7ca545e8ec
Fix QE discovered issues: 1) need parameter to test certificate compression in selfserv and tstclient. 2) pkcs12 encoding for pbamac adding a spurious IV as a parameter instead of an NULL.
122 lines
4.4 KiB
Diff
122 lines
4.4 KiB
Diff
diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
|
|
--- a/lib/pk11wrap/pk11mech.c
|
|
+++ b/lib/pk11wrap/pk11mech.c
|
|
@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
|
|
case CKM_BATON_ECB96:
|
|
case CKM_BATON_CBC128:
|
|
case CKM_BATON_COUNTER:
|
|
case CKM_BATON_SHUFFLE:
|
|
case CKM_JUNIPER_ECB128:
|
|
case CKM_JUNIPER_CBC128:
|
|
case CKM_JUNIPER_COUNTER:
|
|
case CKM_JUNIPER_SHUFFLE:
|
|
- newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
|
- SEC_ASN1_GET(SEC_OctetStringTemplate));
|
|
- if (newParams == NULL)
|
|
- break;
|
|
+ /* if no parameters have been supplied, then encode a NULL params
|
|
+ */
|
|
+ if (param && param->len > 0) {
|
|
+ newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
|
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
|
|
+ if (newParams == NULL)
|
|
+ break;
|
|
+ } else {
|
|
+ newParams = NULL;
|
|
+ }
|
|
rv = SECSuccess;
|
|
break;
|
|
}
|
|
|
|
if (rv != SECSuccess) {
|
|
if (newParams)
|
|
SECITEM_FreeItem(newParams, PR_TRUE);
|
|
return rv;
|
|
diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
|
|
--- a/lib/pk11wrap/pk11pbe.c
|
|
+++ b/lib/pk11wrap/pk11pbe.c
|
|
@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
|
|
* algorithm is). We use choose this algorithm oid based on the
|
|
* cipherAlgorithm to determine what this should be (MAC1 or PBES2).
|
|
*/
|
|
if (algorithm == SEC_OID_PKCS5_PBKDF2) {
|
|
/* choose mac or pbes */
|
|
algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
|
|
}
|
|
|
|
+ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
|
+
|
|
/* set the PKCS5v2 specific parameters */
|
|
if (keyLength == 0) {
|
|
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
|
if (hashAlg != SEC_OID_UNKNOWN) {
|
|
keyLength = HASH_ResultLenByOidTag(hashAlg);
|
|
} else {
|
|
keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm);
|
|
}
|
|
if (keyLength <= 0) {
|
|
goto loser;
|
|
}
|
|
}
|
|
/* currently SEC_OID_HMAC_SHA1 is the default */
|
|
if (prfAlg == SEC_OID_UNKNOWN) {
|
|
prfAlg = SEC_OID_HMAC_SHA1;
|
|
}
|
|
|
|
- /* build the PKCS5v2 cipher algorithm id */
|
|
- cipherParams = pk11_GenerateNewParamWithKeyLen(
|
|
- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
|
- if (!cipherParams) {
|
|
- goto loser;
|
|
+ /* build the PKCS5v2 cipher algorithm id, if cipher
|
|
+ * is an HMAC, the cipherParams should be NULL */
|
|
+ if (hashAlg == SEC_OID_UNKNOWN) {
|
|
+ cipherParams = pk11_GenerateNewParamWithKeyLen(
|
|
+ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
|
+ if (!cipherParams) {
|
|
+ goto loser;
|
|
+ }
|
|
+ } else {
|
|
+ cipherParams = NULL;
|
|
}
|
|
|
|
PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
|
|
|
|
rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
|
|
poolp, &pbeV2_param.cipherAlgId);
|
|
- SECITEM_FreeItem(cipherParams, PR_TRUE);
|
|
+ if (cipherParams) {
|
|
+ SECITEM_FreeItem(cipherParams, PR_TRUE);
|
|
+ }
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
}
|
|
|
|
/* generate the parameter */
|
|
pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
|
|
keyLength, prfAlg);
|
|
diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c
|
|
--- a/lib/util/secalgid.c
|
|
+++ b/lib/util/secalgid.c
|
|
@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena
|
|
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
|
return SECFailure;
|
|
}
|
|
|
|
if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
|
|
return SECFailure;
|
|
|
|
if ((secoid_IsRSAPKCS1(which)) ||
|
|
- (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
|
|
+ (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
|
|
+ (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
|
|
add_null_param = PR_TRUE;
|
|
} else {
|
|
add_null_param = PR_FALSE;
|
|
}
|
|
|
|
if (params) {
|
|
/*
|
|
* I am specifically *not* enforcing the following assertion
|