author | Dan Williams <dcbw@redhat.com> | 2009-10-29 22:46:20 -0700 |
---|---|---|
committer | Dan Williams <dcbw@redhat.com> | 2009-10-29 22:46:20 -0700 |
commit | f496f3f9b94911edb176f617e5cb44845e4cecd3 (patch) | |
tree | 7edfef140210bb961e26f7c09d26c0e4f2280314 /libnm-util | |
parent | acd1620e84883af585ef04200c65df18b5771e32 (diff) |
Revert "libnm-util: fix NSS padding checking and add testcase"
This reverts commit 32bcb0049cc1fe03382b25ee2d0255c9d89ed12f.
Diffstat (limited to 'libnm-util')
-rw-r--r-- | libnm-util/crypto_nss.c | 69 | ||||
-rw-r--r-- | libnm-util/tests/Makefile.am | 11 | ||||
-rw-r--r-- | libnm-util/tests/certs/test2-cert.p12 | bin | 4136 -> 0 bytes | |||
-rw-r--r-- | libnm-util/tests/certs/test2_ca_cert.pem | 27 | ||||
-rw-r--r-- | libnm-util/tests/certs/test2_key_and_cert.pem | 119 |
5 files changed, 17 insertions, 209 deletions
diff --git a/libnm-util/crypto_nss.c b/libnm-util/crypto_nss.c
index be2884c3a9..8cbdd9f525 100644
--- a/libnm-util/crypto_nss.c
+++ b/libnm-util/crypto_nss.c
@@ -18,7 +18,7 @@
 * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 * Boston, MA 02110-1301 USA.
 *
- * (C) Copyright 2007 - 2009 Red Hat, Inc.
+ * (C) Copyright 2007 - 2008 Red Hat, Inc.
 */
 
 #include "config.h"
@@ -147,7 +147,8 @@ crypto_decrypt (const char *cipher,
 GError **error)
 {
 char *output = NULL;
- int decrypted_len = 0;
+ int tmp1_len = 0;
+ unsigned int tmp2_len = 0;
 CK_MECHANISM_TYPE cipher_mech;
 PK11SlotInfo *slot = NULL;
 SECItem key_item;
@@ -156,16 +157,13 @@ crypto_decrypt (const char *cipher,
 PK11Context *ctx = NULL;
 SECStatus s;
 gboolean success = FALSE;
- unsigned int pad_len = 0, extra = 0;
- guint32 i, real_iv_len = 0;
+ gsize len;
 
- if (!strcmp (cipher, CIPHER_DES_EDE3_CBC)) {
+ if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
 cipher_mech = CKM_DES3_CBC_PAD;
- real_iv_len = 8;
- } else if (!strcmp (cipher, CIPHER_DES_CBC)) {
+ else if (!strcmp (cipher, CIPHER_DES_CBC))
 cipher_mech = CKM_DES_CBC_PAD;
- real_iv_len = 8;
- } else {
+ else {
 g_set_error (error, NM_CRYPTO_ERROR,
 NM_CRYPTO_ERR_UNKNOWN_CIPHER,
 _("Private key cipher '%s' was unknown."),
@@ -173,15 +171,7 @@ crypto_decrypt (const char *cipher,
 return NULL;
 }
 
- if (iv_len < real_iv_len) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_RAW_IV_INVALID,
- _("Invalid IV length (must be at least %d)."),
- real_iv_len);
- return NULL;
- }
-
- output = g_malloc0 (data->len);
+ output = g_malloc0 (data->len + 1);
 if (!output) {
 g_set_error (error, NM_CRYPTO_ERROR,
 NM_CRYPTO_ERR_OUT_OF_MEMORY,
@@ -208,7 +198,7 @@ crypto_decrypt (const char *cipher,
 }
 
 key_item.data = (unsigned char *) iv;
- key_item.len = real_iv_len;
+ key_item.len = iv_len;
 sec_param = PK11_ParamFromIV (cipher_mech, &key_item);
 if (!sec_param) {
 g_set_error (error, NM_CRYPTO_ERROR,
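Review bot: With the IV-length check removed in the `@@ -173` hunk, the assignment `key_item.len = iv_len;` in the `@@ -208` hunk hands the caller-supplied length straight to PK11_ParamFromIV, so an IV shorter than the block size of the selected CBC mechanism is no longer reported as NM_CRYPTO_ERR_RAW_IV_INVALID and is presumably caught later by NSS, if at all, with a less specific error. If relying on NSS for that validation is intended, a comment such as `/* IV length is validated by NSS when the cipher context is set up */` beside the assignment would make the contract explicit; otherwise a block-size comparison before the assignment is cheap. crypto_decrypt's body starts and ends outside these hunks.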
@@ -227,7 +217,7 @@ crypto_decrypt (const char *cipher,
 
 s = PK11_CipherOp (ctx,
 (unsigned char *) output,
- &decrypted_len,
+ &tmp1_len,
 data->len,
 data->data,
 data->len);
@@ -239,17 +229,10 @@ crypto_decrypt (const char *cipher,
 goto out;
 }
 
- if (decrypted_len > data->len) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
- _("Failed to decrypt the private key: decrypted data too large."));
- goto out;
- }
-
 s = PK11_DigestFinal (ctx,
- (unsigned char *) (output + decrypted_len),
- &extra,
- data->len - decrypted_len);
+ (unsigned char *) (output + tmp1_len),
+ &tmp2_len,
+ data->len - tmp1_len);
 if (s != SECSuccess) {
 g_set_error (error, NM_CRYPTO_ERROR,
 NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
@@ -257,30 +240,12 @@ crypto_decrypt (const char *cipher,
 PORT_GetError ());
 goto out;
 }
- decrypted_len += extra;
- pad_len = data->len - decrypted_len;
-
- /* Check if the padding at the end of the decrypted data is valid */
- if (pad_len == 0 || pad_len > real_iv_len) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
- _("Failed to decrypt the private key: unexpected padding length."));
+ len = tmp1_len + tmp2_len;
+ if (len > data->len)
 goto out;
- }
-
- /* Validate tail padding; last byte is the padding size, and all pad bytes
- * should contain the padding size.
- */
- for (i = pad_len; i > 0; i--) {
- if (output[data->len - i] != pad_len) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
- _("Failed to decrypt the private key."));
- goto out;
- }
- }
 
- *out_len = decrypted_len;
+ *out_len = len;
+ output[*out_len] = '\0';
 success = TRUE;
 
 out:
diff --git a/libnm-util/tests/Makefile.am b/libnm-util/tests/Makefile.am
index b8046036d4..1cf19cbc46 100644
--- a/libnm-util/tests/Makefile.am
+++ b/libnm-util/tests/Makefile.am
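Review bot: The new `if (len > data->len) goto out;` in the `@@ -257` hunk makes the function return NULL without populating `error`, unlike every other failure path visible in these hunks, so a caller that assumes a NULL return always comes with a set GError gets nothing to report on this path. Setting the error before the jump, `g_set_error (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, _("Failed to decrypt the private key: decrypted data too large."));`, keeps the contract uniform; the message is the one this hunk removes. The sum also mixes `int tmp1_len` and `unsigned int tmp2_len` into `gsize len` before comparing against `data->len`, which only behaves if the two output counts from NSS are never negative, so a short comment stating that assumption would help the next reader. crypto_decrypt's cleanup at `out:` continues beyond the hunk.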
@@ -33,8 +33,6 @@ if WITH_TESTS check-local: test-settings-defaults test-crypto $(abs_builddir)/test-settings-defaults - -# Cert with 8 bytes of tail padding $(abs_builddir)/test-crypto \ $(top_srcdir)/libnm-util/tests/certs/test_ca_cert.pem \ $(top_srcdir)/libnm-util/tests/certs/test_key_and_cert.pem \ @@ -43,14 +41,5 @@ check-local: test-settings-defaults test-crypto $(top_srcdir)/libnm-util/tests/certs/test-cert.p12 \ "test" -# Cert with only 6 bytes of tail padding - $(abs_builddir)/test-crypto \ - $(top_srcdir)/libnm-util/tests/certs/test2_ca_cert.pem \ - $(top_srcdir)/libnm-util/tests/certs/test2_key_and_cert.pem \ - $(top_srcdir)/libnm-util/tests/certs/test2_key_and_cert.pem \ - "12345testing" \ - $(top_srcdir)/libnm-util/tests/certs/test2-cert.p12 \ - "12345testing" - endif diff --git a/libnm-util/tests/certs/test2-cert.p12 b/libnm-util/tests/certs/test2-cert.p12 Binary files differdeleted file mode 100644 index 9d5732b0a9..0000000000 --- a/libnm-util/tests/certs/test2-cert.p12 +++ /dev/null diff --git a/libnm-util/tests/certs/test2_ca_cert.pem b/libnm-util/tests/certs/test2_ca_cert.pem deleted file mode 100644 index 9a487ca4b4..0000000000 --- a/libnm-util/tests/certs/test2_ca_cert.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEpDCCA4ygAwIBAgIJANDnVhixAO1GMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD -VQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czERMA8GA1UEBxMIV2VzdGZv -cmQxFjAUBgNVBAoTDVJlZCBIYXQsIEluYy4xFDASBgNVBAsTC0VuZ2luZWVyaW5n -MRAwDgYDVQQDEwdlYXB0ZXN0MRgwFgYJKoZIhvcNAQkBFglpdEBpdC5jb20wHhcN -MDcxMTA5MTU0ODI1WhcNMTcxMTA2MTU0ODI1WjCBkjELMAkGA1UEBhMCVVMxFjAU -BgNVBAgTDU1hc3NhY2h1c2V0dHMxETAPBgNVBAcTCFdlc3Rmb3JkMRYwFAYDVQQK -Ew1SZWQgSGF0LCBJbmMuMRQwEgYDVQQLEwtFbmdpbmVlcmluZzEQMA4GA1UEAxMH -ZWFwdGVzdDEYMBYGCSqGSIb3DQEJARYJaXRAaXQuY29tMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAz9zRLSiQyQangDgEliEP8xSpnPJS7GjXzrkZS3sk -gZLuVuwoFeZRq3Hsrq/wGd/vM0KUFNmEaMc+47jnuv0UHQcQ45ZACO7s4/Aflhzj -lkmud/z06hVknIzjXmvS6q2ttCviHsXnfokl+wAxuUhsd+le0xjP9H1jXny4YBuS -jP+yGUz7PL4w1sFFghKIPrlB7m4GkFbQRqvH7FSJg86GWopPwJvNvIzhOZiO1a1D -CAAL4Ru3jxtNFxqWT87C/qUEe/2Qb7jtNyqFcKfwZyZh4u1bo0c8bjErlUZERbWz -zM3hTFypuw+i2v+0h3A8/Xb0hTjcHkUoJgfSdbsOLC5TOwIDAQABo4H6MIH3MB0G -A1UdDgQWBBR+UOaH4e8nrEuMcEXJl7UN5r/wDTCBxwYDVR0jBIG/MIG8gBR+UOaH -4e8nrEuMcEXJl7UN5r/wDaGBmKSBlTCBkjELMAkGA1UEBhMCVVMxFjAUBgNVBAgT -DU1hc3NhY2h1c2V0dHMxETAPBgNVBAcTCFdlc3Rmb3JkMRYwFAYDVQQKEw1SZWQg -SGF0LCBJbmMuMRQwEgYDVQQLEwtFbmdpbmVlcmluZzEQMA4GA1UEAxMHZWFwdGVz -dDEYMBYGCSqGSIb3DQEJARYJaXRAaXQuY29tggkA0OdWGLEA7UYwDAYDVR0TBAUw -AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAmE2jqUymfxN2Vv7bPafoK/EpZwGPxu+z -phRFsgUgWVzidc/GtOxN81LduJ+ow8MEbQIabo4JV/MdKzuPuhAHToAQdeb0LIWa -p59vTIZiVhUt0cMAbQwKcTnfmDnXw9wytvtKgeAXJq0Jd6F+uNXTiR1btlYLZqmF -oSu54cHQlXpUT9z0BnQ8eXd7m0TwfzGQkTHQI7xBa87lZDAkJaTlhv7fR5vPmJYY -0LiXii71ce+4hxdlp7hQfwQ2sb8FPY3RlVboTRD0CvGaWypWhdSZnS790dBXgZOs -NCge6NGuHzW5LtiZE9ppuv8qJysVcIFdAqt8dkx58ksOqFcARCerXw== ------END CERTIFICATE----- diff --git a/libnm-util/tests/certs/test2_key_and_cert.pem b/libnm-util/tests/certs/test2_key_and_cert.pem deleted file mode 100644 index a668596eef..0000000000 --- a/libnm-util/tests/certs/test2_key_and_cert.pem +++ /dev/null 
@@ -1,119 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,5FA2D6D6242C26D0 - -dyNdbh115sczbUEhiaGYJ6fazyvJss5thPFEmkP6aftYlvXY6vPtc++xFCCktiSd -qFVEyi6oDyV4iGPmX7pCJ0e+pSI6uFNXKFtxh5/+/wXZcOEMCvfu7w2IrvYF2LHY -qJDljcISSRxeINuYO7TETD5fLLRKj2X9vwwkwVN02b2N5jsrm6Bt//WbatqSB3ln -FHyQhVKkvdl9Hr1XNmEfgGfZSxxDoPu1DjhtZ5ja2LZj64C2CXdI0oq2wcAVvQNn -rZeeg9sinQJkz9rwsNaWqlYw4X+YD2JRSwZuvwkWRydYMwgb1XS/jCxtuFF8NXWP -RBAOAZZUy7onzohsJHVVa05wCKQ4klo+PEfI3vn7BeuHyciCc0eFqGRvz8eFDybH -ZdPbU/3vGp+mOB7gd27TptttTCQQy9uM5CIyovNSYsAIw1Z583Ea4q8eXgzkgD6D -isCqkGXMfPbNXU3myQGDnQwWRi2CqX+rXM8PJUhdewLAlmHRz/aYSuql2BRixJKx -eASzmFBYdAjrvafda5D+xTyJwXEwdq/HlqMK9cY28ZbNrzA2Kor2X23EKC1+VG8k -B67OsfUhW27j4u6aV5JdLf87OtF3mHFRR+Lzs7i7LYvJ8ACE+jiIi7PboZjK5Oiv -JqTK0BwDaeNYjkd6jiJh8It/ReMbLk65J3eldOklN0VMPYiqcQnHvSPC2DD1YAy+ -Rv/JVj6TvzvgEAj+hgH6MAAF6u3ARj6+10DlvhUubkOC5RztLKReu8B+427TuuDb -T03gFpHD6X9IqSiq/QfYFyHFojCVSrv6wDZOcHc1s71kpJ8R14YIVe+DrrZN/0D4 -M631jdNg3JARMZXcXTHrghGIdPmOtrsRyTTRZuGoVup/DW9MRzOzCTMSNCX8T+eq -13HMSNQEO9lMwy0sYeO5c7sjHY4K1ubZuVE1mvXq4JLz3YxXJIvgp8TUvqDnAsK+ -Fv63bDoTg5Tq63XvnaKc7Lawneyg5ZAMzPN3nM0/1EZcn/2ICI5c4Yepc5t63EI5 -KytuXx86Mcx234enj3uMeuM22POQ1SnKOef6dFzK/CE8J8eUEY/aDhX4eBl/s3nd -U4+aaFKYz3HTazePayt2SC6rP/KKMmS14q59bOQA1DiWxCvmA2ypRyP87fV5DstH -I53RD5xp1P38iaO8U/divD0W2dkv748s9DQqYrHPtWALT9esxNU07CgB8Zt070si -7pzjQ8FDCZ8ygDmwWGNSBz1nA90Cpd6gAFDrep7HAtDE4qgNfokycpaJZkXBei/U -tC4tWYRbqDEsEbeBHvQRJzzqWzk9e/P4fQoelM3aryKzKLG5z7KvywVifKMLECQ+ -tIpzoRp06nuTA/O+iLFdkCy3JEWszfvvOwTwtIIV6+3s8TU0k9MmzEe3rGL+QqT/ -Tf+9/dN5LK+LWyc99BfmCOrBuFtQmHyEXkfe6EuFYEwj0B2ZfnLCon6cdRujjK7H -IJslC1B/cBVqG3KCrbBzjeygKfJ5Ijo72oXZJOCFTLeJefZKGGWJCp9nG9h9Wrcf -fEN/mj3wBvTa90/PYFj9NuaBtrvMF8Rn9XDeYPq2JGL8YkNdPuO8A+2Yko8wcvST ------END RSA PRIVATE KEY----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) - Signature Algorithm: md5WithRSAEncryption - Issuer: C=US, ST=Massachusetts, L=Westford, O=Red Hat, Inc., OU=Engineering, 
CN=eaptest/emailAddress=it@it.com - Validity - Not Before: Nov 9 15:50:14 2007 GMT - Not After : Nov 6 15:50:14 2017 GMT - Subject: C=US, ST=Massachusetts, O=Red Hat, Inc., OU=Engineering, CN=client/emailAddress=it@it.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:b0:8f:4f:1c:93:d4:43:e7:87:b7:22:33:55:a8: - 35:a1:c4:01:b0:f1:ed:26:23:96:ab:65:c2:c2:54: - db:79:22:03:ad:3f:6f:22:e3:63:3f:f4:21:6d:fa: - 88:c8:8f:1a:ce:55:49:7c:98:33:6a:67:8a:8d:d9: - 34:b0:c3:42:f4:72:a4:45:43:05:72:5d:0c:d3:42: - f8:9c:66:3b:b8:f8:77:ea:f6:b6:94:d7:cc:5d:62: - 34:2a:14:48:0a:bc:65:94:f5:7a:63:98:6c:88:4c: - 25:d8:95:f1:40:3d:00:d2:fb:43:28:fa:02:fb:2c: - 80:b3:e1:33:e7:8c:ce:8a:a0:1b:3d:04:4d:bc:a1: - b6:a2:42:8b:8e:f3:5b:4a:72:34:7d:8d:ba:d8:46: - 22:35:da:5c:f8:dd:fc:6d:9e:59:22:b7:6b:e7:78: - 56:54:9f:4c:d1:e2:4a:23:a3:bc:04:ea:46:6b:70: - 8a:fb:fe:8a:73:ca:36:d5:f3:e9:17:e3:22:d5:b3: - 70:05:e7:f7:37:b7:21:b5:90:53:27:27:ea:36:9b: - 00:ff:35:b0:66:3d:dc:a9:2f:95:d2:21:18:98:4f: - 28:07:09:70:20:a8:b1:82:aa:a5:df:ae:0f:e3:36: - be:68:8c:9e:80:d3:33:d0:f5:84:17:d9:0f:eb:9d: - af:0b - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 71:AB:BB:91:B7:04:DE:43:35:36:07:8A:35:CA:BE:5C:3E:EB:B1:09 - X509v3 Authority Key Identifier: - keyid:7E:50:E6:87:E1:EF:27:AC:4B:8C:70:45:C9:97:B5:0D:E6:BF:F0:0D - DirName:/C=US/ST=Massachusetts/L=Westford/O=Red Hat, Inc./OU=Engineering/CN=eaptest/emailAddress=it@it.com - serial:D0:E7:56:18:B1:00:ED:46 - - Signature Algorithm: md5WithRSAEncryption - ce:43:6d:f7:f8:4a:66:fd:8a:2c:41:a6:e0:03:0e:60:30:d4: - 41:01:ba:46:ba:81:97:64:68:83:25:9c:e1:2c:03:8b:2d:ca: - 85:cf:bc:fa:ca:22:c4:59:28:23:8f:ff:50:94:60:1c:90:dd: - 75:f4:d4:ea:8c:fa:61:61:08:35:4a:8f:aa:a7:e9:3d:76:e9: - 08:28:55:01:c4:03:42:c7:ad:58:bb:ee:94:f7:09:b3:9a:9b: - 
8b:d0:25:95:18:a6:22:d5:2c:fc:b7:bb:91:0c:7c:03:7f:9b: - 85:de:b0:e4:95:a8:73:94:27:0a:11:4e:e3:67:ae:2b:cc:e7: - 51:29:10:23:57:5c:3e:e7:ea:47:e0:f0:8f:5b:a2:9f:26:cf: - 7f:b5:7c:44:b1:7b:83:67:3c:41:ae:c6:66:64:e0:d2:ef:57: - a4:5c:1b:94:11:ce:28:e5:91:51:ef:e1:98:b7:3b:9a:cc:f7: - b9:85:76:eb:a8:2b:15:4a:cc:1a:a3:42:fa:be:1c:ce:b8:eb: - ee:12:d7:2f:e4:a8:cf:eb:2a:8f:78:e8:91:88:fa:c2:98:75: - 6a:4c:92:3f:2e:0d:e1:20:39:36:c6:2c:be:67:30:c3:f3:c3: - 65:81:ac:e3:3c:19:6a:21:ee:ea:f5:22:66:74:b2:07:53:7c: - 9a:0c:24:a6 ------BEGIN CERTIFICATE----- -MIIEtDCCA5ygAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCVVMx -FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxETAPBgNVBAcTCFdlc3Rmb3JkMRYwFAYD -VQQKEw1SZWQgSGF0LCBJbmMuMRQwEgYDVQQLEwtFbmdpbmVlcmluZzEQMA4GA1UE -AxMHZWFwdGVzdDEYMBYGCSqGSIb3DQEJARYJaXRAaXQuY29tMB4XDTA3MTEwOTE1 -NTAxNFoXDTE3MTEwNjE1NTAxNFowfjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1h -c3NhY2h1c2V0dHMxFjAUBgNVBAoTDVJlZCBIYXQsIEluYy4xFDASBgNVBAsTC0Vu -Z2luZWVyaW5nMQ8wDQYDVQQDEwZjbGllbnQxGDAWBgkqhkiG9w0BCQEWCWl0QGl0 -LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALCPTxyT1EPnh7ci -M1WoNaHEAbDx7SYjlqtlwsJU23kiA60/byLjYz/0IW36iMiPGs5VSXyYM2pnio3Z -NLDDQvRypEVDBXJdDNNC+JxmO7j4d+r2tpTXzF1iNCoUSAq8ZZT1emOYbIhMJdiV -8UA9ANL7Qyj6AvssgLPhM+eMzoqgGz0ETbyhtqJCi47zW0pyNH2NuthGIjXaXPjd -/G2eWSK3a+d4VlSfTNHiSiOjvATqRmtwivv+inPKNtXz6RfjItWzcAXn9ze3IbWQ -Uycn6jabAP81sGY93KkvldIhGJhPKAcJcCCosYKqpd+uD+M2vmiMnoDTM9D1hBfZ -D+udrwsCAwEAAaOCASYwggEiMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w -ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRxq7uRtwTeQzU2 -B4o1yr5cPuuxCTCBxwYDVR0jBIG/MIG8gBR+UOaH4e8nrEuMcEXJl7UN5r/wDaGB -mKSBlTCBkjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxETAP -BgNVBAcTCFdlc3Rmb3JkMRYwFAYDVQQKEw1SZWQgSGF0LCBJbmMuMRQwEgYDVQQL -EwtFbmdpbmVlcmluZzEQMA4GA1UEAxMHZWFwdGVzdDEYMBYGCSqGSIb3DQEJARYJ -aXRAaXQuY29tggkA0OdWGLEA7UYwDQYJKoZIhvcNAQEEBQADggEBAM5Dbff4Smb9 -iixBpuADDmAw1EEBuka6gZdkaIMlnOEsA4styoXPvPrKIsRZKCOP/1CUYByQ3XX0 
-1OqM+mFhCDVKj6qn6T126QgoVQHEA0LHrVi77pT3CbOam4vQJZUYpiLVLPy3u5EM -fAN/m4XesOSVqHOUJwoRTuNnrivM51EpECNXXD7n6kfg8I9bop8mz3+1fESxe4Nn -PEGuxmZk4NLvV6RcG5QRzijlkVHv4Zi3O5rM97mFduuoKxVKzBqjQvq+HM646+4S -1y/kqM/rKo946JGI+sKYdWpMkj8uDeEgOTbGLL5nMMPzw2WBrOM8GWoh7ur1ImZ0 -sgdTfJoMJKY= ------END CERTIFICATE----- |