From 25d8ad7e89ff795f2fa5d9a7110abd8281fb8eb5 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 2 Nov 2010 01:46:38 -0400 Subject: [PATCH 102/150] - turn on support for all of the pkcs12 ciphers we could end up using - switch full-time to a dedicated slot for pkcs12 imports - supply a nickname collision detection callback to the pkcs12 verify function - explicitly reject loading of crls from anywhere other than files or dirs - explicitly reject loading of cas from anywhere other than files or dirs or nss --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 81 +++++++++++++++++++---- 1 files changed, 67 insertions(+), 14 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index d752655..fa2a56b 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -43,8 +43,11 @@ #include #include #include +#include #include #include +#include +#include #include #include #include @@ -69,6 +72,7 @@ #define NSS_CMSContentInfo_SetDontStream(a, b) (SECSuccess) /* FIXME once this API works */ /* #define DEBUG_DER "/usr/lib64/nss/unsupported-tools/derdump" */ +#define DEBUG_SENSITIVE /* Forward declarations. */ static krb5_error_code cert_retrieve_cert_sans(krb5_context context, @@ -589,6 +593,12 @@ crypto_pwcb(PK11SlotInfo *slot, PRBool retry, void *arg) memcpy(answer, reply.data, reply.length); answer[reply.length] = '\0'; answer[strcspn(answer, "\r\n")] = '\0'; +#ifdef DEBUG_SENSITIVE + pkiDebug("%s: returning \"%s\"\n", __FUNCTION__, answer); +#else + pkiDebug("%s: returning %d-char answer\n", __FUNCTION__, + strlen(answer)); +#endif } if (reply.data == data) { @@ -728,6 +738,12 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx) PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_RC4_40, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_RC4_128, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_DES_56, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, PR_TRUE); return 0; } } @@ -2015,16 +2031,21 @@ crypto_get_pem_slot(struct _pkinit_identity_crypto_context *id) static PK11SlotInfo * crypto_get_p12_slot(struct _pkinit_identity_crypto_context *id) { -#if 0 - return crypto_get_pem_slot(id); -#else if (id->id_p12_slot == NULL) { id->id_p12_slot = SECMOD_OpenUserDB("configDir='" DEFAULT_CONFIGDIR "' flags=readOnly"); } return id->id_p12_slot; -#endif +} + +static SECItem * +crypto_nickname_c_cb(SECItem *old_nickname, PRBool *cancel, void *arg) +{ + pkiDebug("%s: warning: nickname collision on \"%.*s\"\n", + __FUNCTION__, old_nickname->len, old_nickname->data); + *cancel = PR_TRUE; + return NULL; } static SECStatus @@ -2049,6 +2070,8 @@ crypto_load_pkcs12(krb5_context context, return SECFailure; } memset(&empty, 0, sizeof(empty)); + empty.data = "\0\0"; + empty.len = 1; ctx = SEC_PKCS12DecoderStart(&empty, slot, crypto_pwcb_prep(id_cryptoctx, context), @@ -2070,19 +2093,23 @@ crypto_load_pkcs12(krb5_context context, } if (SEC_PKCS12DecoderVerify(ctx) != SECSuccess) { pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "error verifying data\n", __FUNCTION__, name); + "error verifying data: %d\n", __FUNCTION__, name, + PORT_GetError()); SEC_PKCS12DecoderFinish(ctx); return SECFailure; } - if (SEC_PKCS12DecoderValidateBags(ctx, NULL) != SECSuccess) { + if (SEC_PKCS12DecoderValidateBags(ctx, + crypto_nickname_c_cb) != SECSuccess) { pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "error validating bags\n", __FUNCTION__, name); + "error validating bags: %d\n", __FUNCTION__, name, + PORT_GetError()); SEC_PKCS12DecoderFinish(ctx); return SECFailure; } if (SEC_PKCS12DecoderImportBags(ctx) != SECSuccess) { pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "error importing data\n", __FUNCTION__, name); + "error importing data: %d\n", __FUNCTION__, name, + PORT_GetError()); SEC_PKCS12DecoderFinish(ctx); return SECFailure; } @@ -2294,6 +2321,10 @@ crypto_load_files(krb5_context context, CERT_DestroyCertList(before); } } + + if ((status == SECSuccess) && (crlfile != NULL)) { + /* FIXME: cache a CRL from the named file */ + } return status; } @@ -2884,18 +2915,44 @@ crypto_load_cas_and_crls(krb5_context context, switch (catype) { case CATYPE_ANCHORS: /* Mark certs we load as trusted roots. */ + switch (idtype) { + case IDTYPE_FILE: + case IDTYPE_DIR: + case IDTYPE_NSS: + break; + default: + return EINVAL; + break; + } cert_self = PR_FALSE; cert_mark_trusted = PR_TRUE; load_crl = PR_FALSE; break; case CATYPE_INTERMEDIATES: /* Hang on to certs as reference material. */ + switch (idtype) { + case IDTYPE_FILE: + case IDTYPE_DIR: + case IDTYPE_NSS: + break; + default: + return EINVAL; + break; + } cert_self = PR_FALSE; cert_mark_trusted = PR_FALSE; load_crl = PR_FALSE; break; case CATYPE_CRLS: /* FIXME: Load CRLs. */ + switch (idtype) { + case IDTYPE_FILE: + case IDTYPE_DIR: + break; + default: + return EINVAL; + break; + } cert_self = PR_FALSE; cert_mark_trusted = PR_FALSE; load_crl = PR_TRUE; @@ -2916,7 +2973,7 @@ crypto_load_cas_and_crls(krb5_context context, cert_self, cert_mark_trusted, id_cryptoctx); if (status != SECSuccess) { - pkiDebug("%s: error loading CA file \"%s\"\n", + pkiDebug("%s: error loading file \"%s\"\n", __FUNCTION__, id); return ENOMEM; } @@ -2943,16 +3000,12 @@ crypto_load_cas_and_crls(krb5_context context, cert_self, cert_mark_trusted, load_crl, id_cryptoctx); if (status != SECSuccess) { - pkiDebug("%s: error loading CA directory \"%s\"\n", + pkiDebug("%s: error loading directory \"%s\"\n", __FUNCTION__, id); return ENOMEM; } return 0; break; - case IDTYPE_PKCS12: - pkiDebug("%s: skipping CA PKCS12 bundle \"%s\"\n", - __FUNCTION__, id); - return ENOSYS; default: return EINVAL; break; -- 1.7.6.4