Apply better input checking discipline.

2019-09-05 20:04:29 +03:00 · 2019-09-05 20:04:29 +03:00 · 86f2db3d82
parent 4e7b2bbbe4
commit 86f2db3d82
4 changed files with 22 additions and 7 deletions
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@ -639,6 +639,11 @@ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki)
                    return pubk;
                break;
            case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+                /* A basic sanity check on inputs. */
+                if (spki->algorithm.parameters.len == 0 || newOs.len == 0) {
+                    PORT_SetError(SEC_ERROR_INPUT_LEN);
+                    break;
+                }
                pubk->keyType = ecKey;
                pubk->u.ec.size = 0;

--- a/security/nss/lib/freebl/dh.c
+++ b/security/nss/lib/freebl/dh.c
@ -210,7 +210,8 @@ DH_Derive(SECItem *publicValue,
    unsigned int len = 0;
    unsigned int nb;
    unsigned char *secret = NULL;
-    if (!publicValue || !prime || !privateValue || !derivedSecret) {
+    if (!publicValue || !publicValue->len || !prime || !prime->len ||
+        !privateValue || !privateValue->len || !derivedSecret) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
--- a/security/nss/lib/freebl/ec.c
+++ b/security/nss/lib/freebl/ec.c
@ -202,8 +202,8 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
 #endif
    MP_DIGITS(&k) = 0;

-    if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0) ||
-        !ecParams->name) {
+    if (!ecParams || ecParams->name == ECCurve_noName ||
+        !privKey || !privKeyBytes || privKeyLen <= 0) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
@ -391,7 +391,7 @@ EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
    int len;
    unsigned char *privKeyBytes = NULL;

-    if (!ecParams) {
+    if (!ecParams || ecParams->name == ECCurve_noName || !privKey) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
@ -430,7 +430,8 @@ EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue)
    mp_err err = MP_OKAY;
    int len;

-    if (!ecParams || !publicValue || !ecParams->name) {
+    if (!ecParams || ecParams->name == ECCurve_noName ||
+        !publicValue || !publicValue->len) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
@ -536,8 +537,9 @@ ECDH_Derive(SECItem *publicValue,
    int i;
 #endif

-    if (!publicValue || !ecParams || !privateValue || !derivedSecret ||
-        !ecParams->name) {
+    if (!publicValue || !publicValue->len ||
+        !ecParams || ecParams->name == ECCurve_noName ||
+        !privateValue || !privateValue->len || !derivedSecret) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }
--- a/security/nss/lib/util/quickder.c
+++ b/security/nss/lib/util/quickder.c
@ -757,6 +757,13 @@ DecodeItem(void* dest,
                        }

                        case SEC_ASN1_BIT_STRING: {
+                            /* Can't be 8 or more spare bits, or any spare bits
+                             * if there are no octets. */
+                            if (temp.data[0] >= 8 || (temp.data[0] > 0 && temp.len == 1)) {
+                                PORT_SetError(SEC_ERROR_BAD_DER);
+                                rv = SECFailure;
+                                break;
+                            }
                            /* change the length in the SECItem to be the number
                               of bits */
                            temp.len = (temp.len - 1) * 8 - (temp.data[0] & 0x7);