From 4c47fcbbf4b83e119474a8870af6960cdbb4c57a Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 19 Oct 2010 22:02:21 -0400
Subject: [PATCH 057/150] - try to return more meaningful error codes
---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 95 +++++++++++++-----------
 1 files changed, 52 insertions(+), 43 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index b9e6a08..471f1a2 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2016,9 +2016,9 @@ crypto_cert_get_matching_data(krb5_context context,
 }
 md->ch = cert_handle;
 md->subject_dn = strdup(cert_handle->cert->subjectName);
- /* FIXME: these not RFC2253 */
+ /* FIXME: these are not RFC2253 */
 md->issuer_dn = strdup(cert_handle->cert->issuerName);
- /* FIXME: not RFC2253 */
+ /* FIXME: these are not RFC2253 */
 md->ku_bits = cert_get_ku_bits(context, cert_handle->cert);
 md->eku_bits = cert_get_eku_bits(context, cert_handle->cert, 0);
 if (cert_retrieve_cert_sans(context, cert_handle->cert,
@@ -2085,12 +2085,9 @@ crypto_cert_select_default(krb5_context context,
 if (result != 0) {
 return result;
 }
-#if 0
- /* FIXME */
 if (count != 1) {
 return ENOENT;
 }
-#endif
 if (id_cryptoctx->id_cert != NULL) {
 CERT_DestroyCertificate(id_cryptoctx->id_cert);
 }
@@ -3253,6 +3250,7 @@ crypto_signeddata_common_verify(krb5_context context,
 SECCertUsage usage,
 SECOidTag expected_type,
 SECItem **plain,
+ int cms_msg_type,
 int *is_signed)
 {
 NSSCMSSignedData *sdata;
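Review bot: In crypto_cert_select_default (the `@@ -2085` hunk), removing the `#if 0` does more than change an error code: the `count != 1` check becomes live, so a store with several candidate certificates is now rejected, and with `ENOENT`, the same value a count of zero produces. A caller or log reader cannot tell "no certificate" from "more than one, ambiguous" from that return. I would log the count before returning, e.g. `pkiDebug("%s: expected exactly one certificate, found %d\n", __FUNCTION__, count);` (assuming `count` is an int; its declaration is outside the hunk), and mention the behaviour change in the commit message. The function begins and ends outside the hunk.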
@@ -3269,28 +3267,28 @@ crypto_signeddata_common_verify(krb5_context context,
 if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != SEC_OID_PKCS7_SIGNED_DATA) {
 pkiDebug("%s: content type mismatch\n", __FUNCTION__);
- return ENOMEM; /* FIXME: better error? */
+ return EINVAL;
 }
 sdata = NSS_CMSContentInfo_GetContent(cinfo);
 if ((sdata == NULL) || (NSS_CMSSignedData_SignerInfoCount(sdata) != 1)) {
 pkiDebug("%s: wrong number of signers\n", __FUNCTION__);
- return ENOMEM; /* FIXME: better error? */
+ return ENOENT;
 }
 if (NSS_CMSSignedData_ImportCerts(sdata, certdb, usage, PR_FALSE) != SECSuccess) {
 pkiDebug("%s: error importing signer certs\n", __FUNCTION__);
- return ENOMEM; /* FIXME: better error? */
+ return ENOENT;
 }
 signer = NSS_CMSSignedData_GetSignerInfo(sdata, 0);
 if (signer == NULL) {
 pkiDebug("%s: no signers?\n", __FUNCTION__);
- return ENOMEM; /* FIXME: better error? */
+ return ENOENT;
 }
 /* Verify the signer's certificate. */
 if (!NSS_CMSSignedData_HasDigests(sdata)) {
 pkiDebug("%s: no digests?\n", __FUNCTION__);
- return ENOMEM; /* FIXME: better error? */
+ return ENOENT;
 }
 status = NSS_CMSSignedData_VerifySignerInfo(sdata, 0, certdb, usage);
@@ -3299,7 +3297,18 @@ crypto_signeddata_common_verify(krb5_context context,
 PR_ErrorToString(status == SECFailure ? PORT_GetError() : status, PR_LANGUAGE_I_DEFAULT));
- return ENOMEM; /* FIXME: better error? */
+ switch (cms_msg_type) {
+ case CMS_SIGN_DRAFT9:
+ case CMS_SIGN_CLIENT:
+ return KRB5KDC_ERR_CLIENT_NOT_TRUSTED;
+ break;
+ case CMS_SIGN_SERVER:
+ case CMS_ENVEL_SERVER:
+ return KRB5KDC_ERR_KDC_NOT_TRUSTED;
+ break;
+ default:
+ return ENOMEM;
+ }
 }
 pkiDebug("%s: signer verify passed\n", __FUNCTION__);
 /* Pull out the payload. */
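Review bot: In the `@@ -3299` hunk, the `default:` arm of the new switch still returns `ENOMEM` on what appears to be the failure path of NSS_CMSSignedData_VerifySignerInfo, so a signature-verification failure with an unexpected `cms_msg_type` is reported as an allocation failure. It does fail closed, but the code misleads whoever triages it; `default: return EINVAL;` (or one of the two trust errors) would fit the rest of the commit. The `break;` after each `return` is unreachable and can be dropped. Every failure in `status` is folded into a single NOT_TRUSTED code, so a comment above the switch should say this is deliberate, e.g. `/* Any verification failure is reported as an untrusted peer; the NSS error text goes to the debug log only. */`. The enclosing function begins and ends outside the hunk.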
@@ -3313,7 +3322,7 @@ crypto_signeddata_common_verify(krb5_context context,
 if (encapsulated_tag != expected_type) {
 pkiDebug("%s: wrong encapsulated content type\n", __FUNCTION__);
- return ENOMEM; /* FIXME: better error? */
+ return EINVAL;
 }
 *plain = NSS_CMSContentInfo_GetContent(ecinfo);
 if ((*plain != NULL) && ((*plain)->len == 0)) {
@@ -3352,7 +3361,7 @@ cms_envelopeddata_verify(krb5_context context,
 SECItem *plain, encoded;
 SECCertUsage usage;
 SECOidTag expected_tag;
- int is_signed;
+ int is_signed, ret;
 pool = PORT_NewArena(sizeof(double));
 if (pool == NULL) {
@@ -3382,7 +3391,7 @@ cms_envelopeddata_verify(krb5_context context,
 SEC_OID_PKCS7_ENVELOPED_DATA) {
 NSS_CMSMessage_Destroy(msg);
 PORT_FreeArena(pool, PR_TRUE);
- return ENOMEM; /* FIXME: better error? */
+ return EINVAL;
 }
 /* Okay, it's enveloped-data. */
@@ -3402,22 +3411,22 @@ cms_envelopeddata_verify(krb5_context context,
 expected_tag = get_pkinit_data_rkey_data_tag();
 usage = certUsageSSLServer;
 plain = NULL;
- if ((crypto_signeddata_common_verify(context,
- plg_cryptoctx,
- req_cryptoctx,
- id_cryptoctx,
- require_crl_checking,
- info,
- certdb,
- usage,
- expected_tag,
- &plain,
- &is_signed) != 0) ||
- (plain == NULL) ||
- !is_signed) {
+ ret = crypto_signeddata_common_verify(context,
+ plg_cryptoctx,
+ req_cryptoctx,
+ id_cryptoctx,
+ require_crl_checking,
+ info,
+ certdb,
+ usage,
+ expected_tag,
+ &plain,
+ CMS_ENVEL_SERVER,
+ &is_signed);
+ if ((ret != 0) || (plain == NULL) || !is_signed) {
 NSS_CMSMessage_Destroy(msg);
 PORT_FreeArena(pool, PR_TRUE);
- return ENOMEM; /* FIXME: better error? */
+ return ret ? ret : ENOMEM;
 }
 /* Export the payload. */
@@ -3584,7 +3593,7 @@ cms_signeddata_verify(krb5_context context,
 SECOidTag expected_tag;
 PLArenaPool *pool;
 SECItem *plain, encoded;
- int was_signed;
+ int was_signed, ret;
 switch (cms_msg_type) {
 case CMS_SIGN_DRAFT9:
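Review bot: In cms_envelopeddata_verify (the `@@ -3402` hunk), `return ret ? ret : ENOMEM;` still reports out-of-memory when the common verifier returned 0 but `plain == NULL` or the content was not signed, which is a rejected message rather than an allocation failure. Given the commit's aim, the fallback could be `return ret ? ret : KRB5KDC_ERR_KDC_NOT_TRUSTED;` here (or `EINVAL` if a trust error is judged too specific); the `@@ -3636` hunk in cms_signeddata_verify has the same fallback and would need its code chosen from `cms_msg_type`. Separately, no initialisation of `is_signed` is visible in this hunk, whereas cms_signeddata_verify sets `was_signed = 0;` before its call; adding `is_signed = 0;` next to `plain = NULL;` would keep the `!is_signed` test well defined if the callee ever returns 0 without writing it. Both functions extend beyond their hunks.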
@@ -3636,22 +3645,22 @@ cms_signeddata_verify(krb5_context context,
 __FUNCTION__);
 plain = NULL;
 was_signed = 0;
- if ((crypto_signeddata_common_verify(context,
- plg_cryptoctx,
- req_cryptoctx,
- id_cryptoctx,
- require_crl_checking,
- info,
- certdb,
- usage,
- expected_tag,
- &plain,
- &was_signed) != 0) ||
- (plain == NULL) ||
- (!was_signed)) {
+ ret = crypto_signeddata_common_verify(context,
+ plg_cryptoctx,
+ req_cryptoctx,
+ id_cryptoctx,
+ require_crl_checking,
+ info,
+ certdb,
+ usage,
+ expected_tag,
+ &plain,
+ cms_msg_type,
+ &was_signed);
+ if ((ret != 0) || (plain == NULL) || !was_signed) {
 NSS_CMSMessage_Destroy(msg);
 PORT_FreeArena(pool, PR_TRUE);
- return ENOMEM; /* FIXME: better error? */
+ return ret ? ret : ENOMEM;
 }
 if (is_signed != NULL) {
 *is_signed = was_signed;
--
1.7.6.4