Closed Bug 352932 Opened 18 years ago Closed 7 years ago

common_DecodeDerSig should use SEC_QuickDERDecodeItem

Categories

(NSS :: Libraries, defect)

defect
Not set
minor

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 944179

People

(Reporter: wtc, Unassigned)

Details

common_DecodeDerSig uses SEC_ASN1DecodeItem, so it's
not easy to detect if there is extra input in the buffer.
common_DecodeDerSig should use SEC_QuickDERDecodeItem, or
should use DER_Lengths to check if there is extra input
in the buffer.

Julien, do you know why we didn't change common_DecodeDerSig
to use the QuickDER decoder?

Wan-Teh,

For one thing, this function didn't exist on the NSS_3_6_BRANCH that I reviewed when I created the QuickDER decoder. There seems to have been a DSAU_DecodeDerSig function, which was also skipped in bug 178895. I'm not sure why, because the dsautil.c source file is never mentioned in the bug. One of the possible reasons why the API was skipped is that there is no arena, and QuickDER requires one. However, it appears the decoded object gets re-encoded and discarded, so this shouldn't actually be an issue.


Related to or inspired by CVE-2006-4340: unchecked garbage in PKCS v1.5 blocks
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE