From 255e3e18e00f717d99f3bc57c8a8895ff624f3c3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 15 Jul 2011 09:10:30 +0200 Subject: s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b) --- source4/heimdal/kdc/pkinit.c | 115 ++++++++++++++++++++++--------------------- 1 file changed, 58 insertions(+), 57 deletions(-) (limited to 'source4/heimdal/kdc/pkinit.c') diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index 9c0be23b14..a02cb816ab 100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -116,7 +116,7 @@ pk_check_pkauthenticator(krb5_context context, u_char *buf = NULL; size_t buf_size; krb5_error_code ret; - size_t len; + size_t len = 0; krb5_timestamp now; Checksum checksum; @@ -148,7 +148,7 @@ pk_check_pkauthenticator(krb5_context context, krb5_clear_error_message(context); return ret; } - + if (a->paChecksum == NULL) { krb5_clear_error_message(context); ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; @@ -222,7 +222,7 @@ generate_dh_keyblock(krb5_context context, if (!DH_generate_key(client_params->u.dh.key)) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Can't generate Diffie-Hellman keys"); goto out; } @@ -237,7 +237,7 @@ generate_dh_keyblock(krb5_context context, } dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key); - if (dh_gen_keylen == -1) { + if (dh_gen_keylen == (size_t)-1) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "Can't compute Diffie-Hellman key"); 
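Review bot: In generate_dh_keyblock (hunk -237,7) the new `dh_gen_keylen == (size_t)-1` test only works because the `int` result of `DH_compute_key` has already been converted into the, presumably unsigned, `dh_gen_keylen`, so the error sentinel stays in-band with a valid length. Reading the result into a signed temporary and rejecting it before the assignment is clearer and also rejects a zero-length secret, e.g. `int n = DH_compute_key(...); if (n <= 0) { ...; goto out; }` followed by `dh_gen_keylen = (size_t)n;`. The ECDH branch in the next hunk (-281,14) assigns `ECDH_compute_key(...)` to the same variable, and no equivalent failure check is visible there. If none follows, a failed computation would reach the key derivation as a very large length. The function continues outside both hunks, so this should be confirmed against the full body.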
@@ -281,14 +281,14 @@ generate_dh_keyblock(krb5_context context, goto out; } - dh_gen_keylen = ECDH_compute_key(dh_gen_key, size, + dh_gen_keylen = ECDH_compute_key(dh_gen_key, size, EC_KEY_get0_public_key(client_params->u.ecdh.public_key), client_params->u.ecdh.key, NULL); #endif /* HAVE_OPENSSL */ } else { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Diffie-Hellman not selected keys"); goto out; } @@ -525,7 +525,7 @@ _kdc_pk_rd_padata(krb5_context context, goto out; } - ret = hx509_certs_merge(context->hx509ctx, trust_anchors, + ret = hx509_certs_merge(context->hx509ctx, trust_anchors, kdc_identity->anchors); if (ret) { hx509_certs_free(&trust_anchors); @@ -538,7 +538,7 @@ _kdc_pk_rd_padata(krb5_context context, if (ret == 0 && pc != NULL) { hx509_cert cert; unsigned int i; - + for (i = 0; i < pc->len; i++) { ret = hx509_cert_init_data(context->hx509ctx, pc->val[i].cert.data, @@ -572,7 +572,7 @@ _kdc_pk_rd_padata(krb5_context context, if (req->req_body.kdc_options.request_anonymous) { ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Anon not supported in RSA mode"); goto out; } @@ -586,7 +586,7 @@ _kdc_pk_rd_padata(krb5_context context, "PK-AS-REQ-Win2k: %d", ret); goto out; } - + ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack, &contentInfoOid, &signed_content, @@ -612,7 +612,7 @@ _kdc_pk_rd_padata(krb5_context context, "Can't decode PK-AS-REQ: %d", ret); goto out; } - + /* XXX look at r.kdcPkId */ if (r.trustedCertifiers) { ExternalPrincipalIdentifiers *edi = r.trustedCertifiers; 
@@ -624,12 +624,12 @@ _kdc_pk_rd_padata(krb5_context context, &cp->client_anchors); if (ret) { krb5_set_error_message(context, ret, - "Can't allocate client anchors: %d", + "Can't allocate client anchors: %d", ret); goto out; } - /* + /* * If the client sent more then 10 EDI, don't bother * looking more then 10 of performance reasons. */ @@ -651,7 +651,7 @@ _kdc_pk_rd_padata(krb5_context context, "Failed to allocate hx509_query"); goto out; } - + ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data, edi->val[i].issuerAndSerialNumber->length, &iasn, @@ -704,7 +704,7 @@ _kdc_pk_rd_padata(krb5_context context, "PK-AS-REQ-Win2k invalid content type oid"); goto out; } - + if (!have_data) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, @@ -805,7 +805,7 @@ _kdc_pk_rd_padata(krb5_context context, ap.clientPublicValue == NULL) { free_AuthPack(&ap); ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED; - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, "Anon not supported in RSA mode"); goto out; } @@ -849,7 +849,7 @@ _kdc_pk_rd_padata(krb5_context context, free_AuthPack(&ap); goto out; } - + if (ap.supportedCMSTypes) { ret = hx509_peer_info_set_cms_algs(context->hx509ctx, cp->peer, @@ -885,7 +885,7 @@ out: der_free_oid(&contentInfoOid); if (ret) { _kdc_pk_free_client_param(context, cp); - } else + } else *ret_params = cp; return ret; } @@ -921,7 +921,7 @@ pk_mk_pa_reply_enckey(krb5_context context, const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL; krb5_error_code ret; krb5_data buf, signed_data; - size_t size; + size_t size = 0; int do_win2k = 0; krb5_data_zero(&buf); @@ -954,7 +954,7 @@ pk_mk_pa_reply_enckey(krb5_context context, break; default: krb5_abortx(context, "internal pkinit error"); - } + } if (do_win2k) { ReplyKeyPack_Win2k kp; 
@@ -966,7 +966,7 @@ pk_mk_pa_reply_enckey(krb5_context context, goto out; } kp.nonce = cp->nonce; - + ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k, buf.data, buf.length, &kp, &size,ret); @@ -995,7 +995,7 @@ pk_mk_pa_reply_enckey(krb5_context context, krb5_clear_error_message(context); goto out; } - + ret = krb5_crypto_destroy(context, ascrypto); if (ret) { krb5_clear_error_message(context); @@ -1015,15 +1015,15 @@ pk_mk_pa_reply_enckey(krb5_context context, { hx509_query *q; hx509_cert cert; - + ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) goto out; - + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); - + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, @@ -1031,7 +1031,7 @@ pk_mk_pa_reply_enckey(krb5_context context, hx509_query_free(context->hx509ctx, q); if (ret) goto out; - + ret = hx509_cms_create_signed_1(context->hx509ctx, 0, sdAlg, @@ -1078,7 +1078,7 @@ out: hx509_cert_free(*kdc_cert); *kdc_cert = NULL; } - + krb5_data_free(&buf); krb5_data_free(&signed_data); return ret; @@ -1101,7 +1101,7 @@ pk_mk_pa_reply_dh(krb5_context context, krb5_error_code ret; hx509_cert cert; hx509_query *q; - size_t size; + size_t size = 0; memset(&contentinfo, 0, sizeof(contentinfo)); memset(&dh_info, 0, sizeof(dh_info)); @@ -1117,7 +1117,7 @@ pk_mk_pa_reply_dh(krb5_context context, ret = BN_to_integer(context, kdc_dh->pub_key, &i); if (ret) return ret; - + ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret); der_free_heim_integer(&i); if (ret) { @@ -1127,7 +1127,7 @@ pk_mk_pa_reply_dh(krb5_context context, } if (buf.length != size) krb5_abortx(context, "Internal ASN.1 encoder error"); - + dh_info.subjectPublicKey.length = buf.length * 8; dh_info.subjectPublicKey.data = buf.data; krb5_data_zero(&buf); 
@@ -1154,7 +1154,7 @@ pk_mk_pa_reply_dh(krb5_context context, } else krb5_abortx(context, "no keyex selected ?"); - + dh_info.nonce = cp->nonce; ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, @@ -1175,11 +1175,11 @@ pk_mk_pa_reply_dh(krb5_context context, ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) goto out; - + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); - + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, @@ -1187,7 +1187,7 @@ pk_mk_pa_reply_dh(krb5_context context, hx509_query_free(context->hx509ctx, q); if (ret) goto out; - + ret = hx509_cms_create_signed_1(context->hx509ctx, 0, &asn1_oid_id_pkdhkeydata, @@ -1242,12 +1242,12 @@ _kdc_pk_mk_pa_reply(krb5_context context, METHOD_DATA *md) { krb5_error_code ret; - void *buf; - size_t len, size; + void *buf = NULL; + size_t len = 0, size = 0; krb5_enctype enctype; int pa_type; hx509_cert kdc_cert = NULL; - int i; + size_t i; if (!config->enable_pkinit) { krb5_clear_error_message(context); @@ -1263,7 +1263,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, krb5_set_error_message(context, ret, "No valid enctype available from client"); goto out; - } + } enctype = req->req_body.etype.val[i]; } else enctype = ETYPE_DES3_CBC_SHA1; @@ -1314,7 +1314,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, if (rep.u.encKeyPack.length != size) krb5_abortx(context, "Internal ASN.1 encoder error"); - ret = krb5_generate_random_keyblock(context, sessionetype, + ret = krb5_generate_random_keyblock(context, sessionetype, sessionkey); if (ret) { free_PA_PK_AS_REP(&rep); 
@@ -1368,7 +1368,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, krb5_abortx(context, "Internal ASN.1 encoder error"); /* XXX KRB-FX-CF2 */ - ret = krb5_generate_random_keyblock(context, sessionetype, + ret = krb5_generate_random_keyblock(context, sessionetype, sessionkey); if (ret) { free_PA_PK_AS_REP(&rep); @@ -1463,7 +1463,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, if (len != size) krb5_abortx(context, "Internal ASN.1 encoder error"); - ret = krb5_generate_random_keyblock(context, sessionetype, + ret = krb5_generate_random_keyblock(context, sessionetype, sessionkey); if (ret) { free(buf); @@ -1507,7 +1507,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, "PK-INIT failed to stat ocsp data %d", ret); goto out_ocsp; } - + ret = krb5_data_alloc(&ocsp.data, sb.st_size); if (ret) { close(fd); @@ -1575,7 +1575,8 @@ match_rfc_san(krb5_context context, krb5_const_principal match) { hx509_octet_string_list list; - int ret, i, found = 0; + int ret, found = 0; + size_t i; memset(&list, 0 , sizeof(list)); @@ -1679,12 +1680,12 @@ match_ms_upn_san(krb5_context context, if (clientdb->hdb_check_pkinit_ms_upn_match) { ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal); } else { - + /* * This is very wrong, but will do for a fallback */ strupr(principal->realm); - + if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE) ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; } @@ -1709,7 +1710,7 @@ _kdc_pk_check_client(krb5_context context, const HDB_Ext_PKINIT_cert *pc; krb5_error_code ret; hx509_name name; - int i; + size_t i; if (cp->cert == NULL) { 
@@ -1737,12 +1738,12 @@ _kdc_pk_check_client(krb5_context context, ret = hdb_entry_get_pkinit_cert(&client->entry, &pc); if (ret == 0 && pc) { hx509_cert cert; - unsigned int i; - - for (i = 0; i < pc->len; i++) { + size_t j; + + for (j = 0; j < pc->len; j++) { ret = hx509_cert_init_data(context->hx509ctx, - pc->val[i].cert.data, - pc->val[i].cert.length, + pc->val[j].cert.data, + pc->val[j].cert.length, &cert); if (ret) continue; @@ -1770,7 +1771,7 @@ _kdc_pk_check_client(krb5_context context, ret = match_ms_upn_san(context, config, context->hx509ctx, cp->cert, - clientdb, + clientdb, client); if (ret == 0) { kdc_log(context, config, 5, @@ -1871,7 +1872,7 @@ _kdc_add_inital_verified_cas(krb5_context context, AD_INITIAL_VERIFIED_CAS cas; krb5_error_code ret; krb5_data data; - size_t size; + size_t size = 0; memset(&cas, 0, sizeof(cas)); @@ -1937,7 +1938,7 @@ load_mappings(krb5_context context, const char *fn) fclose(f); } - + /* * */ @@ -1982,17 +1983,17 @@ krb5_kdc_pk_initialize(krb5_context context, { hx509_query *q; hx509_cert cert; - + ret = hx509_query_alloc(context->hx509ctx, &q); if (ret) { krb5_warnx(context, "PKINIT: out of memory"); return ENOMEM; } - + hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY); if (config->pkinit_kdc_friendly_name) hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); - + ret = hx509_certs_find(context->hx509ctx, kdc_identity->certs, q, -- cgit
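Review bot: The same stored-certificate loop in _kdc_pk_rd_padata (hunk -538,7) still declares a block-local `unsigned int i`, while here in _kdc_pk_check_client (hunk -1737,12) the identical loop moves to `size_t j` so that it no longer shadows the function-level `i`. The two copies should be changed together, using `size_t j;` and `pc->val[j].cert.data` there as well. That function indexes `edi->val[i]` in a later hunk, so it likely has an outer `i` too, but its declaration is not visible here. It would also help to document why a failing `hx509_cert_init_data` is skipped silently, with a comment such as `/* skip stored certificates that fail to parse; remaining entries are still compared */` above the `continue`. The loop body continues outside this hunk.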