From 28dafd0a0132b8b1db1e17187831a89e4b144d00 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Fri, 6 Sep 2019 13:47:16 -0400 Subject: [PATCH] Issue 50588 - Address tokenname issues impacting FIPS Description: Always get the slot by calling: PK11_GetInternalKeySlot() instead of by: PK11_FindSlotByName(). relates: https://pagure.io/389-ds-base/issue/50588 Reviewed by: ? --- VERSION.sh | 4 +- admserv/cgi-src40/sec-activate.c | 6 +-- admserv/cgi-src40/security.c | 77 +++++++++++--------------------- admserv/cgi-src40/statpingserv.c | 2 +- lib/libadmin/httpcon.c | 2 +- mod_restartd/mod_restartd-2.2.c | 10 ++--- 6 files changed, 37 insertions(+), 64 deletions(-) diff --git a/VERSION.sh b/VERSION.sh index 1975cdd..8e93afd 100644 --- a/VERSION.sh +++ b/VERSION.sh @@ -6,12 +6,12 @@ brand=389 capbrand=389 # vendor is the properly formatted vendor/manufacturer name that appears to end users vendor="389 Project" -vendorurl=http://port389.org +vendorurl=https://www.port389.org # PACKAGE_VERSION is constructed from these VERSION_MAJOR=1 VERSION_MINOR=1 -VERSION_MAINT=46 +VERSION_MAINT=47 # if this is a PRERELEASE, set VERSION_PREREL # otherwise, comment it out # be sure to include the dot prefix in the prerel diff --git a/admserv/cgi-src40/sec-activate.c b/admserv/cgi-src40/sec-activate.c index 08568ca..d6fe208 100644 --- a/admserv/cgi-src40/sec-activate.c +++ b/admserv/cgi-src40/sec-activate.c @@ -43,9 +43,9 @@ extern "C" { #include "pk11func.h" #include "cert.h" -#include "key.h" +#include "keyhi.h" #include "certdb.h" -#include "keyt.h" +#include "keythi.h" #include "secport.h" #include "libadminutil/distadm.h" #include "libadminutil/admutil.h" @@ -152,7 +152,7 @@ static char * get_cgi_var_must(char * var, char * x, char * y) { void get_family_input(family_input **family_head) { - family_input *family_ptr; + family_input *family_ptr = NULL; char *list_of_families; char *family_name; char *temp; 
diff --git a/admserv/cgi-src40/security.c b/admserv/cgi-src40/security.c index 2d7f38d..ba2147b 100644 --- a/admserv/cgi-src40/security.c +++ b/admserv/cgi-src40/security.c @@ -37,7 +37,7 @@ extern "C" { #include "cert.h" #include "certdb.h" #include "certt.h" -#include "key.h" +#include "keyhi.h" #include "secport.h" #include "secder.h" #include "plstr.h" @@ -885,7 +885,7 @@ static CERTCertificate *findCertByFingerprint(char *fingerprint) { /* * Llist all the certificate under the specified token */ -static void listCert(char* tokenName) { +static void listCert() { /* int expired = 0; */ CERTCertList *certList; @@ -893,14 +893,9 @@ static void listCert(char* tokenName) { PK11SlotInfo *slot = NULL; PK11SlotInfo *internal_slot; char *internalTokenName; + char* tokenName; - if (tokenName && (!strcasecmp(tokenName, "internal") || - !strcasecmp(tokenName, "internal (software)"))) { - slot = PK11_GetInternalKeySlot(); - } else { - slot = PK11_FindSlotByName(tokenName); - } - + slot = PK11_GetInternalKeySlot(); if (!slot) { errorRpt(GENERAL_FAILURE, getResourceString(DBT_TOKEN_NAME)); return; @@ -915,7 +910,7 @@ static void listCert(char* tokenName) { return; } } - + tokenName = PK11_GetTokenName(slot); internalTokenName = PK11_GetTokenName(internal_slot); if (PK11_NeedUserInit(internal_slot) == PR_TRUE) { @@ -1079,8 +1074,8 @@ generateCertificateRequest(SECKEYPrivateKey* privateKey, SECKEYPublicKey* pubKey CERTSubjectPublicKeyInfo* keyInfo = NULL; CERTCertificateRequest* request = NULL; PRArenaPool *arena = NULL; - PRBool error = PR_FALSE; - char *line; + PRBool error = PR_FALSE; + char *line = NULL; char *sSignAlgo = NULL; int signAlgo = 0; /*DebugBreak();*/ 
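Review bot: The comment above `listCert` still says the certificates are listed "under the specified token" (and carries the typo "Llist"), although the function no longer takes a token name; it should read something like `/* List all the certificates on the internal key slot */`. The new definition `static void listCert() {` also uses empty parentheses, which in C leaves the parameters unspecified rather than declaring none, so a stale call that still passes a token name would not be diagnosed; `static void listCert(void) {` is safer. The same applies to `static void generateCSR() {` in a later hunk. The body of listCert continues outside this hunk.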
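Review bot: After `slot = PK11_GetInternalKeySlot();` the function holds `slot` next to the existing `internal_slot`, and the following hunk reads a token name from each of them. How `internal_slot` is obtained is not visible here, but if it also comes from the internal key slot, the two handles and the two names are always the same and any comparison between them further down is dead code. Consider dropping one of the pair, or at least add a comment such as `/* slot is always the internal key slot; the request's tokenname is no longer consulted */`. Each PK11_GetInternalKeySlot() call returns a slot reference, so the exit paths outside the hunk should be checked for a matching PK11_FreeSlot().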
@@ -1173,7 +1168,7 @@ generateCertificateRequest(SECKEYPrivateKey* privateKey, SECKEYPublicKey* pubKey /* Generate an RSA key pair */ static SECKEYPrivateKey* -generateKey(SECKEYPublicKey** publicKey, char* tokenName) +generateKey(SECKEYPublicKey** publicKey) { SECKEYPrivateKey* privateKey = NULL; PK11RSAGenParams params; @@ -1194,10 +1189,7 @@ generateKey(SECKEYPublicKey** publicKey, char* tokenName) /* will use this method if HCL can't provide a good random number generator */ PK11_RandomUpdate(rand_buffer, TOTAL_BITS); - /*slot = PK11_GetInternalKeySlot();*/ - /*DebugBreak();*/ - - slot = PK11_FindSlotByName(tokenName); + slot = PK11_GetInternalKeySlot(); if (slot == NULL) { goto loser; } @@ -1242,7 +1234,7 @@ generateKey(SECKEYPublicKey** publicKey, char* tokenName) } /* generate an CSR, dn most be provided */ -static void generateCSR(char* tokenName) { +static void generateCSR() { int _new = (get_cgi_var("renewal", NULL, NULL) == NULL); /* need to find dn here */ @@ -1253,7 +1245,7 @@ static void generateCSR(char* tokenName) { /*DebugBreak();*/ /* Generate key pair */ /* to do token here */ - privateKey = generateKey(&publicKey, tokenName); + privateKey = generateKey(&publicKey); /* can be done in place */ unescape_entities(DN); /* e.g. convert " to " */ @@ -1396,13 +1388,12 @@ static void printDERCert(int isCACert) { * Install a server certificate. */ static void -installServerCert(char *tokenName, char *certname) +installServerCert(char *certname) { SECStatus rv; CERTCertificate *cert; CERTCertTrust trust; - PK11SlotInfo *slot = PK11_FindSlotByName(tokenName); - + PK11SlotInfo *slot = PK11_GetInternalKeySlot(); /* need to decode der cert */ char *derCertBase64 = getParameter("dercert",getResourceString(DBT_DER_CERT)); CERTDERCerts *collectArgs = decodeDERCert(derCertBase64); 
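Review bot: With `slot = PK11_GetInternalKeySlot();` the key pair is always generated in the internal key database, and a `tokenname` sent by the client is now dropped without any trace. An administrator who names an external PKCS#11 token in the request would get a private key in the internal store and no indication that the choice was ignored. If that is intended, say so at the call, e.g. `/* keys are always generated on the internal key slot; a tokenname in the request is ignored */`, and consider logging when a different name was supplied. The same silent fallback applies to the slot lookups in installServerCert, installCACert, needInit, initPin and changePassword. generateKey's body continues outside the hunk.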
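Review bot: The result of `PK11SlotInfo *slot = PK11_GetInternalKeySlot();` in installServerCert is not checked in the visible lines, and the next hunk passes `slot` to PK11_FindKeyByDERCert(). listCert and generateKey both test the slot before using it; unless a check sits between the hunks, add one after the declarations, e.g. `if (!slot) { errorRpt(GENERAL_FAILURE, getResourceString(DBT_NO_SLOT)); return; }`. The function continues outside the hunk, so whether the `bail:` path releases the slot reference cannot be seen here.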
@@ -1450,7 +1441,7 @@ installServerCert(char *tokenName, char *certname) /*check to see if certificate has a matching private key under the key db*/ SECKEYPrivateKey *key = PK11_FindKeyByDERCert(slot, cert, NULL); if (!key) { - PR_snprintf(line, sizeof(line), getResourceString(DBT_NO_PRIVATE_KEY_WHY), tokenName); + PR_snprintf(line, sizeof(line), getResourceString(DBT_NO_PRIVATE_KEY_WHY), ""); rpt_err(INCORRECT_USAGE, getResourceString(DBT_NO_PRIVATE_KEY), line, @@ -1483,10 +1474,10 @@ bail: * Install a CA cert and set its trust */ static void -installCACert(char *tokenName, char *certname) +installCACert(char *certname) { /* need to decode der cert */ - CERTCertificate *cert; + CERTCertificate *cert = NULL; char *derCertBase64 = NULL; CERTDERCerts *collectArgs = NULL; PK11SlotInfo *slot = NULL; @@ -1505,11 +1496,8 @@ installCACert(char *tokenName, char *certname) truststr = getParameter("trust_flag",getResourceString(DBT_TRUST)); trustflag = strtol(truststr, &endptr, 0); - if (tokenName) { - slot = PK11_FindSlotByName(tokenName); - } else { - slot = PK11_GetInternalKeySlot(); - } + slot = PK11_GetInternalKeySlot(); + /* remove leading space in certificate name */ if (certname) { while (isspace(*certname)) ++certname; @@ -1556,11 +1544,6 @@ bail: */ static void needInit() { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); - char *tokenName = get_cgi_var("tokenname", NULL, NULL); - - if (tokenName != NULL) { - slot= PK11_FindSlotByName(tokenName); - } if (slot && (PK11_NeedUserInit(slot) == PR_TRUE)) { /*errorRpt(INCORRECT_USAGE, getResourceString(DBT_INVALID_CONFIRM_PWD));*/ @@ -1575,11 +1558,6 @@ static void needInit() { */ static void initPin(char* keypwd, char* confirm) { PK11SlotInfo *slot= PK11_GetInternalKeySlot(); - char *tokenName = get_cgi_var("tokenname", NULL, NULL); - - if (tokenName != NULL) { - slot= PK11_FindSlotByName(tokenName); - } /* set password */ if (PORT_Strcmp(keypwd, confirm)) { 
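Review bot: Passing `""` as the argument for DBT_NO_PRIVATE_KEY_WHY leaves the token name out of the error text, so the administrator is not told which token was searched for the matching private key. The slot is still in scope at this point, so the name can be taken from it: `PR_snprintf(line, sizeof(line), getResourceString(DBT_NO_PRIVATE_KEY_WHY), PK11_GetTokenName(slot));`. This assumes the resource string still carries a single string conversion for the token name, which is not visible in the hunk.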
@@ -1956,7 +1934,9 @@ void tokenInfo() { static void moduleOperation(char* op) { const char *binary = "modutil"; /* PATH and LD_LIBRARY_PATH must already be set correctly */ const char *install_dir = LIBDIR; - char *filename, *filetype, *dllname; + char *filename = NULL; + char *filetype = NULL; + char *dllname = NULL; char cmd[BIG_LINE] = ""; char msg[BIG_LINE]; @@ -2051,11 +2031,6 @@ static void moduleOperation(char* op) { static void changePassword(char* oldPwd, char* newPwd, char* confirmPwd) { SECStatus rv; PK11SlotInfo *slot= PK11_GetInternalKeySlot(); - char *tokenName = get_cgi_var("tokenname", NULL, NULL); - - if (tokenName != NULL) { - slot= PK11_FindSlotByName(tokenName); - } if (slot == NULL) { errorRpt(GENERAL_FAILURE, getResourceString(DBT_NO_SLOT)); @@ -2186,7 +2161,7 @@ int main(int argc, char *argv[]) if (!PORT_Strcmp(operation, "LIST_CERTIFICATE")) { /* list cert */ - listCert(getParameter("tokenname",getResourceString(DBT_TOKEN_NAME))); + listCert(); /* fprintf(stdout, "total_cert:%d",num_of_certs++); */ } else if (!PORT_Strcmp(operation, "CHANGE_TRUST")) { @@ -2208,7 +2183,7 @@ int main(int argc, char *argv[]) } else if (!PORT_Strcmp(operation, "GENERATE_CSR")) { /* generate a CSR (certificate signing request) */ - generateCSR(getParameter("tokenname",getResourceString(DBT_TOKEN_NAME))); + generateCSR(); } else if (!PORT_Strcmp(operation, "INSTALL_CERT")) { @@ -2223,12 +2198,10 @@ int main(int argc, char *argv[]) else { /* install a certificate */ char *certName = get_cgi_var("certname", NULL, NULL); - char *tokenName = - getParameter("tokenname",getResourceString(DBT_TOKEN_NAME)); if (isCACert) { - installCACert(tokenName, certName); + installCACert(certName); } else { - installServerCert(tokenName, certName); + installServerCert(certName); } } diff --git a/admserv/cgi-src40/statpingserv.c b/admserv/cgi-src40/statpingserv.c index 3fc5616..350a238 100644 --- a/admserv/cgi-src40/statpingserv.c +++ b/admserv/cgi-src40/statpingserv.c 
@@ -42,7 +42,7 @@ extern "C" { #include "libadmsslutil/certmgt.h" #include "libadmsslutil/psetcssl.h" #include "libadmsslutil/admsslutil.h" -#include "key.h" +#include "keyhi.h" #include "cert.h" #include "secport.h" #include "secmod.h" diff --git a/lib/libadmin/httpcon.c b/lib/libadmin/httpcon.c index 24a39e1..d474c41 100644 --- a/lib/libadmin/httpcon.c +++ b/lib/libadmin/httpcon.c @@ -31,7 +31,7 @@ /* Removed for new ns security #include "sec.h" */ -#include +#include #include #include #include diff --git a/mod_restartd/mod_restartd-2.2.c b/mod_restartd/mod_restartd-2.2.c index e2949cc..4836d88 100644 --- a/mod_restartd/mod_restartd-2.2.c +++ b/mod_restartd/mod_restartd-2.2.c @@ -688,17 +688,17 @@ static int cgid_server(void *data) while (!daemon_should_exit) { int errfileno = STDERR_FILENO; - char *argv0; - char **env; - const char * const *argv; + char *argv0 = NULL; + char **env = NULL; + const char * const *argv = NULL; apr_int32_t in_pipe; apr_int32_t out_pipe; apr_int32_t err_pipe; apr_cmdtype_e cmd_type; - request_rec *r; + request_rec *r = NULL; apr_procattr_t *procattr = NULL; apr_proc_t *procnew = NULL; - apr_file_t *inout; + apr_file_t *inout = NULL; cgid_req_t cgid_req; apr_status_t stat; -- 2.21.0