From 09200f4333c832293283d1cb35c9bb6f81d35748 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Jun 25 2020 21:25:25 +0000 Subject: Check for NSS_Shutdown and context failures and exit This is not likely since a successful Init/Shutdown combination just happened but safety first. --- diff --git a/src/certread-n.c b/src/certread-n.c index bb61b61..3ce7ec0 100644 --- a/src/certread-n.c +++ b/src/certread-n.c @@ -158,11 +158,18 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, _exit(status); } /* Re-open the database with modules enabled */ - NSS_ShutdownContext(ctx); + if (NSS_ShutdownContext(ctx) != SECSuccess) { + cm_log(0, "Error shutting down NSS.\n"); + _exit(1); + } ctx = NSS_InitContext(entry->cm_cert_storage_location, NULL, NULL, NULL, NULL, (readwrite ? 0 : NSS_INIT_READONLY) | NSS_INIT_NOROOTINIT); + if (ctx == NULL) { + cm_log(0, "Unable to initialize NSS.\n"); + _exit(1); + } es = util_n_fips_hook(); if (es != NULL) { cm_log(1, "Error putting NSS into FIPS mode: %s\n", es); diff --git a/src/certsave-n.c b/src/certsave-n.c index eda03b3..3518def 100644 --- a/src/certsave-n.c +++ b/src/certsave-n.c @@ -186,11 +186,18 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, } else { /* We don't try to force FIPS mode here, as it seems to get in * the way of saving the certificate. */ - NSS_ShutdownContext(ctx); + if (NSS_ShutdownContext(ctx) != SECSuccess) { + cm_log(0, "Error shutting down NSS.\n"); + _exit(1); + } ctx = NSS_InitContext(entry->cm_cert_storage_location, NULL, NULL, NULL, NULL, (readwrite ? 0 : NSS_INIT_READONLY) | NSS_INIT_NOROOTINIT); + if (ctx == NULL) { + cm_log(0, "Unable to initialize NSS.\n"); + _exit(1); + } /* Allocate a memory pool. */ arena = PORT_NewArena(sizeof(double)); diff --git a/src/keygen-n.c b/src/keygen-n.c index e921d7e..6832cb6 100644 --- a/src/keygen-n.c +++ b/src/keygen-n.c @@ -226,11 +226,18 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, break; } } - NSS_ShutdownContext(ctx); + if (NSS_ShutdownContext(ctx) != SECSuccess) { + cm_log(0, "Error shutting down NSS.\n"); + _exit(1); + } ctx = NSS_InitContext(entry->cm_key_storage_location, NULL, NULL, NULL, NULL, (readwrite ? 0 : NSS_INIT_READONLY) | NSS_INIT_NOROOTINIT); + if (ctx == NULL) { + cm_log(0, "Unable to initialize NSS.\n"); + _exit(1); + } reason = util_n_fips_hook(); if (reason != NULL) { cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason); diff --git a/src/keyiread-n.c b/src/keyiread-n.c index dc1c609..b8bf353 100644 --- a/src/keyiread-n.c +++ b/src/keyiread-n.c @@ -115,11 +115,18 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite) break; } } - NSS_ShutdownContext(ctx); + if (NSS_ShutdownContext(ctx) != SECSuccess) { + cm_log(0, "Error shutting down NSS.\n"); + _exit(1); + } ctx = NSS_InitContext(entry->cm_key_storage_location, NULL, NULL, NULL, NULL, (readwrite ? 0 : NSS_INIT_READONLY) | NSS_INIT_NOROOTINIT); + if (ctx == NULL) { + cm_log(0, "Unable to initialize NSS.\n"); + _exit(1); + } reason = util_n_fips_hook(); if (reason != NULL) { cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason); diff --git a/src/scepgen-n.c b/src/scepgen-n.c index ce73c31..440f332 100644 --- a/src/scepgen-n.c +++ b/src/scepgen-n.c @@ -183,11 +183,18 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, break; } } - NSS_ShutdownContext(ctx); + if (NSS_ShutdownContext(ctx) != SECSuccess) { + cm_log(0, "Error shutting down NSS.\n"); + _exit(1); + } ctx = NSS_InitContext(entry->cm_key_storage_location, NULL, NULL, NULL, NULL, NSS_INIT_READONLY | NSS_INIT_NOROOTINIT); + if (ctx == NULL) { + cm_log(0, "Unable to initialize NSS.\n"); + _exit(1); + } reason = util_n_fips_hook(); if (reason != NULL) { cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason); diff --git a/src/submit-n.c b/src/submit-n.c index f27b9c7..98fc7c5 100644 --- a/src/submit-n.c +++ b/src/submit-n.c @@ -317,11 +317,18 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope, } goto done; } - NSS_ShutdownContext(ctx); + if (NSS_ShutdownContext(ctx) != SECSuccess) { + cm_log(0, "Error shutting down NSS.\n"); + _exit(1); + } ctx = NSS_InitContext(args->entry->cm_key_storage_location, NULL, NULL, NULL, NULL, NSS_INIT_READONLY | NSS_INIT_NOROOTINIT); + if (ctx == NULL) { + cm_log(0, "Unable to initialize NSS.\n"); + _exit(1); + } reason = util_n_fips_hook(); if (reason != NULL) { cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);