diff options
Diffstat (limited to 'nss/lib/smime/cmsdecode.c')
| -rw-r--r-- | nss/lib/smime/cmsdecode.c | 759 |
1 files changed, 379 insertions, 380 deletions
diff --git a/nss/lib/smime/cmsdecode.c b/nss/lib/smime/cmsdecode.c index 0c2ca68..d965111 100644 --- a/nss/lib/smime/cmsdecode.c +++ b/nss/lib/smime/cmsdecode.c @@ -17,33 +17,36 @@ #include "secerr.h" struct NSSCMSDecoderContextStr { - SEC_ASN1DecoderContext * dcx; /* ASN.1 decoder context */ - NSSCMSMessage * cmsg; /* backpointer to the root message */ - SECOidTag type; /* type of message */ - NSSCMSContent content; /* pointer to message */ - NSSCMSDecoderContext * childp7dcx; /* inner CMS decoder context */ - PRBool saw_contents; - int error; - NSSCMSContentCallback cb; - void * cb_arg; - PRBool first_decoded; - PRBool need_indefinite_finish; + SEC_ASN1DecoderContext *dcx; /* ASN.1 decoder context */ + NSSCMSMessage *cmsg; /* backpointer to the root message */ + SECOidTag type; /* type of message */ + NSSCMSContent content; /* pointer to message */ + NSSCMSDecoderContext *childp7dcx; /* inner CMS decoder context */ + PRBool saw_contents; + int error; + NSSCMSContentCallback cb; + void *cb_arg; + PRBool first_decoded; + PRBool need_indefinite_finish; }; struct NSSCMSDecoderDataStr { - SECItem data; /* must be first */ + SECItem data; /* must be first */ unsigned int totalBufferSize; }; typedef struct NSSCMSDecoderDataStr NSSCMSDecoderData; -static void nss_cms_decoder_update_filter (void *arg, const char *data, - unsigned long len, int depth, SEC_ASN1EncodingPart data_kind); +static void nss_cms_decoder_update_filter(void *arg, const char *data, + unsigned long len, int depth, + SEC_ASN1EncodingPart data_kind); static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx); static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx); static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx); -static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, - const unsigned char *data, unsigned long len, PRBool final); +static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, + const unsigned char *data, + unsigned long len, + PRBool final); static NSSCMSDecoderData *nss_cms_create_decoder_data(PLArenaPool *poolp); extern const SEC_ASN1Template NSSCMSMessageTemplate[]; @@ -54,9 +57,9 @@ nss_cms_create_decoder_data(PLArenaPool *poolp) NSSCMSDecoderData *decoderData = NULL; decoderData = (NSSCMSDecoderData *) - PORT_ArenaAlloc(poolp,sizeof(NSSCMSDecoderData)); + PORT_ArenaAlloc(poolp, sizeof(NSSCMSDecoderData)); if (!decoderData) { - return NULL; + return NULL; } decoderData->data.data = NULL; decoderData->data.len = 0; @@ -64,7 +67,7 @@ nss_cms_create_decoder_data(PLArenaPool *poolp) return decoderData; } -/* +/* * nss_cms_decoder_notify - * this is the driver of the decoding process. It gets called by the ASN.1 * decoder before and after an object is decoded. @@ -81,106 +84,107 @@ nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth) p7dcx = (NSSCMSDecoderContext *)arg; rootcinfo = &(p7dcx->cmsg->contentInfo); - /* XXX error handling: need to set p7dcx->error */ +/* XXX error handling: need to set p7dcx->error */ -#ifdef CMSDEBUG - fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth); +#ifdef CMSDEBUG + fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" + : "after", + dest, depth); #endif /* so what are we working on right now? */ if (p7dcx->type == SEC_OID_UNKNOWN) { - /* - * right now, we are still decoding the OUTER (root) cinfo - * As soon as we know the inner content type, set up the info, - * but NO inner decoder or filter. The root decoder handles the first - * level children by itself - only for encapsulated contents (which - * are encoded as DER inside of an OCTET STRING) we need to set up a - * child decoder... - */ - if (after && dest == &(rootcinfo->contentType)) { - p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo); - p7dcx->content = rootcinfo->content; - /* is this ready already ? need to alloc? */ - /* XXX yes we need to alloc -- continue here */ - } + /* + * right now, we are still decoding the OUTER (root) cinfo + * As soon as we know the inner content type, set up the info, + * but NO inner decoder or filter. The root decoder handles the first + * level children by itself - only for encapsulated contents (which + * are encoded as DER inside of an OCTET STRING) we need to set up a + * child decoder... + */ + if (after && dest == &(rootcinfo->contentType)) { + p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo); + p7dcx->content = rootcinfo->content; + /* is this ready already ? need to alloc? */ + /* XXX yes we need to alloc -- continue here */ + } } else if (NSS_CMSType_IsData(p7dcx->type)) { - /* this can only happen if the outermost cinfo has DATA in it */ - /* otherwise, we handle this type implicitely in the inner decoders */ - - if (before && dest == &(rootcinfo->content)) { - /* cause the filter to put the data in the right place... - ** We want the ASN.1 decoder to deliver the decoded bytes to us - ** from now on - */ - SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, - nss_cms_decoder_update_filter, - p7dcx, - (PRBool)(p7dcx->cb != NULL)); - } else if (after && dest == &(rootcinfo->content.data)) { - /* remove the filter */ - SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); - } + /* this can only happen if the outermost cinfo has DATA in it */ + /* otherwise, we handle this type implicitely in the inner decoders */ + + if (before && dest == &(rootcinfo->content)) { + /* cause the filter to put the data in the right place... + ** We want the ASN.1 decoder to deliver the decoded bytes to us + ** from now on + */ + SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, + nss_cms_decoder_update_filter, + p7dcx, + (PRBool)(p7dcx->cb != NULL)); + } else if (after && dest == &(rootcinfo->content.data)) { + /* remove the filter */ + SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); + } } else if (NSS_CMSType_IsWrapper(p7dcx->type)) { - if (!before || dest != &(rootcinfo->content)) { - - if (p7dcx->content.pointer == NULL) - p7dcx->content = rootcinfo->content; - - /* get this data type's inner contentInfo */ - cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, - p7dcx->type); - - if (before && dest == &(cinfo->contentType)) { - /* at this point, set up the &%$&$ back pointer */ - /* we cannot do it later, because the content itself - * is optional! */ - switch (p7dcx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - p7dcx->content.signedData->cmsg = p7dcx->cmsg; - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - p7dcx->content.digestedData->cmsg = p7dcx->cmsg; - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - p7dcx->content.envelopedData->cmsg = p7dcx->cmsg; - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - p7dcx->content.encryptedData->cmsg = p7dcx->cmsg; - break; - default: - p7dcx->content.genericData->cmsg = p7dcx->cmsg; - break; - } - } - - if (before && dest == &(cinfo->rawContent)) { - /* we want the ASN.1 decoder to deliver the decoded bytes to us - ** from now on - */ - SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, - nss_cms_decoder_update_filter, - p7dcx, (PRBool)(p7dcx->cb != NULL)); - - - /* we're right in front of the data */ - if (nss_cms_before_data(p7dcx) != SECSuccess) { - SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); - /* stop all processing */ - p7dcx->error = PORT_GetError(); - } - } - if (after && dest == &(cinfo->rawContent)) { - /* we're right after of the data */ - if (nss_cms_after_data(p7dcx) != SECSuccess) - p7dcx->error = PORT_GetError(); - - /* we don't need to see the contents anymore */ - SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); - } - } + if (!before || dest != &(rootcinfo->content)) { + + if (p7dcx->content.pointer == NULL) + p7dcx->content = rootcinfo->content; + + /* get this data type's inner contentInfo */ + cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, + p7dcx->type); + + if (before && dest == &(cinfo->contentType)) { + /* at this point, set up the &%$&$ back pointer */ + /* we cannot do it later, because the content itself + * is optional! */ + switch (p7dcx->type) { + case SEC_OID_PKCS7_SIGNED_DATA: + p7dcx->content.signedData->cmsg = p7dcx->cmsg; + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + p7dcx->content.digestedData->cmsg = p7dcx->cmsg; + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + p7dcx->content.envelopedData->cmsg = p7dcx->cmsg; + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + p7dcx->content.encryptedData->cmsg = p7dcx->cmsg; + break; + default: + p7dcx->content.genericData->cmsg = p7dcx->cmsg; + break; + } + } + + if (before && dest == &(cinfo->rawContent)) { + /* we want the ASN.1 decoder to deliver the decoded bytes to us + ** from now on + */ + SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, + nss_cms_decoder_update_filter, + p7dcx, (PRBool)(p7dcx->cb != NULL)); + + /* we're right in front of the data */ + if (nss_cms_before_data(p7dcx) != SECSuccess) { + SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); + /* stop all processing */ + p7dcx->error = PORT_GetError(); + } + } + if (after && dest == &(cinfo->rawContent)) { + /* we're right after of the data */ + if (nss_cms_after_data(p7dcx) != SECSuccess) + p7dcx->error = PORT_GetError(); + + /* we don't need to see the contents anymore */ + SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); + } + } } else { - /* unsupported or unknown message type - fail gracefully */ - p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE; + /* unsupported or unknown message type - fail gracefully */ + p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE; } } @@ -198,58 +202,58 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx) const SEC_ASN1Template *template; void *mark = NULL; size_t size; - + poolp = p7dcx->cmsg->poolp; /* call _Decode_BeforeData handlers */ switch (p7dcx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - /* we're decoding a signedData, so set up the digests */ - rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - /* we're encoding a digestedData, so set up the digest */ - rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - rv = NSS_CMSEnvelopedData_Decode_BeforeData( - p7dcx->content.envelopedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - rv = NSS_CMSEncryptedData_Decode_BeforeData( - p7dcx->content.encryptedData); - break; - default: - rv = NSS_CMSGenericWrapperData_Decode_BeforeData(p7dcx->type, - p7dcx->content.genericData); + case SEC_OID_PKCS7_SIGNED_DATA: + /* we're decoding a signedData, so set up the digests */ + rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + /* we're encoding a digestedData, so set up the digest */ + rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + rv = NSS_CMSEnvelopedData_Decode_BeforeData( + p7dcx->content.envelopedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + rv = NSS_CMSEncryptedData_Decode_BeforeData( + p7dcx->content.encryptedData); + break; + default: + rv = NSS_CMSGenericWrapperData_Decode_BeforeData(p7dcx->type, + p7dcx->content.genericData); } if (rv != SECSuccess) - return SECFailure; + return SECFailure; /* ok, now we have a pointer to cinfo */ /* find out what kind of data is encapsulated */ - + cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type); childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo); if (NSS_CMSType_IsData(childtype)) { - cinfo->content.pointer = (void *) nss_cms_create_decoder_data(poolp); - if (cinfo->content.pointer == NULL) - /* set memory error */ - return SECFailure; + cinfo->content.pointer = (void *)nss_cms_create_decoder_data(poolp); + if (cinfo->content.pointer == NULL) + /* set memory error */ + return SECFailure; - p7dcx->childp7dcx = NULL; - return SECSuccess; + p7dcx->childp7dcx = NULL; + return SECSuccess; } /* set up inner decoder */ if ((template = NSS_CMSUtil_GetTemplateByTypeTag(childtype)) == NULL) - return SECFailure; + return SECFailure; childp7dcx = PORT_ZNew(NSSCMSDecoderContext); if (childp7dcx == NULL) - return SECFailure; + return SECFailure; mark = PORT_ArenaMark(poolp); @@ -257,37 +261,37 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx) size = NSS_CMSUtil_GetSizeByTypeTag(childtype); childp7dcx->content.pointer = (void *)PORT_ArenaZAlloc(poolp, size); if (childp7dcx->content.pointer == NULL) - goto loser; + goto loser; /* give the parent a copy of the pointer so that it doesn't get lost */ cinfo->content.pointer = childp7dcx->content.pointer; /* start the child decoder */ - childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer, + childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer, template); if (childp7dcx->dcx == NULL) - goto loser; + goto loser; /* the new decoder needs to notify, too */ - SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify, + SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify, childp7dcx); /* tell the parent decoder that it needs to feed us the content data */ p7dcx->childp7dcx = childp7dcx; - childp7dcx->type = childtype; /* our type */ + childp7dcx->type = childtype; /* our type */ - childp7dcx->cmsg = p7dcx->cmsg; /* backpointer to root message */ + childp7dcx->cmsg = p7dcx->cmsg; /* backpointer to root message */ - /* should the child decoder encounter real data, - ** it must give it to the caller + /* should the child decoder encounter real data, + ** it must give it to the caller */ childp7dcx->cb = p7dcx->cb; childp7dcx->cb_arg = p7dcx->cb_arg; childp7dcx->first_decoded = PR_FALSE; childp7dcx->need_indefinite_finish = PR_FALSE; if (childtype == SEC_OID_PKCS7_SIGNED_DATA) { - childp7dcx->first_decoded = PR_TRUE; + childp7dcx->first_decoded = PR_TRUE; } /* now set up the parent to hand decoded data to the next level decoder */ @@ -300,9 +304,8 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx) loser: if (mark) - PORT_ArenaRelease(poolp, mark); - if (childp7dcx) - PORT_Free(childp7dcx); + PORT_ArenaRelease(poolp, mark); + PORT_Free(childp7dcx); p7dcx->childp7dcx = NULL; return SECFailure; } @@ -319,52 +322,52 @@ nss_cms_after_data(NSSCMSDecoderContext *p7dcx) /* finish any "inner" decoders - there's no more data coming... */ if (p7dcx->childp7dcx != NULL) { - childp7dcx = p7dcx->childp7dcx; - if (childp7dcx->dcx != NULL) { - /* we started and indefinite sequence somewhere, not complete it */ - if (childp7dcx->need_indefinite_finish) { - static const char lbuf[2] = { 0, 0 }; - NSS_CMSDecoder_Update(childp7dcx, lbuf, sizeof(lbuf)); - childp7dcx->need_indefinite_finish = PR_FALSE; - } - - if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) { - /* do what? free content? */ - rv = SECFailure; - } else { - rv = nss_cms_after_end(childp7dcx); - } - if (rv != SECSuccess) - goto done; - } - PORT_Free(p7dcx->childp7dcx); - p7dcx->childp7dcx = NULL; + childp7dcx = p7dcx->childp7dcx; + if (childp7dcx->dcx != NULL) { + /* we started and indefinite sequence somewhere, not complete it */ + if (childp7dcx->need_indefinite_finish) { + static const char lbuf[2] = { 0, 0 }; + NSS_CMSDecoder_Update(childp7dcx, lbuf, sizeof(lbuf)); + childp7dcx->need_indefinite_finish = PR_FALSE; + } + + if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) { + /* do what? free content? */ + rv = SECFailure; + } else { + rv = nss_cms_after_end(childp7dcx); + } + if (rv != SECSuccess) + goto done; + } + PORT_Free(p7dcx->childp7dcx); + p7dcx->childp7dcx = NULL; } switch (p7dcx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - /* this will finish the digests and verify */ - rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - rv = NSS_CMSEnvelopedData_Decode_AfterData( - p7dcx->content.envelopedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - rv = NSS_CMSDigestedData_Decode_AfterData( - p7dcx->content.digestedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - rv = NSS_CMSEncryptedData_Decode_AfterData( - p7dcx->content.encryptedData); - break; - case SEC_OID_PKCS7_DATA: - /* do nothing */ - break; - default: - rv = NSS_CMSGenericWrapperData_Decode_AfterData(p7dcx->type, - p7dcx->content.genericData); - break; + case SEC_OID_PKCS7_SIGNED_DATA: + /* this will finish the digests and verify */ + rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + rv = NSS_CMSEnvelopedData_Decode_AfterData( + p7dcx->content.envelopedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + rv = NSS_CMSDigestedData_Decode_AfterData( + p7dcx->content.digestedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + rv = NSS_CMSEncryptedData_Decode_AfterData( + p7dcx->content.encryptedData); + break; + case SEC_OID_PKCS7_DATA: + /* do nothing */ + break; + default: + rv = NSS_CMSGenericWrapperData_Decode_AfterData(p7dcx->type, + p7dcx->content.genericData); + break; } done: return rv; @@ -376,31 +379,31 @@ nss_cms_after_end(NSSCMSDecoderContext *p7dcx) SECStatus rv = SECSuccess; switch (p7dcx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - if (p7dcx->content.signedData) - rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - if (p7dcx->content.envelopedData) - rv = NSS_CMSEnvelopedData_Decode_AfterEnd( - p7dcx->content.envelopedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - if (p7dcx->content.digestedData) - rv = NSS_CMSDigestedData_Decode_AfterEnd( - p7dcx->content.digestedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - if (p7dcx->content.encryptedData) - rv = NSS_CMSEncryptedData_Decode_AfterEnd( - p7dcx->content.encryptedData); - break; - case SEC_OID_PKCS7_DATA: - break; - default: - rv = NSS_CMSGenericWrapperData_Decode_AfterEnd(p7dcx->type, - p7dcx->content.genericData); - break; + case SEC_OID_PKCS7_SIGNED_DATA: + if (p7dcx->content.signedData) + rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + if (p7dcx->content.envelopedData) + rv = NSS_CMSEnvelopedData_Decode_AfterEnd( + p7dcx->content.envelopedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + if (p7dcx->content.digestedData) + rv = NSS_CMSDigestedData_Decode_AfterEnd( + p7dcx->content.digestedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + if (p7dcx->content.encryptedData) + rv = NSS_CMSEncryptedData_Decode_AfterEnd( + p7dcx->content.encryptedData); + break; + case SEC_OID_PKCS7_DATA: + break; + default: + rv = NSS_CMSGenericWrapperData_Decode_AfterEnd(p7dcx->type, + p7dcx->content.genericData); + break; } return rv; } @@ -412,9 +415,9 @@ nss_cms_after_end(NSSCMSDecoderContext *p7dcx) * on it, then either stores it or passes it on to the next level decoder. */ static void -nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, - const unsigned char *data, unsigned long len, - PRBool final) +nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, + const unsigned char *data, unsigned long len, + PRBool final) { NSSCMSContentInfo *cinfo; unsigned char *buf = NULL; @@ -429,129 +432,129 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, * proves they do it right. But it could find a bug in future * modifications/development, that is why it is here.) */ - PORT_Assert ((data != NULL && len) || final); + PORT_Assert((data != NULL && len) || final); cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type); if (!cinfo) { - /* The original programmer didn't expect this to happen */ - p7dcx->error = SEC_ERROR_LIBRARY_FAILURE; - goto loser; + /* The original programmer didn't expect this to happen */ + p7dcx->error = SEC_ERROR_LIBRARY_FAILURE; + goto loser; } if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) { - /* - * we are decrypting. - * - * XXX If we get an error, we do not want to do the digest or callback, - * but we want to keep decoding. Or maybe we want to stop decoding - * altogether if there is a callback, because obviously we are not - * sending the data back and they want to know that. - */ - - unsigned int outlen = 0; /* length of decrypted data */ - unsigned int buflen; /* length available for decrypted data */ - - /* find out about the length of decrypted data */ - buflen = NSS_CMSCipherContext_DecryptLength(cinfo->privateInfo->ciphcx, len, final); - - /* - * it might happen that we did not provide enough data for a full - * block (decryption unit), and that there is no output available - */ - - /* no output available, AND no input? */ - if (buflen == 0 && len == 0) - goto loser; /* bail out */ - - /* - * have inner decoder: pass the data on (means inner content type is NOT data) - * no inner decoder: we have DATA in here: either call callback or store - */ - if (buflen != 0) { - /* there will be some output - need to make room for it */ - /* allocate buffer from the heap */ - buf = (unsigned char *)PORT_Alloc(buflen); - if (buf == NULL) { - p7dcx->error = SEC_ERROR_NO_MEMORY; - goto loser; - } - } - - /* - * decrypt incoming data - * buf can still be NULL here (and buflen == 0) here if we don't expect - * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to - * keep track of incoming data - */ - rv = NSS_CMSCipherContext_Decrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen, - data, len, final); - if (rv != SECSuccess) { - p7dcx->error = PORT_GetError(); - goto loser; - } - - PORT_Assert (final || outlen == buflen); - - /* swap decrypted data in */ - data = buf; - len = outlen; + /* + * we are decrypting. + * + * XXX If we get an error, we do not want to do the digest or callback, + * but we want to keep decoding. Or maybe we want to stop decoding + * altogether if there is a callback, because obviously we are not + * sending the data back and they want to know that. + */ + + unsigned int outlen = 0; /* length of decrypted data */ + unsigned int buflen; /* length available for decrypted data */ + + /* find out about the length of decrypted data */ + buflen = NSS_CMSCipherContext_DecryptLength(cinfo->privateInfo->ciphcx, len, final); + + /* + * it might happen that we did not provide enough data for a full + * block (decryption unit), and that there is no output available + */ + + /* no output available, AND no input? */ + if (buflen == 0 && len == 0) + goto loser; /* bail out */ + + /* + * have inner decoder: pass the data on (means inner content type is NOT data) + * no inner decoder: we have DATA in here: either call callback or store + */ + if (buflen != 0) { + /* there will be some output - need to make room for it */ + /* allocate buffer from the heap */ + buf = (unsigned char *)PORT_Alloc(buflen); + if (buf == NULL) { + p7dcx->error = SEC_ERROR_NO_MEMORY; + goto loser; + } + } + + /* + * decrypt incoming data + * buf can still be NULL here (and buflen == 0) here if we don't expect + * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to + * keep track of incoming data + */ + rv = NSS_CMSCipherContext_Decrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen, + data, len, final); + if (rv != SECSuccess) { + p7dcx->error = PORT_GetError(); + goto loser; + } + + PORT_Assert(final || outlen == buflen); + + /* swap decrypted data in */ + data = buf; + len = outlen; } if (len == 0) - goto done; /* nothing more to do */ + goto done; /* nothing more to do */ /* * Update the running digests with plaintext bytes (if we need to). */ if (cinfo->privateInfo && cinfo->privateInfo->digcx) - NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len); + NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len); - /* at this point, we have the plain decoded & decrypted data - ** which is either more encoded DER (which we need to hand to the child - ** decoder) or data we need to hand back to our caller + /* at this point, we have the plain decoded & decrypted data + ** which is either more encoded DER (which we need to hand to the child + ** decoder) or data we need to hand back to our caller */ /* pass the content back to our caller or */ /* feed our freshly decrypted and decoded data into child decoder */ if (p7dcx->cb != NULL) { - (*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len); + (*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len); } #if 1 else #endif - if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) { - /* store it in "inner" data item as well */ - /* find the DATA item in the encapsulated cinfo and store it there */ - NSSCMSDecoderData *decoderData = - (NSSCMSDecoderData *)cinfo->content.pointer; - SECItem *dataItem = &decoderData->data; - - offset = dataItem->len; - if (dataItem->len+len > decoderData->totalBufferSize) { - int needLen = (dataItem->len+len) * 2; - dest = (unsigned char *) - PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen); - if (dest == NULL) { - p7dcx->error = SEC_ERROR_NO_MEMORY; - goto loser; - } - - if (dataItem->len) { - PORT_Memcpy(dest, dataItem->data, dataItem->len); - } - decoderData->totalBufferSize = needLen; - dataItem->data = dest; - } - - /* copy it in */ - PORT_Memcpy(dataItem->data + offset, data, len); - dataItem->len += len; + if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) { + /* store it in "inner" data item as well */ + /* find the DATA item in the encapsulated cinfo and store it there */ + NSSCMSDecoderData *decoderData = + (NSSCMSDecoderData *)cinfo->content.pointer; + SECItem *dataItem = &decoderData->data; + + offset = dataItem->len; + if (dataItem->len + len > decoderData->totalBufferSize) { + int needLen = (dataItem->len + len) * 2; + dest = (unsigned char *) + PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen); + if (dest == NULL) { + p7dcx->error = SEC_ERROR_NO_MEMORY; + goto loser; + } + + if (dataItem->len) { + PORT_Memcpy(dest, dataItem->data, dataItem->len); + } + decoderData->totalBufferSize = needLen; + dataItem->data = dest; + } + + /* copy it in */ + PORT_Memcpy(dataItem->data + offset, data, len); + dataItem->len += len; } done: loser: if (buf) - PORT_Free (buf); + PORT_Free(buf); } /* @@ -563,23 +566,23 @@ loser: * nss_cms_decoder_work_data(). */ static void -nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len, - int depth, SEC_ASN1EncodingPart data_kind) +nss_cms_decoder_update_filter(void *arg, const char *data, unsigned long len, + int depth, SEC_ASN1EncodingPart data_kind) { NSSCMSDecoderContext *p7dcx; - PORT_Assert (len); /* paranoia */ + PORT_Assert(len); /* paranoia */ if (len == 0) - return; + return; - p7dcx = (NSSCMSDecoderContext*)arg; + p7dcx = (NSSCMSDecoderContext *)arg; p7dcx->saw_contents = PR_TRUE; /* pass on the content bytes only */ if (data_kind == SEC_ASN1_Contents) - nss_cms_decoder_work_data(p7dcx, (const unsigned char *) data, len, - PR_FALSE); + nss_cms_decoder_work_data(p7dcx, (const unsigned char *)data, len, + PR_FALSE); } /* @@ -592,35 +595,35 @@ nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len, */ NSSCMSDecoderContext * NSS_CMSDecoder_Start(PLArenaPool *poolp, - NSSCMSContentCallback cb, void *cb_arg, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, - void *decrypt_key_cb_arg) + NSSCMSContentCallback cb, void *cb_arg, + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, + void *decrypt_key_cb_arg) { NSSCMSDecoderContext *p7dcx; NSSCMSMessage *cmsg; cmsg = NSS_CMSMessage_Create(poolp); if (cmsg == NULL) - return NULL; + return NULL; - NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, + NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg, NULL, NULL); p7dcx = PORT_ZNew(NSSCMSDecoderContext); if (p7dcx == NULL) { - NSS_CMSMessage_Destroy(cmsg); - return NULL; + NSS_CMSMessage_Destroy(cmsg); + return NULL; } p7dcx->dcx = SEC_ASN1DecoderStart(cmsg->poolp, cmsg, NSSCMSMessageTemplate); if (p7dcx->dcx == NULL) { - PORT_Free (p7dcx); - NSS_CMSMessage_Destroy(cmsg); - return NULL; + PORT_Free(p7dcx); + NSS_CMSMessage_Destroy(cmsg); + return NULL; } - SEC_ASN1DecoderSetNotifyProc (p7dcx->dcx, nss_cms_decoder_notify, p7dcx); + SEC_ASN1DecoderSetNotifyProc(p7dcx->dcx, nss_cms_decoder_notify, p7dcx); p7dcx->cmsg = cmsg; p7dcx->type = SEC_OID_UNKNOWN; @@ -636,51 +639,49 @@ NSS_CMSDecoder_Start(PLArenaPool *poolp, * NSS_CMSDecoder_Update - feed DER-encoded data to decoder */ SECStatus -NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, +NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, unsigned long len) { SECStatus rv = SECSuccess; - if (p7dcx->dcx != NULL && p7dcx->error == 0) { - /* if error is set already, don't bother */ - if ((p7dcx->type == SEC_OID_PKCS7_SIGNED_DATA) - && (p7dcx->first_decoded==PR_TRUE) - && (buf[0] == SEC_ASN1_INTEGER)) { - /* Microsoft Windows 2008 left out the Sequence wrapping in some - * of their kerberos replies. If we are here, we most likely are - * dealing with one of those replies. Supply the Sequence wrap - * as indefinite encoding (since we don't know the total length - * yet) */ - static const char lbuf[2] = - { SEC_ASN1_SEQUENCE|SEC_ASN1_CONSTRUCTED, 0x80 }; - rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, lbuf, sizeof(lbuf)); - if (rv != SECSuccess) { - goto loser; - } - /* ok, we're going to need the indefinite finish when we are done */ - p7dcx->need_indefinite_finish = PR_TRUE; - } - - rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, buf, len); + if (p7dcx->dcx != NULL && p7dcx->error == 0) { + /* if error is set already, don't bother */ + if ((p7dcx->type == SEC_OID_PKCS7_SIGNED_DATA) && (p7dcx->first_decoded == PR_TRUE) && (buf[0] == SEC_ASN1_INTEGER)) { + /* Microsoft Windows 2008 left out the Sequence wrapping in some + * of their kerberos replies. If we are here, we most likely are + * dealing with one of those replies. Supply the Sequence wrap + * as indefinite encoding (since we don't know the total length + * yet) */ + static const char lbuf[2] = + { SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED, 0x80 }; + rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, lbuf, sizeof(lbuf)); + if (rv != SECSuccess) { + goto loser; + } + /* ok, we're going to need the indefinite finish when we are done */ + p7dcx->need_indefinite_finish = PR_TRUE; + } + + rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, buf, len); } loser: p7dcx->first_decoded = PR_FALSE; if (rv != SECSuccess) { - p7dcx->error = PORT_GetError(); - PORT_Assert (p7dcx->error); - if (p7dcx->error == 0) - p7dcx->error = -1; + p7dcx->error = PORT_GetError(); + PORT_Assert(p7dcx->error); + if (p7dcx->error == 0) + p7dcx->error = -1; } if (p7dcx->error == 0) - return SECSuccess; + return SECSuccess; /* there has been a problem, let's finish the decoder */ if (p7dcx->dcx != NULL) { - (void) SEC_ASN1DecoderFinish (p7dcx->dcx); - p7dcx->dcx = NULL; + (void)SEC_ASN1DecoderFinish(p7dcx->dcx); + p7dcx->dcx = NULL; } - PORT_SetError (p7dcx->error); + PORT_SetError(p7dcx->error); return SECFailure; } @@ -692,7 +693,7 @@ void NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx) { if (p7dcx->dcx != NULL) - (void)SEC_ASN1DecoderFinish(p7dcx->dcx); + (void)SEC_ASN1DecoderFinish(p7dcx->dcx); NSS_CMSMessage_Destroy(p7dcx->cmsg); PORT_Free(p7dcx); } @@ -707,12 +708,11 @@ NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx) cmsg = p7dcx->cmsg; - if (p7dcx->dcx == NULL || + if (p7dcx->dcx == NULL || SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess || - nss_cms_after_end(p7dcx) != SECSuccess) - { - NSS_CMSMessage_Destroy(cmsg); /* get rid of pool if it's ours */ - cmsg = NULL; + nss_cms_after_end(p7dcx) != SECSuccess) { + NSS_CMSMessage_Destroy(cmsg); /* get rid of pool if it's ours */ + cmsg = NULL; } PORT_Free(p7dcx); @@ -721,19 +721,18 @@ NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx) NSSCMSMessage * NSS_CMSMessage_CreateFromDER(SECItem *DERmessage, - NSSCMSContentCallback cb, void *cb_arg, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, - void *decrypt_key_cb_arg) + NSSCMSContentCallback cb, void *cb_arg, + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, + void *decrypt_key_cb_arg) { NSSCMSDecoderContext *p7dcx; /* first arg(poolp) == NULL => create our own pool */ - p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg, + p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg); if (p7dcx == NULL) - return NULL; + return NULL; NSS_CMSDecoder_Update(p7dcx, (char *)DERmessage->data, DERmessage->len); return NSS_CMSDecoder_Finish(p7dcx); } - |