diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-03-11 04:03:12 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:56:58 -0500 |
commit | b7afac2b834674e20f303c3a03b4ac7bb283695e (patch) | |
tree | 4828afb0cf5bc89f0063d3225d0f15cc01cd2012 /source4/heimdal/lib/krb5 | |
parent | 64b619cefe99c833297f2a635db06bd186843481 (diff) | |
download | samba-b7afac2b834674e20f303c3a03b4ac7bb283695e.tar.gz samba-b7afac2b834674e20f303c3a03b4ac7bb283695e.tar.bz2 samba-b7afac2b834674e20f303c3a03b4ac7bb283695e.zip |
r14198: Update Samba4 to current lorikeet-heimdal.
Andrew Bartlett
(This used to be commit 97a0a0e2fa6784e5fc5278f7a15b385ddcb6a3b3)
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r-- | source4/heimdal/lib/krb5/crypto.c | 146 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/error_string.c | 25 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/get_cred.c | 5 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/get_for_creds.c | 25 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/init_creds.c | 5 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5-private.h | 16 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5-protos.h | 14 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5_err.et | 37 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5_locl.h | 28 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/mk_priv.c | 8 | ||||
-rwxr-xr-x | source4/heimdal/lib/krb5/pkinit.c | 109 |
11 files changed, 168 insertions, 250 deletions
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c index de40b059b8..3cfc780eb4 100644 --- a/source4/heimdal/lib/krb5/crypto.c +++ b/source4/heimdal/lib/krb5/crypto.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$Id: crypto.c,v 1.130 2005/12/02 14:47:44 lha Exp $"); +RCSID("$Id: crypto.c,v 1.132 2006/02/28 14:52:57 lha Exp $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -591,114 +591,6 @@ ARCFOUR_string_to_key(krb5_context context, * AES */ -/* iter is really 1 based, so iter == 0 will be 1 iteration */ - -krb5_error_code KRB5_LIB_FUNCTION -_krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, - krb5_data password, krb5_salt salt, u_int32_t iter, - krb5_keytype type, krb5_keyblock *key) -{ - struct checksum_type *c = _find_checksum(cktype); - struct key_type *kt; - size_t datalen, leftofkey; - krb5_error_code ret; - u_int32_t keypart; - struct key_data ksign; - krb5_keyblock kb; - Checksum result; - char *data, *tmpcksum; - int i, j; - char *p; - - if (c == NULL) { - krb5_set_error_string(context, "checksum %d not supported", cktype); - return KRB5_PROG_KEYTYPE_NOSUPP; - } - - kt = _find_keytype(type); - if (kt == NULL) { - krb5_set_error_string(context, "key type %d not supported", type); - return KRB5_PROG_KEYTYPE_NOSUPP; - } - - key->keytype = type; - ret = krb5_data_alloc (&key->keyvalue, kt->bits / 8); - if (ret) { - krb5_set_error_string(context, "malloc: out of memory"); - return ret; - } - - ret = krb5_data_alloc (&result.checksum, c->checksumsize); - if (ret) { - krb5_set_error_string(context, "malloc: out of memory"); - krb5_data_free (&key->keyvalue); - return ret; - } - - tmpcksum = malloc(c->checksumsize); - if (tmpcksum == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - krb5_data_free (&key->keyvalue); - krb5_data_free (&result.checksum); - return ENOMEM; - } - - datalen = salt.saltvalue.length + 4; - data = malloc(datalen); - if (data == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - free(tmpcksum); - krb5_data_free (&key->keyvalue); - krb5_data_free (&result.checksum); - return ENOMEM; - } - - kb.keyvalue = password; - ksign.key = &kb; - - memcpy(data, salt.saltvalue.data, salt.saltvalue.length); - - keypart = 1; - leftofkey = key->keyvalue.length; - p = key->keyvalue.data; - - while (leftofkey) { - int len; - - if (leftofkey > c->checksumsize) - len = c->checksumsize; - else - len = leftofkey; - - _krb5_put_int(data + datalen - 4, keypart, 4); - - ret = hmac(context, c, data, datalen, 0, &ksign, &result); - if (ret) - krb5_abortx(context, "hmac failed"); - memcpy(p, result.checksum.data, len); - memcpy(tmpcksum, result.checksum.data, result.checksum.length); - for (i = 0; i < iter; i++) { - ret = hmac(context, c, tmpcksum, result.checksum.length, - 0, &ksign, &result); - if (ret) - krb5_abortx(context, "hmac failed"); - memcpy(tmpcksum, result.checksum.data, result.checksum.length); - for (j = 0; j < len; j++) - p[j] ^= tmpcksum[j]; - } - - p += len; - leftofkey -= len; - keypart++; - } - - free(data); - free(tmpcksum); - krb5_data_free (&result.checksum); - - return 0; -} - int _krb5_AES_string_to_default_iterator = 4096; static krb5_error_code @@ -715,33 +607,44 @@ AES_string_to_key(krb5_context context, struct key_data kd; if (opaque.length == 0) - iter = _krb5_AES_string_to_default_iterator - 1; + iter = _krb5_AES_string_to_default_iterator; else if (opaque.length == 4) { unsigned long v; _krb5_get_int(opaque.data, &v, 4); - iter = ((u_int32_t)v) - 1; + iter = ((u_int32_t)v); } else return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */ - et = _find_enctype(enctype); if (et == NULL) return KRB5_PROG_KEYTYPE_NOSUPP; - ret = _krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, - iter, enctype, key); - if (ret) + key->keytype = enctype; + ret = krb5_data_alloc(&key->keyvalue, et->keytype->size); + if (ret) { + krb5_set_error_string(context, "Failed to allocate pkcs5 key"); return ret; - + } ret = krb5_copy_keyblock(context, key, &kd.key); + if (ret) { + krb5_free_keyblock(context, key); + return ret; + } + + ret = PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length, + salt.saltvalue.data, salt.saltvalue.length, + iter, + et->keytype->size, kd.key->keyvalue.data); kd.schedule = NULL; + if (ret != 1) { + krb5_set_error_string(context, "Error calculating s2k"); + return KRB5_PROG_KEYTYPE_NOSUPP; + } ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos")); - krb5_free_keyblock_contents(context, key); - if (ret == 0) { + if (ret == 0) ret = krb5_copy_keyblock_contents(context, kd.key, key); - free_key_data(context, &kd); - } + free_key_data(context, &kd); return ret; } @@ -3789,7 +3692,8 @@ krb5_generate_random_block(void *buf, size_t len) rng_initialized = 1; } HEIMDAL_MUTEX_unlock(&crypto_mutex); - RAND_bytes(buf, len); + if (RAND_bytes(buf, len) != 1) + krb5_abortx(NULL, "Failed to generate random block"); } #else diff --git a/source4/heimdal/lib/krb5/error_string.c b/source4/heimdal/lib/krb5/error_string.c index 649bdd20fd..b672fe74f9 100644 --- a/source4/heimdal/lib/krb5/error_string.c +++ b/source4/heimdal/lib/krb5/error_string.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001 Kungliga Tekniska Högskolan + * Copyright (c) 2001, 2003, 2005 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: error_string.c,v 1.3 2004/05/25 21:23:55 lha Exp $"); +RCSID("$Id: error_string.c,v 1.7 2006/02/16 07:49:23 lha Exp $"); #undef __attribute__ #define __attribute__(X) @@ -107,3 +107,24 @@ krb5_have_error_string(krb5_context context) HEIMDAL_MUTEX_unlock(context->mutex); return str != NULL; } + +char * KRB5_LIB_FUNCTION +krb5_get_error_message(krb5_context context, krb5_error_code code) +{ + const char *cstr; + char *str; + + str = krb5_get_error_string(context); + if (str) + return str; + + cstr = krb5_get_err_text(context, code); + if (cstr) + return strdup(cstr); + + if (asprintf(&str, "<unknown error: %d>", code) == -1) + return NULL; + + return str; +} + diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c index 7043b8ae51..1fa3f9143e 100644 --- a/source4/heimdal/lib/krb5/get_cred.c +++ b/source4/heimdal/lib/krb5/get_cred.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: get_cred.c,v 1.108 2005/07/13 07:38:02 lha Exp $"); +RCSID("$Id: get_cred.c,v 1.109 2006/02/03 11:41:02 lha Exp $"); /* * Take the `body' and encode it into `padata' using the credentials @@ -772,7 +772,8 @@ get_cred_from_kdc_flags(krb5_context context, krb5_boolean noaddr; krb5_appdefault_boolean(context, NULL, tgt->server->realm, - "no-addresses", FALSE, &noaddr); + "no-addresses", KRB5_ADDRESSLESS_DEFAULT, + &noaddr); if (noaddr) ret = get_cred_kdc (context, ccache, flags, NULL, in_creds, tgt, *out_creds); diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c index be5c1db47d..aa7c62befc 100644 --- a/source4/heimdal/lib/krb5/get_for_creds.c +++ b/source4/heimdal/lib/krb5/get_for_creds.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: get_for_creds.c,v 1.46 2005/11/28 20:43:02 lha Exp $"); +RCSID("$Id: get_for_creds.c,v 1.47 2006/02/03 11:37:29 lha Exp $"); static krb5_error_code add_addrs(krb5_context context, @@ -284,21 +284,14 @@ krb5_get_forwarded_creds (krb5_context context, enc_krb_cred_part.usec = NULL; } - if (auth_context->local_address && auth_context->local_port) { - krb5_boolean noaddr; - krb5_const_realm srealm; - - srealm = krb5_principal_get_realm(context, out_creds->server); - krb5_appdefault_boolean(context, NULL, srealm, "no-addresses", - paddrs == NULL, &noaddr); - if (!noaddr) { - ret = krb5_make_addrport (context, - &enc_krb_cred_part.s_address, - auth_context->local_address, - auth_context->local_port); - if (ret) - goto out4; - } + if (auth_context->local_address && auth_context->local_port && paddrs) { + + ret = krb5_make_addrport (context, + &enc_krb_cred_part.s_address, + auth_context->local_address, + auth_context->local_port); + if (ret) + goto out4; } if (auth_context->remote_address) { diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c index 51b8ebc392..316c2f02eb 100644 --- a/source4/heimdal/lib/krb5/init_creds.c +++ b/source4/heimdal/lib/krb5/init_creds.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$Id: init_creds.c,v 1.21 2005/10/12 12:45:27 lha Exp $"); +RCSID("$Id: init_creds.c,v 1.22 2006/02/03 11:42:31 lha Exp $"); void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) @@ -191,7 +191,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, if(t != 0) krb5_get_init_creds_opt_set_renew_life(opt, t); - krb5_appdefault_boolean(context, appname, realm, "no-addresses", FALSE, &b); + krb5_appdefault_boolean(context, appname, realm, "no-addresses", + KRB5_ADDRESSLESS_DEFAULT, &b); if (b) krb5_get_init_creds_opt_set_address_list (opt, &no_addrs); diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h index c308287a36..8d9b3c62ac 100644 --- a/source4/heimdal/lib/krb5/krb5-private.h +++ b/source4/heimdal/lib/krb5/krb5-private.h @@ -12,19 +12,6 @@ #endif #endif -struct krb5_dh_moduli; -struct _krb5_krb_auth_data; - -krb5_error_code KRB5_LIB_FUNCTION -_krb5_PKCS5_PBKDF2 ( - krb5_context /*context*/, - krb5_cksumtype /*cktype*/, - krb5_data /*password*/, - krb5_salt /*salt*/, - u_int32_t /*iter*/, - krb5_keytype /*type*/, - krb5_keyblock */*key*/); - void KRB5_LIB_FUNCTION _krb5_aes_cts_encrypt ( const unsigned char */*in*/, @@ -92,6 +79,9 @@ _krb5_find_type_in_ad ( void _krb5_free_krbhst_info (krb5_krbhst_info */*hi*/); +void +_krb5_free_moduli (struct krb5_dh_moduli **/*moduli*/); + krb5_error_code _krb5_get_default_principal_local ( krb5_context /*context*/, diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h index c08d8058a4..d7e74621ef 100644 --- a/source4/heimdal/lib/krb5/krb5-protos.h +++ b/source4/heimdal/lib/krb5/krb5-protos.h @@ -20,15 +20,6 @@ extern "C" { #endif #endif -void -initialize_heim_error_table_r (struct et_list **/*list*/); - -void -initialize_k524_error_table_r (struct et_list **/*list*/); - -void -initialize_krb5_error_table_r (struct et_list **/*list*/); - krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc ( krb5_context /*context*/, @@ -1689,6 +1680,11 @@ krb5_get_err_text ( krb5_error_code /*code*/); char * KRB5_LIB_FUNCTION +krb5_get_error_message ( + krb5_context /*context*/, + krb5_error_code /*code*/); + +char * KRB5_LIB_FUNCTION krb5_get_error_string (krb5_context /*context*/); krb5_error_code KRB5_LIB_FUNCTION diff --git a/source4/heimdal/lib/krb5/krb5_err.et b/source4/heimdal/lib/krb5/krb5_err.et index 1257b074fb..e7bada1808 100644 --- a/source4/heimdal/lib/krb5/krb5_err.et +++ b/source4/heimdal/lib/krb5/krb5_err.et @@ -3,7 +3,7 @@ # # This might look like a com_err file, but is not # -id "$Id: krb5_err.et,v 1.12 2004/10/14 15:30:29 lha Exp $" +id "$Id: krb5_err.et,v 1.14 2006/02/13 11:28:22 lha Exp $" error_table krb5 @@ -74,35 +74,36 @@ prefix KRB5_KDC_ERR error_code CLIENT_NOT_TRUSTED, "Client not trusted" error_code KDC_NOT_TRUSTED, "KDC not trusted" error_code INVALID_SIG, "Invalid signature" -error_code KEY_SIZE, "Key size too small/key too weak" -error_code CERTIFICATE_MISMATCH, "Certificate mismatch" +error_code DH_KEY_PARAMETERS_NOT_ACCEPTED, "DH parameters not accepted" +index 69 prefix KRB5_AP_ERR error_code USER_TO_USER_REQUIRED, "User to user required" index 70 -prefix KRB5_KDC_ERROR +prefix KRB5_KDC_ERR error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate" -error_code INVALID_CERTIFICATE, "Invalid certificate" -error_code REVOKED_CERTIFICATE, "Revoked certificate" +error_code INVALID_CERTIFICATE, "Certificate invalid" +error_code REVOKED_CERTIFICATE, "Certificate revoked" error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown" -error_code REVOCATION_STATUS_UNAVAILABLE, "Revocation status unknown" -error_code CLIENT_NAME_MISMATCH, "Client name mismatch" -index 75 -error_code KDC_NAME_MISMATCH, "KDC name mismatch" - -# 76-79 are reserved - -index 80 -prefix KRB5_IAKERB -error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC" -error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC" +error_code CLIENT_NAME_MISMATCH, "Revocation status unknown" +error_code INCONSISTENT_KEY_PURPOSE, "Inconsistent key purpose" +error_code DIGEST_IN_CERT_NOT_ACCEPTED, "Digest in certificate not accepted" +error_code PA_CHECKSUM_MUST_BE_INCLUDED, "paChecksum must be included" +error_code DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED, "Digest in signedData not accepted" +error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not supported" + +## these are never used +#index 80 +#prefix KRB5_IAKERB +#error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC" +#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC" # 82-127 are reserved index 128 prefix -error_code KRB5_ERR_RCSID, "$Id: krb5_err.et,v 1.12 2004/10/14 15:30:29 lha Exp $" +error_code KRB5_ERR_RCSID, "$Id: krb5_err.et,v 1.14 2006/02/13 11:28:22 lha Exp $" error_code KRB5_LIBOS_BADLOCKFLAG, "Invalid flag for file lock mode" error_code KRB5_LIBOS_CANTREADPWD, "Cannot read password" diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h index 60d72c8f80..92dd3271f5 100644 --- a/source4/heimdal/lib/krb5/krb5_locl.h +++ b/source4/heimdal/lib/krb5/krb5_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: krb5_locl.h,v 1.84 2005/12/13 15:40:50 lha Exp $ */ +/* $Id: krb5_locl.h,v 1.87 2006/02/09 11:36:27 lha Exp $ */ #ifndef __KRB5_LOCL_H__ #define __KRB5_LOCL_H__ @@ -170,14 +170,6 @@ struct _krb5_krb_auth_data; #define KRB5_BUFSIZ 1024 -#ifndef KRB5_DEFAULT_CCNAME -#ifdef __APPLE__ -#define KRB5_DEFAULT_CCNAME "API:" -#else -#define KRB5_DEFAULT_CCNAME "FILE:/tmp/krb5cc_%{uid}" -#endif -#endif - typedef enum { KRB5_PA_PAC_DONT_CARE = 0, KRB5_PA_PAC_REQ_TRUE, @@ -196,4 +188,20 @@ struct _krb5_get_init_creds_opt_private { int canonicalize; }; +/* + * Configurable options + */ + +#ifndef KRB5_DEFAULT_CCNAME +#ifdef __APPLE__ +#define KRB5_DEFAULT_CCNAME "API:" +#else +#define KRB5_DEFAULT_CCNAME "FILE:/tmp/krb5cc_%{uid}" +#endif +#endif + +#ifndef KRB5_ADDRESSLESS_DEFAULT +#define KRB5_ADDRESSLESS_DEFAULT FALSE +#endif + #endif /* __KRB5_LOCL_H__ */ diff --git a/source4/heimdal/lib/krb5/mk_priv.c b/source4/heimdal/lib/krb5/mk_priv.c index 56112eea8c..b5a1aadfea 100644 --- a/source4/heimdal/lib/krb5/mk_priv.c +++ b/source4/heimdal/lib/krb5/mk_priv.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$Id: mk_priv.c,v 1.34 2004/05/25 21:33:32 lha Exp $"); +RCSID("$Id: mk_priv.c,v 1.35 2006/02/01 12:39:26 lha Exp $"); krb5_error_code KRB5_LIB_FUNCTION @@ -129,9 +129,11 @@ krb5_mk_priv(krb5_context context, ASN1_MALLOC_ENCODE(KRB_PRIV, buf, buf_size, &s, &len, ret); - - if(ret) + if (ret) goto fail; + if (buf_size != len) + krb5_abortx(context, "internal error in ASN.1 encoder"); + krb5_data_free (&s.enc_part.cipher); ret = krb5_data_copy(outbuf, buf + buf_size - len, len); diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index 0c5dfc44e9..1247bb22ca 100755 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c @@ -33,7 +33,15 @@ #include "krb5_locl.h" -RCSID("$Id: pkinit.c,v 1.75 2005/10/21 17:18:38 lha Exp $"); +RCSID("$Id: pkinit.c,v 1.77 2006/02/14 10:08:29 lha Exp $"); + +struct krb5_dh_moduli { + char *name; + unsigned long bits; + heim_integer p; + heim_integer g; + heim_integer q; +}; #ifdef PKINIT @@ -104,14 +112,6 @@ struct krb5_pk_cert { X509 *cert; }; -struct krb5_dh_moduli { - char *name; - unsigned long bits; - heim_integer p; - heim_integer g; - heim_integer q; -}; - struct krb5_pk_init_ctx_data { struct krb5_pk_identity *id; DH *dh; @@ -505,7 +505,13 @@ build_auth_pack(krb5_context context, if (ret) return ret; - ret = krb5_data_copy(&a->pkAuthenticator.paChecksum, + ALLOC(a->pkAuthenticator.paChecksum, 1); + if (a->pkAuthenticator.paChecksum == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + ret = krb5_data_copy(a->pkAuthenticator.paChecksum, checksum.checksum.data, checksum.checksum.length); free_Checksum(&checksum); if (ret) @@ -984,11 +990,9 @@ pk_verify_chain_standard(krb5_context context, * Since X509_verify_cert() doesn't do CRL checking at all, we have to * perform own verification against CRLs */ -#if 0 - ret = pk_verify_crl(context, store_ctx, id->crls); - if (ret) - goto end; -#endif + /* + * XXX add crl checking + */ if (client_cert && cert) *client_cert = X509_dup(cert); @@ -2429,6 +2433,31 @@ _krb5_pk_load_openssl_id(krb5_context context, return ret; } +static krb5_error_code +select_dh_group(krb5_context context, DH *dh, unsigned long bits, + struct krb5_dh_moduli **moduli) +{ + const struct krb5_dh_moduli *m; + + m = moduli[1]; /* XXX */ + if (m == NULL) + m = moduli[0]; /* XXX */ + + dh->p = integer_to_BN(context, "p", &m->p); + if (dh->p == NULL) + return ENOMEM; + dh->g = integer_to_BN(context, "g", &m->g); + if (dh->g == NULL) + return ENOMEM; + dh->q = integer_to_BN(context, "q", &m->q); + if (dh->q == NULL) + return ENOMEM; + + return 0; +} + +#endif /* PKINIT */ + static int parse_integer(krb5_context context, char **p, const char *file, int lineno, const char *name, heim_integer *integer) @@ -2526,7 +2555,7 @@ out: return ret; } -static void +void _krb5_free_moduli(struct krb5_dh_moduli **moduli) { int i; @@ -2541,8 +2570,9 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli) } static const char *default_moduli = - /* bits */ + /* name */ "RFC2412-MODP-group2 " + /* bits */ "1024 " /* p */ "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" @@ -2566,7 +2596,7 @@ krb5_error_code _krb5_parse_moduli(krb5_context context, const char *file, struct krb5_dh_moduli ***moduli) { - /* comment bits P G Q */ + /* name bits P G Q */ krb5_error_code ret; struct krb5_dh_moduli **m = NULL, **m2; char buf[4096]; @@ -2589,10 +2619,8 @@ _krb5_parse_moduli(krb5_context context, const char *file, } n = 1; - if (file == NULL) { - *moduli = m; - return 0; - } + if (file == NULL) + file = MODULI_FILE; f = fopen(file, "r"); if (f == NULL) { @@ -2646,7 +2674,7 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits, for (i = 0; moduli[i] != NULL; i++) { if (heim_integer_cmp(&moduli[i]->g, g) == 0 && heim_integer_cmp(&moduli[i]->p, p) == 0 && - heim_integer_cmp(&moduli[i]->q, q) == 0) + (q == NULL || heim_integer_cmp(&moduli[i]->q, q) == 0)) { if (bits && bits > moduli[i]->bits) { krb5_set_error_string(context, "PKINIT: DH group parameter %s " @@ -2663,32 +2691,6 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits, return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; } -static krb5_error_code -select_dh_group(krb5_context context, DH *dh, unsigned long bits, - struct krb5_dh_moduli **moduli) -{ - const struct krb5_dh_moduli *m; - - m = moduli[1]; /* XXX */ - if (m == NULL) - m = moduli[0]; /* XXX */ - - dh->p = integer_to_BN(context, "p", &m->p); - if (dh->p == NULL) - return ENOMEM; - dh->g = integer_to_BN(context, "g", &m->g); - if (dh->g == NULL) - return ENOMEM; - dh->q = integer_to_BN(context, "q", &m->q); - if (dh->q == NULL) - return ENOMEM; - - return 0; -} - - -#endif /* PKINIT */ - void KRB5_LIB_FUNCTION _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt) { @@ -2772,11 +2774,10 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, if ((flags & 2) == 0) { const char *moduli_file; - moduli_file = krb5_config_get_string_default(context, NULL, - MODULI_FILE, - "libdefaults", - "moduli", - NULL); + moduli_file = krb5_config_get_string(context, NULL, + "libdefaults", + "moduli", + NULL); ret = _krb5_parse_moduli(context, moduli_file, &opt->opt_private->pk_init_ctx->m); |