END_TEST START_TEST(test_base64_encode) { const unsigned char obfbuf[] = "test"; const char expected[] = "dGVzdA=="; char *obfpwd = NULL; test_ctx = talloc_new(NULL); fail_if(test_ctx == NULL); /* Base64 encode the buffer */ obfpwd = sss_base64_encode(test_ctx, obfbuf, strlen((const char*)obfbuf)); fail_if(obfpwd == NULL); fail_if(strcmp(obfpwd,expected) != 0); talloc_free(test_ctx); }
static int local_encrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx, const char *secret, const char *enctype, char **ciphertext) { struct sec_data _secret; char *output; int ret; if (enctype == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "No encryption type\n"); return EINVAL; } if (strcmp(enctype, "masterkey") != 0) { DEBUG(SSSDBG_CRIT_FAILURE, "Uknown encryption type '%s'\n", enctype); return EINVAL; } ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, (uint8_t *)lctx->master_key.data, lctx->master_key.length, (const uint8_t *)secret, strlen(secret) + 1, (uint8_t **)&_secret.data, &_secret.length); if (ret) { DEBUG(SSSDBG_OP_FAILURE, "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); return ret; } output = sss_base64_encode(mem_ctx, (uint8_t *)_secret.data, _secret.length); if (!output) return ENOMEM; *ciphertext = output; return EOK; }
static errno_t process_attr_list(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char **attr_list, struct sized_string **_keys, struct sized_string **_vals, size_t *array_size, size_t *sum, size_t *found) { size_t c; size_t d; struct sized_string *keys; struct sized_string *vals; struct ldb_val val; struct ldb_message_element *el; bool use_base64; keys = *_keys; vals = *_vals; for (c = 0; attr_list[c] != NULL; c++) { el = ldb_msg_find_element(msg, attr_list[c]); if (el != NULL && el->num_values > 0) { if (el->num_values > 1) { *array_size += el->num_values; keys = talloc_realloc(mem_ctx, keys, struct sized_string, *array_size); vals = talloc_realloc(mem_ctx, vals, struct sized_string, *array_size); if (keys == NULL || vals == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); return ENOMEM; } } use_base64 = false; if (strcmp(attr_list[c], SYSDB_USER_CERT) == 0) { use_base64 = true; } for (d = 0; d < el->num_values; d++) { to_sized_string(&keys[*found], attr_list[c]); *sum += keys[*found].len; if (use_base64) { val.data = (uint8_t *)sss_base64_encode(vals, el->values[d].data, el->values[d].length); if (val.data != NULL) { val.length = strlen((char *)val.data); } } else { val = el->values[d]; } if (val.data == NULL || val.data[val.length] != '\0') { DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected attribute value found for [%s].\n", attr_list[c]); return EINVAL; } to_sized_string(&vals[*found], (const char *)val.data); *sum += vals[*found].len; (*found)++; } } }
int sdap_parse_entry(TALLOC_CTX *memctx, struct sdap_handle *sh, struct sdap_msg *sm, struct sdap_attr_map *map, int attrs_num, struct sysdb_attrs **_attrs, char **_dn, bool disable_range_retrieval) { struct sysdb_attrs *attrs; BerElement *ber = NULL; struct berval **vals; struct ldb_val v; char *str; int lerrno; int a, i, ret; const char *name; bool store; bool base64; char *base_attr; char *dn = NULL; uint32_t range_offset; TALLOC_CTX *tmp_ctx = talloc_new(NULL); if (!tmp_ctx) return ENOMEM; lerrno = 0; ret = ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); if (ret != LDAP_OPT_SUCCESS) { DEBUG(1, ("ldap_set_option failed [%s], ignored.\n", sss_ldap_err2string(ret))); } attrs = sysdb_new_attrs(tmp_ctx); if (!attrs) { ret = ENOMEM; goto done; } str = ldap_get_dn(sh->ldap, sm->msg); if (!str) { ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); DEBUG(1, ("ldap_get_dn failed: %d(%s)\n", lerrno, sss_ldap_err2string(lerrno))); ret = EIO; goto done; } DEBUG(9, ("OriginalDN: [%s].\n", str)); ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, str); if (ret) goto done; if (_dn) { dn = talloc_strdup(tmp_ctx, str); if (!dn) { ret = ENOMEM; ldap_memfree(str); goto done; } } ldap_memfree(str); if (map) { vals = ldap_get_values_len(sh->ldap, sm->msg, "objectClass"); if (!vals) { DEBUG(1, ("Unknown entry type, no objectClasses found!\n")); ret = EINVAL; goto done; } for (i = 0; vals[i]; i++) { /* the objectclass is always the first name in the map */ if (strncasecmp(map[0].name, vals[i]->bv_val, vals[i]->bv_len) == 0) { /* ok it's an entry of the right type */ break; } } if (!vals[i]) { DEBUG(1, ("objectClass not matching: %s\n", map[0].name)); ldap_value_free_len(vals); ret = EINVAL; goto done; } ldap_value_free_len(vals); } str = ldap_first_attribute(sh->ldap, sm->msg, &ber); if (!str) { ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); DEBUG(lerrno == LDAP_SUCCESS ? SSSDBG_TRACE_INTERNAL : SSSDBG_MINOR_FAILURE, ("Entry has no attributes [%d(%s)]!?\n", lerrno, sss_ldap_err2string(lerrno))); if (map) { ret = EINVAL; goto done; } } while (str) { base64 = false; ret = sdap_parse_range(tmp_ctx, str, &base_attr, &range_offset, disable_range_retrieval); switch(ret) { case EAGAIN: /* This attribute contained range values and needs more to * be retrieved */ /* TODO: return the set of attributes that need additional retrieval * For now, we'll continue below and treat it as regular values. */ /* FALLTHROUGH */ case ECANCELED: /* FALLTHROUGH */ case EOK: break; default: DEBUG(SSSDBG_MINOR_FAILURE, ("Could not determine if attribute [%s] was ranged\n", str)); goto done; } if (map) { for (a = 1; a < attrs_num; a++) { /* check if this attr is valid with the chosen schema */ if (!map[a].name) continue; /* check if it is an attr we are interested in */ if (strcasecmp(base_attr, map[a].name) == 0) break; } /* interesting attr */ if (a < attrs_num) { store = true; name = map[a].sys_name; if (strcmp(name, SYSDB_SSH_PUBKEY) == 0) { base64 = true; } } else { store = false; name = NULL; } } else { name = base_attr; store = true; } if (ret == ECANCELED) { ret = EOK; store = false; } if (store) { vals = ldap_get_values_len(sh->ldap, sm->msg, str); if (!vals) { ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); if (lerrno != LDAP_SUCCESS) { DEBUG(1, ("LDAP Library error: %d(%s)", lerrno, sss_ldap_err2string(lerrno))); ret = EIO; goto done; } DEBUG(5, ("Attribute [%s] has no values, skipping.\n", str)); } else { if (!vals[0]) { DEBUG(1, ("Missing value after ldap_get_values() ??\n")); ret = EINVAL; goto done; } for (i = 0; vals[i]; i++) { if (vals[i]->bv_len == 0) { DEBUG(SSSDBG_MINOR_FAILURE, ("Value of attribute [%s] is empty. " "Skipping this value.\n", str)); continue; } if (base64) { v.data = (uint8_t *)sss_base64_encode(attrs, (uint8_t *)vals[i]->bv_val, vals[i]->bv_len); if (!v.data) { ret = ENOMEM; goto done; } v.length = strlen((const char *)v.data); } else { v.data = (uint8_t *)vals[i]->bv_val; v.length = vals[i]->bv_len; } ret = sysdb_attrs_add_val(attrs, name, &v); if (ret) goto done; } ldap_value_free_len(vals); } } ldap_memfree(str); str = ldap_next_attribute(sh->ldap, sm->msg, ber); } ber_free(ber, 0); ber = NULL; ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); if (lerrno) { DEBUG(1, ("LDAP Library error: %d(%s)", lerrno, sss_ldap_err2string(lerrno))); ret = EIO; goto done; } *_attrs = talloc_steal(memctx, attrs); if (_dn) *_dn = talloc_steal(memctx, dn); ret = EOK; done: if (ber) ber_free(ber, 0); talloc_free(tmp_ctx); return ret; }
int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, enum obfmethod meth, char **obfpwd) { SECStatus sret; int ret; TALLOC_CTX *tmp_ctx = NULL; struct crypto_mech_data *mech_props; struct sss_nss_crypto_ctx *cctx; unsigned char *plaintext; unsigned char *cryptotext; int ct_maxsize; int ctlen; unsigned int digestlen; int result_len; unsigned char *obfbuf; size_t obufsize = 0; size_t p = 0; tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return ENOMEM; } /* initialize NSS if needed */ ret = nspr_nss_init(); if (ret != EOK) { ret = EIO; goto done; } mech_props = get_crypto_mech_data(meth); if (mech_props == NULL) { ret = EINVAL; goto done; } ret = nss_ctx_init(tmp_ctx, mech_props, &cctx); if (ret) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize NSS context\n"); goto done; } /* generate random encryption and IV key */ ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->key); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Could not generate encryption key\n"); goto done; } ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->iv); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Could not generate initialization vector\n"); goto done; } ret = nss_encrypt_decrypt_init(mech_props, true, cctx); if (ret) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize NSS context properties\n"); goto done; } plaintext = (unsigned char *) talloc_strndup(tmp_ctx, password, plen); if (!plaintext) { ret = ENOMEM; goto done; } /* cryptotext buffer must be at least len(plaintext)+blocksize */ ct_maxsize = plen + (mech_props->bsize); cryptotext = talloc_array(tmp_ctx, unsigned char, ct_maxsize); if (!cryptotext) { ret = ENOMEM; goto done; } /* sample data we'll encrypt and decrypt */ sret = PK11_CipherOp(cctx->ectx, cryptotext, &ctlen, ct_maxsize, plaintext, plen); if (sret != SECSuccess) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot execute the encryption operation (err %d)\n", PR_GetError()); ret = EIO; goto done; } sret = PK11_DigestFinal(cctx->ectx, cryptotext+ctlen, &digestlen, ct_maxsize-ctlen); if (sret != SECSuccess) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot execute the digest operation (err %d)\n", PR_GetError()); ret = EIO; goto done; } result_len = ctlen + digestlen; if (result_len < 0 || result_len > UINT16_MAX) { ret = ERANGE; goto done; } /* Pack the obfuscation buffer */ /* The buffer consists of: * uint16_t the type of the cipher * uint16_t length of the cryptotext in bytes (clen) * uint8_t[klen] key * uint8_t[blen] IV * uint8_t[clen] cryptotext * 4 bytes of "sentinel" denoting end of the buffer */ obufsize = sizeof(uint16_t) + sizeof(uint16_t) + mech_props->keylen + mech_props->bsize + result_len + OBF_BUFFER_SENTINEL_SIZE; obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize); if (!obfbuf) { ret = ENOMEM; goto done; } DEBUG(SSSDBG_TRACE_INTERNAL, "Writing method: %d\n", meth); SAFEALIGN_SET_UINT16(&obfbuf[p], meth, &p); DEBUG(SSSDBG_TRACE_INTERNAL, "Writing bufsize: %d\n", result_len); SAFEALIGN_SET_UINT16(&obfbuf[p], result_len, &p); safealign_memcpy(&obfbuf[p], cctx->key->data, mech_props->keylen, &p); safealign_memcpy(&obfbuf[p], cctx->iv->data, mech_props->bsize, &p); safealign_memcpy(&obfbuf[p], cryptotext, result_len, &p); safealign_memcpy(&obfbuf[p], OBF_BUFFER_SENTINEL, OBF_BUFFER_SENTINEL_SIZE, &p); /* Base64 encode the resulting buffer */ *obfpwd = sss_base64_encode(mem_ctx, obfbuf, obufsize); if (*obfpwd == NULL) { ret = ENOMEM; goto done; } ret = EOK; done: talloc_free(tmp_ctx); nspr_nss_cleanup(); return ret; }