From e4de124b642aa5f612e1d01a1dcd19fbc60d7f92 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 26 Oct 2010 00:22:53 -0400 Subject: [PATCH 067/150] - stop disabling pkcs11 completely --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 121 ++++++++++++++++-------- 1 files changed, 83 insertions(+), 38 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index e26e0de..fa4e1be 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -31,12 +31,16 @@ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +/* Avoid including our local copy of "pkcs11.h" from one of the local headers, + * since the definitions we want to use are going to be the ones that NSS + * provides. */ + +#define PKCS11_H + #include #include + #include "k5-int.h" -#include "k5-int-pkinit.h" -#include "pkinit.h" -#include "pkinit_crypto.h" #include "krb5.h" #include @@ -47,9 +51,15 @@ #include #include #include +#include +#include #include #include +#include "k5-int-pkinit.h" +#include "pkinit.h" +#include "pkinit_crypto.h" + /* We should probably avoid using the default location for certificate trusts, * unless we can be sure that the list of trusted roots isn't being shared with * general-purpose SSL/TLS configuration, even though we're leaning on SSL/TLS @@ -223,6 +233,8 @@ struct _pkinit_req_crypto_context { struct _pkinit_identity_crypto_context { PLArenaPool *pool; PRBool default_loaded; + SECMODModule *pem_module; + SECMODModule **id_modules; CERTCertList *id_certs, *ca_certs, *other_certs; SECKEYPrivateKeyList *id_keys; CERTCertificate *id_cert; 
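Review bot: Pre-defining `PKCS11_H` to keep the bundled pkcs11.h out of the translation unit ties this file to the include-guard spelling of a header it does not own; if that guard is ever renamed, both the local and the NSS PKCS#11 definitions get pulled in and the build breaks in a confusing way, and nothing here would flag it. I would at least extend the new comment to name the header and the guard it is suppressing, e.g. `/* PKCS11_H is the include guard of the local pkcs11.h; defining it first makes the NSS copy win. */`, so the coupling is discoverable from either side. If the local header can be given a dedicated opt-out macro instead, that would be the more robust fix, but that depends on code not visible in this hunk. The names of the added `#include` lines in the second hunk appear to have been stripped by extraction, so I cannot review them.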
@@ -599,36 +611,47 @@ krb5_error_code pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx) { PLArenaPool *pool; + pkinit_identity_crypto_context id; pool = PORT_NewArena(sizeof(double)); if (pool != NULL) { - *id_cryptoctx = PORT_ArenaZAlloc(pool, sizeof(**id_cryptoctx)); - if (*id_cryptoctx != NULL) { - (*id_cryptoctx)->pool = pool; - (*id_cryptoctx)->id_certs = CERT_NewCertList(); - (*id_cryptoctx)->id_keys = SECKEY_NewPrivateKeyList(); - (*id_cryptoctx)->ca_certs = CERT_NewCertList(); - (*id_cryptoctx)->other_certs = CERT_NewCertList(); - if (((*id_cryptoctx)->id_certs != NULL) && - ((*id_cryptoctx)->id_keys != NULL) && - ((*id_cryptoctx)->ca_certs != NULL) && - ((*id_cryptoctx)->other_certs != NULL)) { - return 0; - } - if ((*id_cryptoctx)->other_certs != NULL) { - CERT_DestroyCertList((*id_cryptoctx)->other_certs); - } - if ((*id_cryptoctx)->ca_certs != NULL) { - CERT_DestroyCertList((*id_cryptoctx)->ca_certs); - } - if ((*id_cryptoctx)->id_keys != NULL) { - SECKEY_DestroyPrivateKeyList((*id_cryptoctx)->id_keys); - } - if ((*id_cryptoctx)->id_certs != NULL) { - CERT_DestroyCertList((*id_cryptoctx)->id_certs); - } + id = PORT_ArenaZAlloc(pool, sizeof(*id)); + if (id != NULL) { + return ENOMEM; } - PORT_FreeArena(pool, PR_TRUE); } + id->pool = pool; + id->id_certs = CERT_NewCertList(); + id->id_keys = SECKEY_NewPrivateKeyList(); + id->ca_certs = CERT_NewCertList(); + id->other_certs = CERT_NewCertList(); + if ((id->id_certs != NULL) && + (id->id_keys != NULL) && + (id->ca_certs != NULL) && + (id->other_certs != NULL)) { + id->pem_module = SECMOD_CreateModule("libnsspem.so", + "PEM Reader", + NULL, + NULL); + if (id->pem_module == NULL) { + pkiDebug("%s: error loading libnsspem.so\n", + __FUNCTION__); + } + *id_cryptoctx = id; + return 0; + } + if (id->other_certs != NULL) { + CERT_DestroyCertList(id->other_certs); + } + if (id->ca_certs != NULL) { + CERT_DestroyCertList(id->ca_certs); + } + if (id->id_keys != NULL) { + 
SECKEY_DestroyPrivateKeyList(id->id_keys); + } + if (id->id_certs != NULL) { + CERT_DestroyCertList(id->id_certs); + } + PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } @@ -639,6 +662,15 @@ pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx) CERT_DestroyCertList(id_cryptoctx->ca_certs); SECKEY_DestroyPrivateKeyList(id_cryptoctx->id_keys); CERT_DestroyCertList(id_cryptoctx->id_certs); + if (id_cryptoctx->pem_module != NULL) { + SECMOD_DestroyModule(id_cryptoctx->pem_module); + } + if (id_cryptoctx->id_modules != NULL) { + int i; + for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) { + SECMOD_DestroyModule(id_cryptoctx->id_modules[i]); + } + } PORT_FreeArena(id_cryptoctx->pool, PR_TRUE); } @@ -1667,6 +1699,8 @@ crypto_load_certs(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, krb5_principal princ) { + SECMODModule **id_modules; + int i, j; return 0; /* FIXME */ switch (idopts->idtype) { case IDTYPE_FILE: @@ -1676,16 +1710,30 @@ crypto_load_certs(krb5_context context, return ENOSYS; break; case IDTYPE_PKCS11: - return ENOSYS; - break; - case IDTYPE_ENVVAR: - return ENOSYS; + if (id_cryptoctx->id_modules != NULL) { + for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) { + continue; + } + } else { + i = 0; + } + id_modules = PORT_ArenaZAlloc(id_cryptoctx->pool, + sizeof(id_modules[0]) * (i + 2)); + for (j = 0; j < i; j++) { + id_modules[j] = id_cryptoctx->id_modules[i]; + } + id_modules[j++] = SECMOD_CreateModule(idopts->p11_module_name, + idopts->p11_module_name, + NULL, + NULL); + id_modules[j] = NULL; + id_cryptoctx->id_modules = id_modules; break; case IDTYPE_PKCS12: return ENOSYS; break; default: - return ENOSYS; + return EINVAL; break; } } @@ -2175,14 +2223,11 @@ crypto_load_cas_and_crls(krb5_context context, case IDTYPE_PKCS11: return ENOSYS; break; - case IDTYPE_ENVVAR: - return ENOSYS; - break; case IDTYPE_PKCS12: return ENOSYS; break; default: - return ENOSYS; + return EINVAL; break; } switch (catype) { -- 1.7.6.4
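Review bot: The new allocation check in pkinit_init_identity_crypto is inverted: `if (id != NULL) { return ENOMEM; }` returns ENOMEM on the successful PORT_ArenaZAlloc (leaking the arena) and falls through to `id->pool = pool` when the allocation actually failed, dereferencing NULL; and when PORT_NewArena itself fails, `id` is never assigned yet is dereferenced uninitialized. Both failure paths need to bail out before any field is touched, freeing the arena on the second one. Separately, the `SECMOD_CreateModule("libnsspem.so", ...)` failure is only debug-logged, which is presumably intended as best-effort, but as far as I recall SECMOD_CreateModule only builds the module record and does not load the library (SECMOD_LoadUserModule does), so it is worth confirming that this really enables PEM support. The function signature sits at the hunk header, so its opening lines may be outside the hunk.
```c
pool = PORT_NewArena(sizeof(double));
if (pool == NULL) {
    return ENOMEM;
}
id = PORT_ArenaZAlloc(pool, sizeof(*id));
if (id == NULL) {
    PORT_FreeArena(pool, PR_TRUE);
    return ENOMEM;
}
id->pool = pool;
/* … unchanged: list creation, pem_module setup, cleanup on failure … */
```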
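Review bot: In the IDTYPE_PKCS11 branch of crypto_load_certs, the copy loop reads the wrong slot: `id_modules[j] = id_cryptoctx->id_modules[i];` copies the terminating NULL at index `i` into every position, so any previously registered modules are dropped from the new list (and never destroyed by pkinit_fini_identity_crypto, which stops at the first NULL) and the freshly created module lands behind a NULL terminator; it should be `id_cryptoctx->id_modules[j]`. The PORT_ArenaZAlloc result is also dereferenced unchecked, and a NULL from SECMOD_CreateModule is stored in slot `j` where it silently acts as the terminator, so a bad `p11_module_name` is never reported. Note that the `return 0; /* FIXME */` visible in the preceding hunk still makes this whole switch unreachable, so none of this runs until that placeholder is removed. The enclosing function starts and ends outside this hunk.
```c
case IDTYPE_PKCS11:
    /* … unchanged: count existing entries into i … */
    id_modules = PORT_ArenaZAlloc(id_cryptoctx->pool,
                                  sizeof(id_modules[0]) * (i + 2));
    if (id_modules == NULL) {
        return ENOMEM;
    }
    for (j = 0; j < i; j++) {
        id_modules[j] = id_cryptoctx->id_modules[j];
    }
    id_modules[j] = SECMOD_CreateModule(idopts->p11_module_name,
                                        idopts->p11_module_name,
                                        NULL, NULL);
    if (id_modules[j] == NULL) {
        pkiDebug("%s: error creating module %s\n", __FUNCTION__,
                 idopts->p11_module_name);
        return EINVAL; /* pick the code callers of crypto_load_certs expect */
    }
    id_modules[j + 1] = NULL;
    id_cryptoctx->id_modules = id_modules;
    break;
```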