Репозиторий Sisyphus
Последнее обновление: 1 октября 2023 | Пакетов: 18631 | Посещений: 37046544
en ru br
Репозитории ALT
S:3.93.0-alt1
5.1: 3.12.9.0-alt1.M50P.1
4.1: 3.12.1-alt0.20080628.M41.2
4.0: 3.11.4-alt1
www.altlinux.org/Changes

Группа :: Система/Библиотеки
Пакет: nss

 Главная   Изменения   Спек   Патчи   Sources   Загрузить   Gear   Bugs and FR  Repocop 

Патч: nss-3.12.1-CVE-2009-2409.patch
Скачать


Index: mozilla/security/nss/lib/certhigh/certvfy.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/certhigh/certvfy.c,v
retrieving revision 1.68
diff -p -u -r1.68 certvfy.c
--- mozilla/security/nss/lib/certhigh/certvfy.c	6 Mar 2009 01:27:44 -0000	1.68
+++ mozilla/security/nss/lib/certhigh/certvfy.c	10 Mar 2009 22:31:23 -0000
@@ -76,6 +76,7 @@ CERT_VerifySignedDataWithPublicKey(CERTS
 {
     SECStatus        rv;
     SECItem          sig;
+    SECOidTag        hashAlg = SEC_OID_UNKNOWN;
 
     if ( !pubKey || !sd ) {
 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
@@ -88,9 +89,18 @@ CERT_VerifySignedDataWithPublicKey(CERTS
     DER_ConvertBitString(&sig);
 
     rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey, 
-			&sig, &sd->signatureAlgorithm, NULL, wincx);
-
-    return rv ? SECFailure : SECSuccess;
+			&sig, &sd->signatureAlgorithm, &hashAlg, wincx);
+    if (rv == SECSuccess) {
+        /* Are we honoring signatures for this algorithm?  */
+	PRUint32 policyFlags = 0;
+	rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags);
+	if (rv == SECSuccess && 
+	    !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    rv = SECFailure;
+	}
+    }
+    return rv;
 }
 
 /*
Index: mozilla/security/nss/lib/util/nssutil.def
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/nssutil.def,v
retrieving revision 1.8
diff -p -u -r1.8 nssutil.def
--- mozilla/security/nss/lib/util/nssutil.def	3 Feb 2009 05:34:47 -0000	1.8
+++ mozilla/security/nss/lib/util/nssutil.def	10 Mar 2009 22:31:23 -0000
@@ -234,6 +234,8 @@ NSS_Get_sgn_DigestInfoTemplate_Util;
 NSS_Get_SEC_UTF8StringTemplate_Util;
 NSS_Get_SECOID_AlgorithmIDTemplate_Util;
 NSS_Get_sgn_DigestInfoTemplate_Util;
+NSS_GetAlgorithmPolicy;
+NSS_SetAlgorithmPolicy;
 ;+    local:
 ;+       *;
 ;+};
Index: mozilla/security/nss/lib/util/secoid.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/secoid.c,v
retrieving revision 1.46
diff -p -u -r1.46 secoid.c
--- mozilla/security/nss/lib/util/secoid.c	3 Feb 2009 05:34:47 -0000	1.46
+++ mozilla/security/nss/lib/util/secoid.c	10 Mar 2009 22:31:23 -0000
@@ -39,6 +39,7 @@
 #include "pkcs11t.h"
 #include "secitem.h"
 #include "secerr.h"
+#include "prenv.h"
 #include "plhash.h"
 #include "nssrwlk.h"
 
@@ -590,7 +591,7 @@ CONST_OID seed_CBC[]				= { SEED_OID, 4 
 /*
  * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
  */
-const static SECOidData oids[] = {
+const static SECOidData oids[SEC_OID_TOTAL] = {
     { { siDEROID, NULL, 0 }, SEC_OID_UNKNOWN,
 	"Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
     OD( md2, SEC_OID_MD2, "MD2", CKM_MD2, INVALID_CERT_EXTENSION ),
@@ -1587,6 +1588,20 @@ const static SECOidData oids[] = {
 
 };
 
+/* PRIVATE EXTENDED SECOID Table
+ * This table is private. Its structure is opaque to the outside.
+ * It is indexed by the same SECOidTag as the oids table above.
+ * Every member of this struct must have accessor functions (set, get)
+ * and those functions must operate by value, not by reference.
+ * The addresses of the contents of this table must not be exposed 
+ * by the accessor functions.
+ */
+typedef struct privXOidStr {
+    PRUint32	notPolicyFlags; /* ones complement of policy flags */
+} privXOid;
+
+static privXOid xOids[SEC_OID_TOTAL];
+
 /*
  * now the dynamic table. The dynamic table gets build at init time.
  * and conceivably gets modified if the user loads new crypto modules.
@@ -1599,10 +1614,16 @@ const static SECOidData oids[] = {
  * uninitialized, it is allocated in BSS, and does NOT increase the 
  * library size. 
  */
+
+typedef struct dynXOidStr {
+    SECOidData  data;
+    privXOid    priv;
+} dynXOid;
+
 static NSSRWLock   * dynOidLock;
 static PLArenaPool * dynOidPool;
 static PLHashTable * dynOidHash;
-static SECOidData ** dynOidTable;	/* not in the pool */
+static dynXOid    ** dynOidTable;	/* not in the pool */
 static int           dynOidEntriesAllocated;
 static int           dynOidEntriesUsed;
 
@@ -1666,10 +1687,10 @@ secoid_FindDynamic(const SECItem *key) 
     return ret;
 }
 
-static SECOidData *
+static dynXOid *
 secoid_FindDynamicByTag(SECOidTag tagnum)
 {
-    SECOidData *data = NULL;
+    dynXOid *dxo = NULL;
     int tagNumDiff;
 
     if (tagnum < SEC_OID_TOTAL) {
@@ -1682,14 +1703,14 @@ secoid_FindDynamicByTag(SECOidTag tagnum
 	NSSRWLock_LockRead(dynOidLock);
 	if (dynOidTable != NULL && /* must check it again with lock held. */
 	    tagNumDiff < dynOidEntriesUsed) {
-	    data = dynOidTable[tagNumDiff];
+	    dxo = dynOidTable[tagNumDiff];
 	}
 	NSSRWLock_UnlockRead(dynOidLock);
     }
-    if (data == NULL) {
+    if (dxo == NULL) {
 	PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
     }
-    return data;
+    return dxo;
 }
 
 /*
@@ -1699,7 +1720,7 @@ SECOidTag
 SECOID_AddEntry(const SECOidData * src)
 {
     SECOidData * dst;
-    SECOidData **table;
+    dynXOid    **table;
     SECOidTag    ret         = SEC_OID_UNKNOWN;
     SECStatus    rv;
     int          tableEntries;
@@ -1746,11 +1767,11 @@ SECOID_AddEntry(const SECOidData * src)
     used         = dynOidEntriesUsed;
 
     if (used + 1 > tableEntries) {
-	SECOidData **newTable;
+	dynXOid   ** newTable;
 	int          newTableEntries = tableEntries + 16;
 
-	newTable = (SECOidData **)PORT_Realloc(table, 
-				       newTableEntries * sizeof(SECOidData *));
+	newTable = (dynXOid **)PORT_Realloc(table, 
+				       newTableEntries * sizeof(dynXOid *));
 	if (newTable == NULL) {
 	    goto done;
 	}
@@ -1759,7 +1780,7 @@ SECOID_AddEntry(const SECOidData * src)
     }
 
     /* copy oid structure */
-    dst = PORT_ArenaNew(dynOidPool, SECOidData);
+    dst = (SECOidData *)PORT_ArenaZNew(dynOidPool, dynXOid);
     if (!dst) {
     	goto done;
     }
@@ -1776,8 +1797,8 @@ SECOID_AddEntry(const SECOidData * src)
     dst->supportedExtension = src->supportedExtension;
 
     rv = secoid_HashDynamicOiddata(dst);
-    if ( rv == SECSuccess ) {
-	table[used++] = dst;
+    if (rv == SECSuccess) {
+	table[used++] = (dynXOid *)dst;
 	dynOidEntriesUsed = used;
 	ret = dst->offset;
     }
@@ -1809,6 +1830,15 @@ SECOID_Init(void)
 	return SECSuccess; /* already initialized */
     }
 
+    if (!PR_GetEnv("NSS_ALLOW_WEAK_SIGNATURE_ALG")) {
+	/* initialize any policy flags that are disabled by default */
+	xOids[SEC_OID_MD2                           ].notPolicyFlags = ~0;
+	xOids[SEC_OID_MD4                           ].notPolicyFlags = ~0;
+	xOids[SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
+	xOids[SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
+	xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~0;
+    }
+
     if (secoid_InitDynOidData() != SECSuccess) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         PORT_Assert(0); /* this function should never fail */
@@ -1826,7 +1856,7 @@ SECOID_Init(void)
 	return(SECFailure);
     }
 
-    for ( i = 0; i < ( sizeof(oids) / sizeof(SECOidData) ); i++ ) {
+    for ( i = 0; i < SEC_OID_TOTAL; i++ ) {
 	oid = &oids[i];
 
 	PORT_Assert ( oid->offset == i );
@@ -1903,12 +1933,11 @@ SECOID_FindOIDTag(const SECItem *oid)
 SECOidData *
 SECOID_FindOIDByTag(SECOidTag tagnum)
 {
-
     if (tagnum >= SEC_OID_TOTAL) {
-	return secoid_FindDynamicByTag(tagnum);
+	return (SECOidData *)secoid_FindDynamicByTag(tagnum);
     }
 
-    PORT_Assert((unsigned int)tagnum < (sizeof(oids) / sizeof(SECOidData)));
+    PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
     return (SECOidData *)(&oids[tagnum]);
 }
 
@@ -1931,6 +1960,66 @@ SECOID_FindOIDTagDescription(SECOidTag t
   return oidData ? oidData->desc : 0;
 }
 
+/* --------- opaque extended OID table accessor functions ---------------*/
+/*
+ * Any of these functions may return SECSuccess or SECFailure with the error 
+ * code set to SEC_ERROR_UNKNOWN_OBJECT_TYPE if the SECOidTag is out of range.
+ */
+
+static privXOid *
+secoid_FindXOidByTag(SECOidTag tagnum)
+{
+    if (tagnum >= SEC_OID_TOTAL) {
+	dynXOid *dxo = secoid_FindDynamicByTag(tagnum);
+	return (dxo ? &dxo->priv : NULL);
+    }
+
+    PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
+    return &xOids[tagnum];
+}
+
+/* The Get function outputs the 32-bit value associated with the SECOidTag.
+ * Flags bits are the NSS_USE_ALG_ #defines in "secoidt.h".
+ * Default value for any algorithm is 0xffffffff (enabled for all purposes).
+ * No value is output if function returns SECFailure.
+ */
+SECStatus 
+NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue)
+{
+    privXOid * pxo = secoid_FindXOidByTag(tag);
+    if (!pxo)
+    	return SECFailure;
+    if (!pValue) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    *pValue = ~(pxo->notPolicyFlags);
+    return SECSuccess;
+}
+
+/* The Set function modifies the stored value according to the following
+ * algorithm:
+ *   policy[tag] = (policy[tag] & ~clearBits) | setBits;
+ */
+SECStatus
+NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits)
+{
+    privXOid * pxo = secoid_FindXOidByTag(tag);
+    PRUint32   policyFlags;
+    if (!pxo)
+    	return SECFailure;
+    /* The stored policy flags are the ones complement of the flags as 
+     * seen by the user.  This is not atomic, but these changes should 
+     * be done rarely, e.g. at initialization time. 
+     */
+    policyFlags = ~(pxo->notPolicyFlags);
+    policyFlags = (policyFlags & ~clearBits) | setBits;
+    pxo->notPolicyFlags = ~policyFlags;
+    return SECSuccess;
+}
+
+/* --------- END OF opaque extended OID table accessor functions ---------*/
+
 /*
  * free up the oid tables.
  */
@@ -1988,6 +2077,7 @@ SECOID_Shutdown(void)
 	dynOidEntriesAllocated = 0;
 	dynOidEntriesUsed = 0;
     }
+    memset(xOids, 0, sizeof xOids);
     return SECSuccess;
 }
 
Index: mozilla/security/nss/lib/util/secoid.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/secoid.h,v
retrieving revision 1.11
diff -p -u -r1.11 secoid.h
--- mozilla/security/nss/lib/util/secoid.h	3 Feb 2009 05:34:47 -0000	1.11
+++ mozilla/security/nss/lib/util/secoid.h	10 Mar 2009 22:31:23 -0000
@@ -149,6 +149,27 @@ extern SECStatus SEC_StringToOID(PLArena
 
 extern void UTIL_SetForkState(PRBool forked);
 
+/*
+ * Accessor functions for new opaque extended SECOID table.
+ * Any of these functions may return SECSuccess or SECFailure with the error 
+ * code set to SEC_ERROR_UNKNOWN_OBJECT_TYPE if the SECOidTag is out of range.
+ */
+
+/* The Get function outputs the 32-bit value associated with the SECOidTag.
+ * Flags bits are the NSS_USE_ALG_ #defines in "secoidt.h".
+ * Default value for any algorithm is 0xffffffff (enabled for all purposes).
+ * No value is output if function returns SECFailure.
+ */
+extern SECStatus NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue);
+
+/* The Set function modifies the stored value according to the following
+ * algorithm:
+ *   policy[tag] = (policy[tag] & ~clearBits) | setBits;
+ */
+extern SECStatus
+NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits);
+
+
 SEC_END_PROTOS
 
 #endif /* _SECOID_H_ */
Index: mozilla/security/nss/lib/util/secoidt.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/secoidt.h,v
retrieving revision 1.28
diff -p -u -r1.28 secoidt.h
--- mozilla/security/nss/lib/util/secoidt.h	17 Dec 2008 06:09:21 -0000	1.28
+++ mozilla/security/nss/lib/util/secoidt.h	10 Mar 2009 22:31:23 -0000
@@ -475,4 +475,18 @@ struct SECOidDataStr {
 				   extensions that we don't even support */
 };
 
+/* New Opaque extended OID table API.  
+ * These are algorithm policy Flags, used with functions
+ * NSS_SetAlgorithmPolicy & NSS_GetAlgorithmPolicy.
+ */
+#define NSS_USE_ALG_IN_CERT_SIGNATURE  0x00000001  /* CRLs and OCSP, too */
+#define NSS_USE_ALG_IN_CMS_SIGNATURE   0x00000002  /* used in S/MIME */
+#define NSS_USE_ALG_RESERVED           0xfffffffc  /* may be used in future */
+
+/* Code MUST NOT SET or CLEAR reserved bits, and must NOT depend on them
+ * being all zeros or having any other known value.  The reserved bits
+ * must be ignored.
+ */
+
+
 #endif /* _SECOIDT_H_ */
 
дизайн и разработка: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
текущий майнтейнер: Michael Shigorin