From b62b0471bb55b5a8e79252e54d419a57d15b7866 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Mon, 4 Oct 2010 17:53:47 -0400 Subject: [PATCH 040/150] - try to check the encapsulated type when verifying signed-data or decrypting enveloped-data --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 42 ++++++++++++++++++++++- 1 files changed, 40 insertions(+), 2 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 750fe2b..d76b61e 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -1978,7 +1978,8 @@ pkinit_process_td_dh_params(krb5_context context, &item) != SECSuccess) { continue; } - /* Count the size of the prime. */ + /* Count the size of the prime by finding the first non-zero + * byte and working out the size of the integer. */ size = 0; for (j = 0; j < params.p.len; j++) { c = params.p.data[j]; @@ -2752,6 +2753,7 @@ cms_envelopeddata_verify(krb5_context context, CERTCertDBHandle *certdb; PLArenaPool *pool; SECItem *plain, encoded; + SECOidTag expected_tag, encapsulated_tag; pool = PORT_NewArena(sizeof(double)); if (pool == NULL) { @@ -2796,6 +2798,14 @@ cms_envelopeddata_verify(krb5_context context, PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } + expected_tag = get_pkinit_data_rkey_data_tag(); + encapsulated_tag = NSS_CMSContentInfo_GetContentTypeTag(info); + if (encapsulated_tag != expected_tag) { + NSS_CMSMessage_Destroy(msg); + PORT_FreeArena(pool, PR_TRUE); + return ENOMEM; /* FIXME */ + } + plain = NSS_CMSContentInfo_GetContent(info); /* Export the payload. */ @@ -2988,10 +2998,33 @@ cms_signeddata_verify(krb5_context context, CERTCertDBHandle *certdb; CERTCertificate *cert; SECCertUsage usage; + SECOidTag expected_tag, encapsulated_tag; SECStatus status; PLArenaPool *pool; SECItem *plain, encoded; + switch (cms_msg_type) { + case CMS_SIGN_DRAFT9: + usage = certUsageSSLClient; + expected_tag = get_pkinit_data_auth_data_tag(); + break; + case CMS_SIGN_CLIENT: + usage = certUsageSSLClient; + expected_tag = get_pkinit_data_auth_data_tag(); + break; + case CMS_SIGN_SERVER: + usage = certUsageSSLServer; + expected_tag = get_pkinit_data_dhkey_data_tag(); + break; + case CMS_ENVEL_SERVER: + usage = certUsageSSLServer; + expected_tag = get_pkinit_data_rkey_data_tag(); + break; + default: + return ENOSYS; + break; + } + pool = PORT_NewArena(sizeof(double)); if (pool == NULL) { return ENOMEM; @@ -3038,7 +3071,6 @@ cms_signeddata_verify(krb5_context context, return ENOMEM; } /* Verify the signer's certificate. */ - usage = certUsageSSLServer; /* FIXME */ status = NSS_CMSSignedData_VerifySignerInfo(sdata, 0, certdb, usage); if (status != SECSuccess) { @@ -3053,6 +3085,12 @@ cms_signeddata_verify(krb5_context context, PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } + encapsulated_tag = NSS_CMSContentInfo_GetContentTypeTag(info); + if (encapsulated_tag != expected_tag) { + NSS_CMSMessage_Destroy(msg); + PORT_FreeArena(pool, PR_TRUE); + return ENOMEM; /* FIXME */ + } plain = NSS_CMSContentInfo_GetContent(info); /* Save the peer cert -- we'll need it later. */ if (req_cryptoctx->peer_cert != NULL) { -- 1.7.6.4