From 7f6b966d0061b15a92257e3858f507f629dcc0e1 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Thu, 30 Sep 2010 15:32:14 -0400 Subject: [PATCH 032/150] - NSS won't accept a requested DH prime size > "8" (= 1024 bits) --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index f66e3ee..8ff7e6b 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -461,9 +461,15 @@ client_create_dh(krb5_context context, * eventually be fed into PQG_INDEX_TO_PBITS (see blapit.h) to * determine the number of bits. */ pqg_size = ((dh_size_bits > 512) ? (dh_size_bits - 512) : 0) / 64; + if (pqg_size > 8) { + pqg_size = 8; /* FIXME: this is as high as NSS will accept */ + } + memset(&pqg_params, 0, sizeof(pqg_params)); + memset(&pqg_verify, 0, sizeof(pqg_verify)); if (PK11_PQG_ParamGen(pqg_size, &pqg_params, &pqg_verify) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); + pkiDebug("%s: error generating parameters\n", __FUNCTION__); return ENOMEM; } if ((PK11_PQG_VerifyParams(pqg_params, pqg_verify, @@ -472,6 +478,7 @@ client_create_dh(krb5_context context, PK11_PQG_DestroyParams(pqg_params); PK11_PQG_DestroyVerify(pqg_verify); PORT_FreeArena(pool, PR_TRUE); + pkiDebug("%s: error verifying parameters\n", __FUNCTION__); return ENOMEM; } PK11_PQG_DestroyVerify(pqg_verify); @@ -487,6 +494,7 @@ client_create_dh(krb5_context context, if (slot == NULL) { PK11_PQG_DestroyParams(pqg_params); PORT_FreeArena(pool, PR_TRUE); + pkiDebug("%s: error selecting slot\n", __FUNCTION__); return ENOMEM; } pub = NULL; @@ -504,6 +512,7 @@ client_create_dh(krb5_context context, PK11_FreeSlot(slot); PK11_PQG_DestroyParams(pqg_params); PORT_FreeArena(pool, PR_TRUE); + pkiDebug("%s: error encoding parameters\n", __FUNCTION__); return ENOMEM; } -- 1.7.6.4