authorMoonchild <moonchild@palemoon.org>2020-12-23 19:02:52 +0000
committerMoonchild <moonchild@palemoon.org>2020-12-23 19:02:52 +0000
commit029bcfe189eae5eebbaf58ccff4e1200dd78b228 (patch)
tree1c226a334ea1a88e2d1c6f949c9320eb0c3bff59 /security/nss/lib/cryptohi/secsign.c
parent149d2ffa779826cb48a381099858e76e4624d471 (diff)
Issue #1693 - Update NSS to 3.59.1.1
This updates to MoonchildProductions/NSS@bd49b2b88 in the repo created for our consumption of the library.
Diffstat (limited to 'security/nss/lib/cryptohi/secsign.c')
-rw-r--r--security/nss/lib/cryptohi/secsign.c37
1 files changed, 34 insertions, 3 deletions
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
index 8a8d0f664..c46b2b1e4 100644
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -31,6 +31,7 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
SGNContext *cx;
SECOidTag hashalg, signalg;
KeyType keyType;
+ PRUint32 policyFlags;
SECStatus rv;
/* OK, map a PKCS #7 hash and encrypt algorithm into
@@ -44,7 +45,7 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
rv = sec_DecodeSigAlg(NULL, alg, params, &signalg, &hashalg);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return 0;
+ return NULL;
}
keyType = seckey_GetKeyType(signalg);
@@ -53,7 +54,19 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
!((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
!((key->keyType == rsaKey) && (keyType == rsaPssKey))) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- return 0;
+ return NULL;
+ }
+ /* check the policy on the hash algorithm */
+ if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
+ !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+ return NULL;
+ }
+ /* check the policy on the encryption algorithm */
+ if ((NSS_GetAlgorithmPolicy(signalg, &policyFlags) == SECFailure) ||
+ !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+ return NULL;
}
cx = (SGNContext *)PORT_ZAlloc(sizeof(SGNContext));
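Review bot: The two policy checks added before the `PORT_ZAlloc` call are near-identical copies of each other and of the pair added to SGN_Digest in the later hunk, so four places must stay in sync for the policy to be enforced consistently. A single static helper would keep the fail-closed behaviour (a failed `NSS_GetAlgorithmPolicy` lookup is treated as "disabled") in one place and make a future flag change a single edit. The second comment says "encryption algorithm" although the value checked is `signalg`; "signature algorithm" would match the code. sgn_NewContext starts and ends outside this hunk, and the helper name below is only a suggestion.

```c
/* Suggested helper (name is a placeholder). Fails closed: a policy lookup
 * error is handled the same way as a cleared signature-use bit. */
static SECStatus
sgn_CheckSignaturePolicy(SECOidTag tag)
{
    PRUint32 policyFlags;

    if ((NSS_GetAlgorithmPolicy(tag, &policyFlags) == SECFailure) ||
        !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
        PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
        return SECFailure;
    }
    return SECSuccess;
}

/* … unchanged: sec_DecodeSigAlg call and key type check … */
    /* both the hash and the signature algorithm must be allowed by policy */
    if (sgn_CheckSignaturePolicy(hashalg) != SECSuccess ||
        sgn_CheckSignaturePolicy(signalg) != SECSuccess) {
        return NULL;
    }
```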
@@ -452,9 +465,27 @@ SGN_Digest(SECKEYPrivateKey *privKey,
SECItem digder;
PLArenaPool *arena = 0;
SGNDigestInfo *di = 0;
+ SECOidTag enctag;
+ PRUint32 policyFlags;
result->data = 0;
+ /* check the policy on the hash algorithm */
+ if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
+ !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
+ }
+ /* check the policy on the encryption algorithm */
+ enctag = sec_GetEncAlgFromSigAlg(
+ SEC_GetSignatureAlgorithmOidTag(privKey->keyType, algtag));
+ if ((enctag == SEC_OID_UNKNOWN) ||
+ (NSS_GetAlgorithmPolicy(enctag, &policyFlags) == SECFailure) ||
+ !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
+ }
+
if (privKey->keyType == rsaKey) {
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
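Review bot: The `enctag == SEC_OID_UNKNOWN` case in the second added check is reported as `SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED`, which makes an unsupported key-type/hash combination indistinguishable from a policy rejection in logs and in caller error handling. Presumably `SEC_OID_UNKNOWN` here means the lookup found no matching signature algorithm rather than that policy forbids one; if so, test it on its own before the policy call and report it with `PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);`, the code sgn_NewContext already uses for a bad algorithm. The rejection itself is right to keep either way, only the error code changes. SGN_Digest's body continues outside this hunk.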
@@ -727,7 +758,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena,
}
/* The specified salt length is too long */
- if (saltLength > modBytes - hashLength - 2) {
+ if (saltLength > (unsigned long)(modBytes - hashLength - 2)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
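Review bot: The new `(unsigned long)` cast on `modBytes - hashLength - 2` silences the signed/unsigned comparison but does not make the subtraction safe. If `modBytes` is smaller than `hashLength + 2`, the result becomes a very large unsigned value and the salt-length limit accepts any `saltLength`. The guard that would rule this out is not visible in this hunk (only the closing brace of a preceding block is), so please confirm it exists. If it does, add a comment above the comparison such as `/* modBytes >= hashLength + 2 was checked above, so this cannot wrap */`. If it does not, reject that case explicitly before this comparison with the same `SEC_ERROR_INVALID_ARGS` path.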