X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fceph%2Fsrc%2Fcommon%2Fceph_crypto_cms.cc;fp=src%2Fceph%2Fsrc%2Fcommon%2Fceph_crypto_cms.cc;h=0000000000000000000000000000000000000000;hb=7da45d65be36d36b880cc55c5036e96c24b53f00;hp=109f702bf7399c9eaf1d74480172265f88cbbbeb;hpb=691462d09d0987b47e112d6ee8740375df3c51b2;p=stor4nfv.git diff --git a/src/ceph/src/common/ceph_crypto_cms.cc b/src/ceph/src/common/ceph_crypto_cms.cc deleted file mode 100644 index 109f702..0000000 --- a/src/ceph/src/common/ceph_crypto_cms.cc +++ /dev/null @@ -1,345 +0,0 @@ -/* ***** BEGIN LICENSE BLOCK ***** - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ - - -#include "common/config.h" -#include "common/debug.h" - -#ifdef USE_NSS -#include -#include -#include -#include -#endif - -#define dout_subsys ceph_subsys_crypto - -#ifndef USE_NSS -int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl) -{ - return -ENOTSUP; -} - -#else - -static int cms_verbose = 0; - -static SECStatus -DigestFile(PLArenaPool *poolp, SECItem ***digests, SECItem *input, - SECAlgorithmID **algids) -{ - NSSCMSDigestContext *digcx; - SECStatus rv; - - digcx = NSS_CMSDigestContext_StartMultiple(algids); - if (digcx == NULL) - return SECFailure; - - NSS_CMSDigestContext_Update(digcx, input->data, input->len); - - rv = NSS_CMSDigestContext_FinishMultiple(digcx, poolp, digests); - return rv; -} - - -struct optionsStr { - SECCertUsage certUsage; - CERTCertDBHandle *certHandle; -}; - -struct decodeOptionsStr { - struct optionsStr *options; - SECItem content; - int headerLevel; - PRBool suppressContent; - NSSCMSGetDecryptKeyCallback dkcb; - PK11SymKey *bulkkey; - PRBool keepCerts; -}; - -static NSSCMSMessage * -decode(CephContext *cct, SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist& out) -{ - NSSCMSDecoderContext *dcx; - SECStatus rv; - NSSCMSMessage *cmsg; - int nlevels, i; - SECItem sitem; - bufferptr bp; - SECItem *item; - - memset(&sitem, 0, sizeof(sitem)); - - PORT_SetError(0); - dcx = NSS_CMSDecoder_Start(NULL, - NULL, NULL, /* content callback */ - NULL, NULL, /* password callback */ - decodeOptions->dkcb, /* decrypt key callback */ - decodeOptions->bulkkey); - if (dcx == NULL) { - ldout(cct, 0) << "ERROR: failed to set up message decoder" << dendl; - return NULL; - } - rv = NSS_CMSDecoder_Update(dcx, (char *)input->data, input->len); - if (rv != SECSuccess) { - ldout(cct, 0) << "ERROR: failed to decode message" << dendl; - NSS_CMSDecoder_Cancel(dcx); - return NULL; - } - cmsg = NSS_CMSDecoder_Finish(dcx); - if (cmsg == NULL) { - ldout(cct, 0) << "ERROR: failed to decode message" << dendl; - return NULL; - } - - if (decodeOptions->headerLevel >= 0) { - ldout(cct, 20) << "SMIME: " << dendl; - } - - nlevels = NSS_CMSMessage_ContentLevelCount(cmsg); - for (i = 0; i < nlevels; i++) { - NSSCMSContentInfo *cinfo; - SECOidTag typetag; - - cinfo = NSS_CMSMessage_ContentLevel(cmsg, i); - typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); - - ldout(cct, 20) << "level=" << decodeOptions->headerLevel << "." << nlevels - i << dendl; - - switch (typetag) { - case SEC_OID_PKCS7_SIGNED_DATA: - { - NSSCMSSignedData *sigd = NULL; - SECItem **digests; - int nsigners; - int j; - - if (decodeOptions->headerLevel >= 0) - ldout(cct, 20) << "type=signedData; " << dendl; - sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent(cinfo); - if (sigd == NULL) { - ldout(cct, 0) << "ERROR: signedData component missing" << dendl; - goto loser; - } - - /* if we have a content file, but no digests for this signedData */ - if (decodeOptions->content.data != NULL && - !NSS_CMSSignedData_HasDigests(sigd)) { - PLArenaPool *poolp; - SECAlgorithmID **digestalgs; - - /* detached content: grab content file */ - sitem = decodeOptions->content; - - if ((poolp = PORT_NewArena(1024)) == NULL) { - ldout(cct, 0) << "ERROR: Out of memory" << dendl; - goto loser; - } - digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd); - if (DigestFile (poolp, &digests, &sitem, digestalgs) - != SECSuccess) { - ldout(cct, 0) << "ERROR: problem computing message digest" << dendl; - PORT_FreeArena(poolp, PR_FALSE); - goto loser; - } - if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests) - != SECSuccess) { - ldout(cct, 0) << "ERROR: problem setting message digests" << dendl; - PORT_FreeArena(poolp, PR_FALSE); - goto loser; - } - PORT_FreeArena(poolp, PR_FALSE); - } - - /* import the certificates */ - if (NSS_CMSSignedData_ImportCerts(sigd, - decodeOptions->options->certHandle, - decodeOptions->options->certUsage, - decodeOptions->keepCerts) - != SECSuccess) { - ldout(cct, 0) << "ERROR: cert import failed" << dendl; - goto loser; - } - - /* find out about signers */ - nsigners = NSS_CMSSignedData_SignerInfoCount(sigd); - if (decodeOptions->headerLevel >= 0) - ldout(cct, 20) << "nsigners=" << nsigners << dendl; - if (nsigners == 0) { - /* Might be a cert transport message - ** or might be an invalid message, such as a QA test message - ** or a message from an attacker. - */ - SECStatus rv; - rv = NSS_CMSSignedData_VerifyCertsOnly(sigd, - decodeOptions->options->certHandle, - decodeOptions->options->certUsage); - if (rv != SECSuccess) { - ldout(cct, 0) << "ERROR: Verify certs-only failed!" << dendl; - goto loser; - } - return cmsg; - } - - /* still no digests? */ - if (!NSS_CMSSignedData_HasDigests(sigd)) { - ldout(cct, 0) << "ERROR: no message digests" << dendl; - goto loser; - } - - for (j = 0; j < nsigners; j++) { - const char * svs; - NSSCMSSignerInfo *si; - NSSCMSVerificationStatus vs; - SECStatus bad; - - si = NSS_CMSSignedData_GetSignerInfo(sigd, j); - if (decodeOptions->headerLevel >= 0) { - char *signercn; - static char empty[] = { "" }; - - signercn = NSS_CMSSignerInfo_GetSignerCommonName(si); - if (signercn == NULL) - signercn = empty; - ldout(cct, 20) << "\t\tsigner" << j << ".id=" << signercn << dendl; - if (signercn != empty) - PORT_Free(signercn); - } - bad = NSS_CMSSignedData_VerifySignerInfo(sigd, j, - decodeOptions->options->certHandle, - decodeOptions->options->certUsage); - vs = NSS_CMSSignerInfo_GetVerificationStatus(si); - svs = NSS_CMSUtil_VerificationStatusToString(vs); - if (decodeOptions->headerLevel >= 0) { - ldout(cct, 20) << "signer" << j << "status=" << svs << dendl; - /* goto loser ? */ - } else if (bad) { - ldout(cct, 0) << "ERROR: signer " << j << " status = " << svs << dendl; - goto loser; - } - } - } - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - { - NSSCMSEnvelopedData *envd; - if (decodeOptions->headerLevel >= 0) - ldout(cct, 20) << "type=envelopedData; " << dendl; - envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent(cinfo); - if (envd == NULL) { - ldout(cct, 0) << "ERROR: envelopedData component missing" << dendl; - goto loser; - } - } - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - { - NSSCMSEncryptedData *encd; - if (decodeOptions->headerLevel >= 0) - ldout(cct, 20) << "type=encryptedData; " << dendl; - encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent(cinfo); - if (encd == NULL) { - ldout(cct, 0) << "ERROR: encryptedData component missing" << dendl; - goto loser; - } - } - break; - case SEC_OID_PKCS7_DATA: - if (decodeOptions->headerLevel >= 0) - ldout(cct, 20) << "type=data; " << dendl; - break; - default: - break; - } - } - - item = (sitem.data ? &sitem : NSS_CMSMessage_GetContent(cmsg)); - out.append((char *)item->data, item->len); - return cmsg; - -loser: - if (cmsg) - NSS_CMSMessage_Destroy(cmsg); - return NULL; -} - -int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl) -{ - NSSCMSMessage *cmsg = NULL; - struct decodeOptionsStr decodeOptions = { }; - struct optionsStr options; - SECItem input; - - memset(&options, 0, sizeof(options)); - memset(&input, 0, sizeof(input)); - - input.data = (unsigned char *)cms_bl.c_str(); - input.len = cms_bl.length(); - - decodeOptions.content.data = NULL; - decodeOptions.content.len = 0; - decodeOptions.suppressContent = PR_FALSE; - decodeOptions.headerLevel = -1; - decodeOptions.keepCerts = PR_FALSE; - options.certUsage = certUsageEmailSigner; - - options.certHandle = CERT_GetDefaultCertDB(); - if (!options.certHandle) { - ldout(cct, 0) << "ERROR: No default cert DB" << dendl; - return -EIO; - } - if (cms_verbose) { - fprintf(stderr, "Got default certdb\n"); - } - - decodeOptions.options = &options; - - int ret = 0; - - cmsg = decode(cct, &input, &decodeOptions, decoded_bl); - if (!cmsg) { - ldout(cct, 0) << "ERROR: problem decoding" << dendl; - ret = -EINVAL; - } - - if (cmsg) - NSS_CMSMessage_Destroy(cmsg); - - SECITEM_FreeItem(&decodeOptions.content, PR_FALSE); - - return ret; -} -#endif