|
 |
892aaa |
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
|
|
|
892aaa |
--- a/lib/cryptohi/secvfy.c
|
|
|
892aaa |
+++ b/lib/cryptohi/secvfy.c
|
|
|
892aaa |
@@ -164,6 +164,37 @@
|
|
|
892aaa |
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
|
|
|
892aaa |
}
|
|
|
892aaa |
|
|
|
892aaa |
+static unsigned int
|
|
|
892aaa |
+checkedSignatureLen(const SECKEYPublicKey *pubk)
|
|
|
892aaa |
+{
|
|
|
892aaa |
+ unsigned int sigLen = SECKEY_SignatureLen(pubk);
|
|
|
892aaa |
+ if (sigLen == 0) {
|
|
|
892aaa |
+ /* Error set by SECKEY_SignatureLen */
|
|
|
892aaa |
+ return sigLen;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ unsigned int maxSigLen;
|
|
|
892aaa |
+ switch (pubk->keyType) {
|
|
|
892aaa |
+ case rsaKey:
|
|
|
892aaa |
+ case rsaPssKey:
|
|
|
892aaa |
+ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
|
|
|
892aaa |
+ break;
|
|
|
892aaa |
+ case dsaKey:
|
|
|
892aaa |
+ maxSigLen = DSA_MAX_SIGNATURE_LEN;
|
|
|
892aaa |
+ break;
|
|
|
892aaa |
+ case ecKey:
|
|
|
892aaa |
+ maxSigLen = 2 * MAX_ECKEY_LEN;
|
|
|
892aaa |
+ break;
|
|
|
892aaa |
+ default:
|
|
|
892aaa |
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
|
|
|
892aaa |
+ return 0;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ if (sigLen > maxSigLen) {
|
|
|
892aaa |
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
|
|
892aaa |
+ return 0;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ return sigLen;
|
|
|
892aaa |
+}
|
|
|
892aaa |
+
|
|
|
892aaa |
/*
|
|
|
892aaa |
* decode the ECDSA or DSA signature from it's DER wrapping.
|
|
|
892aaa |
* The unwrapped/raw signature is placed in the buffer pointed
|
|
|
892aaa |
@@ -174,38 +205,38 @@
|
|
|
892aaa |
unsigned int len)
|
|
|
892aaa |
{
|
|
|
892aaa |
SECItem *dsasig = NULL; /* also used for ECDSA */
|
|
|
892aaa |
- SECStatus rv = SECSuccess;
|
|
|
892aaa |
|
|
|
892aaa |
- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
|
|
|
892aaa |
- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
|
|
|
892aaa |
- if (sig->len != len) {
|
|
|
892aaa |
- PORT_SetError(SEC_ERROR_BAD_DER);
|
|
|
892aaa |
- return SECFailure;
|
|
|
892aaa |
+ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
|
|
|
892aaa |
+ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
|
|
|
892aaa |
+ if (len > DSA_MAX_SIGNATURE_LEN) {
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
}
|
|
|
892aaa |
-
|
|
|
892aaa |
- PORT_Memcpy(dsig, sig->data, sig->len);
|
|
|
892aaa |
- return SECSuccess;
|
|
|
892aaa |
+ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
|
|
|
892aaa |
+ if (len > MAX_ECKEY_LEN * 2) {
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ } else {
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
}
|
|
|
892aaa |
|
|
|
892aaa |
- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
|
|
|
892aaa |
- if (len > MAX_ECKEY_LEN * 2) {
|
|
|
892aaa |
- PORT_SetError(SEC_ERROR_BAD_DER);
|
|
|
892aaa |
- return SECFailure;
|
|
|
892aaa |
- }
|
|
|
892aaa |
+ /* Decode and pad to length */
|
|
|
892aaa |
+ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
|
|
|
892aaa |
+ if (dsasig == NULL) {
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
}
|
|
|
892aaa |
- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
|
|
|
892aaa |
-
|
|
|
892aaa |
- if ((dsasig == NULL) || (dsasig->len != len)) {
|
|
|
892aaa |
- rv = SECFailure;
|
|
|
892aaa |
- } else {
|
|
|
892aaa |
- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
|
|
|
892aaa |
+ if (dsasig->len != len) {
|
|
|
892aaa |
+ SECITEM_FreeItem(dsasig, PR_TRUE);
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
}
|
|
|
892aaa |
|
|
|
892aaa |
- if (dsasig != NULL)
|
|
|
892aaa |
- SECITEM_FreeItem(dsasig, PR_TRUE);
|
|
|
892aaa |
- if (rv == SECFailure)
|
|
|
892aaa |
- PORT_SetError(SEC_ERROR_BAD_DER);
|
|
|
892aaa |
- return rv;
|
|
|
892aaa |
+ PORT_Memcpy(dsig, dsasig->data, len);
|
|
|
892aaa |
+ SECITEM_FreeItem(dsasig, PR_TRUE);
|
|
|
892aaa |
+
|
|
|
892aaa |
+ return SECSuccess;
|
|
|
892aaa |
+
|
|
|
892aaa |
+loser:
|
|
|
892aaa |
+ PORT_SetError(SEC_ERROR_BAD_DER);
|
|
|
892aaa |
+ return SECFailure;
|
|
|
892aaa |
}
|
|
|
892aaa |
|
|
|
892aaa |
const SEC_ASN1Template hashParameterTemplate[] =
|
|
|
892aaa |
@@ -281,7 +312,7 @@
|
|
|
892aaa |
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
|
|
|
892aaa |
const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
|
|
|
892aaa |
{
|
|
|
892aaa |
- int len;
|
|
|
892aaa |
+ unsigned int len;
|
|
|
892aaa |
PLArenaPool *arena;
|
|
|
892aaa |
SECStatus rv;
|
|
|
892aaa |
SECItem oid;
|
|
|
892aaa |
@@ -466,48 +497,52 @@
|
|
|
892aaa |
cx->pkcs1RSADigestInfo = NULL;
|
|
|
892aaa |
rv = SECSuccess;
|
|
|
892aaa |
if (sig) {
|
|
|
892aaa |
- switch (type) {
|
|
|
892aaa |
- case rsaKey:
|
|
|
892aaa |
- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
|
|
|
892aaa |
- &cx->pkcs1RSADigestInfo,
|
|
|
892aaa |
- &cx->pkcs1RSADigestInfoLen,
|
|
|
892aaa |
- cx->key,
|
|
|
892aaa |
- sig, wincx);
|
|
|
892aaa |
- break;
|
|
|
892aaa |
- case rsaPssKey:
|
|
|
892aaa |
- sigLen = SECKEY_SignatureLen(key);
|
|
|
892aaa |
- if (sigLen == 0) {
|
|
|
892aaa |
- /* error set by SECKEY_SignatureLen */
|
|
|
892aaa |
- rv = SECFailure;
|
|
|
892aaa |
+ rv = SECFailure;
|
|
|
892aaa |
+ if (type == rsaKey) {
|
|
|
892aaa |
+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
|
|
|
892aaa |
+ &cx->pkcs1RSADigestInfo,
|
|
|
892aaa |
+ &cx->pkcs1RSADigestInfoLen,
|
|
|
892aaa |
+ cx->key,
|
|
|
892aaa |
+ sig, wincx);
|
|
|
892aaa |
+ } else {
|
|
|
892aaa |
+ sigLen = checkedSignatureLen(key);
|
|
|
892aaa |
+ /* Check signature length is within limits */
|
|
|
892aaa |
+ if (sigLen == 0) {
|
|
|
892aaa |
+ /* error set by checkedSignatureLen */
|
|
|
892aaa |
+ rv = SECFailure;
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ if (sigLen > sizeof(cx->u)) {
|
|
|
892aaa |
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
|
892aaa |
+ rv = SECFailure;
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ switch (type) {
|
|
|
892aaa |
+ case rsaPssKey:
|
|
|
892aaa |
+ if (sig->len != sigLen) {
|
|
|
892aaa |
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
|
892aaa |
+ rv = SECFailure;
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
|
|
|
892aaa |
+ rv = SECSuccess;
|
|
|
892aaa |
break;
|
|
|
892aaa |
- }
|
|
|
892aaa |
- if (sig->len != sigLen) {
|
|
|
892aaa |
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
|
892aaa |
+ case ecKey:
|
|
|
892aaa |
+ case dsaKey:
|
|
|
892aaa |
+ /* decodeECorDSASignature will check sigLen == sig->len after padding */
|
|
|
892aaa |
+ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
|
|
|
892aaa |
+ break;
|
|
|
892aaa |
+ default:
|
|
|
892aaa |
+ /* Unreachable */
|
|
|
892aaa |
rv = SECFailure;
|
|
|
892aaa |
- break;
|
|
|
892aaa |
- }
|
|
|
892aaa |
- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
|
|
|
892aaa |
- break;
|
|
|
892aaa |
- case dsaKey:
|
|
|
892aaa |
- case ecKey:
|
|
|
892aaa |
- sigLen = SECKEY_SignatureLen(key);
|
|
|
892aaa |
- if (sigLen == 0) {
|
|
|
892aaa |
- /* error set by SECKEY_SignatureLen */
|
|
|
892aaa |
- rv = SECFailure;
|
|
|
892aaa |
- break;
|
|
|
892aaa |
- }
|
|
|
892aaa |
- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
|
|
|
892aaa |
- break;
|
|
|
892aaa |
- default:
|
|
|
892aaa |
- rv = SECFailure;
|
|
|
892aaa |
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
|
|
|
892aaa |
- break;
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ if (rv != SECSuccess) {
|
|
|
892aaa |
+ goto loser;
|
|
|
892aaa |
}
|
|
|
892aaa |
}
|
|
|
892aaa |
|
|
|
892aaa |
- if (rv)
|
|
|
892aaa |
- goto loser;
|
|
|
892aaa |
-
|
|
|
892aaa |
/* check hash alg again, RSA may have changed it.*/
|
|
|
892aaa |
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
|
|
|
892aaa |
/* error set by HASH_GetHashTypeByOidTag */
|
|
|
892aaa |
@@ -650,11 +685,16 @@
|
|
|
892aaa |
switch (cx->key->keyType) {
|
|
|
892aaa |
case ecKey:
|
|
|
892aaa |
case dsaKey:
|
|
|
892aaa |
- dsasig.data = cx->u.buffer;
|
|
|
892aaa |
- dsasig.len = SECKEY_SignatureLen(cx->key);
|
|
|
892aaa |
+ dsasig.len = checkedSignatureLen(cx->key);
|
|
|
892aaa |
if (dsasig.len == 0) {
|
|
|
892aaa |
return SECFailure;
|
|
|
892aaa |
}
|
|
|
892aaa |
+ if (dsasig.len > sizeof(cx->u)) {
|
|
|
892aaa |
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
|
892aaa |
+ return SECFailure;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ dsasig.data = cx->u.buffer;
|
|
|
892aaa |
+
|
|
|
892aaa |
if (sig) {
|
|
|
892aaa |
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
|
|
|
892aaa |
dsasig.len);
|
|
|
892aaa |
@@ -686,8 +726,13 @@
|
|
|
892aaa |
}
|
|
|
892aaa |
|
|
|
892aaa |
rsasig.data = cx->u.buffer;
|
|
|
892aaa |
- rsasig.len = SECKEY_SignatureLen(cx->key);
|
|
|
892aaa |
+ rsasig.len = checkedSignatureLen(cx->key);
|
|
|
892aaa |
if (rsasig.len == 0) {
|
|
|
892aaa |
+ /* Error set by checkedSignatureLen */
|
|
|
892aaa |
+ return SECFailure;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ if (rsasig.len > sizeof(cx->u)) {
|
|
|
892aaa |
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
|
892aaa |
return SECFailure;
|
|
|
892aaa |
}
|
|
|
892aaa |
if (sig) {
|
|
|
892aaa |
@@ -749,7 +794,6 @@
|
|
|
892aaa |
SECStatus rv;
|
|
|
892aaa |
VFYContext *cx;
|
|
|
892aaa |
SECItem dsasig; /* also used for ECDSA */
|
|
|
892aaa |
-
|
|
|
892aaa |
rv = SECFailure;
|
|
|
892aaa |
|
|
|
892aaa |
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
|
|
|
892aaa |
@@ -757,19 +801,25 @@
|
|
|
892aaa |
switch (key->keyType) {
|
|
|
892aaa |
case rsaKey:
|
|
|
892aaa |
rv = verifyPKCS1DigestInfo(cx, digest);
|
|
|
892aaa |
+ /* Error (if any) set by verifyPKCS1DigestInfo */
|
|
|
892aaa |
break;
|
|
|
892aaa |
- case dsaKey:
|
|
|
892aaa |
case ecKey:
|
|
|
892aaa |
+ case dsaKey:
|
|
|
892aaa |
dsasig.data = cx->u.buffer;
|
|
|
892aaa |
- dsasig.len = SECKEY_SignatureLen(cx->key);
|
|
|
892aaa |
+ dsasig.len = checkedSignatureLen(cx->key);
|
|
|
892aaa |
if (dsasig.len == 0) {
|
|
|
892aaa |
+ /* Error set by checkedSignatureLen */
|
|
|
892aaa |
+ rv = SECFailure;
|
|
|
892aaa |
break;
|
|
|
892aaa |
}
|
|
|
892aaa |
- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
|
|
|
892aaa |
- SECSuccess) {
|
|
|
892aaa |
+ if (dsasig.len > sizeof(cx->u)) {
|
|
|
892aaa |
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
|
892aaa |
- } else {
|
|
|
892aaa |
- rv = SECSuccess;
|
|
|
892aaa |
+ rv = SECFailure;
|
|
|
892aaa |
+ break;
|
|
|
892aaa |
+ }
|
|
|
892aaa |
+ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
|
|
|
892aaa |
+ if (rv != SECSuccess) {
|
|
|
892aaa |
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
|
892aaa |
}
|
|
|
892aaa |
break;
|
|
|
892aaa |
default:
|
|
|
892aaa |
|