From 849b7142aa30344569eede4f442a9d202822b466 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Wed, 1 Jun 2011 10:40:17 -0400 Subject: [PATCH 118/150] - use "get" wrappers when we use templates provided by NSS --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 33 +++++++++++++++-------- 1 files changed, 21 insertions(+), 12 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 855f80e..332ed9f 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -978,7 +978,7 @@ secitem_to_dh_pubval(SECItem *item, unsigned char **out, unsigned int *len) memset(&uinteger, 0, sizeof(uinteger)); if (SEC_ASN1EncodeItem(pool, &uinteger, uval, - SEC_IntegerTemplate) != &uinteger) { + SEC_ASN1_GET(SEC_IntegerTemplate)) != &uinteger) { PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } @@ -1001,12 +1001,14 @@ secitem_from_dh_pubval(PLArenaPool *pool, tmp.len = dh_pubkey_len; memset(&uinteger, 0, sizeof(uinteger)); if (SEC_ASN1DecodeItem(pool, &uinteger, - SEC_BitStringTemplate, &tmp) != SECSuccess) { + SEC_ASN1_GET(SEC_BitStringTemplate), + &tmp) != SECSuccess) { return ENOMEM; } memset(bits, 0, sizeof(*bits)); if (SEC_ASN1DecodeItem(pool, bits, - SEC_IntegerTemplate, &uinteger) != SECSuccess) { + SEC_ASN1_GET(SEC_IntegerTemplate), + &uinteger) != SECSuccess) { return ENOMEM; } return 0; @@ -1650,7 +1652,8 @@ server_process_dh(krb5_context context, * public value. */ pub2 = *pub; if (SEC_ASN1DecodeItem(pool, &pub2.u.dh.publicValue, - SEC_IntegerTemplate, &pubval) != SECSuccess) { + SEC_ASN1_GET(SEC_IntegerTemplate), + &pubval) != SECSuccess) { SECKEY_DestroyPrivateKey(priv); SECKEY_DestroyPublicKey(pub); PK11_FreeSlot(slot); @@ -3037,7 +3040,8 @@ cert_get_eku_bits(krb5_context context, CERTCertificate *cert, PRBool kdc) /* Decode the list of OIDs. */ pool = PORT_NewArena(sizeof(double)); oids = NULL; - if (SEC_ASN1DecodeItem(pool, &oids, SEC_SequenceOfObjectIDTemplate, + if (SEC_ASN1DecodeItem(pool, &oids, + SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate), ext) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); return 0; @@ -3082,9 +3086,9 @@ crypto_cert_get_matching_data(krb5_context context, } md->ch = cert_handle; md->subject_dn = strdup(cert_handle->cert->subjectName); - /* FIXME: these are not RFC2253 */ + /* FIXME: string representation varies from OpenSSL's */ md->issuer_dn = strdup(cert_handle->cert->issuerName); - /* FIXME: these are not RFC2253 */ + /* FIXME: string representation varies from OpenSSL's */ md->ku_bits = cert_get_ku_bits(context, cert_handle->cert); md->eku_bits = cert_get_eku_bits(context, cert_handle->cert, PR_FALSE); if (cert_retrieve_cert_sans(context, cert_handle->cert, @@ -3421,8 +3425,9 @@ pkinit_process_td_dh_params(krb5_context context, struct domain_parameters params; SECItem item; int i, size; - /* Initial guess is a hard-coded lower bound. */ - *new_dh_size = 512; + /* Set an initial reasonable guess if we got no hints that we could + * parse. */ + *new_dh_size = 2048; for (i = 0; (algId != NULL) && (algId[i] != NULL); i++) { /* Decode the domain parameters. */ item.len = algId[i]->parameters.length; @@ -3436,7 +3441,9 @@ pkinit_process_td_dh_params(krb5_context context, /* Count the size of the prime by finding the first non-zero * byte and working out the size of the integer. */ size = get_integer_bits(¶ms.p); - if (size > *new_dh_size) { + /* If this is the first parameter set, or the current parameter + * size is lower than our previous guess, use it. */ + if ((i == 0) || (size < *new_dh_size)) { *new_dh_size = size; } } @@ -3878,7 +3885,8 @@ cert_add_upn(PLArenaPool *pool, krb5_context context, /* Decode the string. */ memset(&decoded, 0, sizeof(decoded)); - if (SEC_ASN1DecodeItem(pool, &decoded, SEC_UTF8StringTemplate, + if (SEC_ASN1DecodeItem(pool, &decoded, + SEC_ASN1_GET(SEC_UTF8StringTemplate), name) != SECSuccess) { return ENOMEM; } @@ -3985,7 +3993,8 @@ cert_retrieve_cert_sans(krb5_context context, return ENOMEM; } encoded_names = NULL; - if (SEC_ASN1DecodeItem(pool, &encoded_names, SEC_SequenceOfAnyTemplate, + if (SEC_ASN1DecodeItem(pool, &encoded_names, + SEC_ASN1_GET(SEC_SequenceOfAnyTemplate), ext) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); return ENOMEM; -- 1.7.6.4