120 lines
3.5 KiB
Diff
120 lines
3.5 KiB
Diff
From 4ed91a1bb65769401c0fd6c1c5b2a3c64c0c1266 Mon Sep 17 00:00:00 2001
|
|
From: Peter Jones <pjones@redhat.com>
|
|
Date: Wed, 17 Oct 2012 16:35:43 -0400
|
|
Subject: [PATCH 23/41] Add sanity checking to make sure we don't emit
|
|
uninitialized hashes.
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
---
|
|
src/cms_common.c | 15 ++++++++++++++-
|
|
src/content_info.c | 11 +++++++++++
|
|
src/signer_info.c | 5 +++++
|
|
src/util.h | 13 +++++++++++++
|
|
4 files changed, 43 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/cms_common.c b/src/cms_common.c
|
|
index a1ed460..ab5a066 100644
|
|
--- a/src/cms_common.c
|
|
+++ b/src/cms_common.c
|
|
@@ -532,6 +532,10 @@ generate_empty_sequence(cms_context *cms, SECItem *encoded)
|
|
int
|
|
generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
|
|
{
|
|
+ if (content_is_empty(original->data, original->len)) {
|
|
+ cms->log(cms, LOG_ERR, "content is empty, not encoding");
|
|
+ return -1;
|
|
+ }
|
|
if (SEC_ASN1EncodeItem(cms->arena, encoded, original,
|
|
SEC_OctetStringTemplate) == NULL)
|
|
return -1;
|
|
@@ -942,7 +946,16 @@ generate_signature(cms_context *cms)
|
|
{
|
|
int rc = 0;
|
|
|
|
- assert(cms->digests[cms->selected_digest].pe_digest != NULL);
|
|
+ if (cms->digests[cms->selected_digest].pe_digest == NULL) {
|
|
+ cms->log(cms, LOG_ERR, "pe digest has not been allocated");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
|
|
+ cms->digests[cms->selected_digest].pe_digest->len)) {
|
|
+ cms->log(cms, LOG_ERR, "pe binary has not been digested");
|
|
+ return -1;
|
|
+ }
|
|
|
|
SECItem sd_der;
|
|
memset(&sd_der, '\0', sizeof(sd_der));
|
|
diff --git a/src/content_info.c b/src/content_info.c
|
|
index 044e85e..7246d20 100644
|
|
--- a/src/content_info.c
|
|
+++ b/src/content_info.c
|
|
@@ -197,6 +197,11 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
|
|
int i = cms->selected_digest;
|
|
memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
|
|
|
|
+ if (content_is_empty(di.digest.data, di.digest.len)) {
|
|
+ cms->log(cms, LOG_ERR, "got empty digest");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
if (SEC_ASN1EncodeItem(cms->arena, dip, &di,
|
|
DigestInfoTemplate) == NULL) {
|
|
cms->log(cms, LOG_ERR, "could not encode DigestInfo: %s",
|
|
@@ -327,6 +332,12 @@ generate_cinfo_digest(cms_context *cms, SpcContentInfo *cip)
|
|
&cms->ci_digest->len,
|
|
digest_get_digest_size(cms)) != SECSuccess)
|
|
goto err;
|
|
+
|
|
+ if (content_is_empty(cms->ci_digest->data, cms->ci_digest->len)) {
|
|
+ cms->log(cms, LOG_ERR, "generated empty digest");
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
if (cms->ci_digest->len > digest_get_digest_size(cms))
|
|
goto err;
|
|
|
|
diff --git a/src/signer_info.c b/src/signer_info.c
|
|
index 7a73c26..932b896 100644
|
|
--- a/src/signer_info.c
|
|
+++ b/src/signer_info.c
|
|
@@ -207,6 +207,11 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
|
|
if (!sign_content)
|
|
return -1;
|
|
|
|
+ if (content_is_empty(sign_content->data, sign_content->len)) {
|
|
+ cms->log(cms, LOG_ERR, "not signing empty digest");
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
SECOidData *oid = SECOID_FindOIDByTag(digest_get_signature_oid(cms));
|
|
if (!oid)
|
|
goto err;
|
|
diff --git a/src/util.h b/src/util.h
|
|
index f495a0b..5e0ea34 100644
|
|
--- a/src/util.h
|
|
+++ b/src/util.h
|
|
@@ -110,6 +110,19 @@ free_poison(void *addrv, ssize_t len)
|
|
addr[x] = poison_pills[x % 2];
|
|
}
|
|
|
|
+static int
|
|
+__attribute__ ((unused))
|
|
+content_is_empty(uint8_t *data, ssize_t len)
|
|
+{
|
|
+ if (len < 1)
|
|
+ return 1;
|
|
+
|
|
+ for (int i = 0; i < len; i++)
|
|
+ if (data[i] != 0)
|
|
+ return 0;
|
|
+ return 1;
|
|
+}
|
|
+
|
|
#if defined(DAEMON_H)
|
|
static inline uint32_t
|
|
__attribute__ ((unused))
|
|
--
|
|
1.7.12.1
|
|
|