diff options
author | Stefan Metzmacher <metze@samba.org> | 2011-07-15 09:10:30 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-07-15 11:15:05 +0200 |
commit | 255e3e18e00f717d99f3bc57c8a8895ff624f3c3 (patch) | |
tree | a2933c88f38e8dd7fe612be8dd458d05918b1f15 /source4/heimdal/lib/krb5/pkinit.c | |
parent | 70da27838bb3f6ed9c36add06ce0ccdf467ab1c3 (diff) | |
download | samba-255e3e18e00f717d99f3bc57c8a8895ff624f3c3.tar.gz samba-255e3e18e00f717d99f3bc57c8a8895ff624f3c3.tar.bz2 samba-255e3e18e00f717d99f3bc57c8a8895ff624f3c3.zip |
s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b)
Diffstat (limited to 'source4/heimdal/lib/krb5/pkinit.c')
-rw-r--r-- | source4/heimdal/lib/krb5/pkinit.c | 128 |
1 files changed, 64 insertions, 64 deletions
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index 7a8502727e..1103a17807 100644 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c @@ -188,7 +188,8 @@ find_cert(krb5_context context, struct krb5_pk_identity *id, { "MS EKU" }, { "any (or no)" } }; - int i, ret, start = 1; + int ret = HX509_CERT_NOT_FOUND; + size_t i, start = 1; unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 }; const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids }; @@ -298,8 +299,8 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c) { IssuerAndSerialNumber iasn; hx509_name issuer; - size_t size; - + size_t size = 0; + memset(&iasn, 0, sizeof(iasn)); ret = hx509_cert_get_issuer(c, &issuer); @@ -314,7 +315,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c) free_ExternalPrincipalIdentifier(&id); return ret; } - + ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber); if (ret) { free_IssuerAndSerialNumber(&iasn); @@ -364,7 +365,7 @@ build_auth_pack(krb5_context context, const KDC_REQ_BODY *body, AuthPack *a) { - size_t buf_size, len; + size_t buf_size, len = 0; krb5_error_code ret; void *buf; krb5_timestamp sec; @@ -413,7 +414,7 @@ build_auth_pack(krb5_context context, const char *moduli_file; unsigned long dh_min_bits; krb5_data dhbuf; - size_t size; + size_t size = 0; krb5_data_zero(&dhbuf); @@ -433,7 +434,7 @@ build_auth_pack(krb5_context context, ret = _krb5_parse_moduli(context, moduli_file, &ctx->m); if (ret) return ret; - + ctx->u.dh = DH_new(); if (ctx->u.dh == NULL) { krb5_set_error_message(context, ENOMEM, @@ -483,9 +484,9 @@ build_auth_pack(krb5_context context, &a->clientPublicValue->algorithm.algorithm); if (ret) return ret; - + memset(&dp, 0, sizeof(dp)); - + ret = BN_to_integer(context, dh->p, &dp.p); if (ret) { free_DomainParameters(&dp); @@ -503,14 +504,14 @@ build_auth_pack(krb5_context context, } dp.j = NULL; dp.validationParms = NULL; - + a->clientPublicValue->algorithm.parameters = malloc(sizeof(*a->clientPublicValue->algorithm.parameters)); if (a->clientPublicValue->algorithm.parameters == NULL) { free_DomainParameters(&dp); return ret; } - + ASN1_MALLOC_ENCODE(DomainParameters, a->clientPublicValue->algorithm.parameters->data, a->clientPublicValue->algorithm.parameters->length, @@ -520,11 +521,11 @@ build_auth_pack(krb5_context context, return ret; if (size != a->clientPublicValue->algorithm.parameters->length) krb5_abortx(context, "Internal ASN1 encoder error"); - + ret = BN_to_integer(context, dh->pub_key, &dh_pub_key); if (ret) return ret; - + ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length, &dh_pub_key, &size, ret); der_free_heim_integer(&dh_pub_key); @@ -536,7 +537,7 @@ build_auth_pack(krb5_context context, #ifdef HAVE_OPENSSL ECParameters ecp; unsigned char *p; - int len; + int xlen; /* copy in public key, XXX find the best curve that the server support or use the clients curve if possible */ @@ -551,13 +552,13 @@ build_auth_pack(krb5_context context, free_ECParameters(&ecp); return ENOMEM; } - ASN1_MALLOC_ENCODE(ECParameters, p, len, &ecp, &size, ret); + ASN1_MALLOC_ENCODE(ECParameters, p, xlen, &ecp, &size, ret); free_ECParameters(&ecp); if (ret) return ret; - if (size != len) + if ((int)size != xlen) krb5_abortx(context, "asn1 internal error"); - + a->clientPublicValue->algorithm.parameters->data = p; a->clientPublicValue->algorithm.parameters->length = size; @@ -578,18 +579,18 @@ build_auth_pack(krb5_context context, /* encode onto dhkey */ - len = i2o_ECPublicKey(ctx->u.eckey, NULL); - if (len <= 0) + xlen = i2o_ECPublicKey(ctx->u.eckey, NULL); + if (xlen <= 0) abort(); - dhbuf.data = malloc(len); + dhbuf.data = malloc(xlen); if (dhbuf.data == NULL) abort(); - dhbuf.length = len; + dhbuf.length = xlen; p = dhbuf.data; - len = i2o_ECPublicKey(ctx->u.eckey, &p); - if (len <= 0) + xlen = i2o_ECPublicKey(ctx->u.eckey, &p); + if (xlen <= 0) abort(); /* XXX verify that this is right with RFC3279 */ @@ -601,13 +602,14 @@ build_auth_pack(krb5_context context, a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8; a->clientPublicValue->subjectPublicKey.data = dhbuf.data; } - + { a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes)); if (a->supportedCMSTypes == NULL) return ENOMEM; - ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, NULL, + ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, + ctx->id->cert, &a->supportedCMSTypes->val, &a->supportedCMSTypes->len); if (ret) @@ -648,10 +650,10 @@ pk_mk_padata(krb5_context context, { struct ContentInfo content_info; krb5_error_code ret; - const heim_oid *oid; - size_t size; + const heim_oid *oid = NULL; + size_t size = 0; krb5_data buf, sd_buf; - int pa_type; + int pa_type = -1; krb5_data_zero(&buf); krb5_data_zero(&sd_buf); @@ -698,7 +700,7 @@ pk_mk_padata(krb5_context context, oid = &asn1_oid_id_pkcs7_data; } else if (ctx->type == PKINIT_27) { AuthPack ap; - + memset(&ap, 0, sizeof(ap)); ret = build_auth_pack(context, nonce, ctx, req_body, &ap); @@ -755,7 +757,7 @@ pk_mk_padata(krb5_context context, pa_type = KRB5_PADATA_PK_AS_REQ; memset(&req, 0, sizeof(req)); - req.signedAuthPack = buf; + req.signedAuthPack = buf; if (ctx->trustedCertifiers) { @@ -926,7 +928,7 @@ pk_verify_sign(krb5_context context, ret = ENOMEM; goto out; } - + ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert); if (ret) { pk_copy_error(context, context->hx509ctx, ret, @@ -968,7 +970,7 @@ get_reply_key_win(krb5_context context, return ret; } - if (key_pack.nonce != nonce) { + if ((unsigned)key_pack.nonce != nonce) { krb5_set_error_message(context, ret, N_("PKINIT enckey nonce is wrong", "")); free_ReplyKeyPack_Win2k(&key_pack); @@ -1081,7 +1083,7 @@ pk_verify_host(krb5_context context, } if (ctx->require_krbtgt_otherName) { hx509_octet_string_list list; - int i; + size_t i; ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx, host->cert, @@ -1203,9 +1205,9 @@ pk_rd_pa_reply_enckey(krb5_context context, size_t ph = 1 + der_length_len(content.length); unsigned char *ptr = malloc(content.length + ph); size_t l; - + memcpy(ptr + ph, content.data, content.length); - + ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length, ASN1_C_UNIV, CONS, UT_Sequence, &l); if (ret) @@ -1424,7 +1426,7 @@ pk_rd_pa_reply_dh(krb5_context context, krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } - + dh_gen_keylen = DH_compute_key(dh_gen_key, kdc_dh_pubkey, ctx->u.dh); if (dh_gen_keylen == -1) { ret = KRB5KRB_ERR_GENERIC; @@ -1433,7 +1435,7 @@ pk_rd_pa_reply_dh(krb5_context context, N_("PKINIT: Can't compute Diffie-Hellman key", "")); goto out; } - if (dh_gen_keylen < size) { + if (dh_gen_keylen < (int)size) { size -= dh_gen_keylen; memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen); memset(dh_gen_key, 0, size); @@ -1488,7 +1490,7 @@ pk_rd_pa_reply_dh(krb5_context context, ret = EINVAL; #endif } - + if (dh_gen_keylen <= 0) { ret = EINVAL; krb5_set_error_message(context, ret, @@ -1555,7 +1557,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, PA_PK_AS_REP rep; heim_octet_string os, data; heim_oid oid; - + if (pa->padata_type != KRB5_PADATA_PK_AS_REP) { krb5_set_error_message(context, EINVAL, N_("PKINIT: wrong padata recv", "")); @@ -1585,7 +1587,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, PA_PK_AS_REP_BTMM btmm; free_PA_PK_AS_REP(&rep); memset(&rep, 0, sizeof(rep)); - + _krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key"); ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data, @@ -1661,7 +1663,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, #endif memset(&w2krep, 0, sizeof(w2krep)); - + ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data, pa->padata_value.length, &w2krep, @@ -1674,12 +1676,12 @@ _krb5_pk_rd_pa_reply(krb5_context context, } krb5_clear_error_message(context); - + switch (w2krep.element) { case choice_PA_PK_AS_REP_Win2k_encKeyPack: { heim_octet_string data; heim_oid oid; - + ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack, &oid, &data, NULL); free_PA_PK_AS_REP_Win2k(&w2krep); @@ -1744,7 +1746,7 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter) default: prompt.type = KRB5_PROMPT_TYPE_PASSWORD; break; - } + } ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt); if (ret) { @@ -1780,10 +1782,10 @@ _krb5_pk_set_user_id(krb5_context context, "Allocate query to find signing certificate"); return ret; } - + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); - + if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) { ctx->id->flags |= PKINIT_BTMM; } @@ -1799,7 +1801,7 @@ _krb5_pk_set_user_id(krb5_context context, ret = hx509_cert_get_subject(ctx->id->cert, &name); if (ret) goto out; - + ret = hx509_name_to_string(name, &str); hx509_name_free(&name); if (ret) @@ -1857,7 +1859,7 @@ _krb5_pk_load_id(krb5_context context, krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", "")); return ENOMEM; - } + } if (user_id) { hx509_lock lock; @@ -1867,15 +1869,15 @@ _krb5_pk_load_id(krb5_context context, pk_copy_error(context, context->hx509ctx, ret, "Failed init lock"); goto out; } - + if (password && password[0]) hx509_lock_add_password(lock, password); - + if (prompter) { p.context = context; p.prompter = prompter; p.prompter_data = prompter_data; - + ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p); if (ret) { hx509_lock_free(lock); @@ -2083,7 +2085,7 @@ _krb5_parse_moduli_line(krb5_context context, "bits on line %d", ""), file, lineno); goto out; } - + ret = parse_integer(context, &p, file, lineno, "p", &m1->p); if (ret) goto out; @@ -2249,7 +2251,7 @@ _krb5_parse_moduli(krb5_context context, const char *file, return ENOMEM; } m = m2; - + m[n] = NULL; ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element); @@ -2321,7 +2323,7 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt) break; case USE_RSA: break; - case USE_ECDH: + case USE_ECDH: #ifdef HAVE_OPENSSL if (ctx->u.eckey) EC_KEY_free(ctx->u.eckey); @@ -2457,7 +2459,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, krb5_set_error_message(context, EINVAL, N_("No anonymous pkinit support in RSA mode", "")); return EINVAL; - } + } } return 0; @@ -2484,7 +2486,7 @@ krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context, N_("PKINIT: on pkinit context", "")); return EINVAL; } - + _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs); return 0; @@ -2517,7 +2519,7 @@ get_ms_san(hx509_context context, hx509_cert cert, char **upn) upn, NULL); else ret = 1; - hx509_free_octet_string_list(&list); + hx509_free_octet_string_list(&list); return ret; } @@ -2552,14 +2554,14 @@ krb5_pk_enterprise_cert(krb5_context context, #ifdef PKINIT krb5_error_code ret; hx509_certs certs, result; - hx509_cert cert; + hx509_cert cert = NULL; hx509_query *q; char *name; *principal = NULL; if (res) *res = NULL; - + if (user_id == NULL) { krb5_set_error_message(context, ENOENT, "no user id"); return ENOENT; @@ -2592,7 +2594,7 @@ krb5_pk_enterprise_cert(krb5_context context, "Failed to find PKINIT certificate"); return ret; } - + ret = hx509_get_one_cert(context->hx509ctx, result, &cert); hx509_certs_free(&result); if (ret) { @@ -2617,11 +2619,9 @@ krb5_pk_enterprise_cert(krb5_context context, if (res) { ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res); - if (ret) { - hx509_cert_free(cert); + if (ret) goto out; - } - + ret = hx509_certs_add(context->hx509ctx, *res, cert); if (ret) { hx509_certs_free(res); |