geos_one/CASA
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Addressed issues found during the SuSE security review.

Browse Source
This commit is contained in:
Juan Carlos Luciani 2007-02-02 23:02:43 +00:00
parent 77a151fa13
commit 791b0be583
14 changed files with 456 additions and 320 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CASA-auth-token/client/library/authmsg.c
View File

@ -92,8 +92,8 @@ BuildAuthenticateMsg(
// L2 // L2
//=======================================================================-- //=======================================================================--
{ {
char *pMsg = NULL; char *pMsg = NULL;
int bufferSize; size_t bufferSize;
DbgTrace(1, "-BuildAuthenticateMsg- Start\n", 0); DbgTrace(1, "-BuildAuthenticateMsg- Start\n", 0);
@ -670,7 +670,7 @@ AuthRespEndElementHandler(
CasaStatus CasaStatus
CreateAuthenticateResp( CreateAuthenticateResp(
IN char *pRespMsg, IN char *pRespMsg,
IN int respLen, IN size_t respLen,
INOUT AuthenticateResp **ppAuthenticateResp) INOUT AuthenticateResp **ppAuthenticateResp)
// //
// Arguments: // Arguments:

514
CASA-auth-token/client/library/cache.c
View File

@ -76,7 +76,8 @@ CreateAuthTokenCacheEntry(
int32_t miCasaStatus; int32_t miCasaStatus;
SSCS_KEYCHAIN_ID_T sessionKeyChain = {26, "SSCS_SESSION_KEY_CHAIN_ID"}; SSCS_KEYCHAIN_ID_T sessionKeyChain = {26, "SSCS_SESSION_KEY_CHAIN_ID"};
SSCS_SECRET_ID_T sharedId = {27, "CASA_AUTHENTICATION_TOKENS"}; SSCS_SECRET_ID_T sharedId = {27, "CASA_AUTHENTICATION_TOKENS"};
int32_t tokenSize, wrapperEntrySize, entrySize, keySize; uint32_t entrySize, keySize;
size_t tokenSize, wrapperEntrySize, cacheKeyStrLen, groupOrHostNameStrLen;
WrapperAuthCacheEntry *pWrapperEntry = NULL; WrapperAuthCacheEntry *pWrapperEntry = NULL;
AuthCacheEntry *pEntry = NULL; AuthCacheEntry *pEntry = NULL;
char *pKey; char *pKey;
@ -93,71 +94,91 @@ CreateAuthTokenCacheEntry(
} }
wrapperEntrySize = tokenSize + sizeof(WrapperAuthCacheEntry); wrapperEntrySize = tokenSize + sizeof(WrapperAuthCacheEntry);
entrySize = tokenSize + sizeof(AuthCacheEntry);
// Allocate space for the entry wrapper // Verify that entrySize will not overflow
// if ((tokenSize + sizeof(AuthCacheEntry)) <= U32_MAX)
// The WrapperAuthCacheEntry structure contains room for the tokens NULL terminator
pWrapperEntry = (WrapperAuthCacheEntry*) malloc(wrapperEntrySize);
if (pWrapperEntry)
{ {
// Save the entry size entrySize = tokenSize + sizeof(AuthCacheEntry);
pWrapperEntry->size = wrapperEntrySize;
// Set the AuthCacheEntry pointer // Allocate space for the entry wrapper
pEntry = &pWrapperEntry->entry; //
// The WrapperAuthCacheEntry structure contains room for the tokens NULL terminator
// Set the status pWrapperEntry = (WrapperAuthCacheEntry*) malloc(wrapperEntrySize);
pEntry->status = status; if (pWrapperEntry)
if (pEntry->status == CASA_STATUS_SUCCESS)
{ {
memcpy(&pEntry->token[0], pToken, tokenSize); // Save the entry size
} pWrapperEntry->size = wrapperEntrySize;
pEntry->token[tokenSize] = '\0'; // Set the AuthCacheEntry pointer
pEntry = &pWrapperEntry->entry;
// Set the time when the entry was added to the cache // Set the status
pEntry->creationTime = GetTickCount(); pEntry->status = status;
// First determine the time when the entry is due to expire if (pEntry->status == CASA_STATUS_SUCCESS)
if (entryLifetime != 0)
{
pEntry->expirationTime = pEntry->creationTime + (entryLifetime * 1000);
pEntry->doesNotExpire = false;
}
else
{
// The entry does not expire
pEntry->expirationTime = 0;
pEntry->doesNotExpire = true;
}
keySize = (uint32_t)strlen(pCacheKey) + (uint32_t)strlen(pGroupOrHostName) + 2;
pKey = malloc(keySize);
if (pKey)
{
strncpy(pKey, pCacheKey, keySize);
strncat(pKey, "@", keySize);
strncat(pKey, pGroupOrHostName, keySize);
miCasaStatus = miCASAWriteBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pKey,
keySize,
(uint8_t *) pEntry,
(uint32_t*) &entrySize,
NULL,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus != NSSCS_SUCCESS)
{ {
DbgTrace(0, "-CreateAuthTokenCacheEntry- miCASAWriteBinaryKey failure, status = %0X\n", miCasaStatus); memcpy(&pEntry->token[0], pToken, tokenSize);
} }
free(pKey); pEntry->token[tokenSize] = '\0';
// Set the time when the entry was added to the cache
pEntry->creationTime = GetTickCount();
// First determine the time when the entry is due to expire
if (entryLifetime != 0)
{
pEntry->expirationTime = pEntry->creationTime + (entryLifetime * 1000);
pEntry->doesNotExpire = false;
}
else
{
// The entry does not expire
pEntry->expirationTime = 0;
pEntry->doesNotExpire = true;
}
cacheKeyStrLen = strlen(pCacheKey);
groupOrHostNameStrLen = strlen(pGroupOrHostName);
// Verify that keySize will not overflow
if ((cacheKeyStrLen + groupOrHostNameStrLen + 2) <= U32_MAX)
{
keySize = (uint32_t) (cacheKeyStrLen + groupOrHostNameStrLen + 2);
pKey = malloc(keySize);
if (pKey)
{
strncpy(pKey, pCacheKey, keySize);
strncat(pKey, "@", keySize);
strncat(pKey, pGroupOrHostName, keySize);
miCasaStatus = miCASAWriteBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pKey,
keySize,
(uint8_t *) pEntry,
&entrySize,
NULL,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus != NSSCS_SUCCESS)
{
DbgTrace(0, "-CreateAuthTokenCacheEntry- miCASAWriteBinaryKey failure, status = %0X\n", miCasaStatus);
}
free(pKey);
}
else
{
DbgTrace(0, "-CreateAuthTokenCacheEntry- Memory allocation failure\n", 0);
}
}
else
{
DbgTrace(0, "-CreateAuthTokenCacheEntry- keySize overflow prevented\n", 0);
}
} }
else else
{ {
@ -166,7 +187,7 @@ CreateAuthTokenCacheEntry(
} }
else else
{ {
DbgTrace(0, "-CreateAuthTokenCacheEntry- Memory allocation failure\n", 0); DbgTrace(0, "-CreateAuthTokenCacheEntry- entrySize overflow prevented\n", 0);
} }
DbgTrace(1, "-CreateAuthTokenCacheEntry- End, pEntry = %0lX\n", (long) pEntry); DbgTrace(1, "-CreateAuthTokenCacheEntry- End, pEntry = %0lX\n", (long) pEntry);
@ -199,7 +220,8 @@ CreateSessionTokenCacheEntry(
int32_t miCasaStatus; int32_t miCasaStatus;
SSCS_KEYCHAIN_ID_T sessionKeyChain = {26, "SSCS_SESSION_KEY_CHAIN_ID"}; SSCS_KEYCHAIN_ID_T sessionKeyChain = {26, "SSCS_SESSION_KEY_CHAIN_ID"};
SSCS_SECRET_ID_T sharedId = {20, "CASA_SESSION_TOKENS"}; SSCS_SECRET_ID_T sharedId = {20, "CASA_SESSION_TOKENS"};
int32_t tokenSize, wrapperEntrySize, entrySize; uint32_t entrySize;
size_t tokenSize, wrapperEntrySize, cacheKeyStrLen;
WrapperAuthCacheEntry *pWrapperEntry = NULL; WrapperAuthCacheEntry *pWrapperEntry = NULL;
AuthCacheEntry *pEntry = NULL; AuthCacheEntry *pEntry = NULL;
@ -215,64 +237,83 @@ CreateSessionTokenCacheEntry(
} }
wrapperEntrySize = tokenSize + sizeof(WrapperAuthCacheEntry); wrapperEntrySize = tokenSize + sizeof(WrapperAuthCacheEntry);
entrySize = tokenSize + sizeof(AuthCacheEntry);
// Allocate space for the entry wrapper // Verify that entrySize will not overflow
// if ((tokenSize + sizeof(AuthCacheEntry)) <= U32_MAX)
// The WrapperAuthCacheEntry structure contains room for the tokens NULL terminator
pWrapperEntry = (WrapperAuthCacheEntry*) malloc(wrapperEntrySize);
if (pWrapperEntry)
{ {
// Save the entry size entrySize = tokenSize + sizeof(AuthCacheEntry);
pWrapperEntry->size = wrapperEntrySize;
// Set the AuthCacheEntry pointer // Allocate space for the entry wrapper
pEntry = &pWrapperEntry->entry; //
// The WrapperAuthCacheEntry structure contains room for the tokens NULL terminator
// Set the status pWrapperEntry = (WrapperAuthCacheEntry*) malloc(wrapperEntrySize);
pEntry->status = status; if (pWrapperEntry)
if (pEntry->status == CASA_STATUS_SUCCESS)
{ {
memcpy(&pEntry->token[0], pToken, tokenSize); // Save the entry size
} pWrapperEntry->size = wrapperEntrySize;
pEntry->token[tokenSize] = '\0'; // Set the AuthCacheEntry pointer
pEntry = &pWrapperEntry->entry;
// Set the time when the entry was added to the cache // Set the status
pEntry->creationTime = GetTickCount(); pEntry->status = status;
// First determine the time when the entry is due to expire if (pEntry->status == CASA_STATUS_SUCCESS)
if (entryLifetime != 0) {
{ memcpy(&pEntry->token[0], pToken, tokenSize);
pEntry->expirationTime = pEntry->creationTime + (entryLifetime * 1000); }
pEntry->doesNotExpire = false;
pEntry->token[tokenSize] = '\0';
// Set the time when the entry was added to the cache
pEntry->creationTime = GetTickCount();
// First determine the time when the entry is due to expire
if (entryLifetime != 0)
{
pEntry->expirationTime = pEntry->creationTime + (entryLifetime * 1000);
pEntry->doesNotExpire = false;
}
else
{
// The entry does not expire
pEntry->expirationTime = 0;
pEntry->doesNotExpire = true;
}
cacheKeyStrLen = strlen(pCacheKey) + 1;
// Verify that the cacheKeyStrLen can be casted to a uint32_t
if (cacheKeyStrLen <= U32_MAX)
{
miCasaStatus = miCASAWriteBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pCacheKey,
(uint32_t) cacheKeyStrLen,
(uint8_t *) pEntry,
&entrySize,
NULL,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus != NSSCS_SUCCESS)
{
DbgTrace(0, "-CreateSessionTokenCacheEntry- miCASAWriteBinaryKey failure, status = %0X\n", miCasaStatus);
}
}
else
{
DbgTrace(0, "-CreateSessionTokenCacheEntry- cacheKeyStrLen overflow prevented\n", 0);
}
} }
else else
{ {
// The entry does not expire DbgTrace(0, "-CreateSessionTokenCacheEntry- Memory allocation failure\n", 0);
pEntry->expirationTime = 0;
pEntry->doesNotExpire = true;
}
miCasaStatus = miCASAWriteBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pCacheKey,
(uint32_t) strlen(pCacheKey) + 1,
(uint8_t *) pEntry,
(uint32_t*) &entrySize,
NULL,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus != NSSCS_SUCCESS)
{
DbgTrace(0, "-CreateSessionTokenCacheEntry- miCASAWriteBinaryKey failure, status = %0X\n", miCasaStatus);
} }
} }
else else
{ {
DbgTrace(0, "-CreateSessionTokenCacheEntry- Memory allocation failure\n", 0); DbgTrace(0, "-CreateSessionTokenCacheEntry- entrySize overflow prevented\n", 0);
} }
DbgTrace(1, "-CreateSessionTokenCacheEntry- End, pEntry = %0lX\n", (long) pEntry); DbgTrace(1, "-CreateSessionTokenCacheEntry- End, pEntry = %0lX\n", (long) pEntry);
@ -401,7 +442,8 @@ FindSessionTokenEntryInCache(
int32_t miCasaStatus; int32_t miCasaStatus;
SSCS_KEYCHAIN_ID_T sessionKeyChain = {26, "SSCS_SESSION_KEY_CHAIN_ID"}; SSCS_KEYCHAIN_ID_T sessionKeyChain = {26, "SSCS_SESSION_KEY_CHAIN_ID"};
SSCS_SECRET_ID_T sharedId = {20, "CASA_SESSION_TOKENS"}; SSCS_SECRET_ID_T sharedId = {20, "CASA_SESSION_TOKENS"};
int32_t valueLength, wrapperEntrySize, bytesRequired; uint32_t valueLength, bytesRequired;
size_t wrapperEntrySize, cacheKeyStrLen;
WrapperAuthCacheEntry *pWrapperEntry = NULL; WrapperAuthCacheEntry *pWrapperEntry = NULL;
AuthCacheEntry *pEntry = NULL; AuthCacheEntry *pEntry = NULL;
@ -410,72 +452,82 @@ FindSessionTokenEntryInCache(
valueLength = 0; valueLength = 0;
bytesRequired = 0; bytesRequired = 0;
miCasaStatus = miCASAReadBinaryKey(g_hCASAContext, cacheKeyStrLen = strlen(pCacheKey) + 1;
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pCacheKey,
(uint32_t) strlen(pCacheKey) + 1,
NULL,
(uint32_t*) &valueLength,
(SSCS_PASSWORD_T*) NULL,
(uint32_t*) &bytesRequired,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus == NSSCS_E_ENUM_BUFF_TOO_SHORT // Verify that the cacheKeyStrLen can be casted to a uint32_t
&& bytesRequired != 0) if (cacheKeyStrLen <= U32_MAX)
{ {
wrapperEntrySize = bytesRequired + sizeof(WrapperAuthCacheEntry) - sizeof(AuthCacheEntry); miCasaStatus = miCASAReadBinaryKey(g_hCASAContext,
pWrapperEntry = (WrapperAuthCacheEntry*) malloc(wrapperEntrySize); 0,
if (pWrapperEntry) &sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pCacheKey,
cacheKeyStrLen,
NULL,
&valueLength,
(SSCS_PASSWORD_T*) NULL,
&bytesRequired,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus == NSSCS_E_ENUM_BUFF_TOO_SHORT
&& bytesRequired != 0)
{ {
pWrapperEntry->size = wrapperEntrySize; wrapperEntrySize = bytesRequired + sizeof(WrapperAuthCacheEntry) - sizeof(AuthCacheEntry);
pEntry = &pWrapperEntry->entry; pWrapperEntry = (WrapperAuthCacheEntry*) malloc(wrapperEntrySize);
valueLength = bytesRequired; if (pWrapperEntry)
bytesRequired = 0;
miCasaStatus = miCASAReadBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pCacheKey,
(uint32_t) strlen(pCacheKey) + 1,
(uint8_t *) pEntry,
(uint32_t*) &valueLength,
(SSCS_PASSWORD_T*) NULL,
(uint32_t*) &bytesRequired,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus == NSSCS_SUCCESS)
{ {
if (pEntry->doesNotExpire == false pWrapperEntry->size = wrapperEntrySize;
&& CacheEntryLifetimeExpired(pEntry->creationTime, pEntry->expirationTime)) pEntry = &pWrapperEntry->entry;
{ valueLength = bytesRequired;
// Remove the entry from the cache bytesRequired = 0;
miCasaStatus = miCASARemoveKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pCacheKey,
(uint32_t) strlen(pCacheKey) + 1,
(SSCS_PASSWORD_T*) NULL,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus != NSSCS_SUCCESS)
{
DbgTrace(0, "-FindSessionTokenEntryInCache- miCASARemoveKey error = %0X\n", miCasaStatus);
}
miCasaStatus = miCASAReadBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pCacheKey,
cacheKeyStrLen,
(uint8_t *) pEntry,
&valueLength,
(SSCS_PASSWORD_T*) NULL,
&bytesRequired,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus == NSSCS_SUCCESS)
{
if (pEntry->doesNotExpire == false
&& CacheEntryLifetimeExpired(pEntry->creationTime, pEntry->expirationTime))
{
// Remove the entry from the cache
miCasaStatus = miCASARemoveKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pCacheKey,
cacheKeyStrLen,
(SSCS_PASSWORD_T*) NULL,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus != NSSCS_SUCCESS)
{
DbgTrace(0, "-FindSessionTokenEntryInCache- miCASARemoveKey error = %0X\n", miCasaStatus);
}
FreeAuthCacheEntry(pEntry);
pEntry = NULL;
}
}
else
{
DbgTrace(0, "-FindSessionTokenEntryInCache- miCASAReadBinaryKey error = %0X\n", miCasaStatus);
FreeAuthCacheEntry(pEntry); FreeAuthCacheEntry(pEntry);
pEntry = NULL; pEntry = NULL;
} }
} }
else
{
DbgTrace(0, "-FindSessionTokenEntryInCache- miCASAReadBinaryKey error = %0X\n", miCasaStatus);
FreeAuthCacheEntry(pEntry);
pEntry = NULL;
}
} }
} }
else
{
DbgTrace(0, "-FindSessionTokenEntryInCache- cacheKeyStrLen overflow prevented\n", 0);
}
DbgTrace(1, "-FindSessionTokenEntryInCache- End, pEntry = %0lX\n", (long) pEntry); DbgTrace(1, "-FindSessionTokenEntryInCache- End, pEntry = %0lX\n", (long) pEntry);
@ -504,7 +556,8 @@ FindAuthTokenEntryInCache(
int32_t miCasaStatus; int32_t miCasaStatus;
SSCS_KEYCHAIN_ID_T sessionKeyChain = {26, "SSCS_SESSION_KEY_CHAIN_ID"}; SSCS_KEYCHAIN_ID_T sessionKeyChain = {26, "SSCS_SESSION_KEY_CHAIN_ID"};
SSCS_SECRET_ID_T sharedId = {27, "CASA_AUTHENTICATION_TOKENS"}; SSCS_SECRET_ID_T sharedId = {27, "CASA_AUTHENTICATION_TOKENS"};
int32_t valueLength, wrapperEntrySize, bytesRequired, keySize; uint32_t valueLength, bytesRequired, keySize;
size_t wrapperEntrySize, cacheKeyStrLen, groupOrHostNameStrLen;
WrapperAuthCacheEntry *pWrapperEntry = NULL; WrapperAuthCacheEntry *pWrapperEntry = NULL;
AuthCacheEntry *pEntry = NULL; AuthCacheEntry *pEntry = NULL;
char *pKey; char *pKey;
@ -512,85 +565,96 @@ FindAuthTokenEntryInCache(
DbgTrace(1, "-FindAuthTokenEntryInCache- Start\n", 0); DbgTrace(1, "-FindAuthTokenEntryInCache- Start\n", 0);
keySize = (uint32_t)strlen(pCacheKey) + (uint32_t)strlen(pGroupOrHostName) + 2; cacheKeyStrLen = strlen(pCacheKey);
groupOrHostNameStrLen = strlen(pGroupOrHostName);
pKey = malloc(keySize); // Verify that keySize will not overflow
if (pKey) if ((cacheKeyStrLen + groupOrHostNameStrLen + 2) <= U32_MAX)
{ {
strncpy(pKey, pCacheKey, keySize); keySize = (uint32_t) (cacheKeyStrLen + groupOrHostNameStrLen + 2);
strncat(pKey, "@", keySize);
strncat(pKey, pGroupOrHostName, keySize);
valueLength = 0; pKey = malloc(keySize);
bytesRequired = 0; if (pKey)
miCasaStatus = miCASAReadBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pKey,
keySize,
NULL,
(uint32_t*) &valueLength,
(SSCS_PASSWORD_T*) NULL,
(uint32_t*) &bytesRequired,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus == NSSCS_E_ENUM_BUFF_TOO_SHORT
&& bytesRequired != 0)
{ {
wrapperEntrySize = bytesRequired + sizeof(WrapperAuthCacheEntry) - sizeof(AuthCacheEntry); strncpy(pKey, pCacheKey, keySize);
pWrapperEntry = (WrapperAuthCacheEntry*) malloc(wrapperEntrySize); strncat(pKey, "@", keySize);
if (pWrapperEntry) strncat(pKey, pGroupOrHostName, keySize);
valueLength = 0;
bytesRequired = 0;
miCasaStatus = miCASAReadBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pKey,
keySize,
NULL,
&valueLength,
(SSCS_PASSWORD_T*) NULL,
&bytesRequired,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus == NSSCS_E_ENUM_BUFF_TOO_SHORT
&& bytesRequired != 0)
{ {
pWrapperEntry->size = wrapperEntrySize; wrapperEntrySize = bytesRequired + sizeof(WrapperAuthCacheEntry) - sizeof(AuthCacheEntry);
pEntry = &pWrapperEntry->entry; pWrapperEntry = (WrapperAuthCacheEntry*) malloc(wrapperEntrySize);
valueLength = bytesRequired; if (pWrapperEntry)
bytesRequired = 0;
miCasaStatus = miCASAReadBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pKey,
keySize,
(uint8_t *) pEntry,
(uint32_t*) &valueLength,
(SSCS_PASSWORD_T*) NULL,
(uint32_t*) &bytesRequired,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus == NSSCS_SUCCESS)
{ {
if (pEntry->doesNotExpire == false pWrapperEntry->size = wrapperEntrySize;
&& CacheEntryLifetimeExpired(pEntry->creationTime, pEntry->expirationTime)) pEntry = &pWrapperEntry->entry;
{ valueLength = bytesRequired;
// Remove the entry from the cache bytesRequired = 0;
miCasaStatus = miCASARemoveKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pKey,
keySize,
(SSCS_PASSWORD_T*) NULL,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus != NSSCS_SUCCESS)
{
DbgTrace(0, "-FindAuthTokenEntryInCache- miCASARemoveKey error = %0X\n", miCasaStatus);
}
miCasaStatus = miCASAReadBinaryKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pKey,
keySize,
(uint8_t *) pEntry,
&valueLength,
(SSCS_PASSWORD_T*) NULL,
&bytesRequired,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus == NSSCS_SUCCESS)
{
if (pEntry->doesNotExpire == false
&& CacheEntryLifetimeExpired(pEntry->creationTime, pEntry->expirationTime))
{
// Remove the entry from the cache
miCasaStatus = miCASARemoveKey(g_hCASAContext,
0,
&sessionKeyChain,
&sharedId,
(SS_UTF8_T*) pKey,
keySize,
(SSCS_PASSWORD_T*) NULL,
(SSCS_EXT_T*) pCredStoreScope);
if (miCasaStatus != NSSCS_SUCCESS)
{
DbgTrace(0, "-FindAuthTokenEntryInCache- miCASARemoveKey error = %0X\n", miCasaStatus);
}
FreeAuthCacheEntry(pEntry);
pEntry = NULL;
}
}
else
{
DbgTrace(0, "-FindAuthTokenEntryInCache- miCASAReadBinaryKey error = %0X\n", miCasaStatus);
FreeAuthCacheEntry(pEntry); FreeAuthCacheEntry(pEntry);
pEntry = NULL; pEntry = NULL;
} }
} }
else
{
DbgTrace(0, "-FindAuthTokenEntryInCache- miCASAReadBinaryKey error = %0X\n", miCasaStatus);
FreeAuthCacheEntry(pEntry);
pEntry = NULL;
}
} }
}
free(pKey); free(pKey);
}
}
else
{
DbgTrace(0, "-FindAuthTokenEntryInCache- keySize overflow prevented\n", 0);
} }
DbgTrace(1, "-FindAuthTokenEntryInCache- End, pEntry = %0lX\n", (long) pEntry); DbgTrace(1, "-FindAuthTokenEntryInCache- End, pEntry = %0lX\n", (long) pEntry);

10
CASA-auth-token/client/library/engine.c
View File

@ -83,7 +83,7 @@ ObtainSessionToken(
CASA_STATUS_UNSUCCESSFUL); CASA_STATUS_UNSUCCESSFUL);
LIST_ENTRY *pListEntry; LIST_ENTRY *pListEntry;
AuthCacheEntry *pCacheEntry = NULL; AuthCacheEntry *pCacheEntry = NULL;
AuthContext *pAuthContext; AuthContext *pAuthContext = NULL;
DbgTrace(1, "-ObtainSessionToken- Start\n", 0); DbgTrace(1, "-ObtainSessionToken- Start\n", 0);
@ -137,9 +137,9 @@ ObtainSessionToken(
pCredStoreScope); pCredStoreScope);
if (pCacheEntry == NULL) if (pCacheEntry == NULL)
{ {
char *pReqMsg = NULL; char *pReqMsg = NULL;
char *pRespMsg = NULL; char *pRespMsg = NULL;
int respLen; size_t respLen;
// Get authentication mechanism token // Get authentication mechanism token
retStatus = GetAuthMechToken(pAuthContext, retStatus = GetAuthMechToken(pAuthContext,
@ -328,7 +328,7 @@ ObtainAuthTokenFromServer(
{ {
char *pReqMsg = NULL; char *pReqMsg = NULL;
char *pRespMsg = NULL; char *pRespMsg = NULL;
int respLen; size_t respLen;
AuthPolicy *pAuthPolicy = NULL; AuthPolicy *pAuthPolicy = NULL;
GetAuthPolicyResp *pGetAuthPolicyResp = NULL; GetAuthPolicyResp *pGetAuthPolicyResp = NULL;
GetAuthTokenResp *pGetAuthTokenResp = NULL; GetAuthTokenResp *pGetAuthTokenResp = NULL;

4
CASA-auth-token/client/library/getpolicymsg.c
View File

@ -86,8 +86,8 @@ BuildGetAuthPolicyMsg(
// L2 // L2
//=======================================================================-- //=======================================================================--
{ {
char *pMsg = NULL; char *pMsg = NULL;
int bufferSize; size_t bufferSize;
DbgTrace(1, "-BuildGetAuthPolicyMsg- Start\n", 0); DbgTrace(1, "-BuildGetAuthPolicyMsg- Start\n", 0);

4
CASA-auth-token/client/library/gettokenmsg.c
View File

@ -88,8 +88,8 @@ BuildGetAuthTokenMsg(
// L2 // L2
//=======================================================================-- //=======================================================================--
{ {
char *pMsg = NULL; char *pMsg = NULL;
int bufferSize; size_t bufferSize;
DbgTrace(1, "-BuildGetAuthTokenMsg- Start\n", 0); DbgTrace(1, "-BuildGetAuthTokenMsg- Start\n", 0);

19
CASA-auth-token/client/library/internal.h
View File

@ -39,6 +39,12 @@
//===[ Type definitions ]================================================== //===[ Type definitions ]==================================================
#define MAX_RPC_REPLY_SZ (256 * 1024)
#ifndef U32_MAX
#define U32_MAX (~(uint32_t)0)
#endif
// //
// Authentication Context structure // Authentication Context structure
// //
@ -179,6 +185,15 @@ void
RelGetAuthPolicyResp( RelGetAuthPolicyResp(
IN GetAuthPolicyResp *pGetAuthPolicyResp); IN GetAuthPolicyResp *pGetAuthPolicyResp);
extern
int
InitializeLibrary(void);
extern
void
UnInitializeLibrary(void);
// //
// Functions exported by authpolicy.c // Functions exported by authpolicy.c
// //
@ -209,7 +224,7 @@ extern
CasaStatus CasaStatus
CreateAuthenticateResp( CreateAuthenticateResp(
IN char *pRespMsg, IN char *pRespMsg,
IN int respLen, IN size_t respLen,
INOUT AuthenticateResp **ppAuthenticateResp); INOUT AuthenticateResp **ppAuthenticateResp);
extern extern
@ -391,7 +406,7 @@ Rpc(
IN long flags, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen); INOUT size_t *pResponseDataLen);
extern extern
CasaStatus CasaStatus

2
CASA-auth-token/client/library/invalidcert.c
View File

@ -77,8 +77,6 @@ AllowInvalidCertsFromHost(
// L0 // L0
//=======================================================================-- //=======================================================================--
{ {
bool retStatus = true;
DbgTrace(2, "-AllowInvalidCertsFromHost- Start\n", 0); DbgTrace(2, "-AllowInvalidCertsFromHost- Start\n", 0);
// tbd // tbd

6
CASA-auth-token/client/library/linux/platform.c
View File

@ -36,7 +36,7 @@ typedef struct _NormalizedHostNameCacheEntry
LIST_ENTRY listEntry; LIST_ENTRY listEntry;
char *pHostName; char *pHostName;
char *pNormalizedHostName; char *pNormalizedHostName;
int buffLengthRequired; size_t buffLengthRequired;
} NormalizedHostNameCacheEntry, *PNormalizedHostNameCacheEntry; } NormalizedHostNameCacheEntry, *PNormalizedHostNameCacheEntry;
@ -720,7 +720,7 @@ NormalizeHostName(
NI_NAMEREQD) == 0) NI_NAMEREQD) == 0)
{ {
// We resolved the address to a DNS name, use it as the normalized name. // We resolved the address to a DNS name, use it as the normalized name.
pEntry->buffLengthRequired = (int) strlen(pDnsHostName) + 1; pEntry->buffLengthRequired = strlen(pDnsHostName) + 1;
pEntry->pNormalizedHostName = (char*) malloc(pEntry->buffLengthRequired); pEntry->pNormalizedHostName = (char*) malloc(pEntry->buffLengthRequired);
if (pEntry->pNormalizedHostName) if (pEntry->pNormalizedHostName)
{ {
@ -738,7 +738,7 @@ NormalizeHostName(
// Not able to resolve the name in DNS, just use the host name as // Not able to resolve the name in DNS, just use the host name as
// the normalized name. // the normalized name.
pEntry->buffLengthRequired = (int) strlen(pHostName) + 1; pEntry->buffLengthRequired = strlen(pHostName) + 1;
pEntry->pNormalizedHostName = (char*) malloc(pEntry->buffLengthRequired); pEntry->pNormalizedHostName = (char*) malloc(pEntry->buffLengthRequired);
if (pEntry->pNormalizedHostName) if (pEntry->pNormalizedHostName)
{ {

6
CASA-auth-token/client/library/linux/platform.h
View File

@ -83,12 +83,12 @@ typedef struct _RpcSession
{ {
CURL *hCurl; CURL *hCurl;
char *pPartialHttpUrl; char *pPartialHttpUrl;
int partialHttpUrlLen; size_t partialHttpUrlLen;
char *pPartialHttpsUrl; char *pPartialHttpsUrl;
int partialHttpsUrlLen; size_t partialHttpsUrlLen;
struct curl_slist *headers; struct curl_slist *headers;
char *pRecvData; char *pRecvData;
int recvDataLen; size_t recvDataLen;
} RpcSession, *PRpcSession; } RpcSession, *PRpcSession;

56
CASA-auth-token/client/library/linux/rpc.c
View File

@ -79,34 +79,56 @@ CurlWriteCallback(
if (pSession->pRecvData == NULL) if (pSession->pRecvData == NULL)
{ {
// We have not yet consumed receive data for the current Rpc // We have not yet consumed receive data for the current Rpc
pSession->pRecvData = (char*) malloc(numDataItems * dataItemSz); // if the data does not exceed our maximum Rpc reply size.
if (pSession->pRecvData) if ((numDataItems * dataItemSz) <= MAX_RPC_REPLY_SZ)
{ {
// Consume the data pSession->pRecvData = (char*) malloc(numDataItems * dataItemSz);
memcpy(pSession->pRecvData, pData, numDataItems * dataItemSz); if (pSession->pRecvData)
pSession->recvDataLen = numDataItems * dataItemSz; {
// Consume the data
memcpy(pSession->pRecvData, pData, numDataItems * dataItemSz);
pSession->recvDataLen = numDataItems * dataItemSz;
}
else
{
DbgTrace(0, "-CurlWriteCallback- Buffer allocation error\n", 0);
dataConsumed = CURLE_WRITE_ERROR; // To abort RPC
}
} }
else else
{ {
DbgTrace(0, "-CurlWriteCallback- Buffer allocation error\n", 0); DbgTrace(0, "-CurlWriteCallback- Max Rpc reply size exceeded\n", 0);
dataConsumed = CURLE_WRITE_ERROR; // To abort RPC dataConsumed = CURLE_WRITE_ERROR; // To abort RPC
} }
} }
else else
{ {
// We have already consumed receive data for the current Rpc, append the new data to it. // We have already consumed receive data for the current Rpc, append the new data to it
char *pNewRecvDataBuf = (char*) malloc(pSession->recvDataLen + (numDataItems * dataItemSz)); // if the data does not exceed our maximum Rpc reply size.
if (pNewRecvDataBuf) if ((pSession->recvDataLen + (numDataItems * dataItemSz)) <= MAX_RPC_REPLY_SZ)
{ {
memcpy(pNewRecvDataBuf, pSession->pRecvData, pSession->recvDataLen); char *pNewRecvDataBuf = (char*) malloc(pSession->recvDataLen + (numDataItems * dataItemSz));
memcpy(pNewRecvDataBuf + pSession->recvDataLen, pData, numDataItems * dataItemSz); if (pNewRecvDataBuf)
pSession->recvDataLen += numDataItems * dataItemSz; {
free(pSession->pRecvData); memcpy(pNewRecvDataBuf, pSession->pRecvData, pSession->recvDataLen);
pSession->pRecvData = pNewRecvDataBuf; memcpy(pNewRecvDataBuf + pSession->recvDataLen, pData, numDataItems * dataItemSz);
pSession->recvDataLen += numDataItems * dataItemSz;
free(pSession->pRecvData);
pSession->pRecvData = pNewRecvDataBuf;
}
else
{
DbgTrace(0, "-CurlWriteCallback- Buffer allocation error\n", 0);
dataConsumed = CURLE_WRITE_ERROR; // To abort RPC
// Forget about already consumed data
free(pSession->pRecvData);
pSession->pRecvData = NULL;
}
} }
else else
{ {
DbgTrace(0, "-CurlWriteCallback- Buffer allocation error\n", 0); DbgTrace(0, "-CurlWriteCallback- Max Rpc reply size exceeded\n", 0);
dataConsumed = CURLE_WRITE_ERROR; // To abort RPC dataConsumed = CURLE_WRITE_ERROR; // To abort RPC
// Forget about already consumed data // Forget about already consumed data
@ -308,7 +330,7 @@ InternalRpc(
IN long flags, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen) INOUT size_t *pResponseDataLen)
// //
// Arguments: // Arguments:
// //
@ -494,7 +516,7 @@ Rpc(
IN long flags, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen) INOUT size_t *pResponseDataLen)
// //
// Arguments: // Arguments:
// //

80
CASA-auth-token/client/library/mechanisms/pwd/get.c
View File

@ -76,6 +76,7 @@ GetUserCredentials(
uint32_t credtype = SSCS_CRED_TYPE_BASIC_F; uint32_t credtype = SSCS_CRED_TYPE_BASIC_F;
SSCS_BASIC_CREDENTIAL credential = {0}; SSCS_BASIC_CREDENTIAL credential = {0};
SSCS_SECRET_ID_T secretId = {0}; SSCS_SECRET_ID_T secretId = {0};
size_t secretIdLen;
DbgTrace(1, "-GetUserCredentials- Start\n", 0); DbgTrace(1, "-GetUserCredentials- Start\n", 0);
@ -85,45 +86,56 @@ GetUserCredentials(
// Get the length of the realm string into the secret id structure // Get the length of the realm string into the secret id structure
// and verify thatr it is not too long. // and verify thatr it is not too long.
secretId.len = sscs_Utf8Strlen(pRealm) + 1; secretIdLen = sscs_Utf8Strlen(pRealm) + 1;
if (secretId.len <= NSSCS_MAX_SECRET_ID_LEN) if (secretIdLen <= U32_MAX)
{ {
// Set the secret id in the structure secretId.len = secretIdLen;
sscs_Utf8Strcpy((char*) secretId.id, pRealm); if (secretId.len <= NSSCS_MAX_SECRET_ID_LEN)
// Specify that we want the common name
credential.unFlags = USERNAME_TYPE_CN_F;
// Now try to get the credentials
rcode = miCASAGetCredential(0,
&secretId,
NULL,
&credtype,
&credential,
(SSCS_EXT_T*) pCredStoreScope);
if (rcode != NSSCS_SUCCESS)
{ {
// There were no credentials for the realm, now try to obtain the // Set the secret id in the structure
// desktop credentials. sscs_Utf8Strcpy((char*) secretId.id, pRealm);
secretId.len = sscs_Utf8Strlen("Desktop") + 1;
if (secretId.len <= NSSCS_MAX_SECRET_ID_LEN) // Specify that we want the common name
credential.unFlags = USERNAME_TYPE_CN_F;
// Now try to get the credentials
rcode = miCASAGetCredential(0,
&secretId,
NULL,
&credtype,
&credential,
(SSCS_EXT_T*) pCredStoreScope);
if (rcode != NSSCS_SUCCESS)
{ {
sscs_Utf8Strcpy((char*) secretId.id, "Desktop"); // There were no credentials for the realm, now try to obtain the
rcode = miCASAGetCredential(0, // desktop credentials.
&secretId, secretId.len = sscs_Utf8Strlen("Desktop") + 1;
NULL, if (secretId.len <= NSSCS_MAX_SECRET_ID_LEN)
&credtype, {
&credential, sscs_Utf8Strcpy((char*) secretId.id, "Desktop");
(SSCS_EXT_T*) pCredStoreScope); rcode = miCASAGetCredential(0,
} &secretId,
else NULL,
{ &credtype,
DbgTrace(0, "-GetUserCredentials- Desktop name too long\n", 0); &credential,
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, (SSCS_EXT_T*) pCredStoreScope);
CASA_FACILITY_PWTOKEN, }
CASA_STATUS_UNSUCCESSFUL); else
{
DbgTrace(0, "-GetUserCredentials- Desktop name too long\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_PWTOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
} }
} }
else
{
DbgTrace(0, "-GetUserCredentials- Realm name too long\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_PWTOKEN,
CASA_STATUS_UNSUCCESSFUL);
}
} }
else else
{ {

4
CASA-auth-token/client/library/mechanisms/pwd/internal.h
View File

@ -37,6 +37,10 @@
//===[ Type definitions ]================================================== //===[ Type definitions ]==================================================
#ifndef U32_MAX
#define U32_MAX (~(uint32_t)0)
#endif
//===[ Inlines functions ]=============================================== //===[ Inlines functions ]===============================================
//===[ Function prototypes ]=============================================== //===[ Function prototypes ]===============================================

6
CASA-auth-token/client/library/windows/platform.c
View File

@ -36,7 +36,7 @@ typedef struct _NormalizedHostNameCacheEntry
LIST_ENTRY listEntry; LIST_ENTRY listEntry;
char *pHostName; char *pHostName;
char *pNormalizedHostName; char *pNormalizedHostName;
int buffLengthRequired; size_t buffLengthRequired;
} NormalizedHostNameCacheEntry, *PNormalizedHostNameCacheEntry; } NormalizedHostNameCacheEntry, *PNormalizedHostNameCacheEntry;
@ -458,7 +458,7 @@ NormalizeHostName(
NI_NAMEREQD) == 0) NI_NAMEREQD) == 0)
{ {
// We resolved the address to a DNS name, use it as the normalized name. // We resolved the address to a DNS name, use it as the normalized name.
pEntry->buffLengthRequired = (int) strlen(pDnsHostName) + 1; pEntry->buffLengthRequired = strlen(pDnsHostName) + 1;
pEntry->pNormalizedHostName = (char*) malloc(pEntry->buffLengthRequired); pEntry->pNormalizedHostName = (char*) malloc(pEntry->buffLengthRequired);
if (pEntry->pNormalizedHostName) if (pEntry->pNormalizedHostName)
{ {
@ -476,7 +476,7 @@ NormalizeHostName(
// Not able to resolve the name in DNS, just use the host name as // Not able to resolve the name in DNS, just use the host name as
// the normalized name. // the normalized name.
pEntry->buffLengthRequired = (int) strlen(pHostName) + 1; pEntry->buffLengthRequired = strlen(pHostName) + 1;
pEntry->pNormalizedHostName = (char*) malloc(pEntry->buffLengthRequired); pEntry->pNormalizedHostName = (char*) malloc(pEntry->buffLengthRequired);
if (pEntry->pNormalizedHostName) if (pEntry->pNormalizedHostName)
{ {

51
CASA-auth-token/client/library/windows/rpc.c
View File

@ -343,7 +343,7 @@ InternalRpc(
IN long flags, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen) INOUT size_t *pResponseDataLen)
// //
// Arguments: // Arguments:
// //
@ -467,9 +467,9 @@ InternalRpc(
// Check that the request completed successfully // Check that the request completed successfully
if (memcmp(httpCompStatus, L"200", sizeof(httpCompStatus)) == 0) if (memcmp(httpCompStatus, L"200", sizeof(httpCompStatus)) == 0)
{ {
char *pResponseData; char *pResponseData;
int responseDataBufSize = INITIAL_RESPONSE_DATA_BUF_SIZE; size_t responseDataBufSize = INITIAL_RESPONSE_DATA_BUF_SIZE;
int responseDataRead = 0; size_t responseDataRead = 0;
// Now read the response data, to do so we need to allocate a buffer. // Now read the response data, to do so we need to allocate a buffer.
pResponseData = (char*) malloc(INITIAL_RESPONSE_DATA_BUF_SIZE); pResponseData = (char*) malloc(INITIAL_RESPONSE_DATA_BUF_SIZE);
@ -494,22 +494,43 @@ InternalRpc(
{ {
char *pTmpBuf; char *pTmpBuf;
// We need to upgrade the receive buffer // We need to upgrade the receive buffer.
pTmpBuf = (char*) malloc(responseDataBufSize + INCREMENT_RESPONSE_DATA_BUF_SIZE); //
if (pTmpBuf) // Do not allow the reply to exceed our maximum
if (responseDataBufSize < MAX_RPC_REPLY_SZ)
{ {
memcpy(pTmpBuf, pResponseData, responseDataBufSize); size_t incrementSz;
free(pResponseData);
pResponseData = pTmpBuf; // Determine the buffer size imcrement so that the maximum rpc reply
pCurrLocation = pResponseData + responseDataBufSize; // size is not exceeded.
responseDataBufSize += INCREMENT_RESPONSE_DATA_BUF_SIZE; if ((responseDataBufSize + INCREMENT_RESPONSE_DATA_BUF_SIZE) <= MAX_RPC_REPLY_SZ)
incrementSz = INCREMENT_RESPONSE_DATA_BUF_SIZE;
else
incrementSz = MAX_RPC_REPLY_SZ - responseDataBufSize;
pTmpBuf = (char*) malloc(responseDataBufSize + incrementSz);
if (pTmpBuf)
{
memcpy(pTmpBuf, pResponseData, responseDataBufSize);
free(pResponseData);
pResponseData = pTmpBuf;
pCurrLocation = pResponseData + responseDataBufSize;
responseDataBufSize += incrementSz;
}
else
{
DbgTrace(0, "-InternalRpc- Buffer allocation failure\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES);
}
} }
else else
{ {
DbgTrace(0, "-InternalRpc- Buffer allocation failure\n", 0); DbgTrace(0, "-InternalRpc- Reply maximum exceeded\n", 0);
retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR, retStatus = CasaStatusBuild(CASA_SEVERITY_ERROR,
CASA_FACILITY_AUTHTOKEN, CASA_FACILITY_AUTHTOKEN,
CASA_STATUS_INSUFFICIENT_RESOURCES); CASA_STATUS_UNSUCCESSFUL);
} }
} }
} }
@ -743,7 +764,7 @@ Rpc(
IN long flags, IN long flags,
IN char *pRequestData, IN char *pRequestData,
INOUT char **ppResponseData, INOUT char **ppResponseData,
INOUT int *pResponseDataLen) INOUT size_t *pResponseDataLen)
// //
// Arguments: // Arguments:
// //