s4:heimdal: import lorikeet-heimdal-201001120029 (commit a5e675fed7c5db8a7370b77ed0bfa724196aa84d)

author: Andrew Bartlett <abartlet@samba.org> 2010-01-12 18:16:45 +1100
committer: Andrew Bartlett <abartlet@samba.org> 2010-03-27 11:51:27 +1100
commit: 89eaef025376339ef25d07cdc4748920fceaa968 (patch)
tree: f514f4632c9d54a372a7f1f0ca845a0c3a488fbf /source4/heimdal/lib/hx509
parent: fac8ca52ade6e490eea3cf3d0fc98287da321c13 (diff)
download: samba-89eaef025376339ef25d07cdc4748920fceaa968.tar.gz
samba-89eaef025376339ef25d07cdc4748920fceaa968.tar.bz2
samba-89eaef025376339ef25d07cdc4748920fceaa968.zip
11 files changed, 96 insertions, 29 deletions
diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c
index ebf02a99e3..4783edd681 100644
--- a/source4/heimdal/lib/hx509/cert.c
+++ b/source4/heimdal/lib/hx509/cert.c
@@ -1023,9 +1023,12 @@ certificate_is_self_signed(hx509_context context,
     ret = _hx509_name_cmp(&cert->tbsCertificate.subject,
 			  &cert->tbsCertificate.issuer, &diff);
     *self_signed = (diff == 0);
-    if (ret)
+    if (ret) {
 	hx509_set_error_string(context, 0, ret,
 			       "Failed to check if self signed");
+    } else
+	ret = _hx509_self_signed_valid(context, &cert->signatureAlgorithm);
+
     return ret;
 }
 
@@ -3251,7 +3254,7 @@ _hx509_cert_get_eku(hx509_context context,
  * @param context A hx509 context.
  * @param c the certificate to encode.
  * @param os the encode certificate, set to NULL, 0 on case of
- * error. Free the returned structure with hx509_xfree().
+ * error. Free the os->data with hx509_xfree().
  *
  * @return An hx509 error code, see hx509_get_error_string().
  *
diff --git a/source4/heimdal/lib/hx509/cms.c b/source4/heimdal/lib/hx509/cms.c
index 4766c34655..5506cee463 100644
--- a/source4/heimdal/lib/hx509/cms.c
+++ b/source4/heimdal/lib/hx509/cms.c
@@ -1491,7 +1491,7 @@ hx509_cms_create_signed(hx509_context context,
      * signatures).
      */
     if ((flags & HX509_CMS_SIGNATURE_NO_SIGNER) == 0) {
-	ret = hx509_certs_iter(context, certs, sig_process, &sigctx);
+	ret = hx509_certs_iter_f(context, certs, sig_process, &sigctx);
 	if (ret)
 	    goto out;
     }
@@ -1525,7 +1525,7 @@ hx509_cms_create_signed(hx509_context context,
 	    goto out;
 	}
 
-	ret = hx509_certs_iter(context, sigctx.certs, cert_process, &sigctx);
+	ret = hx509_certs_iter_f(context, sigctx.certs, cert_process, &sigctx);
 	if (ret)
 	    goto out;
     }
diff --git a/source4/heimdal/lib/hx509/crypto.c b/source4/heimdal/lib/hx509/crypto.c
index 050a0902b3..bee64c145f 100644
--- a/source4/heimdal/lib/hx509/crypto.c
+++ b/source4/heimdal/lib/hx509/crypto.c
@@ -87,8 +87,9 @@ struct signature_alg {
     const heim_oid *key_oid;
     const AlgorithmIdentifier *digest_alg;
     int flags;
-#define PROVIDE_CONF 1
-#define REQUIRE_SIGNER 2
+#define PROVIDE_CONF	0x1
+#define REQUIRE_SIGNER	0x2
+#define SELF_SIGNED_OK	0x4
 
 #define SIG_DIGEST	0x100
 #define SIG_PUBLIC_SIG	0x200
@@ -1200,7 +1201,7 @@ static const struct signature_alg ecdsa_with_sha256_alg = {
     &_hx509_signature_ecdsa_with_sha256_data,
     &asn1_oid_id_ecPublicKey,
     &_hx509_signature_sha256_data,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     ecdsa_verify_signature,
@@ -1214,7 +1215,7 @@ static const struct signature_alg ecdsa_with_sha1_alg = {
     &_hx509_signature_ecdsa_with_sha1_data,
     &asn1_oid_id_ecPublicKey,
     &_hx509_signature_sha1_data,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     ecdsa_verify_signature,
@@ -1243,7 +1244,7 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = {
     &_hx509_signature_rsa_with_sha1_data,
     &asn1_oid_id_pkcs1_rsaEncryption,
     NULL,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     rsa_verify_signature,
@@ -1256,7 +1257,7 @@ static const struct signature_alg rsa_with_sha256_alg = {
     &_hx509_signature_rsa_with_sha256_data,
     &asn1_oid_id_pkcs1_rsaEncryption,
     &_hx509_signature_sha256_data,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     rsa_verify_signature,
@@ -1269,7 +1270,7 @@ static const struct signature_alg rsa_with_sha1_alg = {
     &_hx509_signature_rsa_with_sha1_data,
     &asn1_oid_id_pkcs1_rsaEncryption,
     &_hx509_signature_sha1_data,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     rsa_verify_signature,
@@ -1482,6 +1483,27 @@ _hx509_signature_best_before(hx509_context context,
 }
 
 int
+_hx509_self_signed_valid(hx509_context context,
+			 const AlgorithmIdentifier *alg)
+{
+    const struct signature_alg *md;
+
+    md = find_sig_alg(&alg->algorithm);
+    if (md == NULL) {
+	hx509_clear_error_string(context);
+	return HX509_SIG_ALG_NO_SUPPORTED;
+    }
+    if ((md->flags & SELF_SIGNED_OK) == 0) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE,
+			       "Algorithm %s not trusted for self signatures",
+			       md->name);
+	return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
+    }
+    return 0;
+}
+
+
+int
 _hx509_verify_signature(hx509_context context,
 			const hx509_cert cert,
 			const AlgorithmIdentifier *alg,
diff --git a/source4/heimdal/lib/hx509/hx_locl.h b/source4/heimdal/lib/hx509/hx_locl.h
index 2d1c036d53..3e3ab23c6d 100644
--- a/source4/heimdal/lib/hx509/hx_locl.h
+++ b/source4/heimdal/lib/hx509/hx_locl.h
@@ -39,16 +39,19 @@
 #include <stdlib.h>
 #include <ctype.h>
 #include <errno.h>
+#ifdef HAVE_STRINGS_H
 #include <strings.h>
+#endif
 #include <assert.h>
 #include <stdarg.h>
 #include <err.h>
 #include <limits.h>
 
+#include <roken.h>
+
 #include <getarg.h>
 #include <base64.h>
 #include <hex.h>
-#include <roken.h>
 #include <com_err.h>
 #include <parse_units.h>
 #include <parse_bytes.h>
diff --git a/source4/heimdal/lib/hx509/keyset.c b/source4/heimdal/lib/hx509/keyset.c
index 4a96cff530..465ca1b4d3 100644
--- a/source4/heimdal/lib/hx509/keyset.c
+++ b/source4/heimdal/lib/hx509/keyset.c
@@ -3,6 +3,8 @@
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -323,7 +325,7 @@ hx509_certs_end_seq(hx509_context context,
  * @param certs certificate store to iterate over.
  * @param func function to call for each certificate. The function
  * should return non-zero to abort the iteration, that value is passed
- * back to te caller of hx509_certs_iter().
+ * back to the caller of hx509_certs_iter_f().
  * @param ctx context variable that will passed to the function.
  *
  * @return Returns an hx509 error code.
@@ -332,10 +334,10 @@ hx509_certs_end_seq(hx509_context context,
  */
 
 int
-hx509_certs_iter(hx509_context context,
-		 hx509_certs certs,
-		 int (*func)(hx509_context, void *, hx509_cert),
-		 void *ctx)
+hx509_certs_iter_f(hx509_context context,
+		   hx509_certs certs,
+		   int (*func)(hx509_context, void *, hx509_cert),
+		   void *ctx)
 {
     hx509_cursor cursor;
     hx509_cert c;
@@ -364,13 +366,46 @@ hx509_certs_iter(hx509_context context,
     return ret;
 }
 
+/**
+ * Iterate over all certificates in a keystore and call an function
+ * for each fo them.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param func function to call for each certificate. The function
+ * should return non-zero to abort the iteration, that value is passed
+ * back to the caller of hx509_certs_iter().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
+#ifdef __BLOCKS__
+
+static int
+certs_iter(hx509_context context, void *ctx, hx509_cert cert)
+{
+    int (^func)(hx509_cert) = ctx;
+    return func(cert);
+}
+
+int
+hx509_certs_iter(hx509_context context,
+		 hx509_certs certs,
+		 int (^func)(hx509_cert))
+{
+    return hx509_certs_iter_f(context, certs, certs_iter, func);
+}
+#endif
+
 
 /**
- * Function to use to hx509_certs_iter() as a function argument, the
- * ctx variable to hx509_certs_iter() should be a FILE file descriptor.
+ * Function to use to hx509_certs_iter_f() as a function argument, the
+ * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor.
  *
  * @param context a hx509 context.
- * @param ctx used by hx509_certs_iter().
+ * @param ctx used by hx509_certs_iter_f().
  * @param c a certificate
  *
  * @return Returns an hx509 error code.
@@ -587,7 +622,7 @@ hx509_certs_merge(hx509_context context, hx509_certs to, hx509_certs from)
 {
     if (from == NULL)
 	return 0;
-    return hx509_certs_iter(context, from, certs_merge_func, to);
+    return hx509_certs_iter_f(context, from, certs_merge_func, to);
 }
 
 /**
diff --git a/source4/heimdal/lib/hx509/ks_dir.c b/source4/heimdal/lib/hx509/ks_dir.c
index 9ce9b5c8e6..8c8c6e50c8 100644
--- a/source4/heimdal/lib/hx509/ks_dir.c
+++ b/source4/heimdal/lib/hx509/ks_dir.c
@@ -113,7 +113,7 @@ dir_iter_start(hx509_context context,
 	free(d);
 	return errno;
     }
-    rk_cloexec(dirfd(d->dir));
+    rk_cloexec_dir(d->dir);
     d->certs = NULL;
     d->iter = NULL;
 
diff --git a/source4/heimdal/lib/hx509/ks_file.c b/source4/heimdal/lib/hx509/ks_file.c
index f137b84641..645dc405a2 100644
--- a/source4/heimdal/lib/hx509/ks_file.c
+++ b/source4/heimdal/lib/hx509/ks_file.c
@@ -571,7 +571,7 @@ file_store(hx509_context context,
     rk_cloexec_file(sc.f);
     sc.format = ksf->format;
 
-    ret = hx509_certs_iter(context, ksf->certs, store_func, &sc);
+    ret = hx509_certs_iter_f(context, ksf->certs, store_func, &sc);
     fclose(sc.f);
     return ret;
 }
diff --git a/source4/heimdal/lib/hx509/ks_keychain.c b/source4/heimdal/lib/hx509/ks_keychain.c
index 01d0c55d1c..9c6521790a 100644
--- a/source4/heimdal/lib/hx509/ks_keychain.c
+++ b/source4/heimdal/lib/hx509/ks_keychain.c
@@ -43,6 +43,7 @@ OSStatus SecKeyGetCSPHandle(SecKeyRef, CSSM_CSP_HANDLE *);
 OSStatus SecKeyGetCredentials(SecKeyRef, CSSM_ACL_AUTHORIZATION_TAG,
 			      int, const CSSM_ACCESS_CREDENTIALS **);
 #define kSecCredentialTypeDefault 0
+#define CSSM_SIZE uint32_t
 #endif
 
 
diff --git a/source4/heimdal/lib/hx509/ks_p12.c b/source4/heimdal/lib/hx509/ks_p12.c
index c17ce3f6ac..d94ab197cd 100644
--- a/source4/heimdal/lib/hx509/ks_p12.c
+++ b/source4/heimdal/lib/hx509/ks_p12.c
@@ -571,7 +571,7 @@ p12_store(hx509_context context,
     memset(&as, 0, sizeof(as));
     memset(&pfx, 0, sizeof(pfx));
 
-    ret = hx509_certs_iter(context, p12->certs, store_func, &as);
+    ret = hx509_certs_iter_f(context, p12->certs, store_func, &as);
     if (ret)
 	goto out;
 
diff --git a/source4/heimdal/lib/hx509/peer.c b/source4/heimdal/lib/hx509/peer.c
index c796e19173..457f6c4d04 100644
--- a/source4/heimdal/lib/hx509/peer.c
+++ b/source4/heimdal/lib/hx509/peer.c
@@ -3,6 +3,8 @@
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -144,6 +146,7 @@ hx509_peer_info_add_cms_alg(hx509_context context,
 	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
 	return ENOMEM;
     }
+    peer->val = ptr;
     ret = copy_AlgorithmIdentifier(val, &peer->val[peer->len]);
     if (ret == 0)
 	peer->len += 1;
diff --git a/source4/heimdal/lib/hx509/revoke.c b/source4/heimdal/lib/hx509/revoke.c
index 21140b3c7e..6d2cac4afb 100644
--- a/source4/heimdal/lib/hx509/revoke.c
+++ b/source4/heimdal/lib/hx509/revoke.c
@@ -989,7 +989,7 @@ hx509_ocsp_request(hx509_context context,
     ctx.digest = digest;
     ctx.parent = NULL;
 
-    ret = hx509_certs_iter(context, reqcerts, add_to_req, &ctx);
+    ret = hx509_certs_iter_f(context, reqcerts, add_to_req, &ctx);
     hx509_cert_free(ctx.parent);
     if (ret)
 	goto out;
@@ -1004,17 +1004,17 @@ hx509_ocsp_request(hx509_context context,
 
 	es = req.tbsRequest.requestExtensions;
 	
-	es->val = calloc(1, sizeof(es->val[0]));
+	es->val = calloc(es->len, sizeof(es->val[0]));
 	if (es->val == NULL) {
 	    ret = ENOMEM;
 	    goto out;
 	}
+	es->len = 1;
 	ret = der_copy_oid(&asn1_oid_id_pkix_ocsp_nonce, &es->val[0].extnID);
 	if (ret) {
 	    free_OCSPRequest(&req);
 	    return ret;
 	}
-	es->len = 1;
 
 	es->val[0].extnValue.data = malloc(10);
 	if (es->val[0].extnValue.data == NULL) {
@@ -1153,7 +1153,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
 
     fprintf(out, "appended certs:\n");
     if (ocsp.certs)
-	ret = hx509_certs_iter(context, ocsp.certs, hx509_ci_print_names, out);
+	ret = hx509_certs_iter_f(context, ocsp.certs, hx509_ci_print_names, out);
 
     free_ocsp(&ocsp);
     return ret;
@@ -1486,7 +1486,7 @@ hx509_crl_sign(hx509_context context,
     }
     c.tbsCertList.crlExtensions = NULL;
 
-    ret = hx509_certs_iter(context, crl->revoked, add_revoked, &c.tbsCertList);
+    ret = hx509_certs_iter_f(context, crl->revoked, add_revoked, &c.tbsCertList);
     if (ret)
 	goto out;
author	Andrew Bartlett <abartlet@samba.org>	2010-01-12 18:16:45 +1100
committer	Andrew Bartlett <abartlet@samba.org>	2010-03-27 11:51:27 +1100
commit	89eaef025376339ef25d07cdc4748920fceaa968 (patch)
tree	f514f4632c9d54a372a7f1f0ca845a0c3a488fbf /source4/heimdal/lib/hx509
parent	fac8ca52ade6e490eea3cf3d0fc98287da321c13 (diff)
download	samba-89eaef025376339ef25d07cdc4748920fceaa968.tar.gz samba-89eaef025376339ef25d07cdc4748920fceaa968.tar.bz2 samba-89eaef025376339ef25d07cdc4748920fceaa968.zip