Diffstat (limited to 'source4/heimdal/kdc/pkinit.c')
-rwxr-xr-xsource4/heimdal/kdc/pkinit.c146
1 files changed, 69 insertions, 77 deletions
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index bf248af588..9f6d57f588 100755
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: pkinit.c 22243 2007-12-08 23:39:30Z lha $");
+RCSID("$Id: pkinit.c 23316 2008-06-23 04:32:32Z lha $");
#ifdef PKINIT
@@ -45,23 +45,8 @@ RCSID("$Id: pkinit.c 22243 2007-12-08 23:39:30Z lha $");
#include <hx509.h>
#include "crypto-headers.h"
-/* XXX copied from lib/krb5/pkinit.c */
-struct krb5_pk_identity {
- hx509_context hx509ctx;
- hx509_verify_ctx verify_ctx;
- hx509_certs certs;
- hx509_certs anchors;
- hx509_certs certpool;
- hx509_revoke_ctx revoke;
-};
-
-enum pkinit_type {
- PKINIT_COMPAT_WIN2K = 1,
- PKINIT_COMPAT_27 = 3
-};
-
struct pk_client_params {
- enum pkinit_type type;
+ enum krb5_pk_type type;
BIGNUM *dh_public_key;
hx509_cert cert;
unsigned nonce;
@@ -202,13 +187,13 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
memset(&key, 0, sizeof(key));
if (!DH_generate_key(client_params->dh)) {
- krb5_set_error_string(context, "Can't generate Diffie-Hellman keys");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret, "Can't generate Diffie-Hellman keys");
goto out;
}
if (client_params->dh_public_key == NULL) {
- krb5_set_error_string(context, "dh_public_key");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret, "dh_public_key");
goto out;
}
@@ -219,8 +204,8 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
+ krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
memset(dh_gen_key, 0, size - dh_gen_keylen);
@@ -229,8 +214,8 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
client_params->dh_public_key,
client_params->dh);
if (dh_gen_keylen == -1) {
- krb5_set_error_string(context, "Can't compute Diffie-Hellman key");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret, "Can't compute Diffie-Hellman key");
goto out;
}
@@ -256,7 +241,8 @@ integer_to_BN(krb5_context context, const char *field, heim_integer *f)
bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
if (bn == NULL) {
- krb5_set_error_string(context, "PKINIT: parsing BN failed %s", field);
+ krb5_set_error_message(context, KRB5_BADMSGTYPE,
+ "PKINIT: parsing BN failed %s", field);
return NULL;
}
BN_set_negative(bn, f->negative);
@@ -276,13 +262,14 @@ get_dh_param(krb5_context context,
memset(&dhparam, 0, sizeof(dhparam));
if (der_heim_oid_cmp(&dh_key_info->algorithm.algorithm, oid_id_dhpublicnumber())) {
- krb5_set_error_string(context,
- "PKINIT invalid oid in clientPublicValue");
+ krb5_set_error_message(context, KRB5_BADMSGTYPE,
+ "PKINIT invalid oid in clientPublicValue");
return KRB5_BADMSGTYPE;
}
if (dh_key_info->algorithm.parameters == NULL) {
- krb5_set_error_string(context, "PKINIT missing algorithm parameter "
+ krb5_set_error_message(context, KRB5_BADMSGTYPE,
+ "PKINIT missing algorithm parameter "
"in clientPublicValue");
return KRB5_BADMSGTYPE;
}
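Review bot: The two new branches in get_dh_param spell the error code out twice each — once in the krb5_set_error_message call (`KRB5_BADMSGTYPE` at the "invalid oid" and "missing algorithm parameter" sites) and again in the `return KRB5_BADMSGTYPE;` that follows — whereas the rest of this commit, including the "subjectPublicKey not aligned" branch in the next hunk of the same function, assigns `ret` first and passes it to both. Keeping the two values in one variable prevents the message and the returned code from drifting apart on a later edit; for the first branch that would read `ret = KRB5_BADMSGTYPE;`, `krb5_set_error_message(context, ret, "PKINIT invalid oid in clientPublicValue");`, `return ret;`, and likewise for the second. This assumes `ret` is already declared at the top of get_dh_param, which the later `if (ret)` in this function suggests but the hunk does not show; the function's body begins and ends outside the hunk.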
@@ -292,15 +279,16 @@ get_dh_param(krb5_context context,
&dhparam,
NULL);
if (ret) {
- krb5_set_error_string(context, "Can't decode algorithm "
- "parameters in clientPublicValue");
+ krb5_set_error_message(context, ret, "Can't decode algorithm "
+ "parameters in clientPublicValue");
goto out;
}
if ((dh_key_info->subjectPublicKey.length % 8) != 0) {
ret = KRB5_BADMSGTYPE;
- krb5_set_error_string(context, "PKINIT: subjectPublicKey not aligned "
- "to 8 bit boundary");
+ krb5_set_error_message(context, ret,
+ "PKINIT: subjectPublicKey not aligned "
+ "to 8 bit boundary");
goto out;
}
@@ -315,8 +303,8 @@ get_dh_param(krb5_context context,
dh = DH_new();
if (dh == NULL) {
- krb5_set_error_string(context, "Cannot create DH structure");
ret = ENOMEM;
+ krb5_set_error_message(context, ret, "Cannot create DH structure");
goto out;
}
ret = KRB5_BADMSGTYPE;
@@ -347,8 +335,10 @@ get_dh_param(krb5_context context,
"subjectPublicKey",
&glue);
der_free_heim_integer(&glue);
- if (client_params->dh_public_key == NULL)
+ if (client_params->dh_public_key == NULL) {
+ ret = KRB5_BADMSGTYPE;
goto out;
+ }
}
client_params->dh = dh;
@@ -385,7 +375,7 @@ _kdc_pk_rd_padata(krb5_context context,
return 0;
}
- hx509_verify_set_time(kdc_identity->verify_ctx, _kdc_now.tv_sec);
+ hx509_verify_set_time(kdc_identity->verify_ctx, kdc_time);
client_params = calloc(1, sizeof(*client_params));
if (client_params == NULL) {
@@ -404,8 +394,8 @@ _kdc_pk_rd_padata(krb5_context context,
&r,
NULL);
if (ret) {
- krb5_set_error_string(context, "Can't decode "
- "PK-AS-REQ-Win2k: %d", ret);
+ krb5_set_error_message(context, ret, "Can't decode "
+ "PK-AS-REQ-Win2k: %d", ret);
goto out;
}
@@ -415,7 +405,8 @@ _kdc_pk_rd_padata(krb5_context context,
&have_data);
free_PA_PK_AS_REQ_Win2k(&r);
if (ret) {
- krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret);
+ krb5_set_error_message(context, ret,
+ "Can't decode PK-AS-REQ: %d", ret);
goto out;
}
@@ -429,7 +420,7 @@ _kdc_pk_rd_padata(krb5_context context,
&r,
NULL);
if (ret) {
- krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret);
+ krb5_set_error_message(context, ret, "Can't decode PK-AS-REQ: %d", ret);
goto out;
}
@@ -443,7 +434,7 @@ _kdc_pk_rd_padata(krb5_context context,
0, NULL,
&client_params->client_anchors);
if (ret) {
- krb5_set_error_string(context, "Can't allocate client anchors: %d", ret);
+ krb5_set_error_message(context, ret, "Can't allocate client anchors: %d", ret);
goto out;
}
@@ -458,7 +449,7 @@ _kdc_pk_rd_padata(krb5_context context,
ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
if (ret) {
- krb5_set_error_string(context,
+ krb5_set_error_message(context, ret,
"Failed to allocate hx509_query");
goto out;
}
@@ -495,7 +486,8 @@ _kdc_pk_rd_padata(krb5_context context,
&have_data);
free_PA_PK_AS_REQ(&r);
if (ret) {
- krb5_set_error_string(context, "Can't unwrap ContentInfo: %d", ret);
+ krb5_set_error_message(context, ret,
+ "Can't unwrap ContentInfo: %d", ret);
goto out;
}
@@ -507,16 +499,16 @@ _kdc_pk_rd_padata(krb5_context context,
ret = der_heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData());
if (ret != 0) {
- krb5_set_error_string(context, "PK-AS-REQ-Win2k invalid content "
- "type oid");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret,
+ "PK-AS-REQ-Win2k invalid content type oid");
goto out;
}
if (!have_data) {
- krb5_set_error_string(context,
- "PK-AS-REQ-Win2k no signed auth pack");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret,
+ "PK-AS-REQ-Win2k no signed auth pack");
goto out;
}
@@ -551,8 +543,8 @@ _kdc_pk_rd_padata(krb5_context context,
if (der_heim_oid_cmp(&eContentType, oid_id_pkcs7_data()) != 0 &&
der_heim_oid_cmp(&eContentType, oid_id_pkauthdata()) != 0)
{
- krb5_set_error_string(context, "got wrong oid for pkauthdata");
ret = KRB5_BADMSGTYPE;
+ krb5_set_error_message(context, ret, "got wrong oid for pkauthdata");
goto out;
}
@@ -564,7 +556,7 @@ _kdc_pk_rd_padata(krb5_context context,
&ap,
NULL);
if (ret) {
- krb5_set_error_string(context, "can't decode AuthPack: %d", ret);
+ krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret);
goto out;
}
@@ -576,12 +568,12 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
- client_params->type = PKINIT_COMPAT_WIN2K;
+ client_params->type = PKINIT_WIN2K;
client_params->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) {
- krb5_set_error_string(context, "DH not supported for windows");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret, "DH not supported for windows");
goto out;
}
free_AuthPack_Win2k(&ap);
@@ -594,7 +586,7 @@ _kdc_pk_rd_padata(krb5_context context,
&ap,
NULL);
if (ret) {
- krb5_set_error_string(context, "can't decode AuthPack: %d", ret);
+ krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret);
free_AuthPack(&ap);
goto out;
}
@@ -607,7 +599,7 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
- client_params->type = PKINIT_COMPAT_27;
+ client_params->type = PKINIT_27;
client_params->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) {
@@ -700,7 +692,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
*/
switch (client_params->type) {
- case PKINIT_COMPAT_WIN2K: {
+ case PKINIT_WIN2K: {
int i = 0;
if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL
&& config->pkinit_require_binding == 0)
@@ -709,7 +701,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
}
break;
}
- case PKINIT_COMPAT_27:
+ case PKINIT_27:
break;
default:
krb5_abortx(context, "internal pkinit error");
@@ -769,8 +761,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
free_ReplyKeyPack(&kp);
}
if (ret) {
- krb5_set_error_string(context, "ASN.1 encoding of ReplyKeyPack "
- "failed (%d)", ret);
+ krb5_set_error_message(context, ret, "ASN.1 encoding of ReplyKeyPack "
+ "failed (%d)", ret);
goto out;
}
if (buf.length != size)
@@ -813,7 +805,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
if (ret)
goto out;
- if (client_params->type == PKINIT_COMPAT_WIN2K) {
+ if (client_params->type == PKINIT_WIN2K) {
ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(),
&signed_data,
&buf);
@@ -874,9 +866,8 @@ pk_mk_pa_reply_dh(krb5_context context,
ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
if (ret) {
- krb5_set_error_string(context, "ASN.1 encoding of "
- "DHPublicKey failed (%d)", ret);
- krb5_clear_error_string(context);
+ krb5_set_error_message(context, ret, "ASN.1 encoding of "
+ "DHPublicKey failed (%d)", ret);
return ret;
}
if (buf.length != size)
@@ -890,8 +881,8 @@ pk_mk_pa_reply_dh(krb5_context context,
ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size,
ret);
if (ret) {
- krb5_set_error_string(context, "ASN.1 encoding of "
- "KdcDHKeyInfo failed (%d)", ret);
+ krb5_set_error_message(context, ret, "ASN.1 encoding of "
+ "KdcDHKeyInfo failed (%d)", ret);
goto out;
}
if (buf.length != size)
@@ -990,15 +981,15 @@ _kdc_pk_mk_pa_reply(krb5_context context,
break;
if (req->req_body.etype.len <= i) {
ret = KRB5KRB_ERR_GENERIC;
- krb5_set_error_string(context,
- "No valid enctype available from client");
+ krb5_set_error_message(context, ret,
+ "No valid enctype available from client");
goto out;
}
enctype = req->req_body.etype.val[i];
} else
enctype = ETYPE_DES3_CBC_SHA1;
- if (client_params->type == PKINIT_COMPAT_27) {
+ if (client_params->type == PKINIT_27) {
PA_PK_AS_REP rep;
const char *type, *other = "";
@@ -1035,8 +1026,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret);
free_ContentInfo(&info);
if (ret) {
- krb5_set_error_string(context, "encoding of Key ContentInfo "
- "failed %d", ret);
+ krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
+ "failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
@@ -1068,8 +1059,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret);
free_ContentInfo(&info);
if (ret) {
- krb5_set_error_string(context, "encoding of Key ContentInfo "
- "failed %d", ret);
+ krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
+ "failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
@@ -1085,8 +1076,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP(&rep);
if (ret) {
- krb5_set_error_string(context, "encode PA-PK-AS-REP failed %d",
- ret);
+ krb5_set_error_message(context, ret, "encode PA-PK-AS-REP failed %d",
+ ret);
goto out;
}
if (len != size)
@@ -1094,13 +1085,13 @@ _kdc_pk_mk_pa_reply(krb5_context context,
kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
- } else if (client_params->type == PKINIT_COMPAT_WIN2K) {
+ } else if (client_params->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k rep;
ContentInfo info;
if (client_params->dh) {
- krb5_set_error_string(context, "Windows PK-INIT doesn't support DH");
ret = KRB5KRB_ERR_GENERIC;
+ krb5_set_error_message(context, ret, "Windows PK-INIT doesn't support DH");
goto out;
}
@@ -1131,7 +1122,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret);
free_ContentInfo(&info);
if (ret) {
- krb5_set_error_string(context, "encoding of Key ContentInfo "
+ krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
@@ -1142,7 +1133,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP_Win2k(&rep);
if (ret) {
- krb5_set_error_string(context,
+ krb5_set_error_message(context, ret,
"encode PA-PK-AS-REP-Win2k failed %d", ret);
goto out;
}
@@ -1155,7 +1146,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
ret = krb5_padata_add(context, md, pa_type, buf, len);
if (ret) {
- krb5_set_error_string(context, "failed adding PA-PK-AS-REP %d", ret);
+ krb5_set_error_message(context, ret, "failed adding PA-PK-AS-REP %d", ret);
free(buf);
goto out;
}
@@ -1229,8 +1220,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
KRB5_PADATA_PA_PK_OCSP_RESPONSE,
ocsp.data.data, ocsp.data.length);
if (ret) {
- krb5_set_error_string(context,
- "Failed adding OCSP response %d", ret);
+ krb5_set_error_message(context, ret,
+ "Failed adding OCSP response %d", ret);
goto out;
}
}
@@ -1453,7 +1444,8 @@ _kdc_pk_check_client(krb5_context context,
return 0;
}
- krb5_set_error_string(context,
+ ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ krb5_set_error_message(context, ret,
"PKINIT no matching principals for %s",
*subject_name);
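Review bot: `ret` is assigned `KRB5_KDC_ERR_CLIENT_NAME_MISMATCH` here and only returned in the following hunk (`return ret;`), so the function's error code now depends on nothing between the two hunks reassigning `ret`; the lines in between are not in the diff, and the earlier part of _kdc_pk_check_client that presumably declares `ret` is outside the hunk as well. If any call in that gap writes `ret`, the mismatch would be reported in the error message but a different code returned to the caller. A short comment at the assignment, `/* ret is returned below; keep the message and the return code in sync */`, would make the intent clear to the next editor. The enclosing function starts before this hunk and continues after it.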
@@ -1464,7 +1456,7 @@ _kdc_pk_check_client(krb5_context context,
free(*subject_name);
*subject_name = NULL;
- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ return ret;
}
static krb5_error_code