Репозитории ALT
S: | 3.93.0-alt1 |
5.1: | 3.12.9.0-alt1.M50P.1 |
4.1: | 3.12.1-alt0.20080628.M41.2 |
4.0: | 3.11.4-alt1 |
Группа :: Система/Библиотеки
Пакет: nss
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: nss-3.12.1-CVE-2009-2409.patch
Скачать
Скачать
Index: mozilla/security/nss/lib/certhigh/certvfy.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/certhigh/certvfy.c,v
retrieving revision 1.68
diff -p -u -r1.68 certvfy.c
--- mozilla/security/nss/lib/certhigh/certvfy.c 6 Mar 2009 01:27:44 -0000 1.68
+++ mozilla/security/nss/lib/certhigh/certvfy.c 10 Mar 2009 22:31:23 -0000
@@ -76,6 +76,7 @@ CERT_VerifySignedDataWithPublicKey(CERTS
{
SECStatus rv;
SECItem sig;
+ SECOidTag hashAlg = SEC_OID_UNKNOWN;
if ( !pubKey || !sd ) {
PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
@@ -88,9 +89,18 @@ CERT_VerifySignedDataWithPublicKey(CERTS
DER_ConvertBitString(&sig);
rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey,
- &sig, &sd->signatureAlgorithm, NULL, wincx);
-
- return rv ? SECFailure : SECSuccess;
+ &sig, &sd->signatureAlgorithm, &hashAlg, wincx);
+ if (rv == SECSuccess) {
+ /* Are we honoring signatures for this algorithm? */
+ PRUint32 policyFlags = 0;
+ rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags);
+ if (rv == SECSuccess &&
+ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ rv = SECFailure;
+ }
+ }
+ return rv;
}
/*
Index: mozilla/security/nss/lib/util/nssutil.def
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/nssutil.def,v
retrieving revision 1.8
diff -p -u -r1.8 nssutil.def
--- mozilla/security/nss/lib/util/nssutil.def 3 Feb 2009 05:34:47 -0000 1.8
+++ mozilla/security/nss/lib/util/nssutil.def 10 Mar 2009 22:31:23 -0000
@@ -234,6 +234,8 @@ NSS_Get_sgn_DigestInfoTemplate_Util;
NSS_Get_SEC_UTF8StringTemplate_Util;
NSS_Get_SECOID_AlgorithmIDTemplate_Util;
NSS_Get_sgn_DigestInfoTemplate_Util;
+NSS_GetAlgorithmPolicy;
+NSS_SetAlgorithmPolicy;
;+ local:
;+ *;
;+};
Index: mozilla/security/nss/lib/util/secoid.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/secoid.c,v
retrieving revision 1.46
diff -p -u -r1.46 secoid.c
--- mozilla/security/nss/lib/util/secoid.c 3 Feb 2009 05:34:47 -0000 1.46
+++ mozilla/security/nss/lib/util/secoid.c 10 Mar 2009 22:31:23 -0000
@@ -39,6 +39,7 @@
#include "pkcs11t.h"
#include "secitem.h"
#include "secerr.h"
+#include "prenv.h"
#include "plhash.h"
#include "nssrwlk.h"
@@ -590,7 +591,7 @@ CONST_OID seed_CBC[] = { SEED_OID, 4
/*
* NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
*/
-const static SECOidData oids[] = {
+const static SECOidData oids[SEC_OID_TOTAL] = {
{ { siDEROID, NULL, 0 }, SEC_OID_UNKNOWN,
"Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
OD( md2, SEC_OID_MD2, "MD2", CKM_MD2, INVALID_CERT_EXTENSION ),
@@ -1587,6 +1588,20 @@ const static SECOidData oids[] = {
};
+/* PRIVATE EXTENDED SECOID Table
+ * This table is private. Its structure is opaque to the outside.
+ * It is indexed by the same SECOidTag as the oids table above.
+ * Every member of this struct must have accessor functions (set, get)
+ * and those functions must operate by value, not by reference.
+ * The addresses of the contents of this table must not be exposed
+ * by the accessor functions.
+ */
+typedef struct privXOidStr {
+ PRUint32 notPolicyFlags; /* ones complement of policy flags */
+} privXOid;
+
+static privXOid xOids[SEC_OID_TOTAL];
+
/*
* now the dynamic table. The dynamic table gets build at init time.
* and conceivably gets modified if the user loads new crypto modules.
@@ -1599,10 +1614,16 @@ const static SECOidData oids[] = {
* uninitialized, it is allocated in BSS, and does NOT increase the
* library size.
*/
+
+typedef struct dynXOidStr {
+ SECOidData data;
+ privXOid priv;
+} dynXOid;
+
static NSSRWLock * dynOidLock;
static PLArenaPool * dynOidPool;
static PLHashTable * dynOidHash;
-static SECOidData ** dynOidTable; /* not in the pool */
+static dynXOid ** dynOidTable; /* not in the pool */
static int dynOidEntriesAllocated;
static int dynOidEntriesUsed;
@@ -1666,10 +1687,10 @@ secoid_FindDynamic(const SECItem *key)
return ret;
}
-static SECOidData *
+static dynXOid *
secoid_FindDynamicByTag(SECOidTag tagnum)
{
- SECOidData *data = NULL;
+ dynXOid *dxo = NULL;
int tagNumDiff;
if (tagnum < SEC_OID_TOTAL) {
@@ -1682,14 +1703,14 @@ secoid_FindDynamicByTag(SECOidTag tagnum
NSSRWLock_LockRead(dynOidLock);
if (dynOidTable != NULL && /* must check it again with lock held. */
tagNumDiff < dynOidEntriesUsed) {
- data = dynOidTable[tagNumDiff];
+ dxo = dynOidTable[tagNumDiff];
}
NSSRWLock_UnlockRead(dynOidLock);
}
- if (data == NULL) {
+ if (dxo == NULL) {
PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
}
- return data;
+ return dxo;
}
/*
@@ -1699,7 +1720,7 @@ SECOidTag
SECOID_AddEntry(const SECOidData * src)
{
SECOidData * dst;
- SECOidData **table;
+ dynXOid **table;
SECOidTag ret = SEC_OID_UNKNOWN;
SECStatus rv;
int tableEntries;
@@ -1746,11 +1767,11 @@ SECOID_AddEntry(const SECOidData * src)
used = dynOidEntriesUsed;
if (used + 1 > tableEntries) {
- SECOidData **newTable;
+ dynXOid ** newTable;
int newTableEntries = tableEntries + 16;
- newTable = (SECOidData **)PORT_Realloc(table,
- newTableEntries * sizeof(SECOidData *));
+ newTable = (dynXOid **)PORT_Realloc(table,
+ newTableEntries * sizeof(dynXOid *));
if (newTable == NULL) {
goto done;
}
@@ -1759,7 +1780,7 @@ SECOID_AddEntry(const SECOidData * src)
}
/* copy oid structure */
- dst = PORT_ArenaNew(dynOidPool, SECOidData);
+ dst = (SECOidData *)PORT_ArenaZNew(dynOidPool, dynXOid);
if (!dst) {
goto done;
}
@@ -1776,8 +1797,8 @@ SECOID_AddEntry(const SECOidData * src)
dst->supportedExtension = src->supportedExtension;
rv = secoid_HashDynamicOiddata(dst);
- if ( rv == SECSuccess ) {
- table[used++] = dst;
+ if (rv == SECSuccess) {
+ table[used++] = (dynXOid *)dst;
dynOidEntriesUsed = used;
ret = dst->offset;
}
@@ -1809,6 +1830,15 @@ SECOID_Init(void)
return SECSuccess; /* already initialized */
}
+ if (!PR_GetEnv("NSS_ALLOW_WEAK_SIGNATURE_ALG")) {
+ /* initialize any policy flags that are disabled by default */
+ xOids[SEC_OID_MD2 ].notPolicyFlags = ~0;
+ xOids[SEC_OID_MD4 ].notPolicyFlags = ~0;
+ xOids[SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
+ xOids[SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
+ xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~0;
+ }
+
if (secoid_InitDynOidData() != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
PORT_Assert(0); /* this function should never fail */
@@ -1826,7 +1856,7 @@ SECOID_Init(void)
return(SECFailure);
}
- for ( i = 0; i < ( sizeof(oids) / sizeof(SECOidData) ); i++ ) {
+ for ( i = 0; i < SEC_OID_TOTAL; i++ ) {
oid = &oids[i];
PORT_Assert ( oid->offset == i );
@@ -1903,12 +1933,11 @@ SECOID_FindOIDTag(const SECItem *oid)
SECOidData *
SECOID_FindOIDByTag(SECOidTag tagnum)
{
-
if (tagnum >= SEC_OID_TOTAL) {
- return secoid_FindDynamicByTag(tagnum);
+ return (SECOidData *)secoid_FindDynamicByTag(tagnum);
}
- PORT_Assert((unsigned int)tagnum < (sizeof(oids) / sizeof(SECOidData)));
+ PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
return (SECOidData *)(&oids[tagnum]);
}
@@ -1931,6 +1960,66 @@ SECOID_FindOIDTagDescription(SECOidTag t
return oidData ? oidData->desc : 0;
}
+/* --------- opaque extended OID table accessor functions ---------------*/
+/*
+ * Any of these functions may return SECSuccess or SECFailure with the error
+ * code set to SEC_ERROR_UNKNOWN_OBJECT_TYPE if the SECOidTag is out of range.
+ */
+
+static privXOid *
+secoid_FindXOidByTag(SECOidTag tagnum)
+{
+ if (tagnum >= SEC_OID_TOTAL) {
+ dynXOid *dxo = secoid_FindDynamicByTag(tagnum);
+ return (dxo ? &dxo->priv : NULL);
+ }
+
+ PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
+ return &xOids[tagnum];
+}
+
+/* The Get function outputs the 32-bit value associated with the SECOidTag.
+ * Flags bits are the NSS_USE_ALG_ #defines in "secoidt.h".
+ * Default value for any algorithm is 0xffffffff (enabled for all purposes).
+ * No value is output if function returns SECFailure.
+ */
+SECStatus
+NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue)
+{
+ privXOid * pxo = secoid_FindXOidByTag(tag);
+ if (!pxo)
+ return SECFailure;
+ if (!pValue) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ *pValue = ~(pxo->notPolicyFlags);
+ return SECSuccess;
+}
+
+/* The Set function modifies the stored value according to the following
+ * algorithm:
+ * policy[tag] = (policy[tag] & ~clearBits) | setBits;
+ */
+SECStatus
+NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits)
+{
+ privXOid * pxo = secoid_FindXOidByTag(tag);
+ PRUint32 policyFlags;
+ if (!pxo)
+ return SECFailure;
+ /* The stored policy flags are the ones complement of the flags as
+ * seen by the user. This is not atomic, but these changes should
+ * be done rarely, e.g. at initialization time.
+ */
+ policyFlags = ~(pxo->notPolicyFlags);
+ policyFlags = (policyFlags & ~clearBits) | setBits;
+ pxo->notPolicyFlags = ~policyFlags;
+ return SECSuccess;
+}
+
+/* --------- END OF opaque extended OID table accessor functions ---------*/
+
/*
* free up the oid tables.
*/
@@ -1988,6 +2077,7 @@ SECOID_Shutdown(void)
dynOidEntriesAllocated = 0;
dynOidEntriesUsed = 0;
}
+ memset(xOids, 0, sizeof xOids);
return SECSuccess;
}
Index: mozilla/security/nss/lib/util/secoid.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/secoid.h,v
retrieving revision 1.11
diff -p -u -r1.11 secoid.h
--- mozilla/security/nss/lib/util/secoid.h 3 Feb 2009 05:34:47 -0000 1.11
+++ mozilla/security/nss/lib/util/secoid.h 10 Mar 2009 22:31:23 -0000
@@ -149,6 +149,27 @@ extern SECStatus SEC_StringToOID(PLArena
extern void UTIL_SetForkState(PRBool forked);
+/*
+ * Accessor functions for new opaque extended SECOID table.
+ * Any of these functions may return SECSuccess or SECFailure with the error
+ * code set to SEC_ERROR_UNKNOWN_OBJECT_TYPE if the SECOidTag is out of range.
+ */
+
+/* The Get function outputs the 32-bit value associated with the SECOidTag.
+ * Flags bits are the NSS_USE_ALG_ #defines in "secoidt.h".
+ * Default value for any algorithm is 0xffffffff (enabled for all purposes).
+ * No value is output if function returns SECFailure.
+ */
+extern SECStatus NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue);
+
+/* The Set function modifies the stored value according to the following
+ * algorithm:
+ * policy[tag] = (policy[tag] & ~clearBits) | setBits;
+ */
+extern SECStatus
+NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits);
+
+
SEC_END_PROTOS
#endif /* _SECOID_H_ */
Index: mozilla/security/nss/lib/util/secoidt.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/secoidt.h,v
retrieving revision 1.28
diff -p -u -r1.28 secoidt.h
--- mozilla/security/nss/lib/util/secoidt.h 17 Dec 2008 06:09:21 -0000 1.28
+++ mozilla/security/nss/lib/util/secoidt.h 10 Mar 2009 22:31:23 -0000
@@ -475,4 +475,18 @@ struct SECOidDataStr {
extensions that we don't even support */
};
+/* New Opaque extended OID table API.
+ * These are algorithm policy Flags, used with functions
+ * NSS_SetAlgorithmPolicy & NSS_GetAlgorithmPolicy.
+ */
+#define NSS_USE_ALG_IN_CERT_SIGNATURE 0x00000001 /* CRLs and OCSP, too */
+#define NSS_USE_ALG_IN_CMS_SIGNATURE 0x00000002 /* used in S/MIME */
+#define NSS_USE_ALG_RESERVED 0xfffffffc /* may be used in future */
+
+/* Code MUST NOT SET or CLEAR reserved bits, and must NOT depend on them
+ * being all zeros or having any other known value. The reserved bits
+ * must be ignored.
+ */
+
+
#endif /* _SECOIDT_H_ */