Issue #1746 - Revert "Update to NSS 3.59.1.1"

1 files changed, 47 insertions, 75 deletions

diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
index 2540a544c5..aa3d6778c8 100644
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -217,56 +217,6 @@ const SEC_ASN1Template hashParameterTemplate[] =
     };
 
 /*
- * Get just the encryption algorithm from the signature algorithm
- */
-SECOidTag
-sec_GetEncAlgFromSigAlg(SECOidTag sigAlg)
-{
-    /* get the "encryption" algorithm */
-    switch (sigAlg) {
-        case SEC_OID_PKCS1_RSA_ENCRYPTION:
-        case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
-        case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
-        case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
-        case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
-        case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
-        case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
-        case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
-        case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
-        case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
-            return SEC_OID_PKCS1_RSA_ENCRYPTION;
-        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
-            return SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
-
-        /* what about normal DSA? */
-        case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-        case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
-        case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
-        case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
-            return SEC_OID_ANSIX9_DSA_SIGNATURE;
-        case SEC_OID_MISSI_DSS:
-        case SEC_OID_MISSI_KEA_DSS:
-        case SEC_OID_MISSI_KEA_DSS_OLD:
-        case SEC_OID_MISSI_DSS_OLD:
-            return SEC_OID_MISSI_DSS;
-        case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
-        case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
-        case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
-        case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
-        case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
-        case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
-        case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
-            return SEC_OID_ANSIX962_EC_PUBLIC_KEY;
-        /* we don't implement MD4 hashes */
-        case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
-        default:
-            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-            break;
-    }
-    return SEC_OID_UNKNOWN;
-}
-
-/*
  * Pulls the hash algorithm, signing algorithm, and key type out of a
  * composite algorithm.
  *
@@ -279,16 +229,15 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg)
  */
 SECStatus
 sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
-                 const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
+                 const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
 {
     int len;
     PLArenaPool *arena;
     SECStatus rv;
     SECItem oid;
-    SECOidTag encalg;
 
     PR_ASSERT(hashalg != NULL);
-    PR_ASSERT(encalgp != NULL);
+    PR_ASSERT(encalg != NULL);
 
     switch (sigAlg) {
         /* We probably shouldn't be generating MD2 signatures either */
@@ -405,13 +354,52 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
             return SECFailure;
     }
+    /* get the "encryption" algorithm */
+    switch (sigAlg) {
+        case SEC_OID_PKCS1_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+        case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
+        case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
+        case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+            *encalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
+            break;
+        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+            *encalg = SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
+            break;
 
-    encalg = sec_GetEncAlgFromSigAlg(sigAlg);
-    if (encalg == SEC_OID_UNKNOWN) {
-        return SECFailure;
+        /* what about normal DSA? */
+        case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+        case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+        case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
+        case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
+            *encalg = SEC_OID_ANSIX9_DSA_SIGNATURE;
+            break;
+        case SEC_OID_MISSI_DSS:
+        case SEC_OID_MISSI_KEA_DSS:
+        case SEC_OID_MISSI_KEA_DSS_OLD:
+        case SEC_OID_MISSI_DSS_OLD:
+            *encalg = SEC_OID_MISSI_DSS;
+            break;
+        case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
+        case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
+            *encalg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
+            break;
+        /* we don't implement MD4 hashes */
+        case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+            return SECFailure;
     }
-    *encalgp = encalg;
-
     return SECSuccess;
 }
 
@@ -435,7 +423,6 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
     SECStatus rv;
     unsigned int sigLen;
     KeyType type;
-    PRUint32 policyFlags;
 
     /* make sure the encryption algorithm matches the key type */
     /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
@@ -446,13 +433,6 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
         return NULL;
     }
 
-    /* check the policy on the encryption algorithm */
-    if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
-        !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
-        PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
-        return NULL;
-    }
-
     cx = (VFYContext *)PORT_ZAlloc(sizeof(VFYContext));
     if (cx == NULL) {
         goto loser;
@@ -513,14 +493,6 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
         /* error set by HASH_GetHashTypeByOidTag */
         goto loser;
     }
-    /* check the policy on the hash algorithm. Do this after
-     * the rsa decode because some uses of this function get hash implicitly
-     * from the RSA signature itself. */
-    if ((NSS_GetAlgorithmPolicy(cx->hashAlg, &policyFlags) == SECFailure) ||
-        !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
-        PORT_SetError(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
-        goto loser;
-    }
 
     if (hash) {
         *hash = cx->hashAlg;
@@ -716,10 +688,10 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
                                                 &cx->pkcs1RSADigestInfoLen,
                                                 cx->key,
                                                 sig, cx->wincx);
+                    PORT_Assert(cx->hashAlg == hashid);
                     if (rv != SECSuccess) {
                         return SECFailure;
                     }
-                    PORT_Assert(cx->hashAlg == hashid);
                 }
                 return verifyPKCS1DigestInfo(cx, &digest);
             }