From c707f69a1db4853bf14980a088fcaf002b93d984 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Wed, 20 Oct 2010 19:49:57 -0400 Subject: [PATCH 059/150] - move some debug bits around - decode client-supplied domain parameters correctly --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 82 ++++++++++++++++++------ 1 files changed, 63 insertions(+), 19 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index bb5c6e8..7c75cd9 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -57,7 +57,7 @@ #define CONFIGDIR "/home/nalin/projects/krb5/pkinit/src/plugins/preauth/pkinit" /* FIXME */ #define NSS_CMSContentInfo_SetDontStream(a, b) (SECSuccess) /* FIXME */ -#define DEBUG_DER "derdump" +#define DEBUG_DER "/usr/lib64/nss/unsupported-tools/derdump" /* Forward declarations. */ static krb5_error_code cert_retrieve_cert_sans(krb5_context context, @@ -484,6 +484,31 @@ get_oid_from_tag(SECOidTag tag) } } +#ifdef DEBUG_DER +static void +derdump(unsigned char *data, unsigned int length) +{ + FILE *p; + p = popen(DEBUG_DER, "w"); + if (p != NULL) { + fwrite(data, 1, length, p); + pclose(p); + } +} +#endif +#ifdef DEBUG_CMS +static void +cmsdump(unsigned char *data, unsigned int length) +{ + FILE *p; + p = popen(DEBUG_CMS, "w"); + if (p != NULL) { + fwrite(data, 1, length, p); + pclose(p); + } +} +#endif + /* A password-prompt callback for NSS that calls the libkrb5 callback. */ static char * crypto_pwcb(PK11SlotInfo *slot, PRBool retry, void *arg) @@ -764,10 +789,12 @@ secitem_from_dh_pubval(PLArenaPool *pool, SECItem tmp, uinteger; tmp.data = dh_pubkey; tmp.len = dh_pubkey_len; + memset(&uinteger, 0, sizeof(uinteger)); if (SEC_ASN1DecodeItem(pool, &uinteger, SEC_BitStringTemplate, &tmp) != SECSuccess) { return ENOMEM; } + memset(&bits, 0, sizeof(bits)); if (SEC_ASN1DecodeItem(pool, bits, SEC_IntegerTemplate, &uinteger) != SECSuccess) { return ENOMEM; @@ -1259,7 +1286,7 @@ get_integer_bits(SECItem *integer) for (i = 0; i < integer->len; i++) { c = integer->data[i]; if (c != 0) { - size = integer->len - i - 1; + size = (integer->len - i - 1) * 8; while (c != 0) { c >>= 1; size++; @@ -1281,7 +1308,7 @@ server_check_dh(krb5_context context, int minbits) { PLArenaPool *pool; - struct dh_parameters *params; + struct domain_parameters params; SECItem item; pool = PORT_NewArena(sizeof(double)); @@ -1291,13 +1318,14 @@ server_check_dh(krb5_context context, item.data = dh_params->data; item.len = dh_params->length; - if (SEC_ASN1DecodeItem(pool, ¶ms, dh_parameters_template, + memset(¶ms, 0, sizeof(params)); + if (SEC_ASN1DecodeItem(pool, ¶ms, domain_parameters_template, &item) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } - if (get_integer_bits(¶ms->p) < minbits) { + if (get_integer_bits(¶ms.p) < minbits) { PORT_FreeArena(pool, PR_TRUE); return KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; } @@ -1357,6 +1385,7 @@ server_process_dh(krb5_context context, } /* Decode the domain parameters. */ + memset(¶ms, 0, sizeof(params)); if (SEC_ASN1DecodeItem(pool, ¶ms, domain_parameters_template, &spki->algorithm.parameters) != SECSuccess) { @@ -2084,9 +2113,12 @@ crypto_cert_select_default(krb5_context context, if (result != 0) { return result; } + /* FIXME */ +#if 0 if (count != 1) { return ENOENT; } +#endif if (id_cryptoctx->id_cert != NULL) { CERT_DestroyCertificate(id_cryptoctx->id_cert); } @@ -2239,6 +2271,7 @@ pkinit_process_td_dh_params(krb5_context context, /* Decode the domain parameters. */ item.len = algId[i]->parameters.length; item.data = algId[i]->parameters.data; + memset(¶ms, 0, sizeof(params)); if (SEC_ASN1DecodeItem(req_cryptoctx->pool, ¶ms, domain_parameters_template, &item) != SECSuccess) { @@ -2681,6 +2714,7 @@ cert_add_upn(PLArenaPool *pool, krb5_context context, int i; /* Decode the string. */ + memset(&decoded, 0, sizeof(decoded)); if (SEC_ASN1DecodeItem(pool, &decoded, SEC_UTF8StringTemplate, name) != SECSuccess) { return ENOMEM; @@ -2728,6 +2762,7 @@ cert_add_kpn(PLArenaPool *pool, krb5_context context, int i, j; /* Decode the structure. */ + memset(&kname, 0, sizeof(kname)); if (SEC_ASN1DecodeItem(pool, &kname, kerberos_principal_name_template, name) != SECSuccess) { @@ -2786,6 +2821,7 @@ cert_retrieve_cert_sans(krb5_context context, if (pool == NULL) { return ENOMEM; } + encoded_names = NULL; if (SEC_ASN1DecodeItem(pool, &encoded_names, SEC_SequenceOfAnyTemplate, ext) != SECSuccess) { PORT_FreeArena(pool, PR_TRUE); @@ -2908,19 +2944,6 @@ crypto_check_cert_eku(krb5_context context, return 0; } -#ifdef DEBUG_DER -static void -derdump(unsigned char *data, unsigned int length) -{ - FILE *p; - p = popen(DEBUG_DER, "w"); - if (p != NULL) { - fwrite(data, 1, length, p); - pclose(p); - } -} -#endif - krb5_error_code cms_contentinfo_create(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, @@ -3001,6 +3024,9 @@ cms_contentinfo_create(krb5_context context, #ifdef DEBUG_DER derdump(*out_data, *out_data_len); #endif +#ifdef DEBUG_CMS + cmsdump(*out_data, *out_data_len); +#endif PORT_FreeArena(pool, PR_TRUE); @@ -3038,7 +3064,7 @@ crypto_signeddata_common_create(krb5_context context, if (signer == NULL) { return ENOMEM; } - if (NSS_CMSSignerInfo_IncludeCerts(signer, NSSCMSCM_CertOnly, + if (NSS_CMSSignerInfo_IncludeCerts(signer, NSSCMSCM_CertChain, certUsageAnyCA) != SECSuccess) { pkiDebug("%s: error setting IncludeCerts\n", __FUNCTION__); return ENOMEM; @@ -3229,6 +3255,9 @@ cms_envelopeddata_create(krb5_context context, #ifdef DEBUG_DER derdump(*envel_data, *envel_data_len); #endif +#ifdef DEBUG_CMS + cmsdump(*envel_data, *envel_data_len); +#endif PORT_FreeArena(pool, PR_TRUE); @@ -3371,7 +3400,16 @@ cms_envelopeddata_verify(krb5_context context, certdb = CERT_GetDefaultCertDB(); /* Decode the message. */ +#ifdef DEBUG_DER derdump(envel_data, envel_data_len); +#endif + { + FILE *fp = fopen("/tmp/enveloped", "w"); + if (fp) { + fwrite(envel_data, 1, envel_data_len, fp); + fclose(fp); + } + } encoded.data = envel_data; encoded.len = envel_data_len; msg = NSS_CMSMessage_CreateFromDER(&encoded, @@ -3569,6 +3607,9 @@ cms_signeddata_create(krb5_context context, #ifdef DEBUG_DER derdump(*signed_data, *signed_data_len); #endif +#ifdef DEBUG_CMS + cmsdump(*signed_data, *signed_data_len); +#endif PORT_FreeArena(pool, PR_TRUE); @@ -3625,6 +3666,9 @@ cms_signeddata_verify(krb5_context context, certdb = CERT_GetDefaultCertDB(); /* Decode the message. */ +#ifdef DEBUG_DER + derdump(signed_data, signed_data_len); +#endif encoded.data = signed_data; encoded.len = signed_data_len; msg = NSS_CMSMessage_CreateFromDER(&encoded, -- 1.7.6.4