From a885868181c07ba9ab5cdfdad1d66d387b2a4428 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Tue, 20 Jun 2017 15:25:09 +0200
Subject: [PATCH] totemcrypto: Refactor symmetric key importing
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Fabio M. Di Nitto <fdinitto@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
---
exec/totemcrypto.c | 96 +++++++++++++++++++++++++++++-----------------------
1 files changed, 54 insertions(+), 42 deletions(-)
diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
index a97ba62..0e98f27 100644
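--- a/exec/totemcrypto.c
+++ b/exec/totemcrypto.c
@@ -206,6 +206,11 @@ do { \
 (const char *)format, ##args); \
 } while (0);
 
+enum sym_key_type {
+ SYM_KEY_TYPE_CRYPT,
+ SYM_KEY_TYPE_HASH
+};
+
 /*
 * crypt/decrypt functions
 */
@@ -226,38 +231,65 @@ static int string_to_crypto_cipher_type(const char* crypto_cipher_type)
 return CRYPTO_CIPHER_TYPE_AES256;
 }
 
-static int init_nss_crypto(struct crypto_instance *instance)
+static PK11SymKey *import_symmetric_key(struct crypto_instance *instance, enum sym_key_type key_type)
 {
- PK11SlotInfo* crypt_slot = NULL;
- SECItem crypt_param;
+ SECItem key_item;
+ PK11SlotInfo *slot;
+ PK11SymKey *res_key;
+ CK_MECHANISM_TYPE cipher;
+ CK_ATTRIBUTE_TYPE operation;
+
+ memset(&key_item, 0, sizeof(key_item));
+ slot = NULL;
+
+ key_item.type = siBuffer;
+ key_item.data = instance->private_key;
+
+ switch (key_type) {
+ case SYM_KEY_TYPE_CRYPT:
+ key_item.len = cipher_key_len[instance->crypto_cipher_type];
+ cipher = cipher_to_nss[instance->crypto_cipher_type];
+ operation = CKA_ENCRYPT|CKA_DECRYPT;
+ break;
+ case SYM_KEY_TYPE_HASH:
+ key_item.len = instance->private_key_len;
+ cipher = hash_to_nss[instance->crypto_hash_type];
+ operation = CKA_SIGN;
+ break;
+ }
+
+ slot = PK11_GetBestSlot(cipher, NULL);
+ if (slot == NULL) {
+ log_printf(instance->log_level_security, "Unable to find security slot (%d): %s",
+ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+ return (NULL);
+ }
 
- if (!cipher_to_nss[instance->crypto_cipher_type]) {
- return 0;
+ res_key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, operation, &key_item, NULL);
+ if (res_key == NULL) {
+ log_printf(instance->log_level_security, "Failure to import key into NSS (%d): %s",
+ PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
+ goto exit_err;
 }
 
- crypt_param.type = siBuffer;
- crypt_param.data = instance->private_key;
- crypt_param.len = cipher_key_len[instance->crypto_cipher_type];
+exit_err:
+ PK11_FreeSlot(slot);
 
- crypt_slot = PK11_GetBestSlot(cipher_to_nss[instance->crypto_cipher_type], NULL);
- if (crypt_slot == NULL) {
- log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
- PR_GetError());
- return -1;
+ return (res_key);
+}
+
+static int init_nss_crypto(struct crypto_instance *instance)
+{
+
+ if (!cipher_to_nss[instance->crypto_cipher_type]) {
+ return 0;
 }
 
- instance->nss_sym_key = PK11_ImportSymKey(crypt_slot,
- cipher_to_nss[instance->crypto_cipher_type],
- PK11_OriginUnwrap, CKA_ENCRYPT|CKA_DECRYPT,
- &crypt_param, NULL);
+ instance->nss_sym_key = import_symmetric_key(instance, SYM_KEY_TYPE_CRYPT);
 if (instance->nss_sym_key == NULL) {
- log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)",
- PR_GetError());
 return -1;
 }
 
- PK11_FreeSlot(crypt_slot);
-
 return 0;
 }
 
@@ -447,36 +479,16 @@ static int string_to_crypto_hash_type(const char* crypto_hash_type)
 
 static int init_nss_hash(struct crypto_instance *instance)
 {
- PK11SlotInfo* hash_slot = NULL;
- SECItem hash_param;
 
 if (!hash_to_nss[instance->crypto_hash_type]) {
 return 0;
 }
 
- hash_param.type = siBuffer;
- hash_param.data = instance->private_key;
- hash_param.len = instance->private_key_len;
-
- hash_slot = PK11_GetBestSlot(hash_to_nss[instance->crypto_hash_type], NULL);
- if (hash_slot == NULL) {
- log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
- PR_GetError());
- return -1;
- }
-
- instance->nss_sym_key_sign = PK11_ImportSymKey(hash_slot,
- hash_to_nss[instance->crypto_hash_type],
- PK11_OriginUnwrap, CKA_SIGN,
- &hash_param, NULL);
+ instance->nss_sym_key_sign = import_symmetric_key(instance, SYM_KEY_TYPE_HASH);
 if (instance->nss_sym_key_sign == NULL) {
- log_printf(instance->log_level_security, "Failure to import key into NSS (err %d)",
- PR_GetError());
 return -1;
 }
 
- PK11_FreeSlot(hash_slot);
-
 return 0;
 }
 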
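Review bot: In `import_symmetric_key`, the `switch (key_type)` has no `default`, so for any value other than the two enumerators `cipher`, `operation` and `key_item.len` reach `PK11_GetBestSlot` and `PK11_ImportSymKey` without having been set. Both callers in this patch pass valid constants, but a `default: return (NULL);` before the closing brace would make the helper safe on its own and avoid maybe-uninitialized warnings. In the `SYM_KEY_TYPE_CRYPT` case the length is taken from `cipher_key_len[...]` while the data is `instance->private_key`, and nothing visible here checks that `instance->private_key_len` is at least that large. That behaviour is carried over from the old code; if no caller validates it, a guard such as `if (instance->private_key_len < key_item.len) return (NULL);` plus a log line would reject a too-short authkey instead of importing bytes beyond it. The `goto exit_err;` directly above the `exit_err:` label is redundant and could be dropped.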
--
1.7.1