
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
+ &dual_params.CommParams.prime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
+ &dual_params.CommParams.subPrime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
+ &dual_params.CommParams.base);
+ }
/* Copy the DSA PQG parameters to the KEA PQG parameters. */
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
- &pubk->u.fortezza.params.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
- &pubk->u.fortezza.params.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
- &pubk->u.fortezza.params.base);
- if (rv != SECSuccess) return rv;
-
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
+ &pubk->u.fortezza.params.prime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
+ &pubk->u.fortezza.params.subPrime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
+ &pubk->u.fortezza.params.base);
+ }
} else {
/* else copy in different params */
/* copy DSA PQG parameters */
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
&dual_params.DiffParams.DiffDSAParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
&dual_params.DiffParams.DiffDSAParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
&dual_params.DiffParams.DiffDSAParams.base);
+ }
/* copy KEA PQG parameters */
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
&dual_params.DiffParams.DiffKEAParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
&dual_params.DiffParams.DiffKEAParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
&dual_params.DiffParams.DiffKEAParams.base);
+ }
}
-
}
return rv;
}
@@ -699,27 +719,35 @@ SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk,
SECStatus
SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) {
- SECStatus rv;
- SECKEYPQGDualParams dual_params;
+ SECStatus rv;
+ SECKEYPQGDualParams dual_params;
+ SECItem newparams;
if (params == NULL) return SECFailure;
if (params->data == NULL) return SECFailure;
+ PORT_Assert(arena);
+
+ /* make a copy of the data into the arena so QuickDER output is valid */
+ rv = SECITEM_CopyItem(arena, &newparams, params);
+
/* Check if params use the standard format.
* The value 0xa1 will appear in the first byte of the parameter data
* if the PQG parameters are not using the standard format. This
* code should be changed to use a better method to detect non-standard
* parameters. */
- if ((params->data[0] != 0xa1) &&
- (params->data[0] != 0xa0)) {
+ if ((newparams.data[0] != 0xa1) &&
+ (newparams.data[0] != 0xa0)) {
- /* PQG params are in the standard format */
- prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
- rv = SEC_ASN1DecodeItem(arena, &pubk->u.dsa.params,
- SECKEY_PQGParamsTemplate,
- params);
+ if (SECSuccess == rv) {
+ /* PQG params are in the standard format */
+ prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
+ rv = SEC_QuickDERDecodeItem(arena, &pubk->u.dsa.params,
+ SECKEY_PQGParamsTemplate,
+ &newparams);
+ }
} else {
dual_params.CommParams.prime.len = 0;
@@ -729,52 +757,57 @@ SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params)
dual_params.DiffParams.DiffDSAParams.subPrime.len = 0;
dual_params.DiffParams.DiffDSAParams.base.len = 0;
- /* else the old fortezza-only wrapped format is used. */
- if (params->data[0] == 0xa1) {
- rv = SEC_ASN1DecodeItem(arena, &dual_params,
- SECKEY_FortezzaPreParamTemplate, params);
- } else {
- rv = SEC_ASN1DecodeItem(arena, &dual_params,
- SECKEY_FortezzaAltPreParamTemplate, params);
+ if (SECSuccess == rv) {
+ /* else the old fortezza-only wrapped format is used. */
+ if (newparams.data[0] == 0xa1) {
+ rv = SEC_QuickDERDecodeItem(arena, &dual_params,
+ SECKEY_FortezzaPreParamTemplate, &newparams);
+ } else {
+ rv = SEC_QuickDERDecodeItem(arena, &dual_params,
+ SECKEY_FortezzaAltPreParamTemplate, &newparams);
+ }
}
- if (rv < 0) return rv;
-
if ( (dual_params.CommParams.prime.len > 0) &&
(dual_params.CommParams.subPrime.len > 0) &&
(dual_params.CommParams.base.len > 0) ) {
/* copy in common params */
-
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
- &dual_params.CommParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
- &dual_params.CommParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
- &dual_params.CommParams.base);
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+ &dual_params.CommParams.prime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+ &dual_params.CommParams.subPrime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+ &dual_params.CommParams.base);
+ }
} else {
/* else copy in different params */
/* copy DSA PQG parameters */
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
- &dual_params.DiffParams.DiffDSAParams.prime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
- &dual_params.DiffParams.DiffDSAParams.subPrime);
- if (rv != SECSuccess) return rv;
- rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
- &dual_params.DiffParams.DiffDSAParams.base);
-
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+ &dual_params.DiffParams.DiffDSAParams.prime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+ &dual_params.DiffParams.DiffDSAParams.subPrime);
+ }
+ if (SECSuccess == rv) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+ &dual_params.DiffParams.DiffDSAParams.base);
+ }
}
}
return rv;
}
-
/* Decodes the DER encoded fortezza public key and stores the results in a
* structure of type SECKEYPublicKey. */
diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c
index 1ec9dd438..5cbb38a73 100644
--- a/security/nss/lib/pk11wrap/pk11pbe.c
+++ b/security/nss/lib/pk11wrap/pk11pbe.c
@@ -422,10 +422,10 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech)
}
if (sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
- rv = SEC_ASN1DecodeItem(arena, &p5_param,
+ rv = SEC_QuickDERDecodeItem(arena, &p5_param,
SEC_V2PKCS12PBEParameterTemplate, &algid->parameters);
} else {
- rv = SEC_ASN1DecodeItem(arena,&p5_param,SEC_PKCS5PBEParameterTemplate,
+ rv = SEC_QuickDERDecodeItem(arena,&p5_param,SEC_PKCS5PBEParameterTemplate,
&algid->parameters);
}
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
index 35a4cbc07..fdfc0f229 100644
--- a/security/nss/lib/pk11wrap/pk11pk12.c
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -250,11 +250,18 @@ PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI,
SECStatus rv = SECFailure;
temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!temparena) {
+ goto finish;
+ }
pki = PORT_ArenaZNew(temparena, SECKEYPrivateKeyInfo);
+ if (!pki) {
+ goto finish;
+ }
pki->arena = temparena;
- rv = SEC_ASN1DecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate,
+ rv = SEC_QuickDERDecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate,
derPKI);
+
if( rv != SECSuccess ) {
goto finish;
}
@@ -263,9 +270,13 @@ PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI,
publicValue, isPerm, isPrivate, keyUsage, privk, wincx);
finish:
- if( pki != NULL ) {
- /* this zeroes the key and frees the arena */
- SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
+ if( temparena != NULL ) {
+ if (pki) {
+ /* this zeroes the key and frees the arena */
+ SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
+ } else {
+ PORT_FreeArena(temparena, PR_FALSE);
+ }
}
return rv;
}
@@ -522,12 +533,12 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
}
/* decode the private key and any algorithm parameters */
- rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+ rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
if(rv != SECSuccess) {
goto loser;
}
if(paramDest && paramTemplate) {
- rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate,
+ rv = SEC_QuickDERDecodeItem(arena, paramDest, paramTemplate,
&(pki->algorithm.parameters));
if(rv != SECSuccess) {
goto loser;
diff --git a/security/nss/lib/pk11wrap/pk11sdr.c b/security/nss/lib/pk11wrap/pk11sdr.c
index 28d7f2dae..2360c2b56 100644
--- a/security/nss/lib/pk11wrap/pk11sdr.c
+++ b/security/nss/lib/pk11wrap/pk11sdr.c
@@ -275,7 +275,7 @@ PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx)
/* Decode the incoming data */
memset(&sdrResult, 0, sizeof sdrResult);
- rv = SEC_ASN1DecodeItem(arena, &sdrResult, template, data);
+ rv = SEC_QuickDERDecodeItem(arena, &sdrResult, template, data);
if (rv != SECSuccess) goto loser; /* Invalid format */
/* Find the slot and key for the given keyid */
diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c
index 0e6794f05..8ab56ec5b 100644
--- a/security/nss/lib/softoken/keydb.c
+++ b/security/nss/lib/softoken/keydb.c
@@ -1917,10 +1917,13 @@ seckey_decrypt_private_key(NSSLOWKEYEncryptedPrivateKeyInfo *epki,
if(dest != NULL)
{
+ SECItem newPrivateKey;
+ SECItem newAlgParms;
+
SEC_PRINT("seckey_decrypt_private_key()", "PrivateKeyInfo", -1,
dest);
- rv = SEC_ASN1DecodeItem(temparena, pki,
+ rv = SEC_QuickDERDecodeItem(temparena, pki,
nsslowkey_PrivateKeyInfoTemplate, dest);
if(rv == SECSuccess)
{
@@ -1929,29 +1932,37 @@ seckey_decrypt_private_key(NSSLOWKEYEncryptedPrivateKeyInfo *epki,
case SEC_OID_PKCS1_RSA_ENCRYPTION:
pk->keyType = NSSLOWKEYRSAKey;
prepare_low_rsa_priv_key_for_asn1(pk);
- rv = SEC_ASN1DecodeItem(permarena, pk,
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+ &pki->privateKey) ) break;
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
nsslowkey_RSAPrivateKeyTemplate,
- &pki->privateKey);
+ &newPrivateKey);
break;
case SEC_OID_ANSIX9_DSA_SIGNATURE:
pk->keyType = NSSLOWKEYDSAKey;
prepare_low_dsa_priv_key_for_asn1(pk);
- rv = SEC_ASN1DecodeItem(permarena, pk,
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+ &pki->privateKey) ) break;
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
nsslowkey_DSAPrivateKeyTemplate,
- &pki->privateKey);
+ &newPrivateKey);
if (rv != SECSuccess)
goto loser;
prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
- rv = SEC_ASN1DecodeItem(permarena, &pk->u.dsa.params,
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms,
+ &pki->algorithm.parameters) ) break;
+ rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params,
nsslowkey_PQGParamsTemplate,
- &pki->algorithm.parameters);
+ &newAlgParms);
break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY:
pk->keyType = NSSLOWKEYDHKey;
prepare_low_dh_priv_key_for_asn1(pk);
- rv = SEC_ASN1DecodeItem(permarena, pk,
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+ &pki->privateKey) ) break;
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
nsslowkey_DHPrivateKeyTemplate,
- &pki->privateKey);
+ &newPrivateKey);
break;
#ifdef NSS_ENABLE_ECC
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
@@ -1961,9 +1972,11 @@ seckey_decrypt_private_key(NSSLOWKEYEncryptedPrivateKeyInfo *epki,
fordebug = &pki->privateKey;
SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey",
pk->keyType, fordebug);
- rv = SEC_ASN1DecodeItem(permarena, pk,
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+ &pki->privateKey) ) break;
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
nsslowkey_ECPrivateKeyTemplate,
- &pki->privateKey);
+ &newPrivateKey);
if (rv != SECSuccess)
goto loser;
@@ -2059,7 +2072,7 @@ seckey_decode_encrypted_private_key(NSSLOWKEYDBKey *dbkey, SECItem *pwitem)
goto loser;
}
- rv = SEC_ASN1DecodeItem(temparena, epki,
+ rv = SEC_QuickDERDecodeItem(temparena, epki,
nsslowkey_EncryptedPrivateKeyInfoTemplate,
&(dbkey->derPK));
if(rv != SECSuccess) {
View Lorry Controller Status