END_TEST
START_TEST(test_base64_encode)
{
const unsigned char obfbuf[] = "test";
const char expected[] = "dGVzdA==";
char *obfpwd = NULL;
test_ctx = talloc_new(NULL);
fail_if(test_ctx == NULL);
/* Base64 encode the buffer */
obfpwd = sss_base64_encode(test_ctx, obfbuf, strlen((const char*)obfbuf));
fail_if(obfpwd == NULL);
fail_if(strcmp(obfpwd,expected) != 0);
talloc_free(test_ctx);
}
static int local_encrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,
const char *secret, const char *enctype,
char **ciphertext)
{
struct sec_data _secret;
char *output;
int ret;
if (enctype == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "No encryption type\n");
return EINVAL;
}
if (strcmp(enctype, "masterkey") != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "Uknown encryption type '%s'\n", enctype);
return EINVAL;
}
ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256,
(uint8_t *)lctx->master_key.data,
lctx->master_key.length,
(const uint8_t *)secret, strlen(secret) + 1,
(uint8_t **)&_secret.data, &_secret.length);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret));
return ret;
}
output = sss_base64_encode(mem_ctx,
(uint8_t *)_secret.data, _secret.length);
if (!output) return ENOMEM;
*ciphertext = output;
return EOK;
}
static errno_t process_attr_list(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char **attr_list,
struct sized_string **_keys,
struct sized_string **_vals,
size_t *array_size, size_t *sum,
size_t *found)
{
size_t c;
size_t d;
struct sized_string *keys;
struct sized_string *vals;
struct ldb_val val;
struct ldb_message_element *el;
bool use_base64;
keys = *_keys;
vals = *_vals;
for (c = 0; attr_list[c] != NULL; c++) {
el = ldb_msg_find_element(msg, attr_list[c]);
if (el != NULL && el->num_values > 0) {
if (el->num_values > 1) {
*array_size += el->num_values;
keys = talloc_realloc(mem_ctx, keys, struct sized_string,
*array_size);
vals = talloc_realloc(mem_ctx, vals, struct sized_string,
*array_size);
if (keys == NULL || vals == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
return ENOMEM;
}
}
use_base64 = false;
if (strcmp(attr_list[c], SYSDB_USER_CERT) == 0) {
use_base64 = true;
}
for (d = 0; d < el->num_values; d++) {
to_sized_string(&keys[*found], attr_list[c]);
*sum += keys[*found].len;
if (use_base64) {
val.data = (uint8_t *)sss_base64_encode(vals,
el->values[d].data,
el->values[d].length);
if (val.data != NULL) {
val.length = strlen((char *)val.data);
}
} else {
val = el->values[d];
}
if (val.data == NULL || val.data[val.length] != '\0') {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unexpected attribute value found for [%s].\n",
attr_list[c]);
return EINVAL;
}
to_sized_string(&vals[*found], (const char *)val.data);
*sum += vals[*found].len;
(*found)++;
}
}
}
int sdap_parse_entry(TALLOC_CTX *memctx,
struct sdap_handle *sh, struct sdap_msg *sm,
struct sdap_attr_map *map, int attrs_num,
struct sysdb_attrs **_attrs, char **_dn,
bool disable_range_retrieval)
{
struct sysdb_attrs *attrs;
BerElement *ber = NULL;
struct berval **vals;
struct ldb_val v;
char *str;
int lerrno;
int a, i, ret;
const char *name;
bool store;
bool base64;
char *base_attr;
char *dn = NULL;
uint32_t range_offset;
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) return ENOMEM;
lerrno = 0;
ret = ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
if (ret != LDAP_OPT_SUCCESS) {
DEBUG(1, ("ldap_set_option failed [%s], ignored.\n",
sss_ldap_err2string(ret)));
}
attrs = sysdb_new_attrs(tmp_ctx);
if (!attrs) {
ret = ENOMEM;
goto done;
}
str = ldap_get_dn(sh->ldap, sm->msg);
if (!str) {
ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
DEBUG(1, ("ldap_get_dn failed: %d(%s)\n",
lerrno, sss_ldap_err2string(lerrno)));
ret = EIO;
goto done;
}
DEBUG(9, ("OriginalDN: [%s].\n", str));
ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, str);
if (ret) goto done;
if (_dn) {
dn = talloc_strdup(tmp_ctx, str);
if (!dn) {
ret = ENOMEM;
ldap_memfree(str);
goto done;
}
}
ldap_memfree(str);
if (map) {
vals = ldap_get_values_len(sh->ldap, sm->msg, "objectClass");
if (!vals) {
DEBUG(1, ("Unknown entry type, no objectClasses found!\n"));
ret = EINVAL;
goto done;
}
for (i = 0; vals[i]; i++) {
/* the objectclass is always the first name in the map */
if (strncasecmp(map[0].name,
vals[i]->bv_val, vals[i]->bv_len) == 0) {
/* ok it's an entry of the right type */
break;
}
}
if (!vals[i]) {
DEBUG(1, ("objectClass not matching: %s\n",
map[0].name));
ldap_value_free_len(vals);
ret = EINVAL;
goto done;
}
ldap_value_free_len(vals);
}
str = ldap_first_attribute(sh->ldap, sm->msg, &ber);
if (!str) {
ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
DEBUG(lerrno == LDAP_SUCCESS
? SSSDBG_TRACE_INTERNAL
: SSSDBG_MINOR_FAILURE,
("Entry has no attributes [%d(%s)]!?\n",
lerrno, sss_ldap_err2string(lerrno)));
if (map) {
ret = EINVAL;
goto done;
}
}
while (str) {
base64 = false;
ret = sdap_parse_range(tmp_ctx, str, &base_attr, &range_offset,
disable_range_retrieval);
switch(ret) {
case EAGAIN:
/* This attribute contained range values and needs more to
* be retrieved
*/
/* TODO: return the set of attributes that need additional retrieval
* For now, we'll continue below and treat it as regular values.
*/
/* FALLTHROUGH */
case ECANCELED:
/* FALLTHROUGH */
case EOK:
break;
default:
DEBUG(SSSDBG_MINOR_FAILURE,
("Could not determine if attribute [%s] was ranged\n", str));
goto done;
}
if (map) {
for (a = 1; a < attrs_num; a++) {
/* check if this attr is valid with the chosen schema */
if (!map[a].name) continue;
/* check if it is an attr we are interested in */
if (strcasecmp(base_attr, map[a].name) == 0) break;
}
/* interesting attr */
if (a < attrs_num) {
store = true;
name = map[a].sys_name;
if (strcmp(name, SYSDB_SSH_PUBKEY) == 0) {
base64 = true;
}
} else {
store = false;
name = NULL;
}
} else {
name = base_attr;
store = true;
}
if (ret == ECANCELED) {
ret = EOK;
store = false;
}
if (store) {
vals = ldap_get_values_len(sh->ldap, sm->msg, str);
if (!vals) {
ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
if (lerrno != LDAP_SUCCESS) {
DEBUG(1, ("LDAP Library error: %d(%s)",
lerrno, sss_ldap_err2string(lerrno)));
ret = EIO;
goto done;
}
DEBUG(5, ("Attribute [%s] has no values, skipping.\n", str));
} else {
if (!vals[0]) {
DEBUG(1, ("Missing value after ldap_get_values() ??\n"));
ret = EINVAL;
goto done;
}
for (i = 0; vals[i]; i++) {
if (vals[i]->bv_len == 0) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Value of attribute [%s] is empty. "
"Skipping this value.\n", str));
continue;
}
if (base64) {
v.data = (uint8_t *)sss_base64_encode(attrs,
(uint8_t *)vals[i]->bv_val, vals[i]->bv_len);
if (!v.data) {
ret = ENOMEM;
goto done;
}
v.length = strlen((const char *)v.data);
} else {
v.data = (uint8_t *)vals[i]->bv_val;
v.length = vals[i]->bv_len;
}
ret = sysdb_attrs_add_val(attrs, name, &v);
if (ret) goto done;
}
ldap_value_free_len(vals);
}
}
ldap_memfree(str);
str = ldap_next_attribute(sh->ldap, sm->msg, ber);
}
ber_free(ber, 0);
ber = NULL;
ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno);
if (lerrno) {
DEBUG(1, ("LDAP Library error: %d(%s)",
lerrno, sss_ldap_err2string(lerrno)));
ret = EIO;
goto done;
}
*_attrs = talloc_steal(memctx, attrs);
if (_dn) *_dn = talloc_steal(memctx, dn);
ret = EOK;
done:
if (ber) ber_free(ber, 0);
talloc_free(tmp_ctx);
return ret;
}
int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen,
enum obfmethod meth, char **obfpwd)
{
SECStatus sret;
int ret;
TALLOC_CTX *tmp_ctx = NULL;
struct crypto_mech_data *mech_props;
struct sss_nss_crypto_ctx *cctx;
unsigned char *plaintext;
unsigned char *cryptotext;
int ct_maxsize;
int ctlen;
unsigned int digestlen;
int result_len;
unsigned char *obfbuf;
size_t obufsize = 0;
size_t p = 0;
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return ENOMEM;
}
/* initialize NSS if needed */
ret = nspr_nss_init();
if (ret != EOK) {
ret = EIO;
goto done;
}
mech_props = get_crypto_mech_data(meth);
if (mech_props == NULL) {
ret = EINVAL;
goto done;
}
ret = nss_ctx_init(tmp_ctx, mech_props, &cctx);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize NSS context\n");
goto done;
}
/* generate random encryption and IV key */
ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->key);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Could not generate encryption key\n");
goto done;
}
ret = generate_random_key(cctx, cctx->slot, mech_props, &cctx->iv);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Could not generate initialization vector\n");
goto done;
}
ret = nss_encrypt_decrypt_init(mech_props, true, cctx);
if (ret) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot initialize NSS context properties\n");
goto done;
}
plaintext = (unsigned char *) talloc_strndup(tmp_ctx, password, plen);
if (!plaintext) {
ret = ENOMEM;
goto done;
}
/* cryptotext buffer must be at least len(plaintext)+blocksize */
ct_maxsize = plen + (mech_props->bsize);
cryptotext = talloc_array(tmp_ctx, unsigned char, ct_maxsize);
if (!cryptotext) {
ret = ENOMEM;
goto done;
}
/* sample data we'll encrypt and decrypt */
sret = PK11_CipherOp(cctx->ectx, cryptotext, &ctlen, ct_maxsize,
plaintext, plen);
if (sret != SECSuccess) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot execute the encryption operation (err %d)\n",
PR_GetError());
ret = EIO;
goto done;
}
sret = PK11_DigestFinal(cctx->ectx, cryptotext+ctlen, &digestlen,
ct_maxsize-ctlen);
if (sret != SECSuccess) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot execute the digest operation (err %d)\n",
PR_GetError());
ret = EIO;
goto done;
}
result_len = ctlen + digestlen;
if (result_len < 0 || result_len > UINT16_MAX) {
ret = ERANGE;
goto done;
}
/* Pack the obfuscation buffer */
/* The buffer consists of:
* uint16_t the type of the cipher
* uint16_t length of the cryptotext in bytes (clen)
* uint8_t[klen] key
* uint8_t[blen] IV
* uint8_t[clen] cryptotext
* 4 bytes of "sentinel" denoting end of the buffer
*/
obufsize = sizeof(uint16_t) + sizeof(uint16_t) +
mech_props->keylen + mech_props->bsize +
result_len + OBF_BUFFER_SENTINEL_SIZE;
obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize);
if (!obfbuf) {
ret = ENOMEM;
goto done;
}
DEBUG(SSSDBG_TRACE_INTERNAL, "Writing method: %d\n", meth);
SAFEALIGN_SET_UINT16(&obfbuf[p], meth, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "Writing bufsize: %d\n", result_len);
SAFEALIGN_SET_UINT16(&obfbuf[p], result_len, &p);
safealign_memcpy(&obfbuf[p], cctx->key->data, mech_props->keylen, &p);
safealign_memcpy(&obfbuf[p], cctx->iv->data, mech_props->bsize, &p);
safealign_memcpy(&obfbuf[p], cryptotext, result_len, &p);
safealign_memcpy(&obfbuf[p], OBF_BUFFER_SENTINEL,
OBF_BUFFER_SENTINEL_SIZE, &p);
/* Base64 encode the resulting buffer */
*obfpwd = sss_base64_encode(mem_ctx, obfbuf, obufsize);
if (*obfpwd == NULL) {
ret = ENOMEM;
goto done;
}
ret = EOK;
done:
talloc_free(tmp_ctx);
nspr_nss_cleanup();
return ret;
}
