diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2006-11-08 01:48:35 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:25:21 -0500 |
| commit | f722b0743811a4a5caf5288fa901cc8f683b9ffd (patch) | |
| tree | 3aaa2473a79fc58ad937723b67510f4bf0d0cc6a /source4/heimdal/kdc/pkinit.c | |
| parent | e10791a36451da82906cd7cec66c7a54802353b5 (diff) | |
| download | samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.tar.gz samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.tar.bz2 samba-f722b0743811a4a5caf5288fa901cc8f683b9ffd.zip | |
r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement.
Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c
Andrew Bartlett
(This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)
Diffstat (limited to 'source4/heimdal/kdc/pkinit.c')
| -rwxr-xr-x | source4/heimdal/kdc/pkinit.c | 38 |
1 files changed, 35 insertions, 3 deletions
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index e3d77c0621..1a300cce3e 100755 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: pkinit.c,v 1.72 2006/10/24 17:51:33 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.73 2006/11/07 17:24:57 lha Exp $"); #ifdef PKINIT @@ -528,8 +528,10 @@ _kdc_pk_rd_padata(krb5_context context, &eContent, &signer_certs); if (ret) { - kdc_log(context, config, 0, - "PK-INIT failed to verify signature %d", ret); + char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret); + krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d", + s, ret); + free(s); goto out; } @@ -1376,6 +1378,36 @@ _kdc_pk_initialize(krb5_context context, return ret; } + { + hx509_query *q; + hx509_cert cert; + + ret = hx509_query_alloc(kdc_identity->hx509ctx, &q); + if (ret) { + krb5_warnx(context, "PKINIT: out of memory"); + return ENOMEM; + } + + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); + hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); + + ret = hx509_certs_find(kdc_identity->hx509ctx, + kdc_identity->certs, + q, + &cert); + hx509_query_free(kdc_identity->hx509ctx, q); + if (ret == 0) { + if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert, + oid_id_pkkdcekuoid(), 0)) + krb5_warnx(context, "WARNING Found KDC certificate " + "is missing the PK-INIT KDC EKU, this is bad for " + "interoperability."); + hx509_cert_free(cert); + } else + krb5_warnx(context, "PKINIT: failed to find a signing " + "certifiate with a public key"); + } + ret = krb5_config_get_bool_default(context, NULL, FALSE, |