From 444d818f36950a11595df6a3ae23e0fdcdc4b714 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Thu, 8 Sep 2011 16:23:45 -0400 Subject: [PATCH 135/150] - whitespace cleanups - shorten the names of enums we create - add blank lines after declarations - remove field names from structure initializers - include "k5-platform.h" rather than "k5-int.h" - replace a variable-sized buffer with a dynamic one on the heap --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 494 +++++++++++++----------- 1 files changed, 269 insertions(+), 225 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 2c4137e..7f73f6b 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -32,10 +32,11 @@ */ #include +#include #include #include -#include "k5-int.h" +#include "k5-platform.h" #include "k5-utf8.h" #include "krb5.h" @@ -89,9 +90,9 @@ /* Forward declaration. */ static krb5_error_code cert_retrieve_cert_sans(krb5_context context, CERTCertificate *cert, - krb5_principal **pkinit_sans_out, - krb5_principal **upn_sans_out, - unsigned char ***kdc_hostname_out); + krb5_principal **pkinit_sans, + krb5_principal **upn_sans, + unsigned char ***kdc_hostname); /* DomainParameters: RFC 2459, 7.3.2. */ struct domain_parameters { 
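Review bot: The forward declaration of cert_retrieve_cert_sans now names its outputs `pkinit_sans`, `upn_sans` and `kdc_hostname`, but the definition still appears to use the `_out` names: the later hunk at -4024 shows `upn_sans_out != NULL` as a context line inside that function. The compiler accepts the mismatch, but a reader has to map prototype to body by position. Either keep the suffix here, e.g. `krb5_principal **upn_sans_out,`, or rename the definition's parameters in the same commit. The definition's signature is outside every hunk on this page, so this is inferred from that one context line.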
@@ -150,28 +151,28 @@ struct dh_parameters { }; static const SEC_ASN1Template dh_parameters_template[] = { { - .kind = SEC_ASN1_SEQUENCE, - .offset = 0, - .sub = NULL, - .size = sizeof(struct dh_parameters), + SEC_ASN1_SEQUENCE, + 0, + NULL, + sizeof(struct dh_parameters), }, { - .kind = SEC_ASN1_INTEGER, - .offset = offsetof(struct dh_parameters, p), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_INTEGER, + offsetof(struct dh_parameters, p), + &SEC_IntegerTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_INTEGER, - .offset = offsetof(struct dh_parameters, g), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_INTEGER, + offsetof(struct dh_parameters, g), + &SEC_IntegerTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, - .offset = offsetof(struct dh_parameters, private_value_length), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, + offsetof(struct dh_parameters, private_value_length), + &SEC_IntegerTemplate, + sizeof(SECItem), }, {0, 0, NULL, 0} }; @@ -182,22 +183,22 @@ struct validation_parms { }; static const SEC_ASN1Template validation_parms_template[] = { { - .kind = SEC_ASN1_SEQUENCE, - .offset = 0, - .sub = NULL, - .size = sizeof(struct validation_parms), + SEC_ASN1_SEQUENCE, + 0, + NULL, + sizeof(struct validation_parms), }, { - .kind = SEC_ASN1_BIT_STRING, - .offset = offsetof(struct validation_parms, seed), - .sub = &SEC_BitStringTemplate, - .size = sizeof(SECItem), + SEC_ASN1_BIT_STRING, + offsetof(struct validation_parms, seed), + &SEC_BitStringTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_INTEGER, - .offset = offsetof(struct validation_parms, pgen_counter), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_INTEGER, + offsetof(struct validation_parms, pgen_counter), + &SEC_IntegerTemplate, + sizeof(SECItem), }, {0, 0, NULL, 0} }; 
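Review bot: The positional initializers in dh_parameters_template and validation_parms_template now depend on the member order of SEC_ASN1Template, which is declared in an NSS header and is not visible here; the removed lines give the order as kind, offset, sub, size. A one-line comment above the first table would make each entry checkable at a glance: `/* SEC_ASN1Template members, in order: kind, offset, sub, size */`. The same applies to the template tables in the hunks that follow (domain_parameters, issuer_and_serial_number, kerberos_string, realm, sequence_of_kerberos_string, principal_name, kerberos_principal_name, content_info). These tables drive ASN.1 encoding and decoding, so a transposed offset and size would compile cleanly and fail only at run time, presumably as a wrong-sized read or write into the target struct.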
@@ -206,40 +207,40 @@ static const SEC_ASN1Template validation_parms_template[] = { struct domain_parameters; static const SEC_ASN1Template domain_parameters_template[] = { { - .kind = SEC_ASN1_SEQUENCE, - .offset = 0, - .sub = NULL, - .size = sizeof(struct domain_parameters), + SEC_ASN1_SEQUENCE, + 0, + NULL, + sizeof(struct domain_parameters), }, { - .kind = SEC_ASN1_INTEGER, - .offset = offsetof(struct domain_parameters, p), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_INTEGER, + offsetof(struct domain_parameters, p), + &SEC_IntegerTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_INTEGER, - .offset = offsetof(struct domain_parameters, g), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_INTEGER, + offsetof(struct domain_parameters, g), + &SEC_IntegerTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_INTEGER, - .offset = offsetof(struct domain_parameters, q), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_INTEGER, + offsetof(struct domain_parameters, q), + &SEC_IntegerTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, - .offset = offsetof(struct domain_parameters, j), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, + offsetof(struct domain_parameters, j), + &SEC_IntegerTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_INLINE | SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL, - .offset = offsetof(struct domain_parameters, validation_parms), - .sub = &validation_parms_template, - .size = sizeof(struct validation_parms *), + SEC_ASN1_INLINE | SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL, + offsetof(struct domain_parameters, validation_parms), + &validation_parms_template, + sizeof(struct validation_parms *), }, {0, 0, NULL, 0} }; 
@@ -251,22 +252,22 @@ struct issuer_and_serial_number { }; static const SEC_ASN1Template issuer_and_serial_number_template[] = { { - .kind = SEC_ASN1_SEQUENCE, - .offset = 0, - .sub = NULL, - .size = sizeof(struct issuer_and_serial_number), + SEC_ASN1_SEQUENCE, + 0, + NULL, + sizeof(struct issuer_and_serial_number), }, { - .kind = SEC_ASN1_ANY, - .offset = offsetof(struct issuer_and_serial_number, issuer), - .sub = &SEC_AnyTemplate, - .size = sizeof(SECItem), + SEC_ASN1_ANY, + offsetof(struct issuer_and_serial_number, issuer), + &SEC_AnyTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_INTEGER, - .offset = offsetof(struct issuer_and_serial_number, serial), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_INTEGER, + offsetof(struct issuer_and_serial_number, serial), + &SEC_IntegerTemplate, + sizeof(SECItem), }, {0, 0, NULL, 0} }; @@ -274,10 +275,10 @@ static const SEC_ASN1Template issuer_and_serial_number_template[] = { /* KerberosString: RFC 4120, 5.2.1. */ static const SEC_ASN1Template kerberos_string_template[] = { { - .kind = SEC_ASN1_GENERAL_STRING, - .offset = 0, - .sub = NULL, - .size = sizeof(SECItem), + SEC_ASN1_GENERAL_STRING, + 0, + NULL, + sizeof(SECItem), } }; @@ -287,20 +288,20 @@ struct realm { }; static const SEC_ASN1Template realm_template[] = { { - .kind = SEC_ASN1_GENERAL_STRING, - .offset = 0, - .sub = NULL, - .size = sizeof(SECItem), + SEC_ASN1_GENERAL_STRING, + 0, + NULL, + sizeof(SECItem), } }; /* PrincipalName: RFC 4120, 5.2.2. */ static const SEC_ASN1Template sequence_of_kerberos_string_template[] = { { - .kind = SEC_ASN1_SEQUENCE_OF, - .offset = 0, - .sub = &kerberos_string_template, - .size = 0, + SEC_ASN1_SEQUENCE_OF, + 0, + &kerberos_string_template, + 0, } }; 
@@ -310,24 +311,22 @@ struct principal_name { }; static const SEC_ASN1Template principal_name_template[] = { { - .kind = SEC_ASN1_SEQUENCE, - .offset = 0, - .sub = NULL, - .size = sizeof(struct principal_name), - }, + SEC_ASN1_SEQUENCE, + 0, + NULL, + sizeof(struct principal_name), + }, { - .kind = SEC_ASN1_CONTEXT_SPECIFIC | 0 | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - .offset = offsetof(struct principal_name, name_type), - .sub = &SEC_IntegerTemplate, - .size = sizeof(SECItem), + SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, + offsetof(struct principal_name, name_type), + &SEC_IntegerTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_CONTEXT_SPECIFIC | 1 | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - .offset = offsetof(struct principal_name, name_string), - .sub = sequence_of_kerberos_string_template, - .size = sizeof(struct SECItem **), + SEC_ASN1_CONTEXT_SPECIFIC | 1 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, + offsetof(struct principal_name, name_string), + sequence_of_kerberos_string_template, + sizeof(struct SECItem **), }, {0, 0, NULL, 0}, }; 
@@ -339,24 +338,22 @@ struct kerberos_principal_name { }; static const SEC_ASN1Template kerberos_principal_name_template[] = { { - .kind = SEC_ASN1_SEQUENCE, - .offset = 0, - .sub = NULL, - .size = sizeof(struct kerberos_principal_name), + SEC_ASN1_SEQUENCE, + 0, + NULL, + sizeof(struct kerberos_principal_name), }, { - .kind = SEC_ASN1_CONTEXT_SPECIFIC | 0 | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - .offset = offsetof(struct kerberos_principal_name, realm), - .sub = &realm_template, - .size = sizeof(struct realm), + SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, + offsetof(struct kerberos_principal_name, realm), + &realm_template, + sizeof(struct realm), }, { - .kind = SEC_ASN1_CONTEXT_SPECIFIC | 1 | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - .offset = offsetof(struct kerberos_principal_name, principal_name), - .sub = &principal_name_template, - .size = sizeof(struct principal_name), + SEC_ASN1_CONTEXT_SPECIFIC | 1 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, + offsetof(struct kerberos_principal_name, principal_name), + &principal_name_template, + sizeof(struct principal_name), }, {0, 0, NULL, 0} }; 
@@ -367,23 +364,22 @@ struct content_info { }; static const SEC_ASN1Template content_info_template[] = { { - .kind = SEC_ASN1_SEQUENCE, - .offset = 0, - .sub = NULL, - .size = sizeof(struct content_info), + SEC_ASN1_SEQUENCE, + 0, + NULL, + sizeof(struct content_info), }, { - .kind = SEC_ASN1_OBJECT_ID, - .offset = offsetof(struct content_info, content_type), - .sub = &SEC_ObjectIDTemplate, - .size = sizeof(SECItem), + SEC_ASN1_OBJECT_ID, + offsetof(struct content_info, content_type), + &SEC_ObjectIDTemplate, + sizeof(SECItem), }, { - .kind = SEC_ASN1_CONTEXT_SPECIFIC | 0 | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - .offset = offsetof(struct content_info, content), - .sub = &SEC_OctetStringTemplate, - .size = sizeof(SECItem), + SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, + offsetof(struct content_info, content), + &SEC_OctetStringTemplate, + sizeof(SECItem), }, {0, 0, NULL, 0} }; 
@@ -392,32 +388,37 @@ static const SEC_ASN1Template content_info_template[] = { static unsigned char oid_pkinit_key_purpose_client_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x04 }; static SECItem pkinit_kp_client = { - .data = oid_pkinit_key_purpose_client_bytes, - .len = 7, + siDEROID, + oid_pkinit_key_purpose_client_bytes, + 7, }; static unsigned char oid_pkinit_key_purpose_kdc_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x05 }; static SECItem pkinit_kp_kdc = { - .data = oid_pkinit_key_purpose_kdc_bytes, - .len = 7, + siDEROID, + oid_pkinit_key_purpose_kdc_bytes, + 7, }; static unsigned char oid_ms_sc_login_key_purpose_bytes[] = { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x02 }; static SECItem pkinit_kp_mssclogin = { - .data = oid_ms_sc_login_key_purpose_bytes, - .len = 10, + siDEROID, + oid_ms_sc_login_key_purpose_bytes, + 10, }; static unsigned char oid_pkinit_name_type_principal_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x02, 0x02 }; static SECItem pkinit_nt_principal = { - .data = oid_pkinit_name_type_principal_bytes, - .len = 6, + siDEROID, + oid_pkinit_name_type_principal_bytes, + 6, }; static unsigned char oid_pkinit_name_type_upn_bytes[] = { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03 }; static SECItem pkinit_nt_upn = { - .data = oid_pkinit_name_type_upn_bytes, - .len = 10, + siDEROID, + oid_pkinit_name_type_upn_bytes, + 10, }; static SECOidTag 
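Review bot: These SECItem initializers are not a pure removal of field names: the designated form set only `.data` and `.len`, leaving the leading type member zero, while the positional form now sets it to `siDEROID`. The commit message does not mention this, and it is worth a line there in case any consumer of these items inspects the type. The lengths are also still hand-counted (`7`, `10`, `6`) beside arrays declared with `[]`; writing `sizeof(oid_pkinit_key_purpose_client_bytes),` in place of `7,` keeps length and data from drifting apart. Both points apply equally to the nested `oid` initializers of the SECOidData objects in the get_pkinit_data_*_tag hunks that follow.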
@@ -426,14 +427,15 @@ get_pkinit_data_auth_data_tag(void) static unsigned char oid_pkinit_auth_data_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x01 }; static SECOidData oid_pkinit_auth_data = { - .oid = { - .data = oid_pkinit_auth_data_bytes, - .len = 7, - }, - .offset = SEC_OID_UNKNOWN, - .desc = "PKINIT Client Authentication Data", - .mechanism = CKM_INVALID_MECHANISM, - .supportedExtension = UNSUPPORTED_CERT_EXTENSION, + { + siDEROID, + oid_pkinit_auth_data_bytes, + 7, + }, + SEC_OID_UNKNOWN, + "PKINIT Client Authentication Data", + CKM_INVALID_MECHANISM, + UNSUPPORTED_CERT_EXTENSION, }; if (oid_pkinit_auth_data.offset == SEC_OID_UNKNOWN) { oid_pkinit_auth_data.offset = SECOID_AddEntry(&oid_pkinit_auth_data); @@ -447,14 +449,15 @@ get_pkinit_data_auth_data9_tag(void) static unsigned char oid_pkinit_auth_data9_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01 }; static SECOidData oid_pkinit_auth_data9 = { - .oid = { - .data = oid_pkinit_auth_data9_bytes, - .len = 9, - }, - .offset = SEC_OID_UNKNOWN, - .desc = "PKINIT Client Authentication Data (Draft 9)", - .mechanism = CKM_INVALID_MECHANISM, - .supportedExtension = UNSUPPORTED_CERT_EXTENSION, + { + siDEROID, + oid_pkinit_auth_data9_bytes, + 9, + }, + SEC_OID_UNKNOWN, + "PKINIT Client Authentication Data (Draft 9)", + CKM_INVALID_MECHANISM, + UNSUPPORTED_CERT_EXTENSION, }; if (oid_pkinit_auth_data9.offset == SEC_OID_UNKNOWN) { oid_pkinit_auth_data9.offset = SECOID_AddEntry(&oid_pkinit_auth_data9); 
@@ -468,14 +471,15 @@ get_pkinit_data_rkey_data_tag(void) static unsigned char oid_pkinit_rkey_data_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x03 }; static SECOidData oid_pkinit_rkey_data = { - .oid = { - .data = oid_pkinit_rkey_data_bytes, - .len = 7, - }, - .offset = SEC_OID_UNKNOWN, - .desc = "PKINIT Reply Key Data", - .mechanism = CKM_INVALID_MECHANISM, - .supportedExtension = UNSUPPORTED_CERT_EXTENSION, + { + siDEROID, + oid_pkinit_rkey_data_bytes, + 7, + }, + SEC_OID_UNKNOWN, + "PKINIT Reply Key Data", + CKM_INVALID_MECHANISM, + UNSUPPORTED_CERT_EXTENSION, }; if (oid_pkinit_rkey_data.offset == SEC_OID_UNKNOWN) { oid_pkinit_rkey_data.offset = SECOID_AddEntry(&oid_pkinit_rkey_data); @@ -489,14 +493,15 @@ get_pkinit_data_dhkey_data_tag(void) static unsigned char oid_pkinit_dhkey_data_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x02 }; static SECOidData oid_pkinit_dhkey_data = { - .oid = { - .data = oid_pkinit_dhkey_data_bytes, - .len = 7, - }, - .offset = SEC_OID_UNKNOWN, - .desc = "PKINIT DH Reply Key Data", - .mechanism = CKM_INVALID_MECHANISM, - .supportedExtension = UNSUPPORTED_CERT_EXTENSION, + { + siDEROID, + oid_pkinit_dhkey_data_bytes, + 7, + }, + SEC_OID_UNKNOWN, + "PKINIT DH Reply Key Data", + CKM_INVALID_MECHANISM, + UNSUPPORTED_CERT_EXTENSION, }; if (oid_pkinit_dhkey_data.offset == SEC_OID_UNKNOWN) { oid_pkinit_dhkey_data.offset = SECOID_AddEntry(&oid_pkinit_dhkey_data); @@ -520,7 +525,8 @@ get_oid_from_tag(SECOidTag tag) static void derdump(unsigned char *data, unsigned int length) { - FILE *p; + FILE *p; + p = popen(DEBUG_DER, "w"); if (p != NULL) { fwrite(data, 1, length, p); @@ -532,7 +538,8 @@ derdump(unsigned char *data, unsigned int length) static void cmsdump(unsigned char *data, unsigned int length) { - FILE *p; + FILE *p; + p = popen(DEBUG_CMS, "w"); if (p != NULL) { fwrite(data, 1, length, p); 
@@ -611,7 +618,7 @@ crypto_pwfn(const char *what, PRBool retry, void *arg) /* A password-prompt callback for NSS that calls the libkrb5 callback. */ static char * -crypto_pwcb(PK11SlotInfo * slot, PRBool retry, void *arg) +crypto_pwcb(PK11SlotInfo *slot, PRBool retry, void *arg) { return crypto_pwfn(PK11_GetTokenName(slot), retry, arg); } @@ -631,6 +638,7 @@ pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx) { PLArenaPool *pool; pkinit_identity_crypto_context id; + pkiDebug("%s\n", __FUNCTION__); pool = PORT_NewArena(sizeof(double)); if (pool == NULL) { @@ -665,6 +673,7 @@ crypto_get_p12_slot(struct _pkinit_identity_crypto_context *id) { char *configdir, *spec; int attempts; + if (id->id_p12_slot == NULL) { configdir = DEFAULT_CONFIGDIR; #ifdef PKCS12_HACK @@ -699,9 +708,9 @@ crypto_get_p12_slot(struct _pkinit_identity_crypto_context *id) } #ifdef PKCS12_HACK if (strcmp(configdir, DEFAULT_CONFIGDIR) != 0) { - DIR *dir; + DIR *dir; struct dirent *ent; - char *path; + char *path; /* First, initialize the slot. */ if (id->id_p12_slot != NULL) { if (PK11_NeedUserInit(id->id_p12_slot)) { @@ -747,6 +756,7 @@ void pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx) { int i; + pkiDebug("%s\n", __FUNCTION__); /* The order of cleanup here is intended to ensure that nothing gets * freed before anything that might have a reference to it. */ @@ -809,6 +819,7 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx) { PLArenaPool *pool; SECOidTag tag; + pkiDebug("%s\n", __FUNCTION__); pool = PORT_NewArena(sizeof(double)); if (pool != NULL) { @@ -869,6 +880,7 @@ krb5_error_code pkinit_init_req_crypto(pkinit_req_crypto_context *req_cryptoctx) { PLArenaPool *pool; + pkiDebug("%s\n", __FUNCTION__); pool = PORT_NewArena(sizeof(double)); if (pool != NULL) { 
@@ -959,6 +971,7 @@ secitem_from_dh_pubval(PLArenaPool *pool, SECItem *bits_out) { SECItem tmp, uinteger; + tmp.data = dh_pubkey; tmp.len = dh_pubkey_len; memset(&uinteger, 0, sizeof(uinteger)); @@ -1532,6 +1545,7 @@ get_integer_bits(SECItem *integer) unsigned int i; unsigned char c; int size = 0; + for (i = 0; i < integer->len; i++) { c = integer->data[i]; if (c != 0) { @@ -1802,7 +1816,7 @@ create_krb5_trustedCas(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, pkinit_req_crypto_context req_cryptoctx, pkinit_identity_crypto_context id_cryptoctx, - int flag, krb5_trusted_ca *** trustedCas) + int flag, krb5_trusted_ca ***trustedCas) { return ENOSYS; } @@ -1889,12 +1903,13 @@ create_krb5_trustedCertifiers(krb5_context context, } /* Add a certificate to a list if it isn't already in the list. Since the list - * would take ownership of the cert we added it, if it's already in the list, - * delete this reference to it. */ + * would take ownership of the cert if we added it to the list, if it's already + * in the list, delete this reference to it. */ static SECStatus cert_maybe_add_to_list(CERTCertList *list, CERTCertificate *cert) { CERTCertListNode *node; + for (node = CERT_LIST_HEAD(list); (node != NULL) && (node->cert != NULL) && @@ -1985,7 +2000,8 @@ cert_load_ca_certs_from_slot(krb5_context context, static int cert_load_certs_with_keys_from_slot(krb5_context context, pkinit_identity_crypto_context - id_cryptoctx, PK11SlotInfo *slot, + id_cryptoctx, + PK11SlotInfo *slot, const char *label, const char *id) { CERTCertificate *cert; @@ -2181,6 +2197,7 @@ static PK11SlotInfo * crypto_get_pem_slot(struct _pkinit_identity_crypto_context *id) { PK11SlotInfo *slot; + if (id->pem_module == NULL) { id->pem_module = SECMOD_LoadUserModule("library=libnsspem.so", NULL, PR_FALSE); 
@@ -2210,10 +2227,10 @@ crypto_get_pem_slot(struct _pkinit_identity_crypto_context *id) * might expect "arg" to be a wincx, but it's actually a certificate! (Mozilla * bug #321584) */ static SECItem * -crypto_nickname_c_cb(SECItem * old_nickname, PRBool * cancel, void *arg) +crypto_nickname_c_cb(SECItem *old_nickname, PRBool *cancel, void *arg) { CERTCertificate *leaf; - char *old_name, *new_name, *p; + char *old_name, *new_name, *p; SECItem *new_nickname, tmp; int i; @@ -2330,10 +2347,10 @@ crypto_load_pkcs12(krb5_context context, return SECFailure; } if (SEC_PKCS12DecoderVerify(ctx) != SECSuccess) { - char *newpass; + char *newpass; krb5_ucs2 *ucs2; unsigned char *ucs2s; - size_t i, n_ucs2s; + size_t i, n_ucs2s; SECErrorCodes err; err = PORT_GetError(); SEC_PKCS12DecoderFinish(ctx); @@ -2430,7 +2447,7 @@ crypto_load_files(krb5_context context, { PK11SlotInfo *slot; PK11GenericObject *obj, **id_objects; - PRBool permanent, match; + PRBool permanent, match; CERTCertificate *cert; CERTCertList *before, *after; CERTCertListNode *anode, *bnode; @@ -2657,8 +2674,8 @@ crypto_load_dir(krb5_context context, int i; if (crypto_get_pem_slot(id_cryptoctx) == NULL) { - pkiDebug("%s: nsspem module not loaded, not loading directory \"%s\"\n", - __FUNCTION__, dirname); + pkiDebug("%s: nsspem module not loaded, " + "not loading directory \"%s\"\n", __FUNCTION__, dirname); return SECFailure; } if (dirname == NULL) { @@ -2895,6 +2912,7 @@ crypto_cert_get_count(krb5_context context, int *cert_count) { CERTCertListNode *node; + *cert_count = 0; if (!CERT_LIST_EMPTY(id_cryptoctx->id_certs)) { for (node = CERT_LIST_HEAD(id_cryptoctx->id_certs); @@ -2920,6 +2938,7 @@ crypto_cert_iteration_begin(krb5_context context, { PLArenaPool *pool; struct _pkinit_cert_iter_info *handle; + if (CERT_LIST_EMPTY(id_cryptoctx->id_certs)) { return ENOENT; } 
@@ -2957,8 +2976,10 @@ crypto_cert_iteration_next(krb5_context context, pkinit_cert_handle *cert_handle) { PLArenaPool *pool; + /* Check if we're at the last node. */ - if (CERT_LIST_END(iter_handle->node, iter_handle->id_cryptoctx->id_certs)) { + if (CERT_LIST_END(iter_handle->node, + iter_handle->id_cryptoctx->id_certs)) { /* No more entries. */ *cert_handle = NULL; return PKINIT_ITER_NO_MORE; @@ -2984,10 +3005,11 @@ crypto_cert_iteration_next(krb5_context context, /* Read names, key usage, and extended key usage from the cert. */ static SECItem * -cert_get_ext_by_tag(CERTCertificate * cert, SECOidTag tag) +cert_get_ext_by_tag(CERTCertificate *cert, SECOidTag tag) { SECOidData *oid; int i; + oid = SECOID_FindOIDByTag(tag); for (i = 0; (cert->extensions != NULL) && (cert->extensions[i] != NULL); @@ -3006,6 +3028,7 @@ static unsigned int cert_get_ku_bits(krb5_context context, CERTCertificate *cert) { unsigned int ku = 0; + if (cert->keyUsage & KU_DIGITAL_SIGNATURE) { ku |= PKINIT_KU_DIGITALSIGNATURE; } @@ -3075,9 +3098,10 @@ cert_get_eku_bits(krb5_context context, CERTCertificate *cert, PRBool kdc) krb5_error_code crypto_cert_get_matching_data(krb5_context context, pkinit_cert_handle cert_handle, - pkinit_cert_matching_data ** ret_data) + pkinit_cert_matching_data **ret_data) { pkinit_cert_matching_data *md; + md = malloc(sizeof(*md)); if (md == NULL) { return ENOMEM; @@ -3113,7 +3137,7 @@ crypto_cert_release(krb5_context context, pkinit_cert_handle cert_handle) * structure -- everything except the cert_handle it contains, anyway. */ krb5_error_code crypto_cert_free_matching_data(krb5_context context, - pkinit_cert_matching_data * data) + pkinit_cert_matching_data *data) { free(data->subject_dn); free(data->issuer_dn); 
@@ -3124,9 +3148,10 @@ crypto_cert_free_matching_data(krb5_context context, /* Mark the cert tracked in the matching data structure as the one we're going * to use. */ krb5_error_code -crypto_cert_select(krb5_context context, pkinit_cert_matching_data * data) +crypto_cert_select(krb5_context context, pkinit_cert_matching_data *data) { CERTCertificate *cert; + cert = CERT_DupCertificate(data->ch->cert); if (data->ch->id_cryptoctx->id_cert != NULL) { CERT_DestroyCertificate(data->ch->id_cryptoctx->id_cert); @@ -3149,6 +3174,7 @@ crypto_cert_select_default(krb5_context context, krb5_data *c; krb5_error_code code; int result, count, i; + result = crypto_cert_get_count(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx, &count); @@ -3384,7 +3410,7 @@ pkinit_create_td_dh_parameters(krb5_context context, ids[j] = NULL; /* Pass it back up. */ data = NULL; - code = (*k5int_encode_krb5_td_dh_parameters) (ids, &data); + code = (*k5int_encode_krb5_td_dh_parameters)(ids, &data); if (code != 0) { return code; } @@ -3394,7 +3420,7 @@ pkinit_create_td_dh_parameters(krb5_context context, typed_datum.data = (unsigned char *) data->data; typed_data[0] = &typed_datum; typed_data[1] = NULL; - code = (*k5int_encode_krb5_typed_data) (typed_data, edata); + code = (*k5int_encode_krb5_typed_data)(typed_data, edata); krb5_free_data(context, data); return code; } @@ -3412,6 +3438,7 @@ pkinit_process_td_dh_params(krb5_context context, struct domain_parameters params; SECItem item; int i, size; + /* Set an initial reasonable guess if we got no hints that we could * parse. */ *new_dh_size = 2048; @@ -3483,7 +3510,7 @@ pkinit_create_td_invalid_certificate(krb5_context context, /* Pass it back up. */ data = NULL; - code = (*k5int_encode_krb5_td_trusted_certifiers) (ids, &data); + code = (*k5int_encode_krb5_td_trusted_certifiers)(ids, &data); if (code != 0) { return code; } 
@@ -3493,7 +3520,7 @@ pkinit_create_td_invalid_certificate(krb5_context context, typed_datum.data = (unsigned char *) data->data; typed_data[0] = &typed_datum; typed_data[1] = NULL; - code = (*k5int_encode_krb5_typed_data) (typed_data, edata); + code = (*k5int_encode_krb5_typed_data)(typed_data, edata); krb5_free_data(context, data); return code; } @@ -3662,7 +3689,8 @@ pkinit_process_td_trusted_certifiers(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, krb5_external_principal_identifier ** - trustedCertifiers, int td_type) + trustedCertifiers, + int td_type) { /* We should select a different client certificate based on the list of * trusted certifiers, but for now we'll just chicken out. */ @@ -3735,8 +3763,8 @@ pkinit_octetstring2key(krb5_context context, PK11Context *ctx; unsigned int left, length, rnd_len; unsigned char c, buf[512]; /* the longest digest we support */ - char rnd_buf[dh_key_len]; - size_t kbyte, klength; + char *rnd_buf; + size_t kbyte, klength; krb5_data rnd_data; krb5_error_code result; SECOidTag hash_alg = SEC_OID_SHA1; @@ -3745,6 +3773,10 @@ pkinit_octetstring2key(krb5_context context, if (result != 0) { return result; } + rnd_buf = malloc(dh_key_len); + if (rnd_buf == NULL) { + return ENOMEM; + } c = 0; rnd_len = kbyte; 
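Review bot: In pkinit_octetstring2key the new heap buffer is sized with `malloc(dh_key_len)`, while the context line right after it sets `rnd_len = kbyte`; nothing visible shows that kbyte cannot exceed dh_key_len. If the loop that follows fills rnd_len bytes of rnd_buf, which is outside the hunk and only inferred from the names, the buffer should be sized by what is written, or the function should reject the mismatch up front with something like `if (kbyte > dh_key_len) return EINVAL;`. The old VLA had the same sizing, so this is inherited rather than introduced, but the move to the heap is the natural place to fix it. Also note that `malloc(0)` may return NULL, so a zero dh_key_len would now be reported as ENOMEM.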
@@ -3753,31 +3785,36 @@ pkinit_octetstring2key(krb5_context context, ctx = PK11_CreateDigestContext(hash_alg); if (ctx == NULL) { memset(buf, 0, sizeof(buf)); - memset(rnd_buf, 0, sizeof(rnd_buf)); + memset(rnd_buf, 0, dh_key_len); + free(rnd_buf); return ENOMEM; } if (PK11_DigestBegin(ctx) != SECSuccess) { PK11_DestroyContext(ctx, PR_TRUE); memset(buf, 0, sizeof(buf)); - memset(rnd_buf, 0, sizeof(rnd_buf)); + memset(rnd_buf, 0, dh_key_len); + free(rnd_buf); return ENOMEM; } if (PK11_DigestOp(ctx, &c, 1) != SECSuccess) { PK11_DestroyContext(ctx, PR_TRUE); memset(buf, 0, sizeof(buf)); - memset(rnd_buf, 0, sizeof(rnd_buf)); + memset(rnd_buf, 0, dh_key_len); + free(rnd_buf); return ENOMEM; } if (PK11_DigestOp(ctx, dh_key, dh_key_len) != SECSuccess) { PK11_DestroyContext(ctx, PR_TRUE); memset(buf, 0, sizeof(buf)); - memset(rnd_buf, 0, sizeof(rnd_buf)); + memset(rnd_buf, 0, dh_key_len); + free(rnd_buf); return ENOMEM; } if (PK11_DigestFinal(ctx, buf, &length, sizeof(buf)) != SECSuccess) { PK11_DestroyContext(ctx, PR_TRUE); memset(buf, 0, sizeof(buf)); - memset(rnd_buf, 0, sizeof(rnd_buf)); + memset(rnd_buf, 0, dh_key_len); + free(rnd_buf); return ENOMEM; } PK11_DestroyContext(ctx, PR_TRUE); @@ -3804,7 +3841,8 @@ pkinit_octetstring2key(krb5_context context, result = krb5_c_random_to_key(context, etype, &rnd_data, krb5key); memset(buf, 0, sizeof(buf)); - memset(rnd_buf, 0, sizeof(rnd_buf)); + memset(rnd_buf, 0, dh_key_len); + free(rnd_buf); return result; } @@ -3814,6 +3852,7 @@ cert_add_string(unsigned char ***list, int *count, int len, const unsigned char *value) { unsigned char **tmp; + tmp = malloc(sizeof(tmp[0]) * (*count + 2)); if (tmp == NULL) { return ENOMEM; @@ -3840,6 +3879,7 @@ cert_add_princ(krb5_context context, krb5_principal princ, krb5_principal **sans_inout, int *n_sans_inout) { krb5_principal *tmp; + tmp = malloc(sizeof(krb5_principal *) * (*n_sans_inout + 2)); if (tmp == NULL) { return ENOMEM; 
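Review bot: Each `memset(rnd_buf, 0, dh_key_len);` is now immediately followed by `free(rnd_buf);`, and a compiler may treat a store to memory that is about to be freed as dead and remove it, leaving derived key material in the freed block. The wipe should use a call the optimizer cannot elide, for example `explicit_bzero(rnd_buf, dh_key_len);` where the platform provides it, or the tree's own zeroization helper if one is reachable from the headers this file now includes. The same concern applies to `memset(buf, 0, sizeof(buf));` on the stack digest buffer just before each return, and to the final cleanup in the -3804 hunk. Separately, the wipe-and-free sequence is now repeated on five error paths plus the success path; a single cleanup label at the end of the function would make it harder for a future early return to skip the wipe. The function body begins and ends outside these hunks.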
@@ -4024,7 +4064,8 @@ cert_retrieve_cert_sans(krb5_context context, } } else /* possibly a user principal name */ - if (SECITEM_ItemsAreEqual(&name.name.OthName.oid, &pkinit_nt_upn)) { + if (SECITEM_ItemsAreEqual(&name.name.OthName.oid, + &pkinit_nt_upn)) { /* Add it to the list. */ if ((upn_sans_out != NULL) && (cert_add_upn(pool, context, &name.name.OthName.name, @@ -4167,13 +4208,13 @@ cms_contentinfo_create(krb5_context context, } /* Create a signed-data content info, add a signature to it, and return it. */ -enum signeddata_common_create_include_certchain { - signeddata_common_create_without_certchain, - signeddata_common_create_with_certchain +enum sdcc_include_certchain { + signeddata_common_create_omit_chain, + signeddata_common_create_with_chain }; -enum signeddata_common_create_include_signed_attributes { - signeddata_common_create_without_signed_attributes, - signeddata_common_create_with_signed_attributes +enum sdcc_include_signed_attrs { + signeddata_common_create_omit_signed_attrs, + signeddata_common_create_with_signed_attrs }; static krb5_error_code crypto_signeddata_common_create(krb5_context context, @@ -4182,8 +4223,8 @@ crypto_signeddata_common_create(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, NSSCMSMessage *msg, SECOidTag digest, - enum signeddata_common_create_include_certchain include_certchain, - enum signeddata_common_create_include_signed_attributes add_signed_attributes, + enum sdcc_include_certchain include_certchain, + enum sdcc_include_signed_attrs add_signedattrs, NSSCMSSignedData **signed_data_out) { NSSCMSSignedData *sdata; 
@@ -4206,7 +4247,8 @@ crypto_signeddata_common_create(krb5_context context, return ENOMEM; } if (NSS_CMSSignerInfo_IncludeCerts(signer, - include_certchain == signeddata_common_create_with_certchain ? + (include_certchain == + signeddata_common_create_with_chain) ? NSSCMSCM_CertChain : NSSCMSCM_CertOnly, certUsageAnyCA) != SECSuccess) { pkiDebug("%s: error setting IncludeCerts\n", __FUNCTION__); @@ -4216,7 +4258,7 @@ crypto_signeddata_common_create(krb5_context context, return ENOMEM; } - if (add_signed_attributes == signeddata_common_create_with_signed_attributes) { + if (add_signedattrs == signeddata_common_create_with_signed_attrs) { /* The presence of any signed attribute means the digest * becomes a signed attribute, too. */ if (NSS_CMSSignerInfo_AddSigningTime(signer, PR_Now()) != SECSuccess) { @@ -4250,19 +4292,19 @@ cms_envelopeddata_create(krb5_context context, PLArenaPool *pool; SECOidTag encapsulated_tag, digest; SECItem plain, encoded; - enum signeddata_common_create_include_signed_attributes add_signed_attributes; + enum sdcc_include_signed_attrs add_signed_attrs; switch (pa_type) { case KRB5_PADATA_PK_AS_REQ_OLD: case KRB5_PADATA_PK_AS_REP_OLD: digest = SEC_OID_MD5; - add_signed_attributes = signeddata_common_create_without_signed_attributes; + add_signed_attrs = signeddata_common_create_omit_signed_attrs; encapsulated_tag = get_pkinit_data_rkey_data_tag(); break; case KRB5_PADATA_PK_AS_REQ: case KRB5_PADATA_PK_AS_REP: digest = SEC_OID_SHA1; - add_signed_attributes = signeddata_common_create_with_signed_attributes; + add_signed_attrs = signeddata_common_create_with_signed_attrs; encapsulated_tag = get_pkinit_data_rkey_data_tag(); break; default: 
@@ -4346,9 +4388,9 @@ cms_envelopeddata_create(krb5_context context, msg, digest, include_certchain ? - signeddata_common_create_with_certchain : - signeddata_common_create_without_certchain, - add_signed_attributes, + signeddata_common_create_with_chain : + signeddata_common_create_omit_chain, + add_signed_attrs, &sdata) != 0) || (sdata == NULL)) { NSS_CMSMessage_Destroy(msg); PORT_FreeArena(pool, PR_TRUE); @@ -4431,6 +4473,7 @@ crypto_signeddata_common_verify(krb5_context context, NSSCMSContentInfo *ecinfo; CERTCertificate *cert; SECOidTag encapsulated_tag; + SEC_OcspFailureMode ocsp_failure_mode; SECOidData *expected, *received; SECStatus status; SECItem *edata; @@ -4547,9 +4590,10 @@ crypto_signeddata_common_verify(krb5_context context, /* FIXME: NSS will use OCSP if there's no applicable CRL cached, and if * OCSP fails, we'll take advice from the require_crl_checking flag, * because it has to affect something. */ - status = CERT_SetOCSPFailureMode(require_crl_checking ? - ocspMode_FailureIsVerificationFailure : - ocspMode_FailureIsNotAVerificationFailure); + ocsp_failure_mode = require_crl_checking ? + ocspMode_FailureIsVerificationFailure : + ocspMode_FailureIsNotAVerificationFailure; + status = CERT_SetOCSPFailureMode(ocsp_failure_mode); if (status != SECSuccess) { pkiDebug("%s: error setting OCSP failure mode: %s\n", __FUNCTION__, 
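Review bot: In the last hunk here (crypto_signeddata_common_verify), CERT_SetOCSPFailureMode is, as far as I know, a process-wide NSS setting rather than a per-verification one, so assigning it from the per-request `require_crl_checking` flag changes revocation handling for any other NSS user in the process and persists after this call returns. The refactor into `ocsp_failure_mode` keeps that behaviour, and the existing FIXME does not mention it. I would extend the comment with something like `/* NOTE: this sets global NSS state, not per-call state; confirm no other caller relies on a different mode. */`. The comment should also state that with the flag unset, a failed OCSP lookup is not treated as a verification failure. The enclosing function starts and ends outside the hunk.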
@@ -4783,22 +4827,22 @@ cms_signeddata_create(krb5_context context, PLArenaPool *pool; SECItem plain, encoded; SECOidTag digest, encapsulated_tag; - enum signeddata_common_create_include_signed_attributes add_signed_attributes; + enum sdcc_include_signed_attrs add_signed_attrs; switch (cms_msg_type) { case CMS_SIGN_DRAFT9: digest = SEC_OID_MD5; - add_signed_attributes = signeddata_common_create_without_signed_attributes; + add_signed_attrs = signeddata_common_create_omit_signed_attrs; encapsulated_tag = get_pkinit_data_auth_data9_tag(); break; case CMS_SIGN_CLIENT: digest = SEC_OID_SHA1; - add_signed_attributes = signeddata_common_create_with_signed_attributes; + add_signed_attrs = signeddata_common_create_with_signed_attrs; encapsulated_tag = get_pkinit_data_auth_data_tag(); break; case CMS_SIGN_SERVER: digest = SEC_OID_SHA1; - add_signed_attributes = signeddata_common_create_with_signed_attributes; + add_signed_attrs = signeddata_common_create_with_signed_attrs; encapsulated_tag = get_pkinit_data_dhkey_data_tag(); break; case CMS_ENVEL_SERVER: @@ -4835,9 +4879,9 @@ cms_signeddata_create(krb5_context context, msg, digest, include_certchain ? - signeddata_common_create_with_certchain : - signeddata_common_create_without_certchain, - add_signed_attributes, + signeddata_common_create_with_chain : + signeddata_common_create_omit_chain, + add_signed_attrs, &sdata) != 0) || (sdata == NULL)) { NSS_CMSMessage_Destroy(msg); PORT_FreeArena(pool, PR_TRUE); -- 1.7.6.4