From e1659487c6e30046481548ce4e72a176277bd7e0 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Mon, 4 Oct 2010 17:30:49 -0400 Subject: [PATCH 039/150] - first cut at pkinit_process_td_dh_params - add initial zero bytes to the oakley groups so that there's no ambiguity that they're unsigned - add some prototypes in anticipation of mozilla's #584224 getting sorted --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 151 ++++++++++++++++++++---- 1 files changed, 129 insertions(+), 22 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 9d7df51..750fe2b 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -51,6 +51,22 @@ #define NULLCX NULL /* FIXME */ #define DEBUG_DER "derdump" +#ifndef FIXME +SECStatus NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *i, PRBool b); +SECStatus NSS_CMSType_RegisterContentType(SECOidTag tag, + const SEC_ASN1Template *, + size_t size, + void *, + void *, + void *, + void *, + void *, + void *, + void *, + void *, + PRBool data); +#endif + /* Forward declarations. */ static krb5_error_code cert_retrieve_cert_sans(krb5_context context, CERTCertificate *cert, 
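Review bot: The hand-written prototypes added under `#ifndef FIXME` are not checked against anything NSS ships, so a mismatch with the eventual upstream declaration would only surface once the real header appears. `NSS_CMSType_RegisterContentType` is declared here with eight unnamed `void *` parameters; if the library expects callback function pointers in those positions, the call goes through an incompatible type, and this needs confirming against the NSS source. `FIXME` does not appear to be defined anywhere in the visible lines, so the guard is effectively always true, and a configure-time check for the declarations would be more robust. I would also add a comment such as `/* Local declarations until NSS exports these (mozilla #584224); drop once the NSS headers provide them. */`.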
@@ -407,6 +423,51 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx) NULL, 0); if ((*plg_cryptoctx)->ncontext != NULL) { + if (NSS_CMSType_RegisterContentType(get_pkinit_data_auth_data_tag(), + SEC_AnyTemplate, + sizeof(SECItem), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + PR_FALSE) != SECSuccess) { + PORT_FreeArena(pool, PR_TRUE); + return ENOMEM; + } + if (NSS_CMSType_RegisterContentType(get_pkinit_data_rkey_data_tag(), + SEC_AnyTemplate, + sizeof(SECItem), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + PR_FALSE) != SECSuccess) { + PORT_FreeArena(pool, PR_TRUE); + return ENOMEM; + } + if (NSS_CMSType_RegisterContentType(get_pkinit_data_dhkey_data_tag(), + SEC_AnyTemplate, + sizeof(SECItem), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + PR_FALSE) != SECSuccess) { + PORT_FreeArena(pool, PR_TRUE); + return ENOMEM; + } return 0; } } @@ -545,6 +606,7 @@ static struct oakley_group { { 1, 768, "Oakley MODP Group 1", + "00" "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" @@ -558,6 +620,7 @@ static struct oakley_group { { 2, 1024, "Oakley MODP Group 2", + "00" "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" @@ -575,6 +638,7 @@ static struct oakley_group { { 5, 1536, "Oakley MODP Group 5", + "00" "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" @@ -596,6 +660,7 @@ static struct oakley_group { { 14, 2048, "Oakley MODP Group 14", + "00" "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" 
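Review bot: In pkinit_init_plg_crypto the three new failure paths free `pool` and return, but nothing visible releases the context just stored in `(*plg_cryptoctx)->ncontext`, and the out-parameter is not reset. If that context came from an NSS init call, it should be shut down before the arena is freed, and `*plg_cryptoctx` should be set to NULL if the structure lives in `pool`; the allocation is above the hunk, so both need confirming. The three registrations differ only in the tag, so a small loop would keep the cleanup in one place. Returning ENOMEM for every registration failure also hides the real cause from whoever debugs it.

```c
/* … unchanged: context creation above … */
        if ((*plg_cryptoctx)->ncontext != NULL) {
            const SECOidTag tags[] = {
                get_pkinit_data_auth_data_tag(),
                get_pkinit_data_rkey_data_tag(),
                get_pkinit_data_dhkey_data_tag(),
            };
            size_t t;

            for (t = 0; t < sizeof(tags) / sizeof(tags[0]); t++) {
                if (NSS_CMSType_RegisterContentType(tags[t],
                                                    SEC_AnyTemplate,
                                                    sizeof(SECItem),
                                                    NULL, NULL, NULL, NULL,
                                                    NULL, NULL, NULL, NULL,
                                                    PR_FALSE) != SECSuccess) {
                    /* TODO: release (*plg_cryptoctx)->ncontext before the pool goes away. */
                    PORT_FreeArena(pool, PR_TRUE);
                    return ENOMEM;
                }
            }
            return 0;
        }
```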
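Review bot: The `"00"` prefix added to the Oakley group 1 prime (and to groups 2, 5, 14, 15 and 16 in the hunks that follow) is explained only in the commit message, so a later reader of the table could take it for a stray byte and strip it. A comment above the table would preserve the intent, for example `/* Each prime starts with a zero byte so it cannot be mistaken for a signed value; do not remove. */`. Each stored prime is now one byte longer than its nominal bit size implies, so any consumer that derives the bit size from the byte length has to skip the leading zero. The table's other users are outside this patch and worth a check.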
@@ -623,6 +688,7 @@ static struct oakley_group { { 15, 3072, "Oakley MODP Group 15", + "00" "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" @@ -660,6 +726,7 @@ static struct oakley_group { { 16, 4096, "Oakley MODP Group 16", + "00" "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" @@ -1895,7 +1962,40 @@ pkinit_process_td_dh_params(krb5_context context, krb5_algorithm_identifier **algId, int *new_dh_size) { - return ENOSYS; + struct domain_parameters params; + SECItem item; + int i, size; + unsigned int j; + unsigned char c; + /* Initial guess is a hard-coded lower bound. */ + *new_dh_size = 512; + for (i = 0; (algId != NULL) && (algId[i] != NULL); i++) { + /* Decode the domain parameters. */ + item.len = algId[i]->parameters.length; + item.data = algId[i]->parameters.data; + if (SEC_ASN1DecodeItem(req_cryptoctx->pool, ¶ms, + domain_parameters_template, + &item) != SECSuccess) { + continue; + } + /* Count the size of the prime. */ + size = 0; + for (j = 0; j < params.p.len; j++) { + c = params.p.data[j]; + if (c != 0) { + size = params.p.len - j - 1; + while (c != 0) { + c >>= 1; + size++; + } + break; + } + } + if (size > *new_dh_size) { + *new_dh_size = size; + } + } + return 0; } krb5_error_code @@ -2453,7 +2553,6 @@ cms_contentinfo_create(krb5_context context, NSSCMSContentInfo *info; PLArenaPool *pool; SECItem plain, encoded; - SECOidData *encapsulated; SECOidTag encapsulated_tag; switch (cms_msg_type) { 
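Review bot: The bit count in pkinit_process_td_dh_params mixes units: `size = params.p.len - j - 1;` is a number of bytes, and the inner loop then adds the bit length of the leading byte to it. A 2048-bit prime (256 bytes, top byte 0xFF) comes out as 255 + 8 = 263, which is under the hard-coded 512 floor, so `*new_dh_size` stays at 512 for every realistic group and the caller may end up retrying with a far weaker size than the peer listed. The line should read `size = (params.p.len - j - 1) * 8;`. `params` is also passed to `SEC_ASN1DecodeItem` uninitialised and reused across iterations, so I would add `memset(&params, 0, sizeof(params));` at the top of the loop body (the page shows the argument as `¶ms`, presumably `&params` mangled in extraction).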
@@ -2490,26 +2589,22 @@ cms_contentinfo_create(krb5_context context, PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } - - encapsulated = SECOID_FindOIDByTag(encapsulated_tag); - if (encapsulated == NULL) { - pkiDebug("%s: internal error looking up tag %d\n", - __FUNCTION__, encapsulated_tag); + if (NSS_CMSContentInfo_SetDontStream(info, PR_TRUE) != SECSuccess) { + pkiDebug("%s: error turning off streaming\n", __FUNCTION__); PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } - if (NSS_CMSContentInfo_SetContent(msg, info, - encapsulated_tag, - NULL) != SECSuccess) { + plain.data = in_data; + plain.len = in_length; + if (NSS_CMSContentInfo_SetContent(msg, info, encapsulated_tag, + &plain) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } memset(&encoded, 0, sizeof(encoded)); - plain.data = in_data; - plain.len = in_length; - if (NSS_CMSDEREncode(msg, &plain, &encoded, pool) != SECSuccess) { + if (NSS_CMSDEREncode(msg, NULL, &encoded, pool) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); pkiDebug("%s: error %d encoding data\n", __FUNCTION__, encapsulated_tag); @@ -2548,6 +2643,7 @@ cms_envelopeddata_create(krb5_context context, NSSCMSEnvelopedData *env; NSSCMSRecipientInfo *recipient; PLArenaPool *pool; + SECOidTag encapsulated_tag; SECItem plain, encoded; if (req_cryptoctx->peer_cert == NULL) { @@ -2578,6 +2674,11 @@ cms_envelopeddata_create(krb5_context context, PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } + if (NSS_CMSContentInfo_SetDontStream(info, PR_TRUE) != SECSuccess) { + pkiDebug("%s: error turning off streaming\n", __FUNCTION__); + PORT_FreeArena(pool, PR_TRUE); + return ENOMEM; + } if (NSS_CMSContentInfo_SetContent_EnvelopedData(msg, info, env) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); 
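Review bot: In cms_contentinfo_create, `plain` is now handed to `NSS_CMSContentInfo_SetContent` with only `data` and `len` assigned, so unless its `type` field is set in lines outside the hunk the message holds a partly uninitialised SECItem when it reaches the encoder. `memset(&plain, 0, sizeof(plain));` before the two assignments would settle it, as the function already does for `encoded`. The same pattern appears in cms_envelopeddata_create (`plain.data = key_pack;`) and cms_signeddata_create (`plain.data = payload;`). Because the content is now attached by reference and `NSS_CMSDEREncode` is called with NULL input, `in_data` has to remain valid until encoding finishes. That holds here since both calls are in this function, but a one-line comment saying so would protect it from a later refactor.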
@@ -2602,17 +2703,18 @@ cms_envelopeddata_create(krb5_context context, PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } - if (NSS_CMSContentInfo_SetContent_Data(msg, info, &plain, - PR_FALSE) != SECSuccess) { + plain.data = key_pack; + plain.len = key_pack_len; + encapsulated_tag = get_pkinit_data_rkey_data_tag(); + if (NSS_CMSContentInfo_SetContent(msg, info, encapsulated_tag, + &plain) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } /* Encode and export. */ - plain.data = key_pack; - plain.len = key_pack_len; memset(&encoded, 0, sizeof(encoded)); - if (NSS_CMSDEREncode(msg, &plain, &encoded, pool) != SECSuccess) { + if (NSS_CMSDEREncode(msg, NULL, &encoded, pool) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); pkiDebug("%s: error encoding enveloped-data\n", __FUNCTION__); @@ -2785,6 +2887,11 @@ cms_signeddata_create(krb5_context context, PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } + if (NSS_CMSContentInfo_SetDontStream(info, PR_TRUE) != SECSuccess) { + pkiDebug("%s: error turning off streaming\n", __FUNCTION__); + PORT_FreeArena(pool, PR_TRUE); + return ENOMEM; + } if (NSS_CMSContentInfo_SetContent_SignedData(msg, info, sdata) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); @@ -2827,8 +2934,10 @@ cms_signeddata_create(krb5_context context, PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } + plain.data = payload; + plain.len = payload_len; if (NSS_CMSContentInfo_SetContent(msg, info, encapsulated_tag, - NULL) != SECSuccess) { + &plain) != SECSuccess) { pkiDebug("%s: error setting encapsulated content type\n", __FUNCTION__); PORT_FreeArena(pool, PR_TRUE); 
@@ -2836,10 +2945,8 @@ cms_signeddata_create(krb5_context context, } /* Encode and export. */ - plain.data = payload; - plain.len = payload_len; memset(&encoded, 0, sizeof(encoded)); - if (NSS_CMSDEREncode(msg, &plain, &encoded, pool) != SECSuccess) { + if (NSS_CMSDEREncode(msg, NULL, &encoded, pool) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); pkiDebug("%s: error encoding signed-data\n", __FUNCTION__); -- 1.7.6.4