password.c

来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C语言 代码 · 共 1,046 行 · 第 1/3 页

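    PR_Free(info);
  }
  result = PR_FALSE;
done:
  if (passwd)
    PR_Free(passwd);
  return result;
}

/* Encrypt password for storage */

/*
 * Round x up to the next multiple of y.  y must be non-zero (the macro
 * divides by it) and is evaluated more than once, so pass a plain value.
 */
#define SSM_PAD_BLOCK_SIZE(x, y) ((((x) + ((y)-1))/(y))*(y))

/*
 * Hash a token password and hand it back in a newly allocated
 * SSM_TokenInfo.  Despite the name, nothing is encrypted: the stored
 * value is a single SHA-1 digest of the password bytes.
 *
 *   slot      - token the password belongs to; recorded in the entry.
 *   passwd    - NUL-terminated password to hash.
 *   tokenInfo - out: receives the new entry on success; the caller owns
 *               it together with its `encrypted` buffer.
 *
 * Returns SSM_SUCCESS, or SSM_FAILURE when an argument is NULL, an
 * allocation fails or the hash call fails.
 *
 * NOTE(review): the digest is unsalted and not iterated, so anyone who
 * obtains the stored value can test password guesses offline at hash
 * speed.  Confirm the entry never leaves process memory.
 */
SSMStatus SSM_EncryptPasswd(PK11SlotInfo * slot, char * passwd,
                            SSM_TokenInfo ** tokenInfo)
{
  int resultLen;
  char *hashResult = NULL;
  SSMStatus rv = SSM_SUCCESS;
  SECStatus srv;
  SSM_TokenInfo * info;

  /* strlen(NULL) and a store through a NULL out-pointer are both
   * undefined behaviour, so reject them up front. */
  if (!passwd || !tokenInfo) {
    PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
    goto loser;
  }

  /* Hash the password. */
  resultLen = HASH_ResultLen(HASH_AlgSHA1);
  hashResult = (char *) PORT_ZAlloc(resultLen); /* because the original PORT_ZAlloc'd */
  if (!hashResult)
    goto loser;

  srv = HASH_HashBuf(HASH_AlgSHA1, (unsigned char *) hashResult,
                     (unsigned char *) passwd, strlen(passwd));
  if (srv != SECSuccess)
    goto loser;

  /* fill in the tokenInfo structure */
  info = (SSM_TokenInfo *) PORT_ZAlloc(sizeof(SSM_TokenInfo));
  if (!info) {
    SSM_DEBUG("EncryptPwd: could not allocate memory to token list entry.\n");
    PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
    goto loser;
  }
  info->encrypted = hashResult;   /* ownership moves into the entry */
  info->encryptedLen = resultLen;
  info->slot = slot;
  info->tokenID = SSM_GetTokenKey(slot);
  *tokenInfo = info;
  goto done;

loser:
  if (rv == SSM_SUCCESS)
    rv = SSM_FAILURE;
  PR_FREEIF(hashResult);
done:
  return rv;
}

/*
 * Encrypt a token password with a symmetric key on the slot and store
 * the ciphertext in `info`.
 *
 *   slot   - token used for key generation and encryption.
 *   passwd - NUL-terminated password.
 *   info   - existing entry; info->symKey is reused when set, and
 *            encrypted / encryptedLen / slot are filled in on success.
 *
 * Returns SSM_SUCCESS or SSM_FAILURE.
 *
 * NOTE(review): when info->symKey is NULL a key is generated here, but on
 * the success path it is neither stored in info->symKey nor released, so
 * the ciphertext cannot be reproduced by a later call and the key handle
 * is lost.  Confirm the intended owner before relying on this function.
 */
SSMStatus SSM_NotEncryptPasswd(PK11SlotInfo * slot, char * passwd,
                               SSM_TokenInfo * info)
{
  CK_MECHANISM_TYPE mechanism;
  PRInt32 keyLength, blockSize, outlen;
  PRUint32 encryptedLength;
  PK11SymKey * symKey = NULL;
  PRBool ownKey = PR_FALSE;   /* PR_TRUE when symKey was generated here */
  SECStatus rv;
  char * encrypted = NULL;
  PK11Context * context = NULL;
  SECItem *params;

  if (!slot || !passwd || !info) {
    PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
    goto loser;
  }
  mechanism = CRMF_GetBestWrapPadMechanism(slot);
  keyLength = PK11_GetBestKeyLength(slot, mechanism);
  blockSize = PK11_GetBlockSize(mechanism, NULL);
  /* SSM_PAD_BLOCK_SIZE divides by the block size. */
  if (blockSize <= 0) {
    SSM_DEBUG("No usable block size to encrypt passwd.\n");
    goto loser;
  }

  /*
   * A password is encrypted when we first authenticate to token.
   * In this case, generate a symmetric Key on the slot.
   * If the key is already present, it means that the password for this
   *       slot has already been encrypted and stored, need to encrypt
   *       new password with the same key to compare against the stored
   *       password.
   */
  /* If no symKey found, generate one */
  if (!info->symKey) {
    symKey = PK11_KeyGen(slot, mechanism, NULL, keyLength, NULL);
    if (!symKey) {
      SSM_DEBUG("Failed to generate symKey to encrypt passwd.\n");
      goto loser;
    }
    ownKey = PR_TRUE;
  } else
    symKey = info->symKey;

  /* Room for the password plus padding up to a whole block. */
  encryptedLength = SSM_PAD_BLOCK_SIZE(strlen(passwd)+1, blockSize);
  encrypted = (char *) PORT_ZAlloc(encryptedLength);
  if (!encrypted) {
    SSM_DEBUG("Could not allocate space for encrypted password. \n");
    goto loser;
  }
  params = CRMF_GetIVFromMechanism(mechanism);
  context = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT,
                                       symKey, params);
  if (params != NULL) {
    SECITEM_FreeItem(params, PR_TRUE);
  }
  if (!context) {
    SSM_DEBUG("Can't create context to encrypt password: %d.\n",
              PR_GetError());
    goto loser;
  }
  rv = PK11_CipherOp(context, (unsigned char *) encrypted, &outlen,
                     (int) encryptedLength,
                     (unsigned char *) passwd, strlen(passwd));
  if (rv != SECSuccess) {
    SSM_DEBUG("Error encrypting password: %d\n", PR_GetError());
    goto loser;
  }
  /* Flush the final padded block right after what CipherOp produced. */
  rv = PK11_DigestFinal(context, (unsigned char *) &encrypted[outlen],
                        (unsigned int *) &outlen, (unsigned int) blockSize);
  if (rv != SECSuccess) {
    SSM_DEBUG("Error encrypting password: %d\n", PR_GetError());
    goto loser;
  }
  PK11_DestroyContext(context, PR_TRUE);

  /* fill in the tokenInfo structure */
  info->encrypted = encrypted;
  info->encryptedLen = encryptedLength;
  info->slot = slot;
  return SSM_SUCCESS;

loser:
  SSM_DEBUG("Failed to encrypt password.\n");
  if (context != NULL)
    PK11_DestroyContext(context, PR_TRUE);
  /* A key generated in this call has no other owner on the failure path. */
  if (ownKey && symKey)
    PK11_FreeSymKey(symKey);
  /* Free whenever the buffer exists: the old test on the first byte
   * leaked it whenever that byte happened to be zero. */
  if (encrypted)
    PR_Free(encrypted);
  return SSM_FAILURE;
}

/* Needs to be fixed using NLS lib and proper string storage. -jane */
/*
 * Build the password prompt for a token.
 *
 *   slot  - token whose name is inserted into the prompt.
 *   retry - non-zero selects the "retry_token_password" text,
 *           otherwise "ask_token_password" is used.
 *   init  - must not be PR_TRUE (asserted).
 *
 * Returns a string from PR_smprintf that the caller frees, or NULL on
 * failure.
 */
char * SSM_GetPrompt(PK11SlotInfo *slot, PRBool retry, PRBool init)
{
  char * prompt = NULL, * tmp = NULL, * key;
  SSMTextGenContext * cx = NULL;
  SSMStatus rv;

  PR_ASSERT(init != PR_TRUE);
  rv = SSMTextGen_NewTopLevelContext(NULL, &cx);
  if (rv != SSM_SUCCESS || !cx)
    goto loser;
  if (retry)
    key = "retry_token_password";
  else
    key = "ask_token_password";

  rv = SSM_GetAndExpandTextKeyedByString(cx, key, &tmp);
  if (rv != SSM_SUCCESS || !tmp)
    goto loser;
  /*
   * NOTE(review): `tmp` comes from the text resources and is used as the
   * format string.  It must contain exactly one string conversion for the
   * token name; the resource files therefore need the same integrity
   * protection as the binary.
   */
  prompt = PR_smprintf(tmp, PK11_GetTokenName(slot));

loser:
  /* NOTE(review): cx is never released in this function - confirm
   * whether the text-gen context needs an explicit destroy here. */
  PR_FREEIF(tmp);
  return prompt;
}

/* Send a password request for the client */
/*
 * Encode a PasswordRequest for `slot` and queue it on the connection's
 * outgoing queue at UI priority.
 *
 *   res   - resource supplying the connection and the client context.
 *   slot  - token the password is requested for.
 *   retry - non-zero when this is a repeated request (changes the prompt).
 *   init  - passed through to SSM_GetPrompt.
 *
 * Returns the result of SSM_SendQMessage, or PR_FAILURE if the prompt or
 * the message could not be built.
 */
SSMStatus SSM_AskUserPassword(SSMResource * res,
                              PK11SlotInfo * slot, PRInt32 retry, PRBool init)
{
  SECItem message;
  char * prompt = NULL;
  PRInt32 tokenKey = SSM_GetTokenKey(slot);
  SSMStatus rv = PR_FAILURE;
  SSMConnection *conn = (SSMConnection *)res->m_connection;
  PasswordRequest request;

  /* The cleanup code inspects message.data on every exit, including the
   * ones taken before the message is encoded, so it must start out NULL
   * rather than holding stack garbage. */
  message.data = NULL;
  message.len = 0;

  prompt = SSM_GetPrompt(slot, retry, init);
  if (!prompt) {
    SSM_DEBUG("%ld: error getting prompt for password request.\n", conn);
    goto loser;
  }
  request.tokenKey = tokenKey;
  request.prompt = prompt;
  request.clientContext = res->m_clientContext;
  if (CMT_EncodeMessage(PasswordRequestTemplate, (CMTItem*)&message, &request) != CMTSuccess) {
    goto loser;
  }
  if (message.len == 0 || !message.data) {
    SSM_DEBUG("%ld: could not create password request message.\n", conn);
    goto loser;
  }
  message.type = (SECItemType) (SSM_EVENT_MESSAGE | SSM_AUTH_EVENT);
  rv = SSM_SendQMessage(SSM_OUT_QUEUE(conn), SSM_PRIORITY_UI, message.type,
                        message.len, (char *)message.data, PR_TRUE);
  if (rv != PR_SUCCESS) {
    SSM_DEBUG("%ld: Can't enqueue password request. \n", conn);
    goto loser;
  }

loser:
  /* Shared exit for success and failure: both buffers are released here. */
  if (prompt)
    PR_Free(prompt);
  if (message.data)
    PR_Free(message.data);
  return rv;
}

/*
 * Block on the connection's password table until an entry for `key`
 * appears or the wait period runs out.
 *
 *   conn - connection owning the password table.
 *   key  - token key to look up.
 *   str  - out: set to the table's entry on success, NULL otherwise.
 *
 * Returns the successful lookup status, or PR_FAILURE on time-out or a
 * NULL `str`.
 *
 * The pointer stored in *str is the value held by the table, not a copy,
 * and it is handed out after the table lock has been dropped.
 * NOTE(review): the time-out is only evaluated after SSM_WaitPasswdTable
 * returns; confirm that wait is itself bounded.
 */
SSMStatus SSMControlConnection_WaitPassword(SSMConnection * conn,
                                            PRInt32 key, char ** str)
{
  char * passwd = NULL;
  PRIntervalTime before;
  SSMStatus rv = PR_FAILURE;

  if (!str) {
    PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
    return PR_FAILURE;
  }
  *str = NULL;
  /* Wait no longer than our time-out period. */
  before = PR_IntervalNow();
  SSM_LockPasswdTable(conn);

  for (;;) {
    SSM_DEBUG("%ld : waiting on password table for the password\n", conn);
    SSM_WaitPasswdTable(conn);
    /* Returned from wait.
     * Look for password.
     */
    rv = SSM_HashFind(SSM_PWD_TABLE(conn), key, (void **)&passwd);
    if (rv == PR_SUCCESS && passwd && passwd != (char *)SSM_NO_PASSWORD)
      break;
    /* password not found, check for timeout */
    if (PR_IntervalNow() - before > SSM_PASSWORD_WAIT_TIME) {
      SSM_DEBUG("%ld:Timed out waiting for password.Bailing out.\n",
                conn);
      SSM_UnlockPasswdTable(conn);
      return PR_FAILURE;
    }
    /* otherwise continue waiting */
  }
  SSM_UnlockPasswdTable(conn);
  *str = passwd;
  return rv;
}

extern PK11SlotListElement * PK11_GetNextSafe(PK11SlotList * list,
                                              PK11SlotListElement * element,
                                              PRBool start);

/*
 * Return the next list element whose slot has a password, i.e. skip
 * every slot that still needs user initialisation and does not need a
 * login.
 *
 *   slotlist - list to walk (asserted non-NULL).
 *   current  - element to continue from; ignored when `start` is set.
 *   start    - PR_TRUE to begin at the head of the list.
 *
 * Returns the matching element, or NULL when the list is exhausted.
 */
PK11SlotListElement *
ssm_GetSlotWithPwd(PK11SlotList * slotlist, PK11SlotListElement * current,
                   PRBool start)
{
  PK11SlotListElement * next = NULL;

  PR_ASSERT(slotlist);
  if (!current || start)
    next = PK11_GetFirstSafe(slotlist);
  else
    next = PK11_GetNextSafe(slotlist, current, PR_FALSE);

  while (next &&
         PK11_NeedUserInit(next->slot) &&
         !PK11_NeedLogin(next->slot))
    next = PK11_GetNextSafe(slotlist, next, PR_FALSE);
  return next;
}

/*
 * Count the slots in `slotList` that need a login or have already been
 * initialised by the user - the same test ssm_GetSlotWithPwd applies.
 */
PRIntn
ssm_NumSlotsWithPassword(PK11SlotList * slotList)
{
  PRIntn numslots = 0;
  PK11SlotListElement * element = PK11_GetFirstSafe(slotList);

  while (element) {
    if (PK11_NeedLogin(element->slot) || !PK11_NeedUserInit(element->slot))
      numslots++;
    element = PK11_GetNextSafe(slotList, element, PR_FALSE);
  }
  return numslots;
}

/*
 * Pick the token whose password is to be changed and return its name.
 *
 * When more than one token has a password, a "select_token" UI event is
 * sent and the function waits without time-out for the user's choice;
 * otherwise the single matching token is used.
 *
 *   req - HTTP request whose target resource drives the UI event.
 *
 * Returns a PL_strdup'ed token name owned by the caller, or NULL.
 */
char*
SSM_GetSlotNameForPasswordChange(HTTPRequest * req)
{
    PK11SlotList *slotList = NULL;
    PK11SlotInfo *slot=NULL;
    PK11SlotListElement *listElem = NULL;
    SSMResource *target;
    char *slotName=NULL;
    char *result = NULL;
    SSMStatus rv;

    target = REQ_TARGET(req);
    slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_TRUE,
                                 PR_TRUE, target);
    if (!slotList || !slotList->head)
      goto loser;
    if (ssm_NumSlotsWithPassword(slotList)>1) {
      /* NOTE(review): `mech` is never freed in this function - confirm
       * whether the UI event takes ownership of it. */
      char * mech = PR_smprintf("mech=%d&unused1=unused1&unused2=unused2",
                                CKM_INVALID_MECHANISM);
      SSM_LockUIEvent(target);
      /* NOTE(review): rv is not checked; if sending fails the wait below
       * has no time-out. */
      rv = SSMControlConnection_SendUIEvent(req->ctrlconn,
                                            "get", "select_token",
                                            target,mech,
                                            &target->m_clientContext,
                                            PR_TRUE);
      SSM_WaitUIEvent(target, PR_INTERVAL_NO_TIMEOUT);
      slot = (PK11SlotInfo *) target->m_uiData;
      if (!slot)
        goto loser;
    } else {
      listElem = ssm_GetSlotWithPwd(slotList, NULL, PR_TRUE);
      /* No slot with a password leaves listElem NULL; do not dereference. */
      if (!listElem)
        goto loser;
      slot = listElem->slot;
    }
    if (!slot) {
      goto loser;
    }
    /* Copy the name while the slot is still referenced: the pointer from
     * PK11_GetTokenName must not be read after the releases below. */
    slotName = PK11_GetTokenName(slot);
    result = PL_strdup(slotName);
    /* NOTE(review): in the single-token branch `slot` is borrowed from the
     * list element and no extra reference is taken before this release -
     * confirm the reference counting against PK11_FreeSlotList. */
    PK11_FreeSlot(slot);
    PK11_FreeSlotList(slotList);
    return result;
loser:
    if (slot)
      PK11_FreeSlot(slot);
    if (slotList)
      PK11_FreeSlotList(slotList);
    return NULL;
}

SSMStatus SSM_ReSetPasswordKeywordHandler(SSMTextGenContext * cx)
{
  char * slotname = NULL;
  PK11SlotInfo * slot;
  char * tmp = NULL;
  SSMStatus rv;
  SSMResource * target = cx->m_request->target;
  PK11SlotList * slotList = NULL;
  PK11SlotListElement * el = NULL;
  PR_ASSERT(cx != NULL);
  PR_ASSERT(cx->m_request != NULL);
  PR_ASSERT(&cx->m_result != NULL);
  rv = SSM_HTTPParamValue(cx->m_request, "action", &slotname);
  if (!slotname || strcmp(slotname, "")== 0) 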
