The Tor Browser: security/nss/lib/smime/cmsdecode.c@b8a032363ba2 (annotated)

security/nss/lib/smime/cmsdecode.c@b8a032363ba2 (annotated)

security/nss/lib/smime/cmsdecode.c

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * CMS decoding.
  */
 #include "cmslocal.h"
 #include "cert.h"
 #include "key.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
 #include "prtime.h"
 #include "secerr.h"
 struct NSSCMSDecoderContextStr {
     SEC_ASN1DecoderContext *	dcx;		/* ASN.1 decoder context */
     NSSCMSMessage *		cmsg;		/* backpointer to the root message */
     SECOidTag			type;		/* type of message */
     NSSCMSContent		content;	/* pointer to message */
     NSSCMSDecoderContext *	childp7dcx;	/* inner CMS decoder context */
     PRBool			saw_contents;
     int				error;
     NSSCMSContentCallback	cb;
     void *			cb_arg;
     PRBool			first_decoded;
     PRBool			need_indefinite_finish;
 };
 struct NSSCMSDecoderDataStr {
     SECItem data; 	/* must be first */
     unsigned int totalBufferSize;
 };
 typedef struct NSSCMSDecoderDataStr NSSCMSDecoderData;
 static void      nss_cms_decoder_update_filter (void *arg, const char *data,
                  unsigned long len, int depth, SEC_ASN1EncodingPart data_kind);
 static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx);
 static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx);
 static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx);
 static void      nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
 		 const unsigned char *data, unsigned long len, PRBool final);
 static NSSCMSDecoderData *nss_cms_create_decoder_data(PLArenaPool *poolp);
 extern const SEC_ASN1Template NSSCMSMessageTemplate[];
 static NSSCMSDecoderData *
 nss_cms_create_decoder_data(PLArenaPool *poolp)
 {
     NSSCMSDecoderData *decoderData = NULL;
     decoderData = (NSSCMSDecoderData *)
 			PORT_ArenaAlloc(poolp,sizeof(NSSCMSDecoderData));
     if (!decoderData) {
 	return NULL;
     }
     decoderData->data.data = NULL;
     decoderData->data.len = 0;
     decoderData->totalBufferSize = 0;
     return decoderData;
 }
 /*
  * nss_cms_decoder_notify -
  *  this is the driver of the decoding process. It gets called by the ASN.1
  *  decoder before and after an object is decoded.
  *  at various points in the decoding process, we intercept to set up and do
  *  further processing.
  */
 static void
 nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth)
 {
     NSSCMSDecoderContext *p7dcx;
     NSSCMSContentInfo *rootcinfo, *cinfo;
     PRBool after = !before;
     p7dcx = (NSSCMSDecoderContext *)arg;
     rootcinfo = &(p7dcx->cmsg->contentInfo);
     /* XXX error handling: need to set p7dcx->error */
 #ifdef CMSDEBUG
     fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
 #endif
     /* so what are we working on right now? */
     if (p7dcx->type == SEC_OID_UNKNOWN) {
 	/*
 	 * right now, we are still decoding the OUTER (root) cinfo
 	 * As soon as we know the inner content type, set up the info,
 	 * but NO inner decoder or filter. The root decoder handles the first
 	 * level children by itself - only for encapsulated contents (which
 	 * are encoded as DER inside of an OCTET STRING) we need to set up a
 	 * child decoder...
 	 */
 	if (after && dest == &(rootcinfo->contentType)) {
 	    p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
 	    p7dcx->content = rootcinfo->content;
 	    /* is this ready already ? need to alloc? */
 	    /* XXX yes we need to alloc -- continue here */
 	}
     } else if (NSS_CMSType_IsData(p7dcx->type)) {
 	/* this can only happen if the outermost cinfo has DATA in it */
 	/* otherwise, we handle this type implicitely in the inner decoders */
 	if (before && dest == &(rootcinfo->content)) {
 	    /* cause the filter to put the data in the right place...
 	    ** We want the ASN.1 decoder to deliver the decoded bytes to us
 	    ** from now on
 	    */
 	    SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
 					  nss_cms_decoder_update_filter,
 					  p7dcx,
 					  (PRBool)(p7dcx->cb != NULL));
 	} else if (after && dest == &(rootcinfo->content.data)) {
 	    /* remove the filter */
 	    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
 	}
     } else if (NSS_CMSType_IsWrapper(p7dcx->type)) {
 	if (!before || dest != &(rootcinfo->content)) {
 	    if (p7dcx->content.pointer == NULL)
 		p7dcx->content = rootcinfo->content;
 	    /* get this data type's inner contentInfo */
 	    cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer,
 	                                      p7dcx->type);
 	    if (before && dest == &(cinfo->contentType)) {
 	        /* at this point, set up the &%$&$ back pointer */
 	        /* we cannot do it later, because the content itself
 		 * is optional! */
 		switch (p7dcx->type) {
 		case SEC_OID_PKCS7_SIGNED_DATA:
 		    p7dcx->content.signedData->cmsg = p7dcx->cmsg;
 		    break;
 		case SEC_OID_PKCS7_DIGESTED_DATA:
 		    p7dcx->content.digestedData->cmsg = p7dcx->cmsg;
 		    break;
 		case SEC_OID_PKCS7_ENVELOPED_DATA:
 		    p7dcx->content.envelopedData->cmsg = p7dcx->cmsg;
 		    break;
 		case SEC_OID_PKCS7_ENCRYPTED_DATA:
 		    p7dcx->content.encryptedData->cmsg = p7dcx->cmsg;
 		    break;
 		default:
 		    p7dcx->content.genericData->cmsg = p7dcx->cmsg;
 		    break;
 		}
 	    }
 	    if (before && dest == &(cinfo->rawContent)) {
 		/* we want the ASN.1 decoder to deliver the decoded bytes to us
 		 ** from now on
 		 */
 		SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
 	                                 nss_cms_decoder_update_filter,
 					 p7dcx, (PRBool)(p7dcx->cb != NULL));
 		/* we're right in front of the data */
 		if (nss_cms_before_data(p7dcx) != SECSuccess) {
 		    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
 		    /* stop all processing */
 		    p7dcx->error = PORT_GetError();
 		}
 	    }
 	    if (after && dest == &(cinfo->rawContent)) {
 		/* we're right after of the data */
 		if (nss_cms_after_data(p7dcx) != SECSuccess)
 		    p7dcx->error = PORT_GetError();
 		/* we don't need to see the contents anymore */
 		SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
 	    }
 	}
     } else {
 	/* unsupported or unknown message type - fail  gracefully */
 	p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE;
     }
 }
 /*
  * nss_cms_before_data - set up the current encoder to receive data
  */
 static SECStatus
 nss_cms_before_data(NSSCMSDecoderContext *p7dcx)
 {
     SECStatus rv;
     SECOidTag childtype;
     PLArenaPool *poolp;
     NSSCMSDecoderContext *childp7dcx;
     NSSCMSContentInfo *cinfo;
     const SEC_ASN1Template *template;
     void *mark = NULL;
     size_t size;
     poolp = p7dcx->cmsg->poolp;
     /* call _Decode_BeforeData handlers */
     switch (p7dcx->type) {
     case SEC_OID_PKCS7_SIGNED_DATA:
 	/* we're decoding a signedData, so set up the digests */
 	rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData);
 	break;
     case SEC_OID_PKCS7_DIGESTED_DATA:
 	/* we're encoding a digestedData, so set up the digest */
 	rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData);
 	break;
     case SEC_OID_PKCS7_ENVELOPED_DATA:
 	rv = NSS_CMSEnvelopedData_Decode_BeforeData(
 	                             p7dcx->content.envelopedData);
 	break;
     case SEC_OID_PKCS7_ENCRYPTED_DATA:
 	rv = NSS_CMSEncryptedData_Decode_BeforeData(
 	                             p7dcx->content.encryptedData);
 	break;
     default:
 	rv = NSS_CMSGenericWrapperData_Decode_BeforeData(p7dcx->type,
 				p7dcx->content.genericData);
     }
     if (rv != SECSuccess)
 	return SECFailure;
     /* ok, now we have a pointer to cinfo */
     /* find out what kind of data is encapsulated */
     cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
     childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
     if (NSS_CMSType_IsData(childtype)) {
 	cinfo->content.pointer = (void *) nss_cms_create_decoder_data(poolp);
 	if (cinfo->content.pointer == NULL)
 	    /* set memory error */
 	    return SECFailure;
 	p7dcx->childp7dcx = NULL;
 	return SECSuccess;
     }
     /* set up inner decoder */
     if ((template = NSS_CMSUtil_GetTemplateByTypeTag(childtype)) == NULL)
 	return SECFailure;
     childp7dcx = PORT_ZNew(NSSCMSDecoderContext);
     if (childp7dcx == NULL)
 	return SECFailure;
     mark = PORT_ArenaMark(poolp);
     /* allocate space for the stuff we're creating */
     size = NSS_CMSUtil_GetSizeByTypeTag(childtype);
     childp7dcx->content.pointer = (void *)PORT_ArenaZAlloc(poolp, size);
     if (childp7dcx->content.pointer == NULL)
 	goto loser;
     /* give the parent a copy of the pointer so that it doesn't get lost */
     cinfo->content.pointer = childp7dcx->content.pointer;
     /* start the child decoder */
     childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer,
                                            template);
     if (childp7dcx->dcx == NULL)
 	goto loser;
     /* the new decoder needs to notify, too */
     SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify,
                                  childp7dcx);
     /* tell the parent decoder that it needs to feed us the content data */
     p7dcx->childp7dcx = childp7dcx;
     childp7dcx->type = childtype;	/* our type */
     childp7dcx->cmsg = p7dcx->cmsg;	/* backpointer to root message */
     /* should the child decoder encounter real data,
     ** it must give it to the caller
     */
     childp7dcx->cb = p7dcx->cb;
     childp7dcx->cb_arg = p7dcx->cb_arg;
     childp7dcx->first_decoded = PR_FALSE;
     childp7dcx->need_indefinite_finish = PR_FALSE;
     if (childtype == SEC_OID_PKCS7_SIGNED_DATA) {
 	childp7dcx->first_decoded = PR_TRUE;
     }
     /* now set up the parent to hand decoded data to the next level decoder */
     p7dcx->cb = (NSSCMSContentCallback)NSS_CMSDecoder_Update;
     p7dcx->cb_arg = childp7dcx;
     PORT_ArenaUnmark(poolp, mark);
     return SECSuccess;
 loser:
     if (mark)
 	PORT_ArenaRelease(poolp, mark);
     if (childp7dcx)
 	PORT_Free(childp7dcx);
     p7dcx->childp7dcx = NULL;
     return SECFailure;
 }
 static SECStatus
 nss_cms_after_data(NSSCMSDecoderContext *p7dcx)
 {
     NSSCMSDecoderContext *childp7dcx;
     SECStatus rv = SECFailure;
     /* Handle last block. This is necessary to flush out the last bytes
      * of a possibly incomplete block */
     nss_cms_decoder_work_data(p7dcx, NULL, 0, PR_TRUE);
     /* finish any "inner" decoders - there's no more data coming... */
     if (p7dcx->childp7dcx != NULL) {
 	childp7dcx = p7dcx->childp7dcx;
 	if (childp7dcx->dcx != NULL) {
 	    /* we started and indefinite sequence somewhere, not complete it */
 	    if (childp7dcx->need_indefinite_finish) {
 		static const char lbuf[2] = { 0, 0 };
 		NSS_CMSDecoder_Update(childp7dcx, lbuf, sizeof(lbuf));
 		childp7dcx->need_indefinite_finish = PR_FALSE;
 	    }
 	    if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) {
 		/* do what? free content? */
 		rv = SECFailure;
 	    } else {
 		rv = nss_cms_after_end(childp7dcx);
 	    }
 	    if (rv != SECSuccess)
 		goto done;
 	}
 	PORT_Free(p7dcx->childp7dcx);
 	p7dcx->childp7dcx = NULL;
     }
     switch (p7dcx->type) {
     case SEC_OID_PKCS7_SIGNED_DATA:
 	/* this will finish the digests and verify */
 	rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData);
 	break;
     case SEC_OID_PKCS7_ENVELOPED_DATA:
 	rv = NSS_CMSEnvelopedData_Decode_AfterData(
 	                            p7dcx->content.envelopedData);
 	break;
     case SEC_OID_PKCS7_DIGESTED_DATA:
 	rv = NSS_CMSDigestedData_Decode_AfterData(
 	                           p7dcx->content.digestedData);
 	break;
     case SEC_OID_PKCS7_ENCRYPTED_DATA:
 	rv = NSS_CMSEncryptedData_Decode_AfterData(
 	                            p7dcx->content.encryptedData);
 	break;
     case SEC_OID_PKCS7_DATA:
 	/* do nothing */
 	break;
     default:
 	rv = NSS_CMSGenericWrapperData_Decode_AfterData(p7dcx->type,
 	                            p7dcx->content.genericData);
 	break;
     }
 done:
     return rv;
 }
 static SECStatus
 nss_cms_after_end(NSSCMSDecoderContext *p7dcx)
 {
     SECStatus rv = SECSuccess;
     switch (p7dcx->type) {
     case SEC_OID_PKCS7_SIGNED_DATA:
 	if (p7dcx->content.signedData)
 	    rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData);
 	break;
     case SEC_OID_PKCS7_ENVELOPED_DATA:
 	if (p7dcx->content.envelopedData)
 	    rv = NSS_CMSEnvelopedData_Decode_AfterEnd(
 	                               p7dcx->content.envelopedData);
 	break;
     case SEC_OID_PKCS7_DIGESTED_DATA:
 	if (p7dcx->content.digestedData)
 	    rv = NSS_CMSDigestedData_Decode_AfterEnd(
 	                              p7dcx->content.digestedData);
 	break;
     case SEC_OID_PKCS7_ENCRYPTED_DATA:
 	if (p7dcx->content.encryptedData)
 	    rv = NSS_CMSEncryptedData_Decode_AfterEnd(
 	                               p7dcx->content.encryptedData);
 	break;
     case SEC_OID_PKCS7_DATA:
 	break;
     default:
 	rv = NSS_CMSGenericWrapperData_Decode_AfterEnd(p7dcx->type,
 	                               p7dcx->content.genericData);
 	break;
     }
     return rv;
 }
 /*
  * nss_cms_decoder_work_data - handle decoded data bytes.
  *
  * This function either decrypts the data if needed, and/or calculates digests
  * on it, then either stores it or passes it on to the next level decoder.
  */
 static void
 nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
 			     const unsigned char *data, unsigned long len,
 			     PRBool final)
 {
     NSSCMSContentInfo *cinfo;
     unsigned char *buf = NULL;
     unsigned char *dest;
     unsigned int offset;
     SECStatus rv;
     /*
      * We should really have data to process, or we should be trying
      * to finish/flush the last block.  (This is an overly paranoid
      * check since all callers are in this file and simple inspection
      * proves they do it right.  But it could find a bug in future
      * modifications/development, that is why it is here.)
      */
     PORT_Assert ((data != NULL && len) || final);
     cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
     if (!cinfo) {
 	/* The original programmer didn't expect this to happen */
 	p7dcx->error = SEC_ERROR_LIBRARY_FAILURE;
 	goto loser;
     }
     if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) {
 	/*
 	 * we are decrypting.
 	 *
 	 * XXX If we get an error, we do not want to do the digest or callback,
 	 * but we want to keep decoding.  Or maybe we want to stop decoding
 	 * altogether if there is a callback, because obviously we are not
 	 * sending the data back and they want to know that.
 	 */
 	unsigned int outlen = 0;	/* length of decrypted data */
 	unsigned int buflen;		/* length available for decrypted data */
 	/* find out about the length of decrypted data */
 	buflen = NSS_CMSCipherContext_DecryptLength(cinfo->privateInfo->ciphcx, len, final);
 	/*
 	 * it might happen that we did not provide enough data for a full
 	 * block (decryption unit), and that there is no output available
 	 */
 	/* no output available, AND no input? */
 	if (buflen == 0 && len == 0)
 	    goto loser;	/* bail out */
 	/*
 	 * have inner decoder: pass the data on (means inner content type is NOT data)
 	 * no inner decoder: we have DATA in here: either call callback or store
 	 */
 	if (buflen != 0) {
 	    /* there will be some output - need to make room for it */
 	    /* allocate buffer from the heap */
 	    buf = (unsigned char *)PORT_Alloc(buflen);
 	    if (buf == NULL) {
 		p7dcx->error = SEC_ERROR_NO_MEMORY;
 		goto loser;
 	    }
 	}
 	/*
 	 * decrypt incoming data
 	 * buf can still be NULL here (and buflen == 0) here if we don't expect
 	 * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to
 	 * keep track of incoming data
 	 */
 	rv = NSS_CMSCipherContext_Decrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen,
 			       data, len, final);
 	if (rv != SECSuccess) {
 	    p7dcx->error = PORT_GetError();
 	    goto loser;
 	}
 	PORT_Assert (final || outlen == buflen);
 	/* swap decrypted data in */
 	data = buf;
 	len = outlen;
     }
     if (len == 0)
 	goto done;		/* nothing more to do */
     /*
      * Update the running digests with plaintext bytes (if we need to).
      */
     if (cinfo->privateInfo && cinfo->privateInfo->digcx)
 	NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len);
     /* at this point, we have the plain decoded & decrypted data
     ** which is either more encoded DER (which we need to hand to the child
     ** decoder) or data we need to hand back to our caller
     */
     /* pass the content back to our caller or */
     /* feed our freshly decrypted and decoded data into child decoder */
     if (p7dcx->cb != NULL) {
 	(*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len);
     }
 #if 1
     else
 #endif
     if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) {
 	/* store it in "inner" data item as well */
 	/* find the DATA item in the encapsulated cinfo and store it there */
 	NSSCMSDecoderData *decoderData =
 				(NSSCMSDecoderData *)cinfo->content.pointer;
 	SECItem *dataItem = &decoderData->data;
 	offset = dataItem->len;
 	if (dataItem->len+len > decoderData->totalBufferSize) {
 	    int needLen = (dataItem->len+len) * 2;
 	    dest = (unsigned char *)
 				PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen);
 	    if (dest == NULL) {
 		p7dcx->error = SEC_ERROR_NO_MEMORY;
 		goto loser;
 	    }
 	    if (dataItem->len) {
 		PORT_Memcpy(dest, dataItem->data, dataItem->len);
 	    }
 	    decoderData->totalBufferSize = needLen;
 	    dataItem->data = dest;
 	}
 	/* copy it in */
 	PORT_Memcpy(dataItem->data + offset, data, len);
 	dataItem->len += len;
     }
 done:
 loser:
     if (buf)
 	PORT_Free (buf);
 }
 /*
  * nss_cms_decoder_update_filter - process ASN.1 data
  *
  * once we have set up a filter in nss_cms_decoder_notify(),
  * all data processed by the ASN.1 decoder is also passed through here.
  * we pass the content bytes (as opposed to length and tag bytes) on to
  * nss_cms_decoder_work_data().
  */
 static void
 nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len,
 			  int depth, SEC_ASN1EncodingPart data_kind)
 {
     NSSCMSDecoderContext *p7dcx;
     PORT_Assert (len);	/* paranoia */
     if (len == 0)
 	return;
     p7dcx = (NSSCMSDecoderContext*)arg;
     p7dcx->saw_contents = PR_TRUE;
     /* pass on the content bytes only */
     if (data_kind == SEC_ASN1_Contents)
 	nss_cms_decoder_work_data(p7dcx, (const unsigned char *) data, len,
 	                          PR_FALSE);
 }
 /*
  * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
  *
  * "poolp" - pointer to arena for message, or NULL if new pool should be created
  * "cb", "cb_arg" - callback function and argument for delivery of inner content
  * "pwfn", pwfn_arg" - callback function for getting token password
  * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
  */
 NSSCMSDecoderContext *
 NSS_CMSDecoder_Start(PLArenaPool *poolp,
 		      NSSCMSContentCallback cb, void *cb_arg,
 		      PK11PasswordFunc pwfn, void *pwfn_arg,
 		      NSSCMSGetDecryptKeyCallback decrypt_key_cb,
 		      void *decrypt_key_cb_arg)
 {
     NSSCMSDecoderContext *p7dcx;
     NSSCMSMessage *cmsg;
     cmsg = NSS_CMSMessage_Create(poolp);
     if (cmsg == NULL)
 	return NULL;
     NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb,
                                      decrypt_key_cb_arg, NULL, NULL);
     p7dcx = PORT_ZNew(NSSCMSDecoderContext);
     if (p7dcx == NULL) {
 	NSS_CMSMessage_Destroy(cmsg);
 	return NULL;
     }
     p7dcx->dcx = SEC_ASN1DecoderStart(cmsg->poolp, cmsg, NSSCMSMessageTemplate);
     if (p7dcx->dcx == NULL) {
 	PORT_Free (p7dcx);
 	NSS_CMSMessage_Destroy(cmsg);
 	return NULL;
     }
     SEC_ASN1DecoderSetNotifyProc (p7dcx->dcx, nss_cms_decoder_notify, p7dcx);
     p7dcx->cmsg = cmsg;
     p7dcx->type = SEC_OID_UNKNOWN;
     p7dcx->cb = cb;
     p7dcx->cb_arg = cb_arg;
     p7dcx->first_decoded = PR_FALSE;
     p7dcx->need_indefinite_finish = PR_FALSE;
     return p7dcx;
 }
 /*
  * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
  */
 SECStatus
 NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf,
                       unsigned long len)
 {
     SECStatus rv = SECSuccess;
     if (p7dcx->dcx != NULL && p7dcx->error == 0) {
     	/* if error is set already, don't bother */
 	if ((p7dcx->type == SEC_OID_PKCS7_SIGNED_DATA)
 		&& (p7dcx->first_decoded==PR_TRUE)
 		&& (buf[0] == SEC_ASN1_INTEGER)) {
 	    /* Microsoft Windows 2008 left out the Sequence wrapping in some
 	     * of their kerberos replies. If we are here, we most likely are
 	     * dealing with one of those replies. Supply the Sequence wrap
 	     * as indefinite encoding (since we don't know the total length
 	     * yet) */
 	     static const char lbuf[2] =
 		{ SEC_ASN1_SEQUENCE|SEC_ASN1_CONSTRUCTED, 0x80 };
 	     rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, lbuf, sizeof(lbuf));
 	     if (rv != SECSuccess) {
 		goto loser;
 	    }
 	    /* ok, we're going to need the indefinite finish when we are done */
 	    p7dcx->need_indefinite_finish = PR_TRUE;
 	}
 	rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, buf, len);
     }
 loser:
     p7dcx->first_decoded = PR_FALSE;
     if (rv != SECSuccess) {
 	p7dcx->error = PORT_GetError();
 	PORT_Assert (p7dcx->error);
 	if (p7dcx->error == 0)
 	    p7dcx->error = -1;
     }
     if (p7dcx->error == 0)
 	return SECSuccess;
     /* there has been a problem, let's finish the decoder */
     if (p7dcx->dcx != NULL) {
 	(void) SEC_ASN1DecoderFinish (p7dcx->dcx);
 	p7dcx->dcx = NULL;
     }
     PORT_SetError (p7dcx->error);
     return SECFailure;
 }
 /*
  * NSS_CMSDecoder_Cancel - stop decoding in case of error
  */
 void
 NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx)
 {
     if (p7dcx->dcx != NULL)
 	(void)SEC_ASN1DecoderFinish(p7dcx->dcx);
     NSS_CMSMessage_Destroy(p7dcx->cmsg);
     PORT_Free(p7dcx);
 }
 /*
  * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
  */
 NSSCMSMessage *
 NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx)
 {
     NSSCMSMessage *cmsg;
     cmsg = p7dcx->cmsg;
     if (p7dcx->dcx == NULL ||
         SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess ||
 	nss_cms_after_end(p7dcx) != SECSuccess)
     {
 	NSS_CMSMessage_Destroy(cmsg);	/* get rid of pool if it's ours */
 	cmsg = NULL;
     }
     PORT_Free(p7dcx);
     return cmsg;
 }
 NSSCMSMessage *
 NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
 		    NSSCMSContentCallback cb, void *cb_arg,
 		    PK11PasswordFunc pwfn, void *pwfn_arg,
 		    NSSCMSGetDecryptKeyCallback decrypt_key_cb,
 		    void *decrypt_key_cb_arg)
 {
     NSSCMSDecoderContext *p7dcx;
     /* first arg(poolp) == NULL => create our own pool */
     p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg,
                                  decrypt_key_cb, decrypt_key_cb_arg);
     if (p7dcx == NULL)
 	return NULL;
     NSS_CMSDecoder_Update(p7dcx, (char *)DERmessage->data, DERmessage->len);
     return NSS_CMSDecoder_Finish(p7dcx);
 }

The Tor Browser / annotate

security/nss/lib/smime/cmsdecode.c@b8a032363ba2 (annotated)

security/nss/lib/smime/cmsdecode.c