authorAndrew Bartlett <abartlet@samba.org>2006-03-11 04:03:12 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:56:58 -0500
commitb7afac2b834674e20f303c3a03b4ac7bb283695e (patch)
tree4828afb0cf5bc89f0063d3225d0f15cc01cd2012 /source4/heimdal/lib/krb5
parent64b619cefe99c833297f2a635db06bd186843481 (diff)
r14198: Update Samba4 to current lorikeet-heimdal.
Andrew Bartlett (This used to be commit 97a0a0e2fa6784e5fc5278f7a15b385ddcb6a3b3)
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/crypto.c146
-rw-r--r--source4/heimdal/lib/krb5/error_string.c25
-rw-r--r--source4/heimdal/lib/krb5/get_cred.c5
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c25
-rw-r--r--source4/heimdal/lib/krb5/init_creds.c5
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h16
-rw-r--r--source4/heimdal/lib/krb5/krb5-protos.h14
-rw-r--r--source4/heimdal/lib/krb5/krb5_err.et37
-rw-r--r--source4/heimdal/lib/krb5/krb5_locl.h28
-rw-r--r--source4/heimdal/lib/krb5/mk_priv.c8
-rwxr-xr-xsource4/heimdal/lib/krb5/pkinit.c109
11 files changed, 168 insertions, 250 deletions
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index de40b059b8..3cfc780eb4 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$Id: crypto.c,v 1.130 2005/12/02 14:47:44 lha Exp $");
+RCSID("$Id: crypto.c,v 1.132 2006/02/28 14:52:57 lha Exp $");
#undef CRYPTO_DEBUG
#ifdef CRYPTO_DEBUG
@@ -591,114 +591,6 @@ ARCFOUR_string_to_key(krb5_context context,
* AES
*/
-/* iter is really 1 based, so iter == 0 will be 1 iteration */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype,
- krb5_data password, krb5_salt salt, u_int32_t iter,
- krb5_keytype type, krb5_keyblock *key)
-{
- struct checksum_type *c = _find_checksum(cktype);
- struct key_type *kt;
- size_t datalen, leftofkey;
- krb5_error_code ret;
- u_int32_t keypart;
- struct key_data ksign;
- krb5_keyblock kb;
- Checksum result;
- char *data, *tmpcksum;
- int i, j;
- char *p;
-
- if (c == NULL) {
- krb5_set_error_string(context, "checksum %d not supported", cktype);
- return KRB5_PROG_KEYTYPE_NOSUPP;
- }
-
- kt = _find_keytype(type);
- if (kt == NULL) {
- krb5_set_error_string(context, "key type %d not supported", type);
- return KRB5_PROG_KEYTYPE_NOSUPP;
- }
-
- key->keytype = type;
- ret = krb5_data_alloc (&key->keyvalue, kt->bits / 8);
- if (ret) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ret;
- }
-
- ret = krb5_data_alloc (&result.checksum, c->checksumsize);
- if (ret) {
- krb5_set_error_string(context, "malloc: out of memory");
- krb5_data_free (&key->keyvalue);
- return ret;
- }
-
- tmpcksum = malloc(c->checksumsize);
- if (tmpcksum == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- krb5_data_free (&key->keyvalue);
- krb5_data_free (&result.checksum);
- return ENOMEM;
- }
-
- datalen = salt.saltvalue.length + 4;
- data = malloc(datalen);
- if (data == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- free(tmpcksum);
- krb5_data_free (&key->keyvalue);
- krb5_data_free (&result.checksum);
- return ENOMEM;
- }
-
- kb.keyvalue = password;
- ksign.key = &kb;
-
- memcpy(data, salt.saltvalue.data, salt.saltvalue.length);
-
- keypart = 1;
- leftofkey = key->keyvalue.length;
- p = key->keyvalue.data;
-
- while (leftofkey) {
- int len;
-
- if (leftofkey > c->checksumsize)
- len = c->checksumsize;
- else
- len = leftofkey;
-
- _krb5_put_int(data + datalen - 4, keypart, 4);
-
- ret = hmac(context, c, data, datalen, 0, &ksign, &result);
- if (ret)
- krb5_abortx(context, "hmac failed");
- memcpy(p, result.checksum.data, len);
- memcpy(tmpcksum, result.checksum.data, result.checksum.length);
- for (i = 0; i < iter; i++) {
- ret = hmac(context, c, tmpcksum, result.checksum.length,
- 0, &ksign, &result);
- if (ret)
- krb5_abortx(context, "hmac failed");
- memcpy(tmpcksum, result.checksum.data, result.checksum.length);
- for (j = 0; j < len; j++)
- p[j] ^= tmpcksum[j];
- }
-
- p += len;
- leftofkey -= len;
- keypart++;
- }
-
- free(data);
- free(tmpcksum);
- krb5_data_free (&result.checksum);
-
- return 0;
-}
-
int _krb5_AES_string_to_default_iterator = 4096;
static krb5_error_code
@@ -715,33 +607,44 @@ AES_string_to_key(krb5_context context,
struct key_data kd;
if (opaque.length == 0)
- iter = _krb5_AES_string_to_default_iterator - 1;
+ iter = _krb5_AES_string_to_default_iterator;
else if (opaque.length == 4) {
unsigned long v;
_krb5_get_int(opaque.data, &v, 4);
- iter = ((u_int32_t)v) - 1;
+ iter = ((u_int32_t)v);
} else
return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */
-
et = _find_enctype(enctype);
if (et == NULL)
return KRB5_PROG_KEYTYPE_NOSUPP;
- ret = _krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt,
- iter, enctype, key);
- if (ret)
+ key->keytype = enctype;
+ ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
+ if (ret) {
+ krb5_set_error_string(context, "Failed to allocate pkcs5 key");
return ret;
-
+ }
ret = krb5_copy_keyblock(context, key, &kd.key);
+ if (ret) {
+ krb5_free_keyblock(context, key);
+ return ret;
+ }
+
+ ret = PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length,
+ salt.saltvalue.data, salt.saltvalue.length,
+ iter,
+ et->keytype->size, kd.key->keyvalue.data);
kd.schedule = NULL;
+ if (ret != 1) {
+ krb5_set_error_string(context, "Error calculating s2k");
+ return KRB5_PROG_KEYTYPE_NOSUPP;
+ }
ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos"));
- krb5_free_keyblock_contents(context, key);
- if (ret == 0) {
+ if (ret == 0)
ret = krb5_copy_keyblock_contents(context, kd.key, key);
- free_key_data(context, &kd);
- }
+ free_key_data(context, &kd);
return ret;
}
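Review bot: The new error handling in AES_string_to_key leaks password-derived key material: when `PKCS5_PBKDF2_HMAC_SHA1` returns something other than 1 the function returns with `key->keyvalue` and the `kd.key` copy still allocated, and the `krb5_free_keyblock_contents(context, key)` that used to precede the copy-back is gone, so on success `krb5_copy_keyblock_contents` presumably allocates fresh storage over the buffer allocated at the top of the hunk, and on `derive_key` failure the caller is handed an allocated but uninitialized `key->keyvalue`. Add `free_key_data(context, &kd); krb5_free_keyblock_contents(context, key);` before the `return KRB5_PROG_KEYTYPE_NOSUPP;`, and restore `krb5_free_keyblock_contents(context, key);` between the `derive_key` call and `if (ret == 0)`. Since these buffers hold a PBKDF2 output and its derived key, leaving them around is a disclosure concern as well as a memory one. The dropped `- 1` on `iter` is correct because OpenSSL takes the 1-based count directly, but a comment such as `/* iteration count is 1-based, as PKCS5_PBKDF2_HMAC_SHA1 expects */` would stop the adjustment from being reintroduced. AES_string_to_key's signature and local declarations start above this hunk.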
@@ -3789,7 +3692,8 @@ krb5_generate_random_block(void *buf, size_t len)
rng_initialized = 1;
}
HEIMDAL_MUTEX_unlock(&crypto_mutex);
- RAND_bytes(buf, len);
+ if (RAND_bytes(buf, len) != 1)
+ krb5_abortx(NULL, "Failed to generate random block");
}
#else
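Review bot: Aborting when `RAND_bytes` fails is the right choice for a void function that cannot report failure, since continuing would hand callers a buffer of stale or zero bytes as key or nonce material, but the reason should be recorded next to the call, e.g. `/* no error return available; emitting non-random bytes as key material would be worse than aborting */`. `krb5_abortx` is passed a NULL context here; if it dereferences the context for logging or error-string lookup, confirm that path tolerates NULL.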
diff --git a/source4/heimdal/lib/krb5/error_string.c b/source4/heimdal/lib/krb5/error_string.c
index 649bdd20fd..b672fe74f9 100644
--- a/source4/heimdal/lib/krb5/error_string.c
+++ b/source4/heimdal/lib/krb5/error_string.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 2001, 2003, 2005 - 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: error_string.c,v 1.3 2004/05/25 21:23:55 lha Exp $");
+RCSID("$Id: error_string.c,v 1.7 2006/02/16 07:49:23 lha Exp $");
#undef __attribute__
#define __attribute__(X)
@@ -107,3 +107,24 @@ krb5_have_error_string(krb5_context context)
HEIMDAL_MUTEX_unlock(context->mutex);
return str != NULL;
}
+
+char * KRB5_LIB_FUNCTION
+krb5_get_error_message(krb5_context context, krb5_error_code code)
+{
+ const char *cstr;
+ char *str;
+
+ str = krb5_get_error_string(context);
+ if (str)
+ return str;
+
+ cstr = krb5_get_err_text(context, code);
+ if (cstr)
+ return strdup(cstr);
+
+ if (asprintf(&str, "<unknown error: %d>", code) == -1)
+ return NULL;
+
+ return str;
+}
+
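Review bot: `krb5_get_error_message` needs a header comment stating ownership and the fallback order: every path returns heap memory (what appears to be a copy from `krb5_get_error_string`, a `strdup`, or `asprintf` output) that the caller must `free()`, and NULL means allocation failure rather than "no message". It should also state that when a context error string is set, `code` is ignored, so a stale string left by an earlier, unrelated failure will be returned for this `code`; callers that care should clear the context string before the call they want to report. Suggested header: `/* Return a malloc()ed message for `code`: the context error string if one is set, else the com_err text for `code`, else "<unknown error: N>". Caller frees. NULL on allocation failure. */`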
diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index 7043b8ae51..1fa3f9143e 100644
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: get_cred.c,v 1.108 2005/07/13 07:38:02 lha Exp $");
+RCSID("$Id: get_cred.c,v 1.109 2006/02/03 11:41:02 lha Exp $");
/*
* Take the `body' and encode it into `padata' using the credentials
@@ -772,7 +772,8 @@ get_cred_from_kdc_flags(krb5_context context,
krb5_boolean noaddr;
krb5_appdefault_boolean(context, NULL, tgt->server->realm,
- "no-addresses", FALSE, &noaddr);
+ "no-addresses", KRB5_ADDRESSLESS_DEFAULT,
+ &noaddr);
if (noaddr)
ret = get_cred_kdc (context, ccache, flags, NULL,
in_creds, tgt, *out_creds);
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index be5c1db47d..aa7c62befc 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: get_for_creds.c,v 1.46 2005/11/28 20:43:02 lha Exp $");
+RCSID("$Id: get_for_creds.c,v 1.47 2006/02/03 11:37:29 lha Exp $");
static krb5_error_code
add_addrs(krb5_context context,
@@ -284,21 +284,14 @@ krb5_get_forwarded_creds (krb5_context context,
enc_krb_cred_part.usec = NULL;
}
- if (auth_context->local_address && auth_context->local_port) {
- krb5_boolean noaddr;
- krb5_const_realm srealm;
-
- srealm = krb5_principal_get_realm(context, out_creds->server);
- krb5_appdefault_boolean(context, NULL, srealm, "no-addresses",
- paddrs == NULL, &noaddr);
- if (!noaddr) {
- ret = krb5_make_addrport (context,
- &enc_krb_cred_part.s_address,
- auth_context->local_address,
- auth_context->local_port);
- if (ret)
- goto out4;
- }
+ if (auth_context->local_address && auth_context->local_port && paddrs) {
+
+ ret = krb5_make_addrport (context,
+ &enc_krb_cred_part.s_address,
+ auth_context->local_address,
+ auth_context->local_port);
+ if (ret)
+ goto out4;
}
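Review bot: The new condition drops the per-realm `no-addresses` appdefault lookup entirely, so the sender address in the forwarded KRB-CRED now depends only on whether the caller passed `paddrs`; if that is intended, say so inline, e.g. `/* s_address is included only when the caller supplied addresses; the krb5.conf no-addresses setting is not consulted here */`. Callers that previously relied on krb5.conf to obtain addressless forwarded credentials while passing a non-NULL `paddrs` will now get address-bound credentials, which fails in ways that are hard to diagnose remotely, so the callers should be checked before this lands. The enclosing `krb5_get_forwarded_creds` starts and ends outside this hunk.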
if (auth_context->remote_address) {
diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c
index 51b8ebc392..316c2f02eb 100644
--- a/source4/heimdal/lib/krb5/init_creds.c
+++ b/source4/heimdal/lib/krb5/init_creds.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: init_creds.c,v 1.21 2005/10/12 12:45:27 lha Exp $");
+RCSID("$Id: init_creds.c,v 1.22 2006/02/03 11:42:31 lha Exp $");
void KRB5_LIB_FUNCTION
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
@@ -191,7 +191,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
if(t != 0)
krb5_get_init_creds_opt_set_renew_life(opt, t);
- krb5_appdefault_boolean(context, appname, realm, "no-addresses", FALSE, &b);
+ krb5_appdefault_boolean(context, appname, realm, "no-addresses",
+ KRB5_ADDRESSLESS_DEFAULT, &b);
if (b)
krb5_get_init_creds_opt_set_address_list (opt, &no_addrs);
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index c308287a36..8d9b3c62ac 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -12,19 +12,6 @@
#endif
#endif
-struct krb5_dh_moduli;
-struct _krb5_krb_auth_data;
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_PKCS5_PBKDF2 (
- krb5_context /*context*/,
- krb5_cksumtype /*cktype*/,
- krb5_data /*password*/,
- krb5_salt /*salt*/,
- u_int32_t /*iter*/,
- krb5_keytype /*type*/,
- krb5_keyblock */*key*/);
-
void KRB5_LIB_FUNCTION
_krb5_aes_cts_encrypt (
const unsigned char */*in*/,
@@ -92,6 +79,9 @@ _krb5_find_type_in_ad (
void
_krb5_free_krbhst_info (krb5_krbhst_info */*hi*/);
+void
+_krb5_free_moduli (struct krb5_dh_moduli **/*moduli*/);
+
krb5_error_code
_krb5_get_default_principal_local (
krb5_context /*context*/,
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index c08d8058a4..d7e74621ef 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -20,15 +20,6 @@ extern "C" {
#endif
#endif
-void
-initialize_heim_error_table_r (struct et_list **/*list*/);
-
-void
-initialize_k524_error_table_r (struct et_list **/*list*/);
-
-void
-initialize_krb5_error_table_r (struct et_list **/*list*/);
-
krb5_error_code KRB5_LIB_FUNCTION
krb524_convert_creds_kdc (
krb5_context /*context*/,
@@ -1689,6 +1680,11 @@ krb5_get_err_text (
krb5_error_code /*code*/);
char * KRB5_LIB_FUNCTION
+krb5_get_error_message (
+ krb5_context /*context*/,
+ krb5_error_code /*code*/);
+
+char * KRB5_LIB_FUNCTION
krb5_get_error_string (krb5_context /*context*/);
krb5_error_code KRB5_LIB_FUNCTION
diff --git a/source4/heimdal/lib/krb5/krb5_err.et b/source4/heimdal/lib/krb5/krb5_err.et
index 1257b074fb..e7bada1808 100644
--- a/source4/heimdal/lib/krb5/krb5_err.et
+++ b/source4/heimdal/lib/krb5/krb5_err.et
@@ -3,7 +3,7 @@
#
# This might look like a com_err file, but is not
#
-id "$Id: krb5_err.et,v 1.12 2004/10/14 15:30:29 lha Exp $"
+id "$Id: krb5_err.et,v 1.14 2006/02/13 11:28:22 lha Exp $"
error_table krb5
@@ -74,35 +74,36 @@ prefix KRB5_KDC_ERR
error_code CLIENT_NOT_TRUSTED, "Client not trusted"
error_code KDC_NOT_TRUSTED, "KDC not trusted"
error_code INVALID_SIG, "Invalid signature"
-error_code KEY_SIZE, "Key size too small/key too weak"
-error_code CERTIFICATE_MISMATCH, "Certificate mismatch"
+error_code DH_KEY_PARAMETERS_NOT_ACCEPTED, "DH parameters not accepted"
+index 69
prefix KRB5_AP_ERR
error_code USER_TO_USER_REQUIRED, "User to user required"
index 70
-prefix KRB5_KDC_ERROR
+prefix KRB5_KDC_ERR
error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate"
-error_code INVALID_CERTIFICATE, "Invalid certificate"
-error_code REVOKED_CERTIFICATE, "Revoked certificate"
+error_code INVALID_CERTIFICATE, "Certificate invalid"
+error_code REVOKED_CERTIFICATE, "Certificate revoked"
error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown"
-error_code REVOCATION_STATUS_UNAVAILABLE, "Revocation status unknown"
-error_code CLIENT_NAME_MISMATCH, "Client name mismatch"
-index 75
-error_code KDC_NAME_MISMATCH, "KDC name mismatch"
-
-# 76-79 are reserved
-
-index 80
-prefix KRB5_IAKERB
-error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC"
-error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC"
+error_code CLIENT_NAME_MISMATCH, "Revocation status unknown"
+error_code INCONSISTENT_KEY_PURPOSE, "Inconsistent key purpose"
+error_code DIGEST_IN_CERT_NOT_ACCEPTED, "Digest in certificate not accepted"
+error_code PA_CHECKSUM_MUST_BE_INCLUDED, "paChecksum must be included"
+error_code DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED, "Digest in signedData not accepted"
+error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not supported"
+
+## these are never used
+#index 80
+#prefix KRB5_IAKERB
+#error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC"
+#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC"
# 82-127 are reserved
index 128
prefix
-error_code KRB5_ERR_RCSID, "$Id: krb5_err.et,v 1.12 2004/10/14 15:30:29 lha Exp $"
+error_code KRB5_ERR_RCSID, "$Id: krb5_err.et,v 1.14 2006/02/13 11:28:22 lha Exp $"
error_code KRB5_LIBOS_BADLOCKFLAG, "Invalid flag for file lock mode"
error_code KRB5_LIBOS_CANTREADPWD, "Cannot read password"
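Review bot: The new `CLIENT_NAME_MISMATCH` entry carries the message "Revocation status unknown", evidently copied from the line above; it should read `error_code CLIENT_NAME_MISMATCH, "Client name mismatch"`, otherwise a PKINIT client-name mismatch is reported as a revocation problem and misdirects whoever is debugging it. Removing `KEY_SIZE` and `CERTIFICATE_MISMATCH` and changing the prefix from `KRB5_KDC_ERROR` to `KRB5_KDC_ERR` alters generated identifiers, so any remaining users of the old names elsewhere in the tree (not visible here) will no longer build. The "reeived" typo survives only in the now-commented IAKERB lines and is harmless.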
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index 60d72c8f80..92dd3271f5 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5_locl.h,v 1.84 2005/12/13 15:40:50 lha Exp $ */
+/* $Id: krb5_locl.h,v 1.87 2006/02/09 11:36:27 lha Exp $ */
#ifndef __KRB5_LOCL_H__
#define __KRB5_LOCL_H__
@@ -170,14 +170,6 @@ struct _krb5_krb_auth_data;
#define KRB5_BUFSIZ 1024
-#ifndef KRB5_DEFAULT_CCNAME
-#ifdef __APPLE__
-#define KRB5_DEFAULT_CCNAME "API:"
-#else
-#define KRB5_DEFAULT_CCNAME "FILE:/tmp/krb5cc_%{uid}"
-#endif
-#endif
-
typedef enum {
KRB5_PA_PAC_DONT_CARE = 0,
KRB5_PA_PAC_REQ_TRUE,
@@ -196,4 +188,20 @@ struct _krb5_get_init_creds_opt_private {
int canonicalize;
};
+/*
+ * Configurable options
+ */
+
+#ifndef KRB5_DEFAULT_CCNAME
+#ifdef __APPLE__
+#define KRB5_DEFAULT_CCNAME "API:"
+#else
+#define KRB5_DEFAULT_CCNAME "FILE:/tmp/krb5cc_%{uid}"
+#endif
+#endif
+
+#ifndef KRB5_ADDRESSLESS_DEFAULT
+#define KRB5_ADDRESSLESS_DEFAULT FALSE
+#endif
+
#endif /* __KRB5_LOCL_H__ */
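Review bot: `KRB5_ADDRESSLESS_DEFAULT` decides what the library does when krb5.conf has no `no-addresses` entry, which is a security trade-off that deserves a comment at the definition: address-bound tickets are a weak replay restriction that breaks behind NAT and on multi-homed hosts, while addressless tickets can be used from any host that obtains them. Suggested: `/* Default for the "no-addresses" appdefault when krb5.conf is silent. FALSE requests address-bound tickets; a build may override at compile time. Addressless tickets trade NAT/multihoming compatibility for weaker replay protection. */` Since the default stays FALSE, this commit does not change behaviour by itself.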
diff --git a/source4/heimdal/lib/krb5/mk_priv.c b/source4/heimdal/lib/krb5/mk_priv.c
index 56112eea8c..b5a1aadfea 100644
--- a/source4/heimdal/lib/krb5/mk_priv.c
+++ b/source4/heimdal/lib/krb5/mk_priv.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: mk_priv.c,v 1.34 2004/05/25 21:33:32 lha Exp $");
+RCSID("$Id: mk_priv.c,v 1.35 2006/02/01 12:39:26 lha Exp $");
krb5_error_code KRB5_LIB_FUNCTION
@@ -129,9 +129,11 @@ krb5_mk_priv(krb5_context context,
ASN1_MALLOC_ENCODE(KRB_PRIV, buf, buf_size, &s, &len, ret);
-
- if(ret)
+ if (ret)
goto fail;
+ if (buf_size != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+
krb5_data_free (&s.enc_part.cipher);
ret = krb5_data_copy(outbuf, buf + buf_size - len, len);
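Review bot: Once `buf_size != len` aborts, the `buf + buf_size - len` offset on the following line is always `buf`, so the copy can be written as `ret = krb5_data_copy(outbuf, buf, len);` to make the asserted invariant visible instead of leaving a dead offset computation. Aborting on an ASN.1 encoder length mismatch, rather than copying from a mis-computed pointer, is the right call for what can only be an encoder bug. `krb5_mk_priv` starts and ends outside this hunk.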
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 0c5dfc44e9..1247bb22ca 100755
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,15 @@
#include "krb5_locl.h"
-RCSID("$Id: pkinit.c,v 1.75 2005/10/21 17:18:38 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.77 2006/02/14 10:08:29 lha Exp $");
+
+struct krb5_dh_moduli {
+ char *name;
+ unsigned long bits;
+ heim_integer p;
+ heim_integer g;
+ heim_integer q;
+};
#ifdef PKINIT
@@ -104,14 +112,6 @@ struct krb5_pk_cert {
X509 *cert;
};
-struct krb5_dh_moduli {
- char *name;
- unsigned long bits;
- heim_integer p;
- heim_integer g;
- heim_integer q;
-};
-
struct krb5_pk_init_ctx_data {
struct krb5_pk_identity *id;
DH *dh;
@@ -505,7 +505,13 @@ build_auth_pack(krb5_context context,
if (ret)
return ret;
- ret = krb5_data_copy(&a->pkAuthenticator.paChecksum,
+ ALLOC(a->pkAuthenticator.paChecksum, 1);
+ if (a->pkAuthenticator.paChecksum == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ return ENOMEM;
+ }
+
+ ret = krb5_data_copy(a->pkAuthenticator.paChecksum,
checksum.checksum.data, checksum.checksum.length);
free_Checksum(&checksum);
if (ret)
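Review bot: The new `ALLOC` failure path returns ENOMEM without calling `free_Checksum(&checksum)`, although `checksum` appears to have been filled by the preceding call (the success path releases it three lines later); add `free_Checksum(&checksum);` before `return ENOMEM;`. If `krb5_data_copy` fails, the freshly allocated `paChecksum` is presumably released together with the AuthPack by the caller, which is worth confirming since that cleanup is outside this hunk. `build_auth_pack` starts and ends outside this hunk.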
@@ -984,11 +990,9 @@ pk_verify_chain_standard(krb5_context context,
* Since X509_verify_cert() doesn't do CRL checking at all, we have to
* perform own verification against CRLs
*/
-#if 0
- ret = pk_verify_crl(context, store_ctx, id->crls);
- if (ret)
- goto end;
-#endif
+ /*
+ * XXX add crl checking
+ */
if (client_cert && cert)
*client_cert = X509_dup(cert);
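Review bot: Replacing the disabled `pk_verify_crl` call with an `XXX` comment leaves PKINIT chains verified with no revocation check at all, so a revoked client or KDC certificate is accepted as long as it chains to a trusted CA; that should be flagged more loudly than `XXX`, e.g. `/* SECURITY: no CRL or OCSP check is performed here; revoked certificates are accepted. */`. If the X509_STORE behind `store_ctx` still receives the CRLs from `id->crls`, setting `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` on it would let `X509_verify_cert` do the check, but the store setup is outside this hunk and needs confirming. `pk_verify_chain_standard` starts and ends outside this hunk.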
@@ -2429,6 +2433,31 @@ _krb5_pk_load_openssl_id(krb5_context context,
return ret;
}
+static krb5_error_code
+select_dh_group(krb5_context context, DH *dh, unsigned long bits,
+ struct krb5_dh_moduli **moduli)
+{
+ const struct krb5_dh_moduli *m;
+
+ m = moduli[1]; /* XXX */
+ if (m == NULL)
+ m = moduli[0]; /* XXX */
+
+ dh->p = integer_to_BN(context, "p", &m->p);
+ if (dh->p == NULL)
+ return ENOMEM;
+ dh->g = integer_to_BN(context, "g", &m->g);
+ if (dh->g == NULL)
+ return ENOMEM;
+ dh->q = integer_to_BN(context, "q", &m->q);
+ if (dh->q == NULL)
+ return ENOMEM;
+
+ return 0;
+}
+
+#endif /* PKINIT */
+
static int
parse_integer(krb5_context context, char **p, const char *file, int lineno,
const char *name, heim_integer *integer)
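Review bot: `select_dh_group` ignores its `bits` argument and blindly takes `moduli[1]` (falling back to `moduli[0]`), as its two `XXX` marks admit, so the requested strength never influences which DH group is proposed, and it would dereference NULL if the array were empty. Choosing the first configured group whose `bits` meets the request and failing with `KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED` when none does makes the strength requirement effective; with `bits == 0` this prefers the built-in entry at index 0 over the first file entry, so check what callers pass before adopting it. The `#endif /* PKINIT */` moved here now compiles the moduli parsing below unconditionally, presumably deliberately since `_krb5_free_moduli` is being exported; a one-line comment at the `#endif` saying so would help.
```c
static krb5_error_code
select_dh_group(krb5_context context, DH *dh, unsigned long bits,
		struct krb5_dh_moduli **moduli)
{
    const struct krb5_dh_moduli *m = NULL;
    int i;

    /* first configured group that meets the requested strength */
    for (i = 0; moduli[i] != NULL; i++) {
	if (moduli[i]->bits >= bits) {
	    m = moduli[i];
	    break;
	}
    }
    if (m == NULL) {
	krb5_set_error_string(context,
			      "PKINIT: no DH group of at least %lu bits configured",
			      bits);
	return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
    }

    /* … unchanged: integer_to_BN conversion of p, g and q into dh … */
```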
@@ -2526,7 +2555,7 @@ out:
return ret;
}
-static void
+void
_krb5_free_moduli(struct krb5_dh_moduli **moduli)
{
int i;
@@ -2541,8 +2570,9 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli)
}
static const char *default_moduli =
- /* bits */
+ /* name */
"RFC2412-MODP-group2 "
+ /* bits */
"1024 "
/* p */
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
@@ -2566,7 +2596,7 @@ krb5_error_code
_krb5_parse_moduli(krb5_context context, const char *file,
struct krb5_dh_moduli ***moduli)
{
- /* comment bits P G Q */
+ /* name bits P G Q */
krb5_error_code ret;
struct krb5_dh_moduli **m = NULL, **m2;
char buf[4096];
@@ -2589,10 +2619,8 @@ _krb5_parse_moduli(krb5_context context, const char *file,
}
n = 1;
- if (file == NULL) {
- *moduli = m;
- return 0;
- }
+ if (file == NULL)
+ file = MODULI_FILE;
f = fopen(file, "r");
if (f == NULL) {
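Review bot: A NULL `file` now means "open MODULI_FILE" rather than "built-in group only", so a host without the compiled-in moduli file reaches the `fopen` failure branch; that branch continues outside this hunk, and if it returns an error, PKINIT stops working on such hosts even though the default group at index 0 is already in place. I would make a missing default file non-fatal, e.g. record `int from_config = (file != NULL);` before the substitution and then `if (f == NULL && !from_config) { *moduli = m; return 0; }`, and document the precedence in the header comment: built-in group first, then entries from the file. The caller change later in this diff, where `krb5_config_get_string` passes NULL when `libdefaults/moduli` is unset, relies on this default.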
@@ -2646,7 +2674,7 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits,
for (i = 0; moduli[i] != NULL; i++) {
if (heim_integer_cmp(&moduli[i]->g, g) == 0 &&
heim_integer_cmp(&moduli[i]->p, p) == 0 &&
- heim_integer_cmp(&moduli[i]->q, q) == 0)
+ (q == NULL || heim_integer_cmp(&moduli[i]->q, q) == 0))
{
if (bits && bits > moduli[i]->bits) {
krb5_set_error_string(context, "PKINIT: DH group parameter %s "
@@ -2663,32 +2691,6 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits,
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
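Review bot: The relaxed match `(q == NULL || ...)` accepts a peer group that omits q, which is reasonable only because p and g must still equal a configured group whose q is known locally; a comment should record that reasoning, e.g. `/* q may be absent on the wire; p and g alone already pin the peer to a configured group, whose own q applies */`. Where the local q is then used is outside this hunk, so confirm nothing downstream dereferences the peer's NULL q. The head of `_krb5_dh_group_ok` and its final `return` are outside this hunk.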
-static krb5_error_code
-select_dh_group(krb5_context context, DH *dh, unsigned long bits,
- struct krb5_dh_moduli **moduli)
-{
- const struct krb5_dh_moduli *m;
-
- m = moduli[1]; /* XXX */
- if (m == NULL)
- m = moduli[0]; /* XXX */
-
- dh->p = integer_to_BN(context, "p", &m->p);
- if (dh->p == NULL)
- return ENOMEM;
- dh->g = integer_to_BN(context, "g", &m->g);
- if (dh->g == NULL)
- return ENOMEM;
- dh->q = integer_to_BN(context, "q", &m->q);
- if (dh->q == NULL)
- return ENOMEM;
-
- return 0;
-}
-
-
-#endif /* PKINIT */
-
void KRB5_LIB_FUNCTION
_krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
{
@@ -2772,11 +2774,10 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
if ((flags & 2) == 0) {
const char *moduli_file;
- moduli_file = krb5_config_get_string_default(context, NULL,
- MODULI_FILE,
- "libdefaults",
- "moduli",
- NULL);
+ moduli_file = krb5_config_get_string(context, NULL,
+ "libdefaults",
+ "moduli",
+ NULL);
ret = _krb5_parse_moduli(context, moduli_file,
&opt->opt_private->pk_init_ctx->m);