/* SSSD NSS crypto wrappers Authors: Sumit Bose Jakub Hrozek Copyright (C) Red Hat, Inc 2010 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include "config.h" #include #include #include "util/util.h" #include "util/crypto/nss/nss_util.h" #include "util/crypto/nss/nss_crypto.h" static int nspr_nss_init_done = 0; int nspr_nss_init(void) { SECStatus sret; /* nothing to do */ if (nspr_nss_init_done == 1) return SECSuccess; PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); sret = NSS_NoDB_Init(NULL); if (sret != SECSuccess) { DEBUG(SSSDBG_CRIT_FAILURE, "Error initializing connection to NSS [%d]\n", PR_GetError()); return EIO; } nspr_nss_init_done = 1; return EOK; } int nspr_nss_cleanup(void) { SECStatus sret; /* nothing to do */ if (nspr_nss_init_done == 0) return SECSuccess; sret = NSS_Shutdown(); if (sret != SECSuccess) { DEBUG(SSSDBG_CRIT_FAILURE, "Error shutting down connection to NSS [%d]\n", PR_GetError()); return EIO; } PR_Cleanup(); nspr_nss_init_done = 0; return EOK; } static int sss_nss_crypto_ctx_destructor(struct sss_nss_crypto_ctx *cctx) { if (cctx->ectx) PK11_DestroyContext(cctx->ectx, PR_TRUE); if (cctx->sparam) SECITEM_FreeItem(cctx->sparam, PR_TRUE); if (cctx->slot) PK11_FreeSlot(cctx->slot); if (cctx->keyobj) PK11_FreeSymKey(cctx->keyobj); return EOK; } static int generate_random_key(TALLOC_CTX *mem_ctx, PK11SlotInfo *slot, struct crypto_mech_data *mech_props, SECItem **_key) { SECStatus sret; SECItem *randkeydata; SECItem *key = NULL; PK11SymKey *randkey; int ret; randkey = PK11_KeyGen(slot, mech_props->cipher, NULL, mech_props->keylen, NULL); if (randkey == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Failure to generate key (err %d)\n", PR_GetError()); ret = EIO; goto done; } sret = PK11_ExtractKeyValue(randkey); if (sret != SECSuccess) { DEBUG(SSSDBG_CRIT_FAILURE, "Failure to extract key value (err %d)\n", PR_GetError()); ret = EIO; goto done; } randkeydata = PK11_GetKeyData(randkey); if (randkeydata == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Failure to get key data (err %d)\n", PR_GetError()); ret = EIO; goto done; } /* randkeydata is valid until randkey is. Copy with talloc to * get a nice memory hierarchy symmetrical in encrypt * and decrypt case */ key = talloc_zero(mem_ctx, SECItem); if (!key) { ret = ENOMEM; goto done; } key->data = talloc_memdup(key, randkeydata->data, randkeydata->len); if (!key->data) { ret = ENOMEM; goto done; } key->len = randkeydata->len; *_key = key; ret = EOK; done: if (ret != EOK) talloc_zfree(key); PK11_FreeSymKey(randkey); return ret; } int nss_ctx_init(TALLOC_CTX *mem_ctx, struct crypto_mech_data *mech_props, uint8_t *key, int keylen, uint8_t *iv, int ivlen, struct sss_nss_crypto_ctx **_cctx) { struct sss_nss_crypto_ctx *cctx; int ret; cctx = talloc_zero(mem_ctx, struct sss_nss_crypto_ctx); if (!cctx) { return ENOMEM; } talloc_set_destructor(cctx, sss_nss_crypto_ctx_destructor); cctx->slot = PK11_GetBestSlot(mech_props->cipher, NULL); if (cctx->slot == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find security device (err %d)\n", PR_GetError()); ret = EIO; goto done; } if (keylen > 0) { cctx->key = talloc(cctx, SECItem); if (cctx->key == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate Key buffer\n"); ret = ENOMEM; goto done; } if (key) { MAKE_SECITEM(key, keylen, cctx->key); } else { ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->key); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Could not generate encryption key\n"); goto done; } } } if (ivlen > 0) { cctx->iv = talloc(cctx, SECItem); if (cctx->iv == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate IV buffer\n"); ret = ENOMEM; goto done; } if (iv) { MAKE_SECITEM(iv, ivlen, cctx->iv); } else { ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->iv); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Could not generate initialization vector\n"); goto done; } } } ret = EOK; *_cctx = cctx; done: if (ret) talloc_zfree(cctx); return ret; } int nss_crypto_init(struct crypto_mech_data *mech_props, enum crypto_mech_op crypto_op, struct sss_nss_crypto_ctx *cctx) { CK_ATTRIBUTE_TYPE op; int ret; switch (crypto_op) { case op_encrypt: op = CKA_ENCRYPT; break; case op_decrypt: op = CKA_DECRYPT; break; case op_sign: op = CKA_SIGN; break; default: return EFAULT; } /* turn the raw key into a key object */ cctx->keyobj = PK11_ImportSymKey(cctx->slot, mech_props->cipher, PK11_OriginUnwrap, op, cctx->key, NULL); if (cctx->keyobj == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Failure to import key into NSS (err %d)\n", PR_GetError()); ret = EIO; goto done; } if (crypto_op == op_encrypt || crypto_op == op_decrypt) { /* turn the raw IV into a initialization vector object */ cctx->sparam = PK11_ParamFromIV(mech_props->cipher, cctx->iv); if (cctx->sparam == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Failure to set up PKCS11 param (err %d)\n", PR_GetError()); ret = EIO; goto done; } } else { cctx->sparam = SECITEM_AllocItem(NULL, NULL, 0); if (cctx->sparam == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Failure to allocate SECItem\n"); ret = EIO; goto done; } MAKE_SECITEM(NULL, 0, cctx->sparam); } /* Create cipher context */ cctx->ectx = PK11_CreateContextBySymKey(mech_props->cipher, op, cctx->keyobj, cctx->sparam); if (cctx->ectx == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create cipher context (err %d)\n", PORT_GetError()); ret = EIO; goto done; } ret = EOK; done: return ret; }