#578: M1579060 M1586176

classilla · Nov 28, 2019 · f3f2956 · f3f2956
1 parent 7758ebb
commit f3f2956
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 14 deletions.
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
@@ -1159,8 +1159,7 @@ CK_RV NSC_EncryptUpdate(CK_SESSION_HANDLE hSession,
 	    }
 	    /* encrypt the current padded data */
     	    rv = (*context->update)(context->cipherInfo, pEncryptedPart, 
-		&padoutlen, context->blockSize, context->padBuf,
-							context->blockSize);
+		&padoutlen, maxout, context->padBuf, context->blockSize);
 	    if (rv != SECSuccess) {
 		return sftk_MapCryptError(PORT_GetError());
 	    }

diff --git a/security/pkix/lib/pkixcert.cpp b/security/pkix/lib/pkixcert.cpp
@@ -105,29 +105,24 @@ BackCert::Init()
     return rv;
   }
 
-  static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
-
   // According to RFC 5280, all fields below this line are forbidden for
   // certificate versions less than v3.  However, for compatibility reasons,
   // we parse v1/v2 certificates in the same way as v3 certificates.  So if
   // these fields appear in a v1 certificate, they will be used.
 
   // Ignore issuerUniqueID if present.
-  if (tbsCertificate.Peek(CSC | 1)) {
-    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 1);
-    if (rv != Success) {
-      return rv;
-    }
+  rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 1);
+  if (rv != Success) {
+    return rv;
   }
 
   // Ignore subjectUniqueID if present.
-  if (tbsCertificate.Peek(CSC | 2)) {
-    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 2);
-    if (rv != Success) {
-      return rv;
-    }
+  rv = der::SkipOptionalImplicitPrimitiveTag(tbsCertificate, 2);
+  if (rv != Success) {
+    return rv;
   }
 
+  static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
   rv = der::OptionalExtensions(
          tbsCertificate, CSC | 3,
          [this](Reader& extnID, const Input& extnValue, bool critical,

diff --git a/security/pkix/lib/pkixder.h b/security/pkix/lib/pkixder.h
@@ -123,6 +123,17 @@ ExpectTagAndSkipValue(Reader& input, uint8_t tag)
   return ExpectTagAndGetValue(input, tag, ignoredValue);
 }
 
+// This skips IMPLICIT OPTIONAL tags that are "primitive" (not constructed),
+// given the number in the class of the tag (i.e. the number in the brackets in
+// `issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL`).
+inline Result SkipOptionalImplicitPrimitiveTag(Reader& input,
+                                               uint8_t numberInClass) {
+  if (input.Peek(CONTEXT_SPECIFIC | numberInClass)) {
+    return ExpectTagAndSkipValue(input, CONTEXT_SPECIFIC | numberInClass);
+  }
+  return Success;
+}
+
 // Like ExpectTagAndGetValue, except the output Input will contain the
 // encoded tag and length along with the value.
 inline Result