From a930fe9a7d6d90f994d40f2198a895cdfafeb2c1 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 2 Nov 2010 17:33:22 -0400 Subject: [PATCH 103/150] - move most of the structure and template definitions to be together - don't enable pkcs12 ciphers until we need them - drop definitions for our krb5_typed_datum --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 166 +++++++++++------------- 1 files changed, 73 insertions(+), 93 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index fa2a56b..4847835 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -65,23 +65,73 @@ #include "pkinit_crypto.h" /* We should probably avoid using the default location for certificate trusts, - * unless we can be sure that the list of trusted roots isn't being shared with - * general-purpose SSL/TLS configuration, even though we're leaning on SSL/TLS - * trust settings. */ + * unless we can be sure that the list of trusted roots isn't being shared + * with general-purpose SSL/TLS configuration, even though we're leaning on + * SSL/TLS trust settings. */ #define DEFAULT_CONFIGDIR "/etc/pki/nssdb" -#define NSS_CMSContentInfo_SetDontStream(a, b) (SECSuccess) /* FIXME once this API works */ + +/* FIXME: This API doesn't work yet, so short-circuit calls to it. */ +#define NSS_CMSContentInfo_SetDontStream(a, b) (SECSuccess) /* #define DEBUG_DER "/usr/lib64/nss/unsupported-tools/derdump" */ -#define DEBUG_SENSITIVE +/* #define DEBUG_SENSITIVE */ -/* Forward declarations. */ +/* Forward declaration. */ static krb5_error_code cert_retrieve_cert_sans(krb5_context context, CERTCertificate *cert, krb5_principal **pkinit_sans, krb5_principal **upn_sans, unsigned char ***kdc_hostname); -/* Protocol elements. */ +/* DomainParameters: RFC 2459, 7.3.2. */ +struct domain_parameters { + SECItem p, g, q, j; + struct validation_parms *validation_parms; +}; + +/* Plugin and request state. */ +struct _pkinit_plg_crypto_context { + PLArenaPool *pool; + NSSInitContext *ncontext; +}; + +struct _pkinit_req_crypto_context { + PLArenaPool *pool; + SECKEYPrivateKey *client_dh_privkey; /* used by clients */ + SECKEYPublicKey *client_dh_pubkey; /* used by clients */ + struct domain_parameters client_dh_params; /* used by KDCs */ + CERTCertificate *peer_cert; /* the other party */ +}; + +struct _pkinit_identity_crypto_context { + PLArenaPool *pool; + SECMODModule *pem_module; + SECMODModule **id_modules; + PK11SlotInfo **id_userdbs; + PK11SlotInfo *id_p12_slot; + PK11GenericObject **id_objects; + CERTCertList *id_certs, *ca_certs; + CERTCertificate *id_cert; + struct { + krb5_context context; + krb5_prompter_fct prompter; + void *prompter_data; + } pwcb_args; +}; + +struct _pkinit_cert_info { /* aka _pkinit_cert_handle */ + PLArenaPool *pool; + struct _pkinit_identity_crypto_context *id_cryptoctx; + CERTCertificate *cert; +}; + +struct _pkinit_cert_iter_info { /* aka _pkinit_cert_iter_handle */ + PLArenaPool *pool; + struct _pkinit_identity_crypto_context *id_cryptoctx; + CERTCertListNode *node; +}; + +/* Protocol elements that we need to encode or decode. */ /* DH parameters: draft-ietf-cat-kerberos-pk-init-08.txt, 3.1.2.2. */ struct dh_parameters { @@ -144,10 +194,7 @@ validation_parms_template[] = { }; /* DomainParameters: RFC 2459, 7.3.2. */ -struct domain_parameters { - SECItem p, g, q, j; - struct validation_parms *validation_parms; -}; +struct domain_parameters; static const SEC_ASN1Template domain_parameters_template[] = { { @@ -219,48 +266,6 @@ issuer_and_serial_number_template[] = { { 0, 0, NULL, 0}, }; -/* Plugin and request state. */ -struct _pkinit_plg_crypto_context { - PLArenaPool *pool; - NSSInitContext *ncontext; -}; - -struct _pkinit_req_crypto_context { - PLArenaPool *pool; - SECKEYPrivateKey *client_dh_privkey; /* used by clients */ - SECKEYPublicKey *client_dh_pubkey; /* used by clients */ - struct domain_parameters client_dh_params; /* used by KDCs */ - CERTCertificate *peer_cert; /* the other party */ -}; - -struct _pkinit_identity_crypto_context { - PLArenaPool *pool; - SECMODModule *pem_module; - SECMODModule **id_modules; - PK11SlotInfo **id_userdbs; - PK11SlotInfo *id_p12_slot; - PK11GenericObject **id_objects; - CERTCertList *id_certs, *ca_certs; - CERTCertificate *id_cert; - struct { - krb5_context context; - krb5_prompter_fct prompter; - void *prompter_data; - } pwcb_args; -}; - -struct _pkinit_cert_info { /* aka _pkinit_cert_handle */ - PLArenaPool *pool; - struct _pkinit_identity_crypto_context *id_cryptoctx; - CERTCertificate *cert; -}; - -struct _pkinit_cert_iter_info { /* aka _pkinit_cert_iter_handle */ - PLArenaPool *pool; - struct _pkinit_identity_crypto_context *id_cryptoctx; - CERTCertListNode *node; -}; - /* KerberosString: RFC 4120, 5.2.1. */ static const SEC_ASN1Template kerberos_string_template[] = { @@ -271,6 +276,7 @@ kerberos_string_template[] = { .size = sizeof(SECItem), }, }; + /* Realm: RFC 4120, 5.2.2. */ struct realm { SECItem name; @@ -284,6 +290,7 @@ realm_template[] = { .size = sizeof(SECItem), }, }; + /* PrincipalName: RFC 4120, 5.2.2. */ static const SEC_ASN1Template sequence_of_kerberos_string_template[] = { @@ -324,6 +331,7 @@ principal_name_template[] = { }, {0, 0, NULL, 0}, }; + /* KRB5PrincipalName: RFC 4556, 3.2.2. */ struct kerberos_principal_name { SECItem realm; @@ -356,37 +364,6 @@ kerberos_principal_name_template[] = { {0, 0, NULL, 0}, }; -/* Typed data that we return as e-data. */ -struct typed_datum { - SECItem td_type, td_data; -}; -static const SEC_ASN1Template -typed_datum_template[] = { - { - .kind = SEC_ASN1_SEQUENCE, - .offset = 0, - .sub = NULL, - .size = sizeof(struct typed_datum), - }, - { - .kind = SEC_ASN1_CONTEXT_SPECIFIC | 0 | - SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED, - .offset = offsetof(struct typed_datum, td_type), - .sub = SEC_IntegerTemplate, - .size = sizeof(SECItem), - }, - { - .kind = SEC_ASN1_CONTEXT_SPECIFIC | 1 | - SEC_ASN1_EXPLICIT | - SEC_ASN1_CONSTRUCTED, - .offset = offsetof(struct typed_datum, td_data), - .sub = SEC_OctetStringTemplate, - .size = sizeof(SECItem), - }, - {0, 0, NULL, 0}, -}; - /* OIDs. */ static unsigned char oid_pkinit_key_purpose_client_bytes[] = {0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x04}; @@ -596,8 +573,8 @@ crypto_pwcb(PK11SlotInfo *slot, PRBool retry, void *arg) #ifdef DEBUG_SENSITIVE pkiDebug("%s: returning \"%s\"\n", __FUNCTION__, answer); #else - pkiDebug("%s: returning %d-char answer\n", __FUNCTION__, - strlen(answer)); + pkiDebug("%s: returning %ld-char answer\n", __FUNCTION__, + (long) strlen(answer)); #endif } @@ -738,12 +715,6 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx) PORT_FreeArena(pool, PR_TRUE); return ENOMEM; } - SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_RC4_40, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_RC4_128, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_DES_56, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, PR_TRUE); return 0; } } @@ -2057,6 +2028,7 @@ crypto_load_pkcs12(krb5_context context, { PK11SlotInfo *slot; SEC_PKCS12DecoderContext *ctx; + unsigned char emptypwd[] = {'\0'}; SECItem tmp, empty; if ((slot = crypto_get_p12_slot(id_cryptoctx)) == NULL) { @@ -2069,8 +2041,16 @@ crypto_load_pkcs12(krb5_context context, "error reading from file\n", __FUNCTION__, name); return SECFailure; } + /* We're going to need these. */ + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_RC4_40, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_RC4_128, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_DES_56, PR_TRUE); + SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, PR_TRUE); + /* Pass in the password. */ memset(&empty, 0, sizeof(empty)); - empty.data = "\0\0"; + empty.data = emptypwd; empty.len = 1; ctx = SEC_PKCS12DecoderStart(&empty, slot, -- 1.7.6.4