xmlsecurity: check for errors in OCipherContext::Create()

If this function returns null, storing a document will proceed without reporting an error to the user, and lose all the data. Change-Id: I0f9fd53702321e7997b28e12eb5bed3349bbcc13 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/160435 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
author: Michael Stahl <michael.stahl@allotropia.de> 2023-12-07 16:00:17 +0100
committer: Michael Stahl <michael.stahl@allotropia.de> 2023-12-07 21:46:00 +0100
commit: 328b135f0decbab475c16560f4b366559f2d0e66 (patch)
tree: 20f314312a3333549553dfa84b03e522fa5bd755 /xmlsecurity/source/xmlsec
parent: 1c93df52e522f4055fa7b4dd5de3c13fa9dc52d9 (diff)
2 files changed, 42 insertions, 22 deletions
diff --git a/xmlsecurity/source/xmlsec/nss/ciphercontext.cxx b/xmlsecurity/source/xmlsec/nss/ciphercontext.cxx
index 5be6eb26c6d2..bf0a16bfca38 100644
--- a/xmlsecurity/source/xmlsec/nss/ciphercontext.cxx
+++ b/xmlsecurity/source/xmlsec/nss/ciphercontext.cxx
@@ -35,31 +35,50 @@ uno::Reference< xml::crypto::XCipherContext > OCipherContext::Create( CK_MECHANI
     ::rtl::Reference< OCipherContext > xResult = new OCipherContext;
 
     xResult->m_pSlot = PK11_GetBestSlot( nNSSCipherID, nullptr );
-    if ( xResult->m_pSlot )
+    if (!xResult->m_pSlot)
     {
-        SECItem aKeyItem = { siBuffer, const_cast< unsigned char* >( reinterpret_cast< const unsigned char* >( aKey.getConstArray() ) ), sal::static_int_cast<unsigned>( aKey.getLength() ) };
-        xResult->m_pSymKey = PK11_ImportSymKey( xResult->m_pSlot, nNSSCipherID, PK11_OriginDerive, bEncryption ? CKA_ENCRYPT : CKA_DECRYPT, &aKeyItem, nullptr );
-        if ( xResult->m_pSymKey )
-        {
-            SECItem aIVItem = { siBuffer, const_cast< unsigned char* >( reinterpret_cast< const unsigned char* >( aInitializationVector.getConstArray() ) ), sal::static_int_cast<unsigned>( aInitializationVector.getLength() ) };
-            xResult->m_pSecParam = PK11_ParamFromIV( nNSSCipherID, &aIVItem );
-            if ( xResult->m_pSecParam )
-            {
-                xResult->m_pContext = PK11_CreateContextBySymKey( nNSSCipherID, bEncryption ? CKA_ENCRYPT : CKA_DECRYPT, xResult->m_pSymKey, xResult->m_pSecParam);
-                if ( xResult->m_pContext )
-                {
-                    xResult->m_bEncryption = bEncryption;
-                    xResult->m_bW3CPadding = bW3CPadding;
-                    xResult->m_bPadding = bW3CPadding || ( PK11_GetPadMechanism( nNSSCipherID ) == nNSSCipherID );
-                    xResult->m_nBlockSize = PK11_GetBlockSize( nNSSCipherID, xResult->m_pSecParam );
-                    if ( xResult->m_nBlockSize <= SAL_MAX_INT8 )
-                        return xResult;
-                }
-            }
-        }
+        SAL_WARN("xmlsecurity.nss", "PK11_GetBestSlot failed");
+        throw uno::RuntimeException("PK11_GetBestSlot failed");
     }
 
-    return uno::Reference< xml::crypto::XCipherContext >();
+    SECItem aKeyItem = { siBuffer,
+        const_cast<unsigned char*>(reinterpret_cast<const unsigned char*>(aKey.getConstArray())),
+        sal::static_int_cast<unsigned>(aKey.getLength()) };
+    xResult->m_pSymKey = PK11_ImportSymKey(xResult->m_pSlot, nNSSCipherID,
+        PK11_OriginDerive, bEncryption ? CKA_ENCRYPT : CKA_DECRYPT, &aKeyItem, nullptr);
+    if (!xResult->m_pSymKey)
+    {
+        SAL_WARN("xmlsecurity.nss", "PK11_ImportSymKey failed");
+        throw uno::RuntimeException("PK11_ImportSymKey failed");
+    }
+
+    SECItem aIVItem = { siBuffer,
+        const_cast<unsigned char*>(reinterpret_cast<const unsigned char*>(aInitializationVector.getConstArray())),
+        sal::static_int_cast<unsigned>(aInitializationVector.getLength()) };
+    xResult->m_pSecParam = PK11_ParamFromIV(nNSSCipherID, &aIVItem);
+    if (!xResult->m_pSecParam)
+    {
+        SAL_WARN("xmlsecurity.nss", "PK11_ParamFromIV failed");
+        throw uno::RuntimeException("PK11_ParamFromIV failed");
+    }
+
+    xResult->m_pContext = PK11_CreateContextBySymKey( nNSSCipherID, bEncryption ? CKA_ENCRYPT : CKA_DECRYPT, xResult->m_pSymKey, xResult->m_pSecParam);
+    if (!xResult->m_pContext)
+    {
+        SAL_WARN("xmlsecurity.nss", "PK11_CreateContextBySymKey failed");
+        throw uno::RuntimeException("PK11_CreateContextBySymKey failed");
+    }
+
+    xResult->m_bEncryption = bEncryption;
+    xResult->m_bW3CPadding = bW3CPadding;
+    xResult->m_bPadding = bW3CPadding || ( PK11_GetPadMechanism( nNSSCipherID ) == nNSSCipherID );
+    xResult->m_nBlockSize = PK11_GetBlockSize(nNSSCipherID, xResult->m_pSecParam);
+    if (SAL_MAX_INT8 < xResult->m_nBlockSize)
+    {
+        SAL_WARN("xmlsecurity.nss", "PK11_GetBlockSize unexpected result");
+        throw uno::RuntimeException("PK11_GetBlockSize unexpected result");
+    }
+    return xResult;
 }
 
 void OCipherContext::Dispose()
diff --git a/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx b/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
index 69e165c550fc..83a83a9ea551 100644
--- a/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
+++ b/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
@@ -606,6 +606,7 @@ css::uno::Reference< css::xml::crypto::XCipherContext > SAL_CALL ONSSInitializer
             throw css::lang::IllegalArgumentException("Unexpected length of initialization vector.", css::uno::Reference< css::uno::XInterface >(), 3 );
 
         xResult = OCipherContext::Create( nNSSCipherID, aKey, aInitializationVector, bEncryption, bW3CPadding );
+        assert(xResult.is());
     }
 
     return xResult;
author	Michael Stahl <michael.stahl@allotropia.de>	2023-12-07 16:00:17 +0100
committer	Michael Stahl <michael.stahl@allotropia.de>	2023-12-07 21:46:00 +0100
commit	328b135f0decbab475c16560f4b366559f2d0e66 (patch)
tree	20f314312a3333549553dfa84b03e522fa5bd755 /xmlsecurity/source/xmlsec
parent	1c93df52e522f4055fa7b4dd5de3c13fa9dc52d9 (diff)