From: Greg Hudson
Date: Thu, 16 Jun 2016 17:54:01 +0000 (-0400)
Subject: Simplify pkcs7_dataDecode() in PKINIT
X-Git-Tag: krb5-1.15-beta1~144
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ddc70a62dcb4f31c16593d9909838cd3ca84c887;p=thirdparty%2Fkrb5.git
Simplify pkcs7_dataDecode() in PKINIT
RFC 4556 requires that the EnvelopedData in the encKeyPack contain only one RecipientInfo. Take advantage of this constraint to simplify pkcs7_dataDecode().
---
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index d5e27698ec..be936116a8 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5814,7 +5814,6 @@ pkcs7_dataDecode(krb5_context context,
 pkinit_identity_crypto_context id_cryptoctx,
 PKCS7 *p7)
 {
- int i = 0;
 unsigned int jj = 0, tmp_len = 0;
 BIO *out=NULL,*etmp=NULL,*bio=NULL;
 unsigned char *tmp=NULL;
@@ -5824,8 +5823,6 @@ pkcs7_dataDecode(krb5_context context,
 X509_ALGOR *enc_alg=NULL;
 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
 PKCS7_RECIP_INFO *ri=NULL;
- X509 *cert = sk_X509_value(id_cryptoctx->my_certs,
- id_cryptoctx->cert_index);
 p7->state=PKCS7_S_HEADER; 
@@ -5846,71 +5843,23 @@ pkcs7_dataDecode(krb5_context context, /* It was encrypted, we need to decrypt the secret key * with the private key */ - /* Find the recipientInfo which matches the passed certificate - * (if any) - */ - - if (cert) { - for (i=0; iissuer_and_serial->issuer, - cert->cert_info->issuer); - if (!tmp_ret) { - tmp_ret = M_ASN1_INTEGER_cmp(cert->cert_info->serialNumber, - ri->issuer_and_serial->serial); - if (!tmp_ret) - break; - } - ri=NULL; - } - if (ri == NULL) { - PKCS7err(PKCS7_F_PKCS7_DATADECODE, - PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); - goto cleanup; - } - + /* RFC 4556 section 3.2.3.2 requires that there be exactly one + * recipientInfo. */ + if (sk_PKCS7_RECIP_INFO_num(rsk) != 1) { + pkiDebug("invalid number of EnvelopedData RecipientInfos\n"); + goto cleanup; } - /* If we haven't got a certificate try each ri in turn */ - - if (cert == NULL) { - for (i=0; ienc_key), - (unsigned int) M_ASN1_STRING_length(ri->enc_key), - &tmp, &tmp_len); - if (jj) { - PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_EVP_LIB); - goto cleanup; - } - - if (!jj && tmp_len > 0) { - jj = tmp_len; - break; - } - - ERR_clear_error(); - ri = NULL; - } - - if (ri == NULL) { - PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_RECIPIENT_MATCHES_KEY); - goto cleanup; - } - } - else { - jj = pkinit_decode_data(context, id_cryptoctx, - M_ASN1_STRING_data(ri->enc_key), - (unsigned int) M_ASN1_STRING_length(ri->enc_key), - &tmp, &tmp_len); - if (jj || tmp_len <= 0) { - PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_EVP_LIB); - goto cleanup; - } - jj = tmp_len; + ri = sk_PKCS7_RECIP_INFO_value(rsk, 0); + jj = pkinit_decode_data(context, id_cryptoctx, + M_ASN1_STRING_data(ri->enc_key), + (unsigned int)M_ASN1_STRING_length(ri->enc_key), + &tmp, &tmp_len); + if (jj || tmp_len <= 0) { + PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_EVP_LIB); + goto cleanup; } + jj = tmp_len; evp_ctx=NULL; BIO_get_cipher_ctx(etmp,&evp_ctx);
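Review bot: The new rejection branch `if (sk_PKCS7_RECIP_INFO_num(rsk) != 1)` reports only through `pkiDebug()`, while the decrypt failure just below it records `PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_EVP_LIB)`. If pkiDebug is compiled out in normal builds (its definition is not in this hunk), a reply carrying zero or several RecipientInfos is refused with nothing in the error queue to distinguish it from other failures, so recording an error in that branch as well would keep the two paths consistent. With the issuer-and-serial comparison removed, successful decryption in pkinit_decode_data() appears to be the only thing tying the RecipientInfo to this client's key, and the new comment could say so: `/* The recipient is not matched against our certificate; a wrong key shows up as a decryption failure. */`. As a style point, `tmp_len` is declared `unsigned int` in the first hunk, so `tmp_len <= 0` can only mean `tmp_len == 0` and reads more clearly written that way. pkcs7_dataDecode() begins and ends outside this hunk, so what the `cleanup` label returns to the caller cannot be checked from here.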