diff options
Diffstat (limited to 'source4/heimdal/kdc/pkinit.c')
-rw-r--r-- | source4/heimdal/kdc/pkinit.c | 218 |
1 files changed, 109 insertions, 109 deletions
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index 57767c4f48..82358682d8 100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -1,34 +1,34 @@ /* - * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 2003 - 2008 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "kdc_locl.h" @@ -90,7 +90,7 @@ pk_check_pkauthenticator_win2k(krb5_context context, /* XXX cusec */ if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return KRB5KRB_AP_ERR_SKEW; } return 0; @@ -112,13 +112,13 @@ pk_check_pkauthenticator(krb5_context context, /* XXX cusec */ if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return KRB5KRB_AP_ERR_SKEW; } ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ret; } if (buf_size != len) @@ -133,18 +133,18 @@ pk_check_pkauthenticator(krb5_context context, &checksum); free(buf); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ret; } if (a->paChecksum == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; goto out; } if (der_heim_octet_string_cmp(a->paChecksum, &checksum.checksum) != 0) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = KRB5KRB_ERR_GENERIC; } @@ -155,7 +155,7 @@ out: } void -_kdc_pk_free_client_param(krb5_context context, +_kdc_pk_free_client_param(krb5_context context, pk_client_params *client_params) { if (client_params->cert) @@ -293,7 +293,7 @@ get_dh_param(krb5_context context, } - ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits, + ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits, &dhparam.p, &dhparam.g, &dhparam.q, moduli, &client_params->dh_group_name); if (ret) { @@ -327,7 +327,7 @@ get_dh_param(krb5_context context, &glue, &size); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ret; } @@ -344,7 +344,7 @@ get_dh_param(krb5_context context, client_params->dh = dh; dh = NULL; ret = 0; - + out: if (dh) DH_free(dh); @@ -368,10 +368,10 @@ _kdc_pk_rd_padata(krb5_context context, int have_data = 0; *ret_params = NULL; - + if (!config->enable_pkinit) { kdc_log(context, config, 0, "PK-INIT request but PK-INIT not enabled"); - krb5_clear_error_string(context); + krb5_clear_error_message(context); return 0; } @@ -379,7 +379,7 @@ _kdc_pk_rd_padata(krb5_context context, client_params = calloc(1, sizeof(*client_params)); if (client_params == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -405,7 +405,7 @@ _kdc_pk_rd_padata(krb5_context context, &have_data); free_PA_PK_AS_REQ_Win2k(&r); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Can't decode PK-AS-REQ: %d", ret); goto out; } @@ -474,7 +474,7 @@ _kdc_pk_rd_padata(krb5_context context, hx509_query_free(kdc_identity->hx509ctx, q); if (ret) continue; - hx509_certs_add(kdc_identity->hx509ctx, + hx509_certs_add(kdc_identity->hx509ctx, client_params->client_anchors, cert); hx509_cert_free(cert); } @@ -486,13 +486,13 @@ _kdc_pk_rd_padata(krb5_context context, &have_data); free_PA_PK_AS_REQ(&r); if (ret) { - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Can't unwrap ContentInfo: %d", ret); goto out; } - } else { - krb5_clear_error_string(context); + } else { + krb5_clear_error_message(context); ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; goto out; } @@ -500,7 +500,7 @@ _kdc_pk_rd_padata(krb5_context context, ret = der_heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData()); if (ret != 0) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "PK-AS-REQ-Win2k invalid content type oid"); goto out; } @@ -559,8 +559,8 @@ _kdc_pk_rd_padata(krb5_context context, krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret); goto out; } - - ret = pk_check_pkauthenticator_win2k(context, + + ret = pk_check_pkauthenticator_win2k(context, &ap.pkAuthenticator, req); if (ret) { @@ -590,8 +590,8 @@ _kdc_pk_rd_padata(krb5_context context, free_AuthPack(&ap); goto out; } - - ret = pk_check_pkauthenticator(context, + + ret = pk_check_pkauthenticator(context, &ap.pkAuthenticator, req); if (ret) { @@ -603,7 +603,7 @@ _kdc_pk_rd_padata(krb5_context context, client_params->nonce = ap.pkAuthenticator.nonce; if (ap.clientPublicValue) { - ret = get_dh_param(context, config, + ret = get_dh_param(context, config, ap.clientPublicValue, client_params); if (ret) { free_AuthPack(&ap); @@ -659,7 +659,7 @@ BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer) integer->length = BN_num_bytes(bn); integer->data = malloc(integer->length); if (integer->data == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ENOMEM; } BN_bn2bin(bn, integer->data); @@ -676,7 +676,7 @@ pk_mk_pa_reply_enckey(krb5_context context, krb5_keyblock *reply_key, ContentInfo *content_info) { - const heim_oid *envelopedAlg = NULL, *sdAlg = NULL; + const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL; krb5_error_code ret; krb5_data buf, signed_data; size_t size; @@ -699,29 +699,31 @@ pk_mk_pa_reply_enckey(krb5_context context, { do_win2k = 1; } + sdAlg = oid_id_pkcs7_data(); + evAlg = oid_id_pkcs7_data(); + envelopedAlg = oid_id_rsadsi_des_ede3_cbc(); break; } case PKINIT_27: + sdAlg = oid_id_pkrkeydata(); + evAlg = oid_id_pkcs7_signedData(); break; default: krb5_abortx(context, "internal pkinit error"); - } + } if (do_win2k) { ReplyKeyPack_Win2k kp; memset(&kp, 0, sizeof(kp)); - envelopedAlg = oid_id_rsadsi_des_ede3_cbc(); - sdAlg = oid_id_pkcs7_data(); - ret = copy_EncryptionKey(reply_key, &kp.replyKey); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } kp.nonce = client_params->nonce; - ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k, + ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k, buf.data, buf.length, &kp, &size,ret); free_ReplyKeyPack_Win2k(&kp); @@ -730,17 +732,15 @@ pk_mk_pa_reply_enckey(krb5_context context, ReplyKeyPack kp; memset(&kp, 0, sizeof(kp)); - sdAlg = oid_id_pkrkeydata(); - ret = copy_EncryptionKey(reply_key, &kp.replyKey); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } ret = krb5_crypto_init(context, reply_key, 0, &ascrypto); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -748,13 +748,13 @@ pk_mk_pa_reply_enckey(krb5_context context, req_buffer->data, req_buffer->length, &kp.asChecksum); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } - + ret = krb5_crypto_destroy(context, ascrypto); if (ret) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret); @@ -779,9 +779,9 @@ pk_mk_pa_reply_enckey(krb5_context context, hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); - ret = hx509_certs_find(kdc_identity->hx509ctx, - kdc_identity->certs, - q, + ret = hx509_certs_find(kdc_identity->hx509ctx, + kdc_identity->certs, + q, &cert); hx509_query_free(kdc_identity->hx509ctx, q); if (ret) @@ -802,7 +802,7 @@ pk_mk_pa_reply_enckey(krb5_context context, } krb5_data_free(&buf); - if (ret) + if (ret) goto out; if (client_params->type == PKINIT_WIN2K) { @@ -818,12 +818,12 @@ pk_mk_pa_reply_enckey(krb5_context context, ret = hx509_cms_envelope_1(kdc_identity->hx509ctx, 0, client_params->cert, - signed_data.data, signed_data.length, + signed_data.data, signed_data.length, envelopedAlg, - oid_id_pkcs7_signedData(), &buf); + evAlg, &buf); if (ret) goto out; - + ret = _krb5_pk_mk_ContentInfo(context, &buf, oid_id_pkcs7_envelopedData(), @@ -875,10 +875,10 @@ pk_mk_pa_reply_dh(krb5_context context, dh_info.subjectPublicKey.length = buf.length * 8; dh_info.subjectPublicKey.data = buf.data; - + dh_info.nonce = client_params->nonce; - ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, + ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, ret); if (ret) { krb5_set_error_message(context, ret, "ASN.1 encoding of " @@ -888,7 +888,7 @@ pk_mk_pa_reply_dh(krb5_context context, if (buf.length != size) krb5_abortx(context, "Internal ASN.1 encoder error"); - /* + /* * Create the SignedData structure and sign the KdcDHKeyInfo * filled in above */ @@ -904,9 +904,9 @@ pk_mk_pa_reply_dh(krb5_context context, hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE); - ret = hx509_certs_find(kdc_identity->hx509ctx, - kdc_identity->certs, - q, + ret = hx509_certs_find(kdc_identity->hx509ctx, + kdc_identity->certs, + q, &cert); hx509_query_free(kdc_identity->hx509ctx, q); if (ret) @@ -971,7 +971,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, int i; if (!config->enable_pkinit) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return 0; } @@ -1004,7 +1004,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, rep.element = choice_PA_PK_AS_REP_encKeyPack; - ret = krb5_generate_random_keyblock(context, enctype, + ret = krb5_generate_random_keyblock(context, enctype, &client_params->reply_key); if (ret) { free_PA_PK_AS_REP(&rep); @@ -1021,8 +1021,8 @@ _kdc_pk_mk_pa_reply(krb5_context context, free_PA_PK_AS_REP(&rep); goto out; } - ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, - rep.u.encKeyPack.length, &info, &size, + ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, + rep.u.encKeyPack.length, &info, &size, ret); free_ContentInfo(&info); if (ret) { @@ -1049,7 +1049,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, return ret; ret = pk_mk_pa_reply_dh(context, client_params->dh, - client_params, + client_params, &client_params->reply_key, &info, &kdc_cert); @@ -1100,7 +1100,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, pa_type = KRB5_PADATA_PK_AS_REP_19; rep.element = choice_PA_PK_AS_REP_encKeyPack; - ret = krb5_generate_random_keyblock(context, enctype, + ret = krb5_generate_random_keyblock(context, enctype, &client_params->reply_key); if (ret) { free_PA_PK_AS_REP_Win2k(&rep); @@ -1117,8 +1117,8 @@ _kdc_pk_mk_pa_reply(krb5_context context, free_PA_PK_AS_REP_Win2k(&rep); goto out; } - ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, - rep.u.encKeyPack.length, &info, &size, + ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, + rep.u.encKeyPack.length, &info, &size, ret); free_ContentInfo(&info); if (ret) { @@ -1164,7 +1164,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY); if (fd < 0) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to open ocsp data file %d", errno); goto out_ocsp; } @@ -1172,15 +1172,15 @@ _kdc_pk_mk_pa_reply(krb5_context context, if (ret) { ret = errno; close(fd); - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to stat ocsp data %d", ret); goto out_ocsp; } - + ret = krb5_data_alloc(&ocsp.data, sb.st_size); if (ret) { close(fd); - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to stat ocsp data %d", ret); goto out_ocsp; } @@ -1188,7 +1188,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, ret = read(fd, ocsp.data.data, sb.st_size); close(fd); if (ret != sb.st_size) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to read ocsp data %d", errno); goto out_ocsp; } @@ -1200,7 +1200,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, ocsp.data.data, ocsp.data.length, &ocsp.expire); if (ret) { - kdc_log(context, config, 0, + kdc_log(context, config, 0, "PK-INIT failed to verify ocsp data %d", ret); krb5_data_free(&ocsp.data); ocsp.expire = 0; @@ -1216,7 +1216,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, if (ocsp.expire != 0 && ocsp.expire > kdc_time) { - ret = krb5_padata_add(context, md, + ret = krb5_padata_add(context, md, KRB5_PADATA_PA_PK_OCSP_RESPONSE, ocsp.data.data, ocsp.data.length); if (ret) { @@ -1237,10 +1237,10 @@ out: } static int -match_rfc_san(krb5_context context, +match_rfc_san(krb5_context context, krb5_kdc_configuration *config, hx509_context hx509ctx, - hx509_cert client_cert, + hx509_cert client_cert, krb5_const_principal match) { hx509_octet_string_list list; @@ -1260,7 +1260,7 @@ match_rfc_san(krb5_context context, KRB5PrincipalName kn; size_t size; - ret = decode_KRB5PrincipalName(list.val[i].data, + ret = decode_KRB5PrincipalName(list.val[i].data, list.val[i].length, &kn, &size); if (ret) { @@ -1284,7 +1284,7 @@ match_rfc_san(krb5_context context, } out: - hx509_free_octet_string_list(&list); + hx509_free_octet_string_list(&list); if (ret) return ret; @@ -1295,10 +1295,10 @@ out: } static int -match_ms_upn_san(krb5_context context, +match_ms_upn_san(krb5_context context, krb5_kdc_configuration *config, hx509_context hx509ctx, - hx509_cert client_cert, + hx509_cert client_cert, krb5_const_principal match) { hx509_octet_string_list list; @@ -1337,7 +1337,7 @@ match_ms_upn_san(krb5_context context, goto out; } - /* + /* * This is very wrong, but will do for now, should really and a * plugin to the windc layer to very this ACL. */ @@ -1349,7 +1349,7 @@ match_ms_upn_san(krb5_context context, out: if (principal) krb5_free_principal(context, principal); - hx509_free_octet_string_list(&list); + hx509_free_octet_string_list(&list); if (ret) return ret; @@ -1383,7 +1383,7 @@ _kdc_pk_check_client(krb5_context context, return ret; kdc_log(context, config, 0, - "Trying to authorize PK-INIT subject DN %s", + "Trying to authorize PK-INIT subject DN %s", *subject_name); if (config->pkinit_princ_in_cert) { @@ -1460,7 +1460,7 @@ _kdc_pk_check_client(krb5_context context, } static krb5_error_code -add_principal_mapping(krb5_context context, +add_principal_mapping(krb5_context context, const char *principal_name, const char * subject) { @@ -1502,7 +1502,7 @@ _kdc_add_inital_verified_cas(krb5_context context, size_t size; memset(&cas, 0, sizeof(cas)); - + /* XXX add CAs to cas here */ ASN1_MALLOC_ENCODE(AD_INITIAL_VERIFIED_CAS, data.data, data.length, @@ -1512,7 +1512,7 @@ _kdc_add_inital_verified_cas(krb5_context context, if (data.length != size) krb5_abortx(context, "internal asn.1 encoder error"); - ret = _kdc_tkt_add_if_relevant_ad(context, tkt, + ret = _kdc_tkt_add_if_relevant_ad(context, tkt, KRB5_AUTHDATA_INITIAL_VERIFIED_CAS, &data); krb5_data_free(&data); @@ -1537,7 +1537,7 @@ load_mappings(krb5_context context, const char *fn) while (fgets(buf, sizeof(buf), f) != NULL) { char *subject_name, *p; - + buf[strcspn(buf, "\n")] = '\0'; lineno++; @@ -1561,11 +1561,11 @@ load_mappings(krb5_context context, const char *fn) lineno, buf); continue; } - } + } fclose(f); } - + /* * */ @@ -1637,7 +1637,7 @@ _kdc_pk_initialize(krb5_context context, "certifiate with a public key"); } - ret = krb5_config_get_bool_default(context, + ret = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", @@ -1645,7 +1645,7 @@ _kdc_pk_initialize(krb5_context context, NULL); _krb5_pk_allow_proxy_certificate(kdc_identity, ret); - file = krb5_config_get_string(context, + file = krb5_config_get_string(context, NULL, "kdc", "pkinit_mappings_file", |