1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
# HG changeset patch
# User John M. Schanck <jschanck@mozilla.com>
# Date 1675974326 0
# Node ID 62f6b3e9024dd72ba3af9ce23848d7573b934f18
# Parent 52b4b7d3d3ebdb25fbf2cf1c101bfad3721680f4
Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D167443
CVE: CVE-2023-0767
Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/nss/2:3.35-2ubuntu2.16/nss_3.35-2ubuntu2.16.debian.tar.xz]
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c
--- a/nss/lib/pkcs12/p12d.c
+++ b/nss/lib/pkcs12/p12d.c
@@ -332,41 +332,48 @@ sec_pkcs12_decoder_safe_bag_update(void
unsigned long len, int depth,
SEC_ASN1EncodingPart data_kind)
{
sec_PKCS12SafeContentsContext *safeContentsCtx =
(sec_PKCS12SafeContentsContext *)arg;
SEC_PKCS12DecoderContext *p12dcx;
SECStatus rv;
- /* make sure that we are not skipping the current safeBag,
- * and that there are no errors. If so, just return rather
- * than continuing to process.
- */
- if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
+ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
return;
}
p12dcx = safeContentsCtx->p12dcx;
+ /* make sure that there are no errors and we are not skipping the current safeBag */
+ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
+ goto loser;
+ }
+
rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
if (rv != SECSuccess) {
p12dcx->errorValue = PORT_GetError();
+ p12dcx->error = PR_TRUE;
+ goto loser;
+ }
+
+ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
+ * may not get another opportunity to clean up the decoder context.
+ */
+ if (safeContentsCtx->skipCurrentSafeBag) {
goto loser;
}
return;
loser:
- /* set the error, and finish the decoder context. because there
+ /* Finish the decoder context. Because there
* is not a way of returning an error message, it may be worth
* while to do a check higher up and finish any decoding contexts
* that are still open.
*/
- p12dcx->error = PR_TRUE;
SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
safeContentsCtx->currentSafeBagA1Dcx = NULL;
return;
}
/* notify function for decoding safeBags. This function is
* used to filter safeBag types which are not supported,
* initiate the decoding of nested safe contents, and decode
diff --git a/nss/lib/pkcs12/p12t.h b/nss/lib/pkcs12/p12t.h
--- a/nss/lib/pkcs12/p12t.h
+++ b/nss/lib/pkcs12/p12t.h
@@ -68,16 +68,17 @@ struct sec_PKCS12SafeBagStr {
/* Dependent upon the type of bag being used. */
union {
SECKEYPrivateKeyInfo *pkcs8KeyBag;
SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
sec_PKCS12CertBag *certBag;
sec_PKCS12CRLBag *crlBag;
sec_PKCS12SecretBag *secretBag;
sec_PKCS12SafeContents *safeContents;
+ SECItem *unknownBag;
} safeBagContent;
sec_PKCS12Attribute **attribs;
/* used locally */
SECOidData *bagTypeTag;
PLArenaPool *arena;
unsigned int nAttribs;
diff --git a/nss/lib/pkcs12/p12tmpl.c b/nss/lib/pkcs12/p12tmpl.c
--- a/nss/lib/pkcs12/p12tmpl.c
+++ b/nss/lib/pkcs12/p12tmpl.c
@@ -25,22 +25,22 @@ sec_pkcs12_choose_safe_bag_type(void *sr
if (src_or_dest == NULL) {
return NULL;
}
safeBag = (sec_PKCS12SafeBag *)src_or_dest;
oiddata = SECOID_FindOID(&safeBag->safeBagType);
if (oiddata == NULL) {
- return SEC_ASN1_GET(SEC_AnyTemplate);
+ return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
}
switch (oiddata->offset) {
default:
- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
break;
case SEC_OID_PKCS12_V1_KEY_BAG_ID:
theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
break;
case SEC_OID_PKCS12_V1_CERT_BAG_ID:
theTemplate = sec_PKCS12PointerToCertBagTemplate;
break;
case SEC_OID_PKCS12_V1_CRL_BAG_ID:
|