From 023e59ccbe6d5be5e09c27277ac568448c09b229 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 19 Oct 2010 20:50:34 -0400 Subject: [PATCH 055/150] - hang on to the dh public key, because we can't recover it from the private key after all --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 41 +++++++++++------------- 1 files changed, 19 insertions(+), 22 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index d28e161..d9b77a2 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -76,7 +76,8 @@ struct _pkinit_plg_crypto_context { struct _pkinit_req_crypto_context { PLArenaPool *pool; - SECKEYPrivateKey *client_dh_key; /* used by clients */ + SECKEYPrivateKey *client_dh_privkey; /* used by clients */ + SECKEYPublicKey *client_dh_pubkey; /* used by clients */ CERTCertificate *peer_cert; /* the other party */ }; @@ -688,8 +689,11 @@ pkinit_init_req_crypto(pkinit_req_crypto_context *req_cryptoctx) void pkinit_fini_req_crypto(pkinit_req_crypto_context req_cryptoctx) { - if (req_cryptoctx->client_dh_key != NULL) { - SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_key); + if (req_cryptoctx->client_dh_privkey != NULL) { + SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey); + } + if (req_cryptoctx->client_dh_pubkey != NULL) { + SECKEY_DestroyPublicKey(req_cryptoctx->client_dh_pubkey); } if (req_cryptoctx->peer_cert != NULL) { CERT_DestroyCertificate(req_cryptoctx->peer_cert); @@ -1151,12 +1155,15 @@ client_create_dh(krb5_context context, return ENOMEM; } - /* Save our private key for reuse later. */ - SECKEY_DestroyPublicKey(pub); - if (req_cryptoctx->client_dh_key != NULL) { - SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_key); + /* Save our private and public keys for reuse later. */ + if (req_cryptoctx->client_dh_privkey != NULL) { + SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey); } - req_cryptoctx->client_dh_key = priv; + req_cryptoctx->client_dh_privkey = priv; + if (req_cryptoctx->client_dh_pubkey != NULL) { + SECKEY_DestroyPublicKey(req_cryptoctx->client_dh_pubkey); + } + req_cryptoctx->client_dh_pubkey = pub; PK11_FreeSlot(slot); PORT_FreeArena(pool, PR_TRUE); @@ -1177,7 +1184,7 @@ client_process_dh(krb5_context context, { PLArenaPool *pool; PK11SlotInfo *slot; - SECKEYPublicKey *pub, pub2; + SECKEYPublicKey pub; PK11SymKey *sym; SECItem *bits; @@ -1188,15 +1195,9 @@ client_process_dh(krb5_context context, /* Rebuild the KDC's public key using our parameters and the supplied * public value (subjectPublicKey). */ - pub = SECKEY_ConvertToPublicKey(req_cryptoctx->client_dh_key); - if (pub == NULL) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - pub2 = *pub; + pub = *(req_cryptoctx->client_dh_pubkey); if (secitem_from_dh_pubval(pool, dh_pubkey, dh_pubkey_len, - &pub2.u.dh.publicValue) != 0) { - SECKEY_DestroyPublicKey(pub); + &pub.u.dh.publicValue) != 0) { PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } @@ -1206,11 +1207,10 @@ client_process_dh(krb5_context context, slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN, crypto_pwcb_prep(id_cryptoctx, context)); if (slot == NULL) { - SECKEY_DestroyPublicKey(pub); PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } - sym = PK11_PubDerive(req_cryptoctx->client_dh_key, &pub2, PR_FALSE, + sym = PK11_PubDerive(req_cryptoctx->client_dh_privkey, &pub, PR_FALSE, NULL, NULL, CKM_DH_PKCS_DERIVE, CKM_TLS_MASTER_KEY_DERIVE_DH, @@ -1218,7 +1218,6 @@ client_process_dh(krb5_context context, 0, crypto_pwcb_prep(id_cryptoctx, context)); if (sym == NULL) { - SECKEY_DestroyPublicKey(pub); PK11_FreeSlot(slot); PORT_FreeArena(pool, PR_TRUE); return ENOMEM; @@ -1229,14 +1228,12 @@ client_process_dh(krb5_context context, ((bits = PK11_GetKeyData(sym)) == NULL) || (secitem_to_buf_len(bits, dh_session_key, dh_session_key_len) != 0)) { PK11_FreeSymKey(sym); - SECKEY_DestroyPublicKey(pub); PK11_FreeSlot(slot); PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } PK11_FreeSymKey(sym); - SECKEY_DestroyPublicKey(pub); PK11_FreeSlot(slot); PORT_FreeArena(pool, PR_TRUE); return 0; -- 1.7.6.4