diff options
Diffstat (limited to 'nss/lib/softoken/legacydb/keydb.c')
| -rw-r--r-- | nss/lib/softoken/legacydb/keydb.c | 1979 |
1 files changed, 984 insertions, 995 deletions
diff --git a/nss/lib/softoken/legacydb/keydb.c b/nss/lib/softoken/legacydb/keydb.c index d54f10c..178e333 100644 --- a/nss/lib/softoken/legacydb/keydb.c +++ b/nss/lib/softoken/legacydb/keydb.c @@ -20,105 +20,104 @@ */ #define SALT_STRING "global-salt" #define VERSION_STRING "Version" -#define KEYDB_PW_CHECK_STRING "password-check" -#define KEYDB_PW_CHECK_LEN 14 -#define KEYDB_FAKE_PW_CHECK_STRING "fake-password-check" -#define KEYDB_FAKE_PW_CHECK_LEN 19 +#define KEYDB_PW_CHECK_STRING "password-check" +#define KEYDB_PW_CHECK_LEN 14 +#define KEYDB_FAKE_PW_CHECK_STRING "fake-password-check" +#define KEYDB_FAKE_PW_CHECK_LEN 19 /* Size of the global salt for key database */ -#define SALT_LENGTH 16 +#define SALT_LENGTH 16 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSLOWKEYEncryptedPrivateKeyInfo) }, + 0, NULL, sizeof(NSSLOWKEYEncryptedPrivateKeyInfo) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSLOWKEYEncryptedPrivateKeyInfo,algorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(NSSLOWKEYEncryptedPrivateKeyInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_OCTET_STRING, - offsetof(NSSLOWKEYEncryptedPrivateKeyInfo,encryptedData) }, + offsetof(NSSLOWKEYEncryptedPrivateKeyInfo, encryptedData) }, { 0 } }; const SEC_ASN1Template nsslowkey_PointerToEncryptedPrivateKeyInfoTemplate[] = { - { SEC_ASN1_POINTER, 0, nsslowkey_EncryptedPrivateKeyInfoTemplate } + { SEC_ASN1_POINTER, 0, nsslowkey_EncryptedPrivateKeyInfoTemplate } }; - /* ====== Default key databse encryption algorithm ====== */ static void sec_destroy_dbkey(NSSLOWKEYDBKey *dbkey) { - if ( dbkey && dbkey->arena ) { - PORT_FreeArena(dbkey->arena, PR_FALSE); + if (dbkey && dbkey->arena) { + PORT_FreeArena(dbkey->arena, PR_FALSE); } } static void free_dbt(DBT *dbt) { - if ( dbt ) { - PORT_Free(dbt->data); - PORT_Free(dbt); + if (dbt) { + PORT_Free(dbt->data); + PORT_Free(dbt); } - + return; } -static int keydb_Get(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, - unsigned int flags); -static int keydb_Put(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, - unsigned int flags); +static int keydb_Get(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, + unsigned int flags); +static int keydb_Put(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, + unsigned int flags); static int keydb_Sync(NSSLOWKEYDBHandle *db, unsigned int flags); static int keydb_Del(NSSLOWKEYDBHandle *db, DBT *key, unsigned int flags); -static int keydb_Seq(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, - unsigned int flags); +static int keydb_Seq(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, + unsigned int flags); static void keydb_Close(NSSLOWKEYDBHandle *db); /* * format of key database entries for version 3 of database: - * byte offset field - * ----------- ----- - * 0 version - * 1 salt-len - * 2 nn-len - * 3.. salt-data - * ... nickname - * ... encrypted-key-data + * byte offset field + * ----------- ----- + * 0 version + * 1 salt-len + * 2 nn-len + * 3.. salt-data + * ... nickname + * ... encrypted-key-data */ static DBT * -encode_dbkey(NSSLOWKEYDBKey *dbkey,unsigned char version) +encode_dbkey(NSSLOWKEYDBKey *dbkey, unsigned char version) { DBT *bufitem = NULL; unsigned char *buf; int nnlen; char *nn; - + bufitem = (DBT *)PORT_ZAlloc(sizeof(DBT)); - if ( bufitem == NULL ) { - goto loser; + if (bufitem == NULL) { + goto loser; } - - if ( dbkey->nickname ) { - nn = dbkey->nickname; - nnlen = PORT_Strlen(nn) + 1; + + if (dbkey->nickname) { + nn = dbkey->nickname; + nnlen = PORT_Strlen(nn) + 1; } else { - nn = ""; - nnlen = 1; + nn = ""; + nnlen = 1; } - + /* compute the length of the record */ /* 1 + 1 + 1 == version number header + salt length + nn len */ bufitem->size = dbkey->salt.len + nnlen + dbkey->derPK.len + 1 + 1 + 1; - + bufitem->data = (void *)PORT_ZAlloc(bufitem->size); - if ( bufitem->data == NULL ) { - goto loser; + if (bufitem->data == NULL) { + goto loser; } buf = (unsigned char *)bufitem->data; - + /* set version number */ buf[0] = version; @@ -131,23 +130,25 @@ encode_dbkey(NSSLOWKEYDBKey *dbkey,unsigned char version) buf[2] = nnlen; /* copy salt */ - PORT_Memcpy(&buf[3], dbkey->salt.data, dbkey->salt.len); + if (dbkey->salt.len > 0) { + PORT_Memcpy(&buf[3], dbkey->salt.data, dbkey->salt.len); + } /* copy nickname */ PORT_Memcpy(&buf[3 + dbkey->salt.len], nn, nnlen); /* copy encrypted key */ PORT_Memcpy(&buf[3 + dbkey->salt.len + nnlen], dbkey->derPK.data, - dbkey->derPK.len); - - return(bufitem); - + dbkey->derPK.len); + + return (bufitem); + loser: - if ( bufitem ) { - free_dbt(bufitem); + if (bufitem) { + free_dbt(bufitem); } - - return(NULL); + + return (NULL); } static NSSLOWKEYDBKey * @@ -160,69 +161,69 @@ decode_dbkey(DBT *bufitem, int expectedVersion) int keyoff; int nnlen; int saltoff; - + buf = (unsigned char *)bufitem->data; version = buf[0]; - - if ( version != expectedVersion ) { - goto loser; + + if (version != expectedVersion) { + goto loser; } - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( arena == NULL ) { - goto loser; + if (arena == NULL) { + goto loser; } - + dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey)); - if ( dbkey == NULL ) { - goto loser; + if (dbkey == NULL) { + goto loser; } dbkey->arena = arena; dbkey->salt.data = NULL; dbkey->derPK.data = NULL; - + dbkey->salt.len = buf[1]; dbkey->salt.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->salt.len); - if ( dbkey->salt.data == NULL ) { - goto loser; + if (dbkey->salt.data == NULL) { + goto loser; } saltoff = 2; keyoff = 2 + dbkey->salt.len; - - if ( expectedVersion >= 3 ) { - nnlen = buf[2]; - if ( nnlen ) { - dbkey->nickname = (char *)PORT_ArenaZAlloc(arena, nnlen + 1); - if ( dbkey->nickname ) { - PORT_Memcpy(dbkey->nickname, &buf[keyoff+1], nnlen); - } - } - keyoff += ( nnlen + 1 ); - saltoff = 3; + + if (expectedVersion >= 3) { + nnlen = buf[2]; + if (nnlen) { + dbkey->nickname = (char *)PORT_ArenaZAlloc(arena, nnlen + 1); + if (dbkey->nickname) { + PORT_Memcpy(dbkey->nickname, &buf[keyoff + 1], nnlen); + } + } + keyoff += (nnlen + 1); + saltoff = 3; } PORT_Memcpy(dbkey->salt.data, &buf[saltoff], dbkey->salt.len); - + dbkey->derPK.len = bufitem->size - keyoff; - dbkey->derPK.data = (unsigned char *)PORT_ArenaZAlloc(arena,dbkey->derPK.len); - if ( dbkey->derPK.data == NULL ) { - goto loser; + dbkey->derPK.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->derPK.len); + if (dbkey->derPK.data == NULL) { + goto loser; } - + PORT_Memcpy(dbkey->derPK.data, &buf[keyoff], dbkey->derPK.len); - - return(dbkey); - + + return (dbkey); + loser: - if ( arena ) { - PORT_FreeArena(arena, PR_FALSE); + if (arena) { + PORT_FreeArena(arena, PR_FALSE); } - - return(NULL); + + return (NULL); } static NSSLOWKEYDBKey * @@ -231,19 +232,19 @@ get_dbkey(NSSLOWKEYDBHandle *handle, DBT *index) NSSLOWKEYDBKey *dbkey; DBT entry; int ret; - + /* get it from the database */ ret = keydb_Get(handle, index, &entry, 0); - if ( ret ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); - return NULL; + if (ret) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return NULL; } /* set up dbkey struct */ dbkey = decode_dbkey(&entry, handle->version); - return(dbkey); + return (dbkey); } static SECStatus @@ -251,44 +252,44 @@ put_dbkey(NSSLOWKEYDBHandle *handle, DBT *index, NSSLOWKEYDBKey *dbkey, PRBool u { DBT *keydata = NULL; int status; - + keydata = encode_dbkey(dbkey, handle->version); - if ( keydata == NULL ) { - goto loser; + if (keydata == NULL) { + goto loser; } - + /* put it in the database */ - if ( update ) { - status = keydb_Put(handle, index, keydata, 0); + if (update) { + status = keydb_Put(handle, index, keydata, 0); } else { - status = keydb_Put(handle, index, keydata, R_NOOVERWRITE); + status = keydb_Put(handle, index, keydata, R_NOOVERWRITE); } - - if ( status ) { - goto loser; + + if (status) { + goto loser; } /* sync the database */ status = keydb_Sync(handle, 0); - if ( status ) { - goto loser; + if (status) { + goto loser; } free_dbt(keydata); - return(SECSuccess); + return (SECSuccess); loser: - if ( keydata ) { - free_dbt(keydata); + if (keydata) { + free_dbt(keydata); } - - return(SECFailure); + + return (SECFailure); } SECStatus -nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, - SECStatus (* keyfunc)(DBT *k, DBT *d, void *pdata), - void *udata ) +nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, + SECStatus (*keyfunc)(DBT *k, DBT *d, void *pdata), + void *udata) { DBT data; DBT key; @@ -296,39 +297,39 @@ nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, int ret; if (handle == NULL) { - return(SECFailure); + return (SECFailure); } ret = keydb_Seq(handle, &key, &data, R_FIRST); - if ( ret ) { - return(SECFailure); + if (ret) { + return (SECFailure); } - + do { - /* skip version record */ - if ( data.size > 1 ) { - if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) { - if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) { - continue; - } - } - - /* skip password check */ - if ( key.size == KEYDB_PW_CHECK_LEN ) { - if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING, - KEYDB_PW_CHECK_LEN) == 0 ) { - continue; - } - } - - status = (* keyfunc)(&key, &data, udata); - if (status != SECSuccess) { - return(status); - } - } - } while ( keydb_Seq(handle, &key, &data, R_NEXT) == 0 ); - - return(SECSuccess); + /* skip version record */ + if (data.size > 1) { + if (key.size == (sizeof(SALT_STRING) - 1)) { + if (PORT_Memcmp(key.data, SALT_STRING, key.size) == 0) { + continue; + } + } + + /* skip password check */ + if (key.size == KEYDB_PW_CHECK_LEN) { + if (PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING, + KEYDB_PW_CHECK_LEN) == 0) { + continue; + } + } + + status = (*keyfunc)(&key, &data, udata); + if (status != SECSuccess) { + return (status); + } + } + } while (keydb_Seq(handle, &key, &data, R_NEXT) == 0); + + return (SECSuccess); } #ifdef notdef @@ -348,19 +349,19 @@ sec_add_key_to_list(DBT *key, DBT *data, void *arg) keyList *keylist; keyNode *node; void *keydata; - + keylist = (keyList *)arg; /* allocate the node struct */ - node = (keyNode*)PORT_ArenaZAlloc(keylist->arena, sizeof(keyNode)); - if ( node == NULL ) { - return(SECFailure); + node = (keyNode *)PORT_ArenaZAlloc(keylist->arena, sizeof(keyNode)); + if (node == NULL) { + return (SECFailure); } - + /* allocate room for key data */ keydata = PORT_ArenaZAlloc(keylist->arena, key->size); - if ( keydata == NULL ) { - return(SECFailure); + if (keydata == NULL) { + return (SECFailure); } /* link node into list */ @@ -371,8 +372,8 @@ sec_add_key_to_list(DBT *key, DBT *data, void *arg) PORT_Memcpy(keydata, key->data, key->size); node->key.size = key->size; node->key.data = keydata; - - return(SECSuccess); + + return (SECSuccess); } #endif @@ -380,22 +381,22 @@ static SECItem * decodeKeyDBGlobalSalt(DBT *saltData) { SECItem *saltitem; - + saltitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); - if ( saltitem == NULL ) { - return(NULL); + if (saltitem == NULL) { + return (NULL); } - + saltitem->data = (unsigned char *)PORT_ZAlloc(saltData->size); - if ( saltitem->data == NULL ) { - PORT_Free(saltitem); - return(NULL); + if (saltitem->data == NULL) { + PORT_Free(saltitem); + return (NULL); } - + saltitem->len = saltData->size; PORT_Memcpy(saltitem->data, saltData->data, saltitem->len); - - return(saltitem); + + return (saltitem); } static SECItem * @@ -404,16 +405,16 @@ GetKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle) DBT saltKey; DBT saltData; int ret; - + saltKey.data = SALT_STRING; saltKey.size = sizeof(SALT_STRING) - 1; ret = keydb_Get(handle, &saltKey, &saltData, 0); - if ( ret ) { - return(NULL); + if (ret) { + return (NULL); } - return(decodeKeyDBGlobalSalt(&saltData)); + return (decodeKeyDBGlobalSalt(&saltData)); } static SECStatus @@ -422,7 +423,7 @@ StoreKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle, SECItem *salt) DBT saltKey; DBT saltData; int status; - + saltKey.data = SALT_STRING; saltKey.size = sizeof(SALT_STRING) - 1; @@ -431,11 +432,11 @@ StoreKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle, SECItem *salt) /* put global salt into the database now */ status = keydb_Put(handle, &saltKey, &saltData, 0); - if ( status ) { - return(SECFailure); + if (status) { + return (SECFailure); } - return(SECSuccess); + return (SECSuccess); } static SECStatus @@ -445,24 +446,23 @@ makeGlobalVersion(NSSLOWKEYDBHandle *handle) DBT versionData; DBT versionKey; int status; - + version = NSSLOWKEY_DB_FILE_VERSION; versionData.data = &version; versionData.size = 1; versionKey.data = VERSION_STRING; - versionKey.size = sizeof(VERSION_STRING)-1; - + versionKey.size = sizeof(VERSION_STRING) - 1; + /* put version string into the database now */ status = keydb_Put(handle, &versionKey, &versionData, 0); - if ( status ) { - return(SECFailure); + if (status) { + return (SECFailure); } handle->version = version; - return(SECSuccess); + return (SECSuccess); } - static SECStatus makeGlobalSalt(NSSLOWKEYDBHandle *handle) { @@ -470,7 +470,7 @@ makeGlobalSalt(NSSLOWKEYDBHandle *handle) DBT saltData; unsigned char saltbuf[16]; int status; - + saltKey.data = SALT_STRING; saltKey.size = sizeof(SALT_STRING) - 1; @@ -480,16 +480,16 @@ makeGlobalSalt(NSSLOWKEYDBHandle *handle) /* put global salt into the database now */ status = keydb_Put(handle, &saltKey, &saltData, 0); - if ( status ) { - return(SECFailure); + if (status) { + return (SECFailure); } - return(SECSuccess); + return (SECSuccess); } static SECStatus encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg, - SECItem *encCheck); + SECItem *encCheck); static unsigned char nsslowkey_version(NSSLOWKEYDBHandle *handle) @@ -498,24 +498,24 @@ nsslowkey_version(NSSLOWKEYDBHandle *handle) DBT versionData; int ret; versionKey.data = VERSION_STRING; - versionKey.size = sizeof(VERSION_STRING)-1; + versionKey.size = sizeof(VERSION_STRING) - 1; if (handle->db == NULL) { - return 255; + return 255; } /* lookup version string in database */ - ret = keydb_Get( handle, &versionKey, &versionData, 0 ); + ret = keydb_Get(handle, &versionKey, &versionData, 0); /* error accessing the database */ - if ( ret < 0 ) { - return 255; + if (ret < 0) { + return 255; } - if ( ret >= 1 ) { - return 0; + if (ret >= 1) { + return 0; } - return *( (unsigned char *)versionData.data); + return *((unsigned char *)versionData.data); } static PRBool @@ -527,49 +527,48 @@ seckey_HasAServerKey(NSSLOWKEYDBHandle *handle) PRBool found = PR_FALSE; ret = keydb_Seq(handle, &key, &data, R_FIRST); - if ( ret ) { - return PR_FALSE; + if (ret) { + return PR_FALSE; } - + do { - /* skip version record */ - if ( data.size > 1 ) { - /* skip salt */ - if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) { - if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) { - continue; - } - } - /* skip pw check entry */ - if ( key.size == KEYDB_PW_CHECK_LEN ) { - if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING, - KEYDB_PW_CHECK_LEN) == 0 ) { - continue; - } - } - - /* keys stored by nickname will have 0 as the last byte of the - * db key. Other keys must be stored by modulus. We will not - * update those because they are left over from a keygen that - * never resulted in a cert. - */ - if ( ((unsigned char *)key.data)[key.size-1] != 0 ) { - continue; - } - - if (PORT_Strcmp(key.data,"Server-Key") == 0) { - found = PR_TRUE; - break; - } - - } - } while ( keydb_Seq(handle, &key, &data, R_NEXT) == 0 ); + /* skip version record */ + if (data.size > 1) { + /* skip salt */ + if (key.size == (sizeof(SALT_STRING) - 1)) { + if (PORT_Memcmp(key.data, SALT_STRING, key.size) == 0) { + continue; + } + } + /* skip pw check entry */ + if (key.size == KEYDB_PW_CHECK_LEN) { + if (PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING, + KEYDB_PW_CHECK_LEN) == 0) { + continue; + } + } + + /* keys stored by nickname will have 0 as the last byte of the + * db key. Other keys must be stored by modulus. We will not + * update those because they are left over from a keygen that + * never resulted in a cert. + */ + if (((unsigned char *)key.data)[key.size - 1] != 0) { + continue; + } + + if (PORT_Strcmp(key.data, "Server-Key") == 0) { + found = PR_TRUE; + break; + } + } + } while (keydb_Seq(handle, &key, &data, R_NEXT) == 0); return found; } /* forward declare local create function */ -static NSSLOWKEYDBHandle * nsslowkey_NewHandle(DB *dbHandle); +static NSSLOWKEYDBHandle *nsslowkey_NewHandle(DB *dbHandle); /* * currently updates key database from v2 to v3 @@ -591,15 +590,15 @@ nsslowkey_UpdateKeyDBPass1(NSSLOWKEYDBHandle *handle) int ret; SECItem checkitem; - if ( handle->updatedb == NULL ) { - return SECSuccess; + if (handle->updatedb == NULL) { + return SECSuccess; } - /* create a full DB Handle for our update so we + /* create a full DB Handle for our update so we * can use the correct locks for the db primatives */ update = nsslowkey_NewHandle(handle->updatedb); - if ( update == NULL) { - return SECSuccess; + if (update == NULL) { + return SECSuccess; } /* update has now inherited the database handle */ @@ -610,22 +609,22 @@ nsslowkey_UpdateKeyDBPass1(NSSLOWKEYDBHandle *handle) */ version = nsslowkey_version(update); if (version != 2) { - goto done; + goto done; } saltKey.data = SALT_STRING; saltKey.size = sizeof(SALT_STRING) - 1; ret = keydb_Get(update, &saltKey, &saltData, 0); - if ( ret ) { - /* no salt in old db, so it is corrupted */ - goto done; + if (ret) { + /* no salt in old db, so it is corrupted */ + goto done; } oldSalt = decodeKeyDBGlobalSalt(&saltData); - if ( oldSalt == NULL ) { - /* bad salt in old db, so it is corrupted */ - goto done; + if (oldSalt == NULL) { + /* bad salt in old db, so it is corrupted */ + goto done; } /* @@ -633,117 +632,116 @@ nsslowkey_UpdateKeyDBPass1(NSSLOWKEYDBHandle *handle) */ checkKey.data = KEYDB_PW_CHECK_STRING; checkKey.size = KEYDB_PW_CHECK_LEN; - - ret = keydb_Get(update, &checkKey, &checkData, 0 ); + + ret = keydb_Get(update, &checkKey, &checkData, 0); if (ret) { - /* - * if we have a key, but no KEYDB_PW_CHECK_STRING, then this must - * be an old server database, and it does have a password associated - * with it. Put a fake entry in so we can identify this db when we do - * get the password for it. - */ - if (seckey_HasAServerKey(update)) { - DBT fcheckKey; - DBT fcheckData; - - /* - * include a fake string - */ - fcheckKey.data = KEYDB_FAKE_PW_CHECK_STRING; - fcheckKey.size = KEYDB_FAKE_PW_CHECK_LEN; - fcheckData.data = "1"; - fcheckData.size = 1; - /* put global salt into the new database now */ - ret = keydb_Put( handle, &saltKey, &saltData, 0); - if ( ret ) { - goto done; - } - ret = keydb_Put( handle, &fcheckKey, &fcheckData, 0); - if ( ret ) { - goto done; - } - } else { - goto done; - } + /* + * if we have a key, but no KEYDB_PW_CHECK_STRING, then this must + * be an old server database, and it does have a password associated + * with it. Put a fake entry in so we can identify this db when we do + * get the password for it. + */ + if (seckey_HasAServerKey(update)) { + DBT fcheckKey; + DBT fcheckData; + + /* + * include a fake string + */ + fcheckKey.data = KEYDB_FAKE_PW_CHECK_STRING; + fcheckKey.size = KEYDB_FAKE_PW_CHECK_LEN; + fcheckData.data = "1"; + fcheckData.size = 1; + /* put global salt into the new database now */ + ret = keydb_Put(handle, &saltKey, &saltData, 0); + if (ret) { + goto done; + } + ret = keydb_Put(handle, &fcheckKey, &fcheckData, 0); + if (ret) { + goto done; + } + } else { + goto done; + } } else { - /* put global salt into the new database now */ - ret = keydb_Put( handle, &saltKey, &saltData, 0); - if ( ret ) { - goto done; - } - - dbkey = decode_dbkey(&checkData, 2); - if ( dbkey == NULL ) { - goto done; - } - checkitem = dbkey->derPK; - dbkey->derPK.data = NULL; - - /* format the new pw check entry */ - rv = encodePWCheckEntry(NULL, &dbkey->derPK, SEC_OID_RC4, &checkitem); - if ( rv != SECSuccess ) { - goto done; - } - - rv = put_dbkey(handle, &checkKey, dbkey, PR_TRUE); - if ( rv != SECSuccess ) { - goto done; - } - - /* free the dbkey */ - sec_destroy_dbkey(dbkey); - dbkey = NULL; - } - - + /* put global salt into the new database now */ + ret = keydb_Put(handle, &saltKey, &saltData, 0); + if (ret) { + goto done; + } + + dbkey = decode_dbkey(&checkData, 2); + if (dbkey == NULL) { + goto done; + } + checkitem = dbkey->derPK; + dbkey->derPK.data = NULL; + + /* format the new pw check entry */ + rv = encodePWCheckEntry(NULL, &dbkey->derPK, SEC_OID_RC4, &checkitem); + if (rv != SECSuccess) { + goto done; + } + + rv = put_dbkey(handle, &checkKey, dbkey, PR_TRUE); + if (rv != SECSuccess) { + goto done; + } + + /* free the dbkey */ + sec_destroy_dbkey(dbkey); + dbkey = NULL; + } + /* now traverse the database */ ret = keydb_Seq(update, &key, &data, R_FIRST); - if ( ret ) { - goto done; + if (ret) { + goto done; } - + do { - /* skip version record */ - if ( data.size > 1 ) { - /* skip salt */ - if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) { - if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) { - continue; - } - } - /* skip pw check entry */ - if ( key.size == checkKey.size ) { - if ( PORT_Memcmp(key.data, checkKey.data, key.size) == 0 ) { - continue; - } - } - - /* keys stored by nickname will have 0 as the last byte of the - * db key. Other keys must be stored by modulus. We will not - * update those because they are left over from a keygen that - * never resulted in a cert. - */ - if ( ((unsigned char *)key.data)[key.size-1] != 0 ) { - continue; - } - - dbkey = decode_dbkey(&data, 2); - if ( dbkey == NULL ) { - continue; - } - - /* This puts the key into the new database with the same - * index (nickname) that it had before. The second pass - * of the update will have the password. It will decrypt - * and re-encrypt the entries using a new algorithm. - */ - dbkey->nickname = (char *)key.data; - rv = put_dbkey(handle, &key, dbkey, PR_FALSE); - dbkey->nickname = NULL; - - sec_destroy_dbkey(dbkey); - } - } while ( keydb_Seq(update, &key, &data, R_NEXT) == 0 ); + /* skip version record */ + if (data.size > 1) { + /* skip salt */ + if (key.size == (sizeof(SALT_STRING) - 1)) { + if (PORT_Memcmp(key.data, SALT_STRING, key.size) == 0) { + continue; + } + } + /* skip pw check entry */ + if (key.size == checkKey.size) { + if (PORT_Memcmp(key.data, checkKey.data, key.size) == 0) { + continue; + } + } + + /* keys stored by nickname will have 0 as the last byte of the + * db key. Other keys must be stored by modulus. We will not + * update those because they are left over from a keygen that + * never resulted in a cert. + */ + if (((unsigned char *)key.data)[key.size - 1] != 0) { + continue; + } + + dbkey = decode_dbkey(&data, 2); + if (dbkey == NULL) { + continue; + } + + /* This puts the key into the new database with the same + * index (nickname) that it had before. The second pass + * of the update will have the password. It will decrypt + * and re-encrypt the entries using a new algorithm. + */ + dbkey->nickname = (char *)key.data; + rv = put_dbkey(handle, &key, dbkey, PR_FALSE); + dbkey->nickname = NULL; + + sec_destroy_dbkey(dbkey); + } + } while (keydb_Seq(update, &key, &data, R_NEXT) == 0); dbkey = NULL; @@ -752,21 +750,21 @@ done: ret = keydb_Sync(handle, 0); nsslowkey_CloseKeyDB(update); - - if ( oldSalt ) { - SECITEM_FreeItem(oldSalt, PR_TRUE); + + if (oldSalt) { + SECITEM_FreeItem(oldSalt, PR_TRUE); } - - if ( dbkey ) { - sec_destroy_dbkey(dbkey); + + if (dbkey) { + sec_destroy_dbkey(dbkey); } - return(SECSuccess); + return (SECSuccess); } static SECStatus -openNewDB(const char *appName, const char *prefix, const char *dbname, - NSSLOWKEYDBHandle *handle, NSSLOWKEYDBNameFunc namecb, void *cbarg) +openNewDB(const char *appName, const char *prefix, const char *dbname, + NSSLOWKEYDBHandle *handle, NSSLOWKEYDBNameFunc namecb, void *cbarg) { SECStatus rv = SECFailure; int status = RDB_FAIL; @@ -776,21 +774,21 @@ openNewDB(const char *appName, const char *prefix, const char *dbname, int ret; if (appName) { - handle->db = rdbopen( appName, prefix, "key", NO_CREATE, &status); + handle->db = rdbopen(appName, prefix, "key", NO_CREATE, &status); } else { - handle->db = dbopen( dbname, NO_CREATE, 0600, DB_HASH, 0 ); + handle->db = dbopen(dbname, NO_CREATE, 0600, DB_HASH, 0); } /* if create fails then we lose */ - if ( handle->db == NULL ) { - return (status == RDB_RETRY) ? SECWouldBlock: SECFailure; + if (handle->db == NULL) { + return (status == RDB_RETRY) ? SECWouldBlock : SECFailure; } /* force a transactional read, which will verify that one and only one * process attempts the update. */ if (nsslowkey_version(handle) == NSSLOWKEY_DB_FILE_VERSION) { - /* someone else has already updated the database for us */ - db_InitComplete(handle->db); - return SECSuccess; + /* someone else has already updated the database for us */ + db_InitComplete(handle->db); + return SECSuccess; } /* @@ -799,76 +797,75 @@ openNewDB(const char *appName, const char *prefix, const char *dbname, */ if (appName) { NSSLOWKEYDBHandle *updateHandle; - updatedb = dbopen( dbname, NO_RDONLY, 0600, DB_HASH, 0 ); - if (!updatedb) { - goto noupdate; - } + updatedb = dbopen(dbname, NO_RDONLY, 0600, DB_HASH, 0); + if (!updatedb) { + goto noupdate; + } - /* nsslowkey_version needs a full handle because it calls + /* nsslowkey_version needs a full handle because it calls * the kdb_Get() function, which needs to lock. */ updateHandle = nsslowkey_NewHandle(updatedb); - if (!updateHandle) { - updatedb->close(updatedb); - goto noupdate; - } - - handle->version = nsslowkey_version(updateHandle); - if (handle->version != NSSLOWKEY_DB_FILE_VERSION) { - nsslowkey_CloseKeyDB(updateHandle); - goto noupdate; - } - - /* copy the new DB from the old one */ - db_Copy(handle->db, updatedb); - nsslowkey_CloseKeyDB(updateHandle); - db_InitComplete(handle->db); - return SECSuccess; + if (!updateHandle) { + updatedb->close(updatedb); + goto noupdate; + } + + handle->version = nsslowkey_version(updateHandle); + if (handle->version != NSSLOWKEY_DB_FILE_VERSION) { + nsslowkey_CloseKeyDB(updateHandle); + goto noupdate; + } + + /* copy the new DB from the old one */ + db_Copy(handle->db, updatedb); + nsslowkey_CloseKeyDB(updateHandle); + db_InitComplete(handle->db); + return SECSuccess; } noupdate: /* update the version number */ rv = makeGlobalVersion(handle); - if ( rv != SECSuccess ) { - goto loser; + if (rv != SECSuccess) { + goto loser; } /* * try to update from v2 db */ updname = (*namecb)(cbarg, 2); - if ( updname != NULL ) { - handle->updatedb = dbopen( updname, NO_RDONLY, 0600, DB_HASH, 0 ); - PORT_Free( updname ); - - if ( handle->updatedb ) { - /* - * Try to update the db using a null password. If the db - * doesn't have a password, then this will work. If it does - * have a password, then this will fail and we will do the - * update later - */ - rv = nsslowkey_UpdateKeyDBPass1(handle); - if ( rv == SECSuccess ) { - updated = PR_TRUE; - } - } - + if (updname != NULL) { + handle->updatedb = dbopen(updname, NO_RDONLY, 0600, DB_HASH, 0); + PORT_Free(updname); + + if (handle->updatedb) { + /* + * Try to update the db using a null password. If the db + * doesn't have a password, then this will work. If it does + * have a password, then this will fail and we will do the + * update later + */ + rv = nsslowkey_UpdateKeyDBPass1(handle); + if (rv == SECSuccess) { + updated = PR_TRUE; + } + } } /* we are using the old salt if we updated from an old db */ - if ( ! updated ) { - rv = makeGlobalSalt(handle); - if ( rv != SECSuccess ) { - goto loser; - } + if (!updated) { + rv = makeGlobalSalt(handle); + if (rv != SECSuccess) { + goto loser; + } } - + /* sync the database */ ret = keydb_Sync(handle, 0); - if ( ret ) { - rv = SECFailure; - goto loser; + if (ret) { + rv = SECFailure; + goto loser; } rv = SECSuccess; @@ -877,16 +874,16 @@ loser: return rv; } - static DB * -openOldDB(const char *appName, const char *prefix, const char *dbname, - PRBool openflags) { +openOldDB(const char *appName, const char *prefix, const char *dbname, + PRBool openflags) +{ DB *db = NULL; if (appName) { - db = rdbopen( appName, prefix, "key", openflags, NULL); + db = rdbopen(appName, prefix, "key", openflags, NULL); } else { - db = dbopen( dbname, openflags, 0600, DB_HASH, 0 ); + db = dbopen(dbname, openflags, 0600, DB_HASH, 0); } return db; @@ -899,11 +896,11 @@ verifyVersion(NSSLOWKEYDBHandle *handle) int version = nsslowkey_version(handle); handle->version = version; - if (version != NSSLOWKEY_DB_FILE_VERSION ) { - if (handle->db) { - keydb_Close(handle); - handle->db = NULL; - } + if (version != NSSLOWKEY_DB_FILE_VERSION) { + if (handle->db) { + keydb_Close(handle); + handle->db = NULL; + } } return handle->db != NULL; } @@ -912,10 +909,10 @@ static NSSLOWKEYDBHandle * nsslowkey_NewHandle(DB *dbHandle) { NSSLOWKEYDBHandle *handle; - handle = (NSSLOWKEYDBHandle *)PORT_ZAlloc (sizeof(NSSLOWKEYDBHandle)); + handle = (NSSLOWKEYDBHandle *)PORT_ZAlloc(sizeof(NSSLOWKEYDBHandle)); if (handle == NULL) { - PORT_SetError (SEC_ERROR_NO_MEMORY); - return NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } handle->appname = NULL; @@ -931,68 +928,63 @@ nsslowkey_NewHandle(DB *dbHandle) NSSLOWKEYDBHandle * nsslowkey_OpenKeyDB(PRBool readOnly, const char *appName, const char *prefix, - NSSLOWKEYDBNameFunc namecb, void *cbarg) + NSSLOWKEYDBNameFunc namecb, void *cbarg) { NSSLOWKEYDBHandle *handle = NULL; SECStatus rv; int openflags; char *dbname = NULL; - handle = nsslowkey_NewHandle(NULL); openflags = readOnly ? NO_RDONLY : NO_RDWR; - dbname = (*namecb)(cbarg, NSSLOWKEY_DB_FILE_VERSION); - if ( dbname == NULL ) { - goto loser; + if (dbname == NULL) { + goto loser; } - handle->appname = appName ? PORT_Strdup(appName) : NULL ; - handle->dbname = (appName == NULL) ? PORT_Strdup(dbname) : - (prefix ? PORT_Strdup(prefix) : NULL); + handle->appname = appName ? PORT_Strdup(appName) : NULL; + handle->dbname = (appName == NULL) ? PORT_Strdup(dbname) : (prefix ? PORT_Strdup(prefix) : NULL); handle->readOnly = readOnly; - - handle->db = openOldDB(appName, prefix, dbname, openflags); if (handle->db) { - verifyVersion(handle); - if (handle->version == 255) { - goto loser; - } + verifyVersion(handle); + if (handle->version == 255) { + goto loser; + } } /* if first open fails, try to create a new DB */ - if ( handle->db == NULL ) { - if ( readOnly ) { - goto loser; - } - - rv = openNewDB(appName, prefix, dbname, handle, namecb, cbarg); - /* two processes started to initialize the database at the same time. - * The multiprocess code blocked the second one, then had it retry to - * see if it can just open the database normally */ - if (rv == SECWouldBlock) { - handle->db = openOldDB(appName,prefix,dbname, openflags); - verifyVersion(handle); - if (handle->db == NULL) { - goto loser; - } - } else if (rv != SECSuccess) { - goto loser; - } + if (handle->db == NULL) { + if (readOnly) { + goto loser; + } + + rv = openNewDB(appName, prefix, dbname, handle, namecb, cbarg); + /* two processes started to initialize the database at the same time. + * The multiprocess code blocked the second one, then had it retry to + * see if it can just open the database normally */ + if (rv == SECWouldBlock) { + handle->db = openOldDB(appName, prefix, dbname, openflags); + verifyVersion(handle); + if (handle->db == NULL) { + goto loser; + } + } else if (rv != SECSuccess) { + goto loser; + } } handle->global_salt = GetKeyDBGlobalSalt(handle); - if ( dbname ) - PORT_Free( dbname ); + if (dbname) + PORT_Free(dbname); return handle; loser: - if ( dbname ) - PORT_Free( dbname ); + if (dbname) + PORT_Free(dbname); PORT_SetError(SEC_ERROR_BAD_DATABASE); nsslowkey_CloseKeyDB(handle); return NULL; @@ -1005,22 +997,24 @@ void nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle) { if (handle != NULL) { - if (handle->db != NULL) { - keydb_Close(handle); - } - if (handle->updatedb) { - handle->updatedb->close(handle->updatedb); + if (handle->db != NULL) { + keydb_Close(handle); } - if (handle->dbname) PORT_Free(handle->dbname); - if (handle->appname) PORT_Free(handle->appname); - if (handle->global_salt) { - SECITEM_FreeItem(handle->global_salt,PR_TRUE); - } - if (handle->lock != NULL) { - SKIP_AFTER_FORK(PZ_DestroyLock(handle->lock)); - } - - PORT_Free(handle); + if (handle->updatedb) { + handle->updatedb->close(handle->updatedb); + } + if (handle->dbname) + PORT_Free(handle->dbname); + if (handle->appname) + PORT_Free(handle->appname); + if (handle->global_salt) { + SECITEM_FreeItem(handle->global_salt, PR_TRUE); + } + if (handle->lock != NULL) { + SKIP_AFTER_FORK(PZ_DestroyLock(handle->lock)); + } + + PORT_Free(handle); } } @@ -1043,8 +1037,8 @@ nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, const SECItem *pubkey) int ret; if (handle == NULL) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); - return(SECFailure); + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return (SECFailure); } /* set up db key and data */ @@ -1053,44 +1047,44 @@ nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, const SECItem *pubkey) /* delete it from the database */ ret = keydb_Del(handle, &namekey, 0); - if ( ret ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); - return(SECFailure); + if (ret) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return (SECFailure); } /* sync the database */ ret = keydb_Sync(handle, 0); - if ( ret ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); - return(SECFailure); + if (ret) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return (SECFailure); } - return(SECSuccess); + return (SECSuccess); } /* * Store a key in the database, indexed by its public key modulus.(value!) */ SECStatus -nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, - NSSLOWKEYPrivateKey *privkey, - SECItem *pubKeyData, - char *nickname, - SDB *sdb) +nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, + NSSLOWKEYPrivateKey *privkey, + SECItem *pubKeyData, + char *nickname, + SDB *sdb) { - return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, - nickname, sdb, PR_FALSE); + return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, + nickname, sdb, PR_FALSE); } SECStatus -nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle, - NSSLOWKEYPrivateKey *privkey, - SECItem *pubKeyData, - char *nickname, - SDB *sdb) +nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle, + NSSLOWKEYPrivateKey *privkey, + SECItem *pubKeyData, + char *nickname, + SDB *sdb) { - return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, - nickname, sdb, PR_TRUE); + return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, + nickname, sdb, PR_TRUE); } /* see if the symetric CKA_ID already Exists. @@ -1105,10 +1099,10 @@ nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id) namekey.data = (char *)id->data; namekey.size = id->len; status = keydb_Get(handle, &namekey, &dummy, 0); - if ( status ) { - return PR_FALSE; + if (status) { + return PR_FALSE; } - + return PR_TRUE; } @@ -1122,64 +1116,64 @@ nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, NSSLOWCERTCertificate *cer DBT namekey; DBT dummy; int status; - + /* get cert's public key */ pubkey = nsslowcert_ExtractPublicKey(cert); - if ( pubkey == NULL ) { - return PR_FALSE; + if (pubkey == NULL) { + return PR_FALSE; } /* TNH - make key from NSSLOWKEYPublicKey */ switch (pubkey->keyType) { - case NSSLOWKEYRSAKey: - namekey.data = pubkey->u.rsa.modulus.data; - namekey.size = pubkey->u.rsa.modulus.len; - break; - case NSSLOWKEYDSAKey: - namekey.data = pubkey->u.dsa.publicValue.data; - namekey.size = pubkey->u.dsa.publicValue.len; - break; - case NSSLOWKEYDHKey: - namekey.data = pubkey->u.dh.publicValue.data; - namekey.size = pubkey->u.dh.publicValue.len; - break; + case NSSLOWKEYRSAKey: + namekey.data = pubkey->u.rsa.modulus.data; + namekey.size = pubkey->u.rsa.modulus.len; + break; + case NSSLOWKEYDSAKey: + namekey.data = pubkey->u.dsa.publicValue.data; + namekey.size = pubkey->u.dsa.publicValue.len; + break; + case NSSLOWKEYDHKey: + namekey.data = pubkey->u.dh.publicValue.data; + namekey.size = pubkey->u.dh.publicValue.len; + break; #ifndef NSS_DISABLE_ECC - case NSSLOWKEYECKey: - namekey.data = pubkey->u.ec.publicValue.data; - namekey.size = pubkey->u.ec.publicValue.len; - break; + case NSSLOWKEYECKey: + namekey.data = pubkey->u.ec.publicValue.data; + namekey.size = pubkey->u.ec.publicValue.len; + break; #endif /* NSS_DISABLE_ECC */ - default: - /* XXX We don't do Fortezza or DH yet. */ - return PR_FALSE; + default: + /* XXX We don't do Fortezza or DH yet. */ + return PR_FALSE; } if (handle->version != 3) { - unsigned char buf[SHA1_LENGTH]; - SHA1_HashBuf(buf,namekey.data,namekey.size); - /* NOTE: don't use pubkey after this! it's now thrashed */ - PORT_Memcpy(namekey.data,buf,sizeof(buf)); - namekey.size = sizeof(buf); + unsigned char buf[SHA1_LENGTH]; + SHA1_HashBuf(buf, namekey.data, namekey.size); + /* NOTE: don't use pubkey after this! it's now thrashed */ + PORT_Memcpy(namekey.data, buf, sizeof(buf)); + namekey.size = sizeof(buf); } status = keydb_Get(handle, &namekey, &dummy, 0); /* some databases have the key stored as a signed value */ if (status) { - unsigned char *buf = (unsigned char *)PORT_Alloc(namekey.size+1); - if (buf) { - PORT_Memcpy(&buf[1], namekey.data, namekey.size); - buf[0] = 0; - namekey.data = buf; - namekey.size ++; - status = keydb_Get(handle, &namekey, &dummy, 0); - PORT_Free(buf); - } + unsigned char *buf = (unsigned char *)PORT_Alloc(namekey.size + 1); + if (buf) { + PORT_Memcpy(&buf[1], namekey.data, namekey.size); + buf[0] = 0; + namekey.data = buf; + namekey.size++; + status = keydb_Get(handle, &namekey, &dummy, 0); + PORT_Free(buf); + } } lg_nsslowkey_DestroyPublicKey(pubkey); - if ( status ) { - return PR_FALSE; + if (status) { + return PR_FALSE; } - + return PR_TRUE; } @@ -1189,12 +1183,12 @@ typedef struct NSSLowPasswordDataParamStr { } NSSLowPasswordDataParam; static const SEC_ASN1Template NSSLOWPasswordParamTemplate[] = -{ - {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLowPasswordDataParam) }, - {SEC_ASN1_OCTET_STRING, offsetof(NSSLowPasswordDataParam, salt) }, - {SEC_ASN1_INTEGER, offsetof(NSSLowPasswordDataParam, iter) }, - {0} -}; + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLowPasswordDataParam) }, + { SEC_ASN1_OCTET_STRING, offsetof(NSSLowPasswordDataParam, salt) }, + { SEC_ASN1_INTEGER, offsetof(NSSLowPasswordDataParam, iter) }, + { 0 } + }; struct LGEncryptedDataInfoStr { SECAlgorithmID algorithm; SECItem encryptedData; @@ -1203,12 +1197,12 @@ typedef struct LGEncryptedDataInfoStr LGEncryptedDataInfo; const SEC_ASN1Template lg_EncryptedDataInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(LGEncryptedDataInfo) }, + 0, NULL, sizeof(LGEncryptedDataInfo) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(LGEncryptedDataInfo,algorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(LGEncryptedDataInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_OCTET_STRING, - offsetof(LGEncryptedDataInfo,encryptedData) }, + offsetof(LGEncryptedDataInfo, encryptedData) }, { 0 } }; @@ -1224,24 +1218,24 @@ nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data) SECStatus rv; param.salt = *salt; - param.iter.type = siBuffer; /* encode as signed integer */ + param.iter.type = siBuffer; /* encode as signed integer */ param.iter.data = &one; param.iter.len = 1; edi.encryptedData = *data; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - return NULL; + return NULL; } encParam = SEC_ASN1EncodeItem(arena, NULL, ¶m, - NSSLOWPasswordParamTemplate); + NSSLOWPasswordParamTemplate); if (encParam == NULL) { - goto loser; + goto loser; } rv = SECOID_SetAlgorithmID(arena, &edi.algorithm, alg, encParam); if (rv != SECSuccess) { - goto loser; + goto loser; } epw = SEC_ASN1EncodeItem(NULL, NULL, &edi, lg_EncryptedDataInfoTemplate); @@ -1260,69 +1254,68 @@ nsslowkey_DecodePW(const SECItem *derData, SECOidTag *alg, SECItem *salt) SECStatus rv; salt->data = NULL; - param.iter.type = siBuffer; /* decode as signed integer */ + param.iter.type = siBuffer; /* decode as signed integer */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - return NULL; + return NULL; } - rv = SEC_QuickDERDecodeItem(arena, &edi, lg_EncryptedDataInfoTemplate, - derData); + rv = SEC_QuickDERDecodeItem(arena, &edi, lg_EncryptedDataInfoTemplate, + derData); if (rv != SECSuccess) { - goto loser; + goto loser; } *alg = SECOID_GetAlgorithmTag(&edi.algorithm); rv = SEC_QuickDERDecodeItem(arena, ¶m, NSSLOWPasswordParamTemplate, - &edi.algorithm.parameters); + &edi.algorithm.parameters); if (rv != SECSuccess) { - goto loser; + goto loser; } rv = SECITEM_CopyItem(NULL, salt, ¶m.salt); if (rv != SECSuccess) { - goto loser; + goto loser; } pwe = SECITEM_DupItem(&edi.encryptedData); loser: if (!pwe && salt->data) { - PORT_Free(salt->data); - salt->data = NULL; + PORT_Free(salt->data); + salt->data = NULL; } PORT_FreeArena(arena, PR_FALSE); return pwe; } - /* * check to see if the user has a password */ static SECStatus -nsslowkey_GetPWCheckEntry(NSSLOWKEYDBHandle *handle,NSSLOWKEYPasswordEntry *entry) +nsslowkey_GetPWCheckEntry(NSSLOWKEYDBHandle *handle, NSSLOWKEYPasswordEntry *entry) { DBT checkkey; /*, checkdata; */ NSSLOWKEYDBKey *dbkey = NULL; - SECItem *global_salt = NULL; - SECItem *item = NULL; - SECItem entryData, oid; - SECItem none = { siBuffer, NULL, 0 }; + SECItem *global_salt = NULL; + SECItem *item = NULL; + SECItem entryData, oid; + SECItem none = { siBuffer, NULL, 0 }; SECStatus rv = SECFailure; SECOidTag algorithm; if (handle == NULL) { - /* PORT_SetError */ - return(SECFailure); + /* PORT_SetError */ + return (SECFailure); } global_salt = GetKeyDBGlobalSalt(handle); if (!global_salt) { - global_salt = &none; + global_salt = &none; } if (global_salt->len > sizeof(entry->data)) { - /* PORT_SetError */ - goto loser; + /* PORT_SetError */ + goto loser; } - + PORT_Memcpy(entry->data, global_salt->data, global_salt->len); entry->salt.data = entry->data; entry->salt.len = global_salt->len; @@ -1332,24 +1325,24 @@ nsslowkey_GetPWCheckEntry(NSSLOWKEYDBHandle *handle,NSSLOWKEYPasswordEntry *entr checkkey.size = KEYDB_PW_CHECK_LEN; dbkey = get_dbkey(handle, &checkkey); if (dbkey == NULL) { - /* handle 'FAKE' check here */ - goto loser; + /* handle 'FAKE' check here */ + goto loser; } oid.len = dbkey->derPK.data[0]; oid.data = &dbkey->derPK.data[1]; - if (dbkey->derPK.len < (KEYDB_PW_CHECK_LEN + 1 +oid.len)) { - goto loser; + if (dbkey->derPK.len < (KEYDB_PW_CHECK_LEN + 1 + oid.len)) { + goto loser; } algorithm = SECOID_FindOIDTag(&oid); entryData.type = siBuffer; - entryData.len = dbkey->derPK.len - (oid.len+1); - entryData.data = &dbkey->derPK.data[oid.len+1]; + entryData.len = dbkey->derPK.len - (oid.len + 1); + entryData.data = &dbkey->derPK.data[oid.len + 1]; item = nsslowkey_EncodePW(algorithm, &dbkey->salt, &entryData); if (!item || (item->len + entry->salt.len) > sizeof(entry->data)) { - goto loser; + goto loser; } PORT_Memcpy(entry->value.data, item->data, item->len); entry->value.len = item->len; @@ -1357,13 +1350,13 @@ nsslowkey_GetPWCheckEntry(NSSLOWKEYDBHandle *handle,NSSLOWKEYPasswordEntry *entr loser: if (item) { - SECITEM_FreeItem(item, PR_TRUE); + SECITEM_FreeItem(item, PR_TRUE); } if (dbkey) { - sec_destroy_dbkey(dbkey); + sec_destroy_dbkey(dbkey); } if (global_salt != &none) { - SECITEM_FreeItem(global_salt,PR_TRUE); + SECITEM_FreeItem(global_salt, PR_TRUE); } return rv; } @@ -1372,20 +1365,20 @@ loser: * check to see if the user has a password */ static SECStatus -nsslowkey_PutPWCheckEntry(NSSLOWKEYDBHandle *handle,NSSLOWKEYPasswordEntry *entry) +nsslowkey_PutPWCheckEntry(NSSLOWKEYDBHandle *handle, NSSLOWKEYPasswordEntry *entry) { DBT checkkey; NSSLOWKEYDBKey *dbkey = NULL; - SECItem *item = NULL; - SECItem salt; + SECItem *item = NULL; + SECItem salt; SECOidTag algid = SEC_OID_UNKNOWN; SECStatus rv = SECFailure; PLArenaPool *arena; int ret; if (handle == NULL) { - /* PORT_SetError */ - return(SECFailure); + /* PORT_SetError */ + return (SECFailure); } checkkey.data = KEYDB_PW_CHECK_STRING; @@ -1394,80 +1387,79 @@ nsslowkey_PutPWCheckEntry(NSSLOWKEYDBHandle *handle,NSSLOWKEYPasswordEntry *entr salt.data = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - return SECFailure; + return SECFailure; } item = nsslowkey_DecodePW(&entry->value, &algid, &salt); if (item == NULL) { - goto loser; + goto loser; } dbkey = PORT_ArenaZNew(arena, NSSLOWKEYDBKey); if (dbkey == NULL) { - goto loser; + goto loser; } dbkey->arena = arena; rv = SECITEM_CopyItem(arena, &dbkey->salt, &salt); if (rv != SECSuccess) { - goto loser; + goto loser; } rv = encodePWCheckEntry(arena, &dbkey->derPK, algid, item); if (rv != SECSuccess) { - goto loser; + goto loser; } rv = put_dbkey(handle, &checkkey, dbkey, PR_TRUE); if (rv != SECSuccess) { - goto loser; + goto loser; } if (handle->global_salt) { - SECITEM_FreeItem(handle->global_salt, PR_TRUE); - handle->global_salt = NULL; + SECITEM_FreeItem(handle->global_salt, PR_TRUE); + handle->global_salt = NULL; } rv = StoreKeyDBGlobalSalt(handle, &entry->salt); if (rv != SECSuccess) { - goto loser; + goto loser; } ret = keydb_Sync(handle, 0); - if ( ret ) { - rv = SECFailure; - goto loser; + if (ret) { + rv = SECFailure; + goto loser; } handle->global_salt = GetKeyDBGlobalSalt(handle); loser: if (item) { - SECITEM_FreeItem(item, PR_TRUE); + SECITEM_FreeItem(item, PR_TRUE); } if (arena) { - PORT_FreeArena(arena, PR_TRUE); + PORT_FreeArena(arena, PR_TRUE); } if (salt.data) { - PORT_Free(salt.data); + PORT_Free(salt.data); } return rv; } #ifdef EC_DEBUG -#define SEC_PRINT(str1, str2, num, sitem) \ +#define SEC_PRINT(str1, str2, num, sitem) \ printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \ - str1, str2, num, sitem->len); \ - for (i = 0; i < sitem->len; i++) { \ - printf("%02x:", sitem->data[i]); \ - } \ - printf("\n") + str1, str2, num, sitem->len); \ + for (i = 0; i < sitem->len; i++) { \ + printf("%02x:", sitem->data[i]); \ + } \ + printf("\n") #else -#define SEC_PRINT(a, b, c, d) +#define SEC_PRINT(a, b, c, d) #endif /* EC_DEBUG */ - -SECStatus -seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, - SDB *sdbpw, SECItem *result) +SECStatus +seckey_encrypt_private_key(PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, + SDB *sdbpw, SECItem *result) { NSSLOWKEYPrivateKeyInfo *pki = NULL; SECStatus rv = SECFailure; @@ -1483,187 +1475,186 @@ seckey_encrypt_private_key( PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, #endif temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if(temparena == NULL) - goto loser; + if (temparena == NULL) + goto loser; /* allocate structures */ - pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, - sizeof(NSSLOWKEYPrivateKeyInfo)); + pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, + sizeof(NSSLOWKEYPrivateKeyInfo)); der_item = (SECItem *)PORT_ArenaZAlloc(temparena, sizeof(SECItem)); - if((pki == NULL) || (der_item == NULL)) - goto loser; - + if ((pki == NULL) || (der_item == NULL)) + goto loser; /* setup private key info */ - dummy = SEC_ASN1EncodeInteger(temparena, &(pki->version), - NSSLOWKEY_PRIVATE_KEY_INFO_VERSION); - if(dummy == NULL) - goto loser; + dummy = SEC_ASN1EncodeInteger(temparena, &(pki->version), + NSSLOWKEY_PRIVATE_KEY_INFO_VERSION); + if (dummy == NULL) + goto loser; /* Encode the key, and set the algorithm (with params) */ switch (pk->keyType) { - case NSSLOWKEYRSAKey: - lg_prepare_low_rsa_priv_key_for_asn1(pk); - dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, - lg_nsslowkey_RSAPrivateKeyTemplate); - if (dummy == NULL) { - rv = SECFailure; - goto loser; - } - - rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), - SEC_OID_PKCS1_RSA_ENCRYPTION, 0); - if (rv == SECFailure) { - goto loser; - } - - break; - case NSSLOWKEYDSAKey: - lg_prepare_low_dsa_priv_key_for_asn1(pk); - dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, - lg_nsslowkey_DSAPrivateKeyTemplate); - if (dummy == NULL) { - rv = SECFailure; - goto loser; - } - - lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); - dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params, - lg_nsslowkey_PQGParamsTemplate); - if (dummy == NULL) { - rv = SECFailure; - goto loser; - } - - rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), - SEC_OID_ANSIX9_DSA_SIGNATURE, dummy); - if (rv == SECFailure) { - goto loser; - } - - break; - case NSSLOWKEYDHKey: - lg_prepare_low_dh_priv_key_for_asn1(pk); - dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, - lg_nsslowkey_DHPrivateKeyTemplate); - if (dummy == NULL) { - rv = SECFailure; - goto loser; - } - - rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), - SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy); - if (rv == SECFailure) { - goto loser; - } - break; + case NSSLOWKEYRSAKey: + lg_prepare_low_rsa_priv_key_for_asn1(pk); + dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, + lg_nsslowkey_RSAPrivateKeyTemplate); + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), + SEC_OID_PKCS1_RSA_ENCRYPTION, 0); + if (rv == SECFailure) { + goto loser; + } + + break; + case NSSLOWKEYDSAKey: + lg_prepare_low_dsa_priv_key_for_asn1(pk); + dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, + lg_nsslowkey_DSAPrivateKeyTemplate); + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); + dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params, + lg_nsslowkey_PQGParamsTemplate); + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), + SEC_OID_ANSIX9_DSA_SIGNATURE, dummy); + if (rv == SECFailure) { + goto loser; + } + + break; + case NSSLOWKEYDHKey: + lg_prepare_low_dh_priv_key_for_asn1(pk); + dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, + lg_nsslowkey_DHPrivateKeyTemplate); + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), + SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy); + if (rv == SECFailure) { + goto loser; + } + break; #ifndef NSS_DISABLE_ECC - case NSSLOWKEYECKey: - lg_prepare_low_ec_priv_key_for_asn1(pk); - /* Public value is encoded as a bit string so adjust length - * to be in bits before ASN encoding and readjust - * immediately after. - * - * Since the SECG specification recommends not including the - * parameters as part of ECPrivateKey, we zero out the curveOID - * length before encoding and restore it later. - */ - pk->u.ec.publicValue.len <<= 3; - savelen = pk->u.ec.ecParams.curveOID.len; - pk->u.ec.ecParams.curveOID.len = 0; - dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, - lg_nsslowkey_ECPrivateKeyTemplate); - pk->u.ec.ecParams.curveOID.len = savelen; - pk->u.ec.publicValue.len >>= 3; - - if (dummy == NULL) { - rv = SECFailure; - goto loser; - } - - dummy = &pk->u.ec.ecParams.DEREncoding; - - /* At this point dummy should contain the encoded params */ - rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), - SEC_OID_ANSIX962_EC_PUBLIC_KEY, dummy); - - if (rv == SECFailure) { - goto loser; - } - + case NSSLOWKEYECKey: + lg_prepare_low_ec_priv_key_for_asn1(pk); + /* Public value is encoded as a bit string so adjust length + * to be in bits before ASN encoding and readjust + * immediately after. + * + * Since the SECG specification recommends not including the + * parameters as part of ECPrivateKey, we zero out the curveOID + * length before encoding and restore it later. + */ + pk->u.ec.publicValue.len <<= 3; + savelen = pk->u.ec.ecParams.curveOID.len; + pk->u.ec.ecParams.curveOID.len = 0; + dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, + lg_nsslowkey_ECPrivateKeyTemplate); + pk->u.ec.ecParams.curveOID.len = savelen; + pk->u.ec.publicValue.len >>= 3; + + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + dummy = &pk->u.ec.ecParams.DEREncoding; + + /* At this point dummy should contain the encoded params */ + rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), + SEC_OID_ANSIX962_EC_PUBLIC_KEY, dummy); + + if (rv == SECFailure) { + goto loser; + } + #ifdef EC_DEBUG - fordebug = &(pki->privateKey); - SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey", - pk->keyType, fordebug); + fordebug = &(pki->privateKey); + SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey", + pk->keyType, fordebug); #endif - break; + break; #endif /* NSS_DISABLE_ECC */ - default: - /* We don't support DH or Fortezza private keys yet */ - PORT_Assert(PR_FALSE); - break; + default: + /* We don't support DH or Fortezza private keys yet */ + PORT_Assert(PR_FALSE); + break; } /* setup encrypted private key info */ - dummy = SEC_ASN1EncodeItem(temparena, der_item, pki, - lg_nsslowkey_PrivateKeyInfoTemplate); + dummy = SEC_ASN1EncodeItem(temparena, der_item, pki, + lg_nsslowkey_PrivateKeyInfoTemplate); - SEC_PRINT("seckey_encrypt_private_key()", "PrivateKeyInfo", - pk->keyType, der_item); + SEC_PRINT("seckey_encrypt_private_key()", "PrivateKeyInfo", + pk->keyType, der_item); - if(dummy == NULL) { - rv = SECFailure; - goto loser; + if (dummy == NULL) { + rv = SECFailure; + goto loser; } rv = lg_util_encrypt(temparena, sdbpw, dummy, &cipherText); if (rv != SECSuccess) { - goto loser; + goto loser; } - rv = SECITEM_CopyItem ( permarena, result, cipherText); + rv = SECITEM_CopyItem(permarena, result, cipherText); loser: - if(temparena != NULL) - PORT_FreeArena(temparena, PR_TRUE); + if (temparena != NULL) + PORT_FreeArena(temparena, PR_TRUE); return rv; } -static SECStatus +static SECStatus seckey_put_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, SDB *sdbpw, - NSSLOWKEYPrivateKey *pk, char *nickname, PRBool update) + NSSLOWKEYPrivateKey *pk, char *nickname, PRBool update) { NSSLOWKEYDBKey *dbkey = NULL; PLArenaPool *arena = NULL; SECStatus rv = SECFailure; - if((keydb == NULL) || (index == NULL) || (sdbpw == NULL) || - (pk == NULL)) - return SECFailure; - + if ((keydb == NULL) || (index == NULL) || (sdbpw == NULL) || + (pk == NULL)) + return SECFailure; + arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if(arena == NULL) - return SECFailure; + if (arena == NULL) + return SECFailure; dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey)); - if(dbkey == NULL) - goto loser; + if (dbkey == NULL) + goto loser; dbkey->arena = arena; dbkey->nickname = nickname; rv = seckey_encrypt_private_key(arena, pk, sdbpw, &dbkey->derPK); - if(rv != SECSuccess) - goto loser; + if (rv != SECSuccess) + goto loser; rv = put_dbkey(keydb, index, dbkey, update); - /* let success fall through */ +/* let success fall through */ loser: - if(arena != NULL) - PORT_FreeArena(arena, PR_TRUE); + if (arena != NULL) + PORT_FreeArena(arena, PR_TRUE); return rv; } @@ -1673,19 +1664,19 @@ loser: * Note that the nickname is optional. It was only used by keyutil. */ SECStatus -nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, - NSSLOWKEYPrivateKey *privkey, - SECItem *pubKeyData, - char *nickname, - SDB *sdbpw, - PRBool update) +nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, + NSSLOWKEYPrivateKey *privkey, + SECItem *pubKeyData, + char *nickname, + SDB *sdbpw, + PRBool update) { DBT namekey; SECStatus rv; if (handle == NULL) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); - return(SECFailure); + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return (SECFailure); } /* set up db key and data */ @@ -1694,14 +1685,14 @@ nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, /* encrypt the private key */ rv = seckey_put_private_key(handle, &namekey, sdbpw, privkey, nickname, - update); - - return(rv); + update); + + return (rv); } static NSSLOWKEYPrivateKey * -seckey_decrypt_private_key(SECItem*epki, - SDB *sdbpw) +seckey_decrypt_private_key(SECItem *epki, + SDB *sdbpw) { NSSLOWKEYPrivateKey *pk = NULL; NSSLOWKEYPrivateKeyInfo *pki = NULL; @@ -1712,174 +1703,174 @@ seckey_decrypt_private_key(SECItem*epki, SECItem *fordebug = NULL; #endif - if((epki == NULL) || (sdbpw == NULL)) - goto loser; + if ((epki == NULL) || (sdbpw == NULL)) + goto loser; temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if((temparena == NULL) || (permarena == NULL)) - goto loser; + if ((temparena == NULL) || (permarena == NULL)) + goto loser; /* allocate temporary items */ - pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, - sizeof(NSSLOWKEYPrivateKeyInfo)); + pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, + sizeof(NSSLOWKEYPrivateKeyInfo)); /* allocate permanent arena items */ pk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(permarena, - sizeof(NSSLOWKEYPrivateKey)); + sizeof(NSSLOWKEYPrivateKey)); - if((pk == NULL) || (pki == NULL)) - goto loser; + if ((pk == NULL) || (pki == NULL)) + goto loser; pk->arena = permarena; rv = lg_util_decrypt(sdbpw, epki, &dest); if (rv != SECSuccess) { - goto loser; + goto loser; } - - if(dest != NULL) - { + + if (dest != NULL) { SECItem newPrivateKey; SECItem newAlgParms; SEC_PRINT("seckey_decrypt_private_key()", "PrivateKeyInfo", -1, - dest); - - rv = SEC_QuickDERDecodeItem(temparena, pki, - lg_nsslowkey_PrivateKeyInfoTemplate, dest); - if(rv == SECSuccess) - { - switch(SECOID_GetAlgorithmTag(&pki->algorithm)) { - case SEC_OID_X500_RSA_ENCRYPTION: - case SEC_OID_PKCS1_RSA_ENCRYPTION: - pk->keyType = NSSLOWKEYRSAKey; - lg_prepare_low_rsa_priv_key_for_asn1(pk); - if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, - &pki->privateKey) ) break; - rv = SEC_QuickDERDecodeItem(permarena, pk, - lg_nsslowkey_RSAPrivateKeyTemplate, - &newPrivateKey); - if (rv == SECSuccess) { - break; - } - /* Try decoding with the alternative template, but only allow - * a zero-length modulus for a secret key object. - * See bug 715073. - */ - rv = SEC_QuickDERDecodeItem(permarena, pk, - lg_nsslowkey_RSAPrivateKeyTemplate2, - &newPrivateKey); - /* A publicExponent of 0 is the defining property of a secret - * key disguised as an RSA key. When decoding with the - * alternative template, only accept a secret key with an - * improperly encoded modulus and a publicExponent of 0. - */ - if (rv == SECSuccess) { - if (pk->u.rsa.modulus.len == 2 && - pk->u.rsa.modulus.data[0] == SEC_ASN1_INTEGER && - pk->u.rsa.modulus.data[1] == 0 && - pk->u.rsa.publicExponent.len == 1 && - pk->u.rsa.publicExponent.data[0] == 0) { - /* Fix the zero-length integer by setting it to 0. */ - pk->u.rsa.modulus.data = pk->u.rsa.publicExponent.data; - pk->u.rsa.modulus.len = pk->u.rsa.publicExponent.len; - } else { - PORT_SetError(SEC_ERROR_BAD_DER); - rv = SECFailure; - } - } - break; - case SEC_OID_ANSIX9_DSA_SIGNATURE: - pk->keyType = NSSLOWKEYDSAKey; - lg_prepare_low_dsa_priv_key_for_asn1(pk); - if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, - &pki->privateKey) ) break; - rv = SEC_QuickDERDecodeItem(permarena, pk, - lg_nsslowkey_DSAPrivateKeyTemplate, - &newPrivateKey); - if (rv != SECSuccess) - goto loser; - lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); - if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms, - &pki->algorithm.parameters) ) break; - rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params, - lg_nsslowkey_PQGParamsTemplate, - &newAlgParms); - break; - case SEC_OID_X942_DIFFIE_HELMAN_KEY: - pk->keyType = NSSLOWKEYDHKey; - lg_prepare_low_dh_priv_key_for_asn1(pk); - if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, - &pki->privateKey) ) break; - rv = SEC_QuickDERDecodeItem(permarena, pk, - lg_nsslowkey_DHPrivateKeyTemplate, - &newPrivateKey); - break; + dest); + + rv = SEC_QuickDERDecodeItem(temparena, pki, + lg_nsslowkey_PrivateKeyInfoTemplate, dest); + if (rv == SECSuccess) { + switch (SECOID_GetAlgorithmTag(&pki->algorithm)) { + case SEC_OID_X500_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_ENCRYPTION: + pk->keyType = NSSLOWKEYRSAKey; + lg_prepare_low_rsa_priv_key_for_asn1(pk); + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey)) + break; + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_RSAPrivateKeyTemplate, + &newPrivateKey); + if (rv == SECSuccess) { + break; + } + /* Try decoding with the alternative template, but only allow + * a zero-length modulus for a secret key object. + * See bug 715073. + */ + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_RSAPrivateKeyTemplate2, + &newPrivateKey); + /* A publicExponent of 0 is the defining property of a secret + * key disguised as an RSA key. When decoding with the + * alternative template, only accept a secret key with an + * improperly encoded modulus and a publicExponent of 0. + */ + if (rv == SECSuccess) { + if (pk->u.rsa.modulus.len == 2 && + pk->u.rsa.modulus.data[0] == SEC_ASN1_INTEGER && + pk->u.rsa.modulus.data[1] == 0 && + pk->u.rsa.publicExponent.len == 1 && + pk->u.rsa.publicExponent.data[0] == 0) { + /* Fix the zero-length integer by setting it to 0. */ + pk->u.rsa.modulus.data = pk->u.rsa.publicExponent.data; + pk->u.rsa.modulus.len = pk->u.rsa.publicExponent.len; + } else { + PORT_SetError(SEC_ERROR_BAD_DER); + rv = SECFailure; + } + } + break; + case SEC_OID_ANSIX9_DSA_SIGNATURE: + pk->keyType = NSSLOWKEYDSAKey; + lg_prepare_low_dsa_priv_key_for_asn1(pk); + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey)) + break; + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_DSAPrivateKeyTemplate, + &newPrivateKey); + if (rv != SECSuccess) + goto loser; + lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); + if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms, + &pki->algorithm.parameters)) + break; + rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params, + lg_nsslowkey_PQGParamsTemplate, + &newAlgParms); + break; + case SEC_OID_X942_DIFFIE_HELMAN_KEY: + pk->keyType = NSSLOWKEYDHKey; + lg_prepare_low_dh_priv_key_for_asn1(pk); + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey)) + break; + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_DHPrivateKeyTemplate, + &newPrivateKey); + break; #ifndef NSS_DISABLE_ECC - case SEC_OID_ANSIX962_EC_PUBLIC_KEY: - pk->keyType = NSSLOWKEYECKey; - lg_prepare_low_ec_priv_key_for_asn1(pk); + case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + pk->keyType = NSSLOWKEYECKey; + lg_prepare_low_ec_priv_key_for_asn1(pk); #ifdef EC_DEBUG - fordebug = &pki->privateKey; - SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", - pk->keyType, fordebug); + fordebug = &pki->privateKey; + SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", + pk->keyType, fordebug); #endif - if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, - &pki->privateKey) ) break; - rv = SEC_QuickDERDecodeItem(permarena, pk, - lg_nsslowkey_ECPrivateKeyTemplate, - &newPrivateKey); - if (rv != SECSuccess) - goto loser; + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey)) + break; + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_ECPrivateKeyTemplate, + &newPrivateKey); + if (rv != SECSuccess) + goto loser; - lg_prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams); + lg_prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams); - rv = SECITEM_CopyItem(permarena, - &pk->u.ec.ecParams.DEREncoding, - &pki->algorithm.parameters); + rv = SECITEM_CopyItem(permarena, + &pk->u.ec.ecParams.DEREncoding, + &pki->algorithm.parameters); - if (rv != SECSuccess) - goto loser; + if (rv != SECSuccess) + goto loser; - /* Fill out the rest of EC params */ - rv = LGEC_FillParams(permarena, &pk->u.ec.ecParams.DEREncoding, - &pk->u.ec.ecParams); + /* Fill out the rest of EC params */ + rv = LGEC_FillParams(permarena, &pk->u.ec.ecParams.DEREncoding, + &pk->u.ec.ecParams); - if (rv != SECSuccess) - goto loser; + if (rv != SECSuccess) + goto loser; - if (pk->u.ec.publicValue.len != 0) { - pk->u.ec.publicValue.len >>= 3; - } + if (pk->u.ec.publicValue.len != 0) { + pk->u.ec.publicValue.len >>= 3; + } - break; + break; #endif /* NSS_DISABLE_ECC */ - default: - rv = SECFailure; - break; - } - } - else if(PORT_GetError() == SEC_ERROR_BAD_DER) - { - PORT_SetError(SEC_ERROR_BAD_PASSWORD); - goto loser; - } - } - - /* let success fall through */ + default: + rv = SECFailure; + break; + } + } else if (PORT_GetError() == SEC_ERROR_BAD_DER) { + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + goto loser; + } + } + +/* let success fall through */ loser: - if(temparena != NULL) - PORT_FreeArena(temparena, PR_TRUE); - if(dest != NULL) - SECITEM_ZfreeItem(dest, PR_TRUE); + if (temparena != NULL) + PORT_FreeArena(temparena, PR_TRUE); + if (dest != NULL) + SECITEM_ZfreeItem(dest, PR_TRUE); - if(rv != SECSuccess) - { - if(permarena != NULL) - PORT_FreeArena(permarena, PR_TRUE); - pk = NULL; + if (rv != SECSuccess) { + if (permarena != NULL) + PORT_FreeArena(permarena, PR_TRUE); + pk = NULL; } return pk; @@ -1888,8 +1879,8 @@ loser: static NSSLOWKEYPrivateKey * seckey_decode_encrypted_private_key(NSSLOWKEYDBKey *dbkey, SDB *sdbpw) { - if( ( dbkey == NULL ) || ( sdbpw == NULL ) ) { - return NULL; + if ((dbkey == NULL) || (sdbpw == NULL)) { + return NULL; } return seckey_decrypt_private_key(&(dbkey->derPK), sdbpw); @@ -1897,35 +1888,35 @@ seckey_decode_encrypted_private_key(NSSLOWKEYDBKey *dbkey, SDB *sdbpw) static NSSLOWKEYPrivateKey * seckey_get_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, char **nickname, - SDB *sdbpw) + SDB *sdbpw) { NSSLOWKEYDBKey *dbkey = NULL; NSSLOWKEYPrivateKey *pk = NULL; - if( ( keydb == NULL ) || ( index == NULL ) || ( sdbpw == NULL ) ) { - return NULL; + if ((keydb == NULL) || (index == NULL) || (sdbpw == NULL)) { + return NULL; } dbkey = get_dbkey(keydb, index); - if(dbkey == NULL) { - goto loser; - } - - if ( nickname ) { - if ( dbkey->nickname && ( dbkey->nickname[0] != 0 ) ) { - *nickname = PORT_Strdup(dbkey->nickname); - } else { - *nickname = NULL; - } - } - + if (dbkey == NULL) { + goto loser; + } + + if (nickname) { + if (dbkey->nickname && (dbkey->nickname[0] != 0)) { + *nickname = PORT_Strdup(dbkey->nickname); + } else { + *nickname = NULL; + } + } + pk = seckey_decode_encrypted_private_key(dbkey, sdbpw); - - /* let success fall through */ + +/* let success fall through */ loser: - if ( dbkey != NULL ) { - sec_destroy_dbkey(dbkey); + if (dbkey != NULL) { + sec_destroy_dbkey(dbkey); } return pk; @@ -1940,14 +1931,14 @@ loser: */ NSSLOWKEYPrivateKey * nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus, - SDB *sdbpw) + SDB *sdbpw) { DBT namekey; NSSLOWKEYPrivateKey *pk = NULL; if (handle == NULL) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); - return NULL; + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return NULL; } /* set up db key */ @@ -1955,24 +1946,24 @@ nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus, namekey.size = modulus->len; pk = seckey_get_private_key(handle, &namekey, NULL, sdbpw); - + /* no need to free dbkey, since its on the stack, and the data it * points to is owned by the database */ - return(pk); + return (pk); } char * -nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle, - SECItem *modulus, SDB *sdbpw) +nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle, + SECItem *modulus, SDB *sdbpw) { DBT namekey; NSSLOWKEYPrivateKey *pk = NULL; char *nickname = NULL; if (handle == NULL) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); - return NULL; + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return NULL; } /* set up db key */ @@ -1981,51 +1972,50 @@ nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle, pk = seckey_get_private_key(handle, &namekey, &nickname, sdbpw); if (pk) { - lg_nsslowkey_DestroyPrivateKey(pk); + lg_nsslowkey_DestroyPrivateKey(pk); } - + /* no need to free dbkey, since its on the stack, and the data it * points to is owned by the database */ - return(nickname); + return (nickname); } /* ===== ENCODING ROUTINES ===== */ static SECStatus encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg, - SECItem *encCheck) + SECItem *encCheck) { SECOidData *oidData; - + oidData = SECOID_FindOIDByTag(alg); - if ( oidData == NULL ) { - return SECFailure; + if (oidData == NULL) { + return SECFailure; } entry->len = 1 + oidData->oid.len + encCheck->len; - if ( arena ) { - entry->data = (unsigned char *)PORT_ArenaAlloc(arena, entry->len); + if (arena) { + entry->data = (unsigned char *)PORT_ArenaAlloc(arena, entry->len); } else { - entry->data = (unsigned char *)PORT_Alloc(entry->len); + entry->data = (unsigned char *)PORT_Alloc(entry->len); } - - if ( entry->data == NULL ) { - return SECFailure; + + if (entry->data == NULL) { + return SECFailure; } - + /* first length of oid */ entry->data[0] = (unsigned char)oidData->oid.len; /* next oid itself */ PORT_Memcpy(&entry->data[1], oidData->oid.data, oidData->oid.len); /* finally the encrypted check string */ - PORT_Memcpy(&entry->data[1+oidData->oid.len], encCheck->data, - encCheck->len); + PORT_Memcpy(&entry->data[1 + oidData->oid.len], encCheck->data, + encCheck->len); return SECSuccess; } - -#define MAX_DB_SIZE 0xffff +#define MAX_DB_SIZE 0xffff /* * Clear out all the keys in the existing database */ @@ -2035,47 +2025,47 @@ nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle) SECStatus rv; int errors = 0; - if ( handle->db == NULL ) { - return(SECSuccess); + if (handle->db == NULL) { + return (SECSuccess); } if (handle->readOnly) { - /* set an error code */ - return SECFailure; - } + /* set an error code */ + return SECFailure; + } if (handle->appname == NULL && handle->dbname == NULL) { - return SECFailure; + return SECFailure; } keydb_Close(handle); if (handle->appname) { - handle->db= - rdbopen(handle->appname, handle->dbname, "key", NO_CREATE, NULL); + handle->db = + rdbopen(handle->appname, handle->dbname, "key", NO_CREATE, NULL); } else { - handle->db = dbopen( handle->dbname, NO_CREATE, 0600, DB_HASH, 0 ); + handle->db = dbopen(handle->dbname, NO_CREATE, 0600, DB_HASH, 0); } if (handle->db == NULL) { - /* set an error code */ - return SECFailure; + /* set an error code */ + return SECFailure; } - + rv = makeGlobalVersion(handle); - if ( rv != SECSuccess ) { - errors++; - goto done; + if (rv != SECSuccess) { + errors++; + goto done; } if (handle->global_salt) { - rv = StoreKeyDBGlobalSalt(handle, handle->global_salt); + rv = StoreKeyDBGlobalSalt(handle, handle->global_salt); } else { - rv = makeGlobalSalt(handle); - if ( rv == SECSuccess ) { - handle->global_salt = GetKeyDBGlobalSalt(handle); - } + rv = makeGlobalSalt(handle); + if (rv == SECSuccess) { + handle->global_salt = GetKeyDBGlobalSalt(handle); + } } - if ( rv != SECSuccess ) { - errors++; + if (rv != SECSuccess) { + errors++; } done: @@ -2092,15 +2082,15 @@ keydb_Get(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags) int ret; PRLock *kdbLock = kdb->lock; DB *db = kdb->db; - + PORT_Assert(kdbLock != NULL); PZ_Lock(kdbLock); - ret = (* db->get)(db, key, data, flags); + ret = (*db->get)(db, key, data, flags); (void)PZ_Unlock(kdbLock); - return(ret); + return (ret); } static int @@ -2113,11 +2103,11 @@ keydb_Put(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags) PORT_Assert(kdbLock != NULL); PZ_Lock(kdbLock); - ret = (* db->put)(db, key, data, flags); - + ret = (*db->put)(db, key, data, flags); + (void)PZ_Unlock(kdbLock); - return(ret); + return (ret); } static int @@ -2130,11 +2120,11 @@ keydb_Sync(NSSLOWKEYDBHandle *kdb, unsigned int flags) PORT_Assert(kdbLock != NULL); PZ_Lock(kdbLock); - ret = (* db->sync)(db, flags); - + ret = (*db->sync)(db, flags); + (void)PZ_Unlock(kdbLock); - return(ret); + return (ret); } static int @@ -2147,11 +2137,11 @@ keydb_Del(NSSLOWKEYDBHandle *kdb, DBT *key, unsigned int flags) PORT_Assert(kdbLock != NULL); PZ_Lock(kdbLock); - ret = (* db->del)(db, key, flags); - + ret = (*db->del)(db, key, flags); + (void)PZ_Unlock(kdbLock); - return(ret); + return (ret); } static int @@ -2160,15 +2150,15 @@ keydb_Seq(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags) int ret; PRLock *kdbLock = kdb->lock; DB *db = kdb->db; - + PORT_Assert(kdbLock != NULL); PZ_Lock(kdbLock); - - ret = (* db->seq)(db, key, data, flags); + + ret = (*db->seq)(db, key, data, flags); (void)PZ_Unlock(kdbLock); - return(ret); + return (ret); } static void @@ -2180,15 +2170,15 @@ keydb_Close(NSSLOWKEYDBHandle *kdb) PORT_Assert(kdbLock != NULL); SKIP_AFTER_FORK(PZ_Lock(kdbLock)); - (* db->close)(db); - + (*db->close)(db); + SKIP_AFTER_FORK(PZ_Unlock(kdbLock)); return; } /* - * SDB Entry Points for the Key DB + * SDB Entry Points for the Key DB */ CK_RV @@ -2202,9 +2192,9 @@ lg_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2) if (keydb == NULL) { return CKR_TOKEN_WRITE_PROTECTED; } - if (PORT_Strcmp(id,"password") != 0) { - /* shouldn't happen */ - return CKR_GENERAL_ERROR; /* no extra data stored */ + if (PORT_Strcmp(id, "password") != 0) { + /* shouldn't happen */ + return CKR_GENERAL_ERROR; /* no extra data stored */ } rv = nsslowkey_GetPWCheckEntry(keydb, &entry); if (rv != SECSuccess) { @@ -2218,8 +2208,8 @@ lg_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2) } CK_RV -lg_PutMetaData(SDB *sdb, const char *id, - const SECItem *item1, const SECItem *item2) +lg_PutMetaData(SDB *sdb, const char *id, + const SECItem *item1, const SECItem *item2) { NSSLOWKEYDBHandle *keydb; NSSLOWKEYPasswordEntry entry; @@ -2229,9 +2219,9 @@ lg_PutMetaData(SDB *sdb, const char *id, if (keydb == NULL) { return CKR_TOKEN_WRITE_PROTECTED; } - if (PORT_Strcmp(id,"password") != 0) { - /* shouldn't happen */ - return CKR_GENERAL_ERROR; /* no extra data stored */ + if (PORT_Strcmp(id, "password") != 0) { + /* shouldn't happen */ + return CKR_GENERAL_ERROR; /* no extra data stored */ } entry.salt = *item1; entry.value = *item2; @@ -2258,4 +2248,3 @@ lg_Reset(SDB *sdb) } return CKR_OK; } - |