From c44efdaa2242f50d75dd5b800e372dd5586c6deb Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 21 Sep 2005 12:24:41 +0000
Subject: r10386: Merge current lorikeet-heimdal into Samba4.

Andrew Bartlett
(This used to be commit 4d2a9a9bc497eae269c24cbf156b43b8588e2f73)
---
 source4/heimdal/kdc/kerberos5.c |  24 ++++++++-
 source4/heimdal/kdc/pkinit.c    | 110 +++++++++++++++++++++++-----------------
 2 files changed, 86 insertions(+), 48 deletions(-)

(limited to 'source4/heimdal/kdc')

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 2cbb5831d4..3191ab19b7 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -483,8 +483,8 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key)
     ent->s2kparams = NULL;
 
     switch (key->key.keytype) {
-    case KEYTYPE_AES128:
-    case KEYTYPE_AES256:
+    case ETYPE_AES128_CTS_HMAC_SHA1_96:
+    case ETYPE_AES256_CTS_HMAC_SHA1_96:
 	ALLOC(ent->s2kparams);
 	if (ent->s2kparams == NULL)
 	    return ENOMEM;
@@ -499,6 +499,26 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key)
 		      _krb5_AES_string_to_default_iterator, 
 		      ent->s2kparams->length);
 	break;
+    case ETYPE_DES_CBC_CRC:
+    case ETYPE_DES_CBC_MD4:
+    case ETYPE_DES_CBC_MD5:
+	/* Check if this was a AFS3 salted key */
+	if(key->salt && key->salt->type == hdb_afs3_salt){
+	    ALLOC(ent->s2kparams);
+	    if (ent->s2kparams == NULL)
+		return ENOMEM;
+	    ent->s2kparams->length = 1;
+	    ent->s2kparams->data = malloc(ent->s2kparams->length);
+	    if (ent->s2kparams->data == NULL) {
+		free(ent->s2kparams);
+		ent->s2kparams = NULL;
+		return ENOMEM;
+	    }
+	    _krb5_put_int(ent->s2kparams->data, 
+			  1,
+			  ent->s2kparams->length);
+	}
+	break;
     default:
 	break;
     }
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index fdeaf27ac4..985c7c15e4 100755
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: pkinit.c,v 1.41 2005/08/12 09:21:40 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.43 2005/09/21 00:40:32 lha Exp $");
 
 #ifdef PKINIT
 
@@ -333,16 +333,11 @@ generate_dh_keyblock(krb5_context context, pk_client_params *client_params,
 	goto out;
     }
 
-    ret = krb5_random_to_key(context, enctype, 
-			     dh_gen_key, dh_gen_keylen, &key);
-
-    if (ret) {
-	krb5_set_error_string(context, 
-			      "pkinit - can't create key from DH key");
-	ret = KRB5KRB_ERR_GENERIC;
-	goto out;
-    }
-    ret = krb5_copy_keyblock_contents(context, &key, reply_key);
+    ret = _krb5_pk_octetstring2key(context,
+				   enctype,
+				   dh_gen_key, dh_gen_keylen,
+				   NULL, NULL,
+				   reply_key);
 
  out:
     if (dh_gen_key)
@@ -768,11 +763,10 @@ _kdc_pk_rd_padata(krb5_context context,
 	client_params->nonce = ap.pkAuthenticator.nonce;
 
 	if (ap.clientPublicValue) {
-	    ret = get_dh_param(context, ap.clientPublicValue, client_params);
-	    if (ret) {
-		free_AuthPack_19(&ap);
-		goto out;
-	    }
+	    krb5_set_error_string(context, "PK-INIT, no support for DH");
+	    ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+	    free_AuthPack_19(&ap);
+	    goto out;
 	}
 	free_AuthPack_19(&ap);
     } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
@@ -800,10 +794,11 @@ _kdc_pk_rd_padata(krb5_context context,
 	client_params->nonce = ap.pkAuthenticator.nonce;
 
 	if (ap.clientPublicValue) {
-	    krb5_set_error_string(context, "PK-INIT, no support for DH");
-	    ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
-	    free_AuthPack(&ap);
-	    goto out;
+	    ret = get_dh_param(context, ap.clientPublicValue, client_params);
+	    if (ret) {
+		free_AuthPack(&ap);
+		goto out;
+	    }
 	}
 	free_AuthPack(&ap);
     } else
@@ -1139,16 +1134,18 @@ pk_mk_pa_reply_dh(krb5_context context,
 		  ContentInfo *content_info)
 {
     ASN1_INTEGER *dh_pub_key = NULL;
+    ContentInfo contentinfo;
     KDCDHKeyInfo dh_info;
     krb5_error_code ret;
     SignedData sd;
-    krb5_data buf, sd_buf;
+    krb5_data buf, signed_data;
     size_t size;
 
+    memset(&contentinfo, 0, sizeof(contentinfo));
     memset(&dh_info, 0, sizeof(dh_info));
     memset(&sd, 0, sizeof(sd));
     krb5_data_zero(&buf);
-    krb5_data_zero(&sd_buf);
+    krb5_data_zero(&signed_data);
 
     dh_pub_key = BN_to_ASN1_INTEGER(kdc_dh->pub_key, NULL);
     if (dh_pub_key == NULL) {
@@ -1190,17 +1187,21 @@ pk_mk_pa_reply_dh(krb5_context context,
     ret = _krb5_pk_create_sign(context, 
 			       oid_id_pkdhkeydata(),
 			       &buf,
-			       kdc_identity, 
-			       &sd_buf);
+			       kdc_identity,
+			       &signed_data);
     krb5_data_free(&buf);
     if (ret)
 	goto out;
 
-    ret = _krb5_pk_mk_ContentInfo(context, &sd_buf, oid_id_pkcs7_signedData(),
+    ret = _krb5_pk_mk_ContentInfo(context,
+				  &signed_data,
+				  oid_id_pkcs7_signedData(),
 				  content_info);
-    krb5_data_free(&sd_buf);
+    if (ret)
+	goto out;
 
  out:
+    krb5_data_free(&signed_data);
     free_KDCDHKeyInfo(&dh_info);
 
     return ret;
@@ -1249,14 +1250,15 @@ _kdc_pk_mk_pa_reply(krb5_context context,
     if (client_params->type == PKINIT_COMPAT_27) {
 	PA_PK_AS_REP rep;
 
-	pa_type = KRB5_PADATA_PK_AS_REP;
-
 	memset(&rep, 0, sizeof(rep));
 
+	pa_type = KRB5_PADATA_PK_AS_REP;
+
 	if (client_params->dh == NULL) {
-	    rep.element = choice_PA_PK_AS_REP_encKeyPack;
 	    ContentInfo info;
 
+	    rep.element = choice_PA_PK_AS_REP_encKeyPack;
+
 	    krb5_generate_random_keyblock(context, enctype, 
 					  &client_params->reply_key);
 	    ret = pk_mk_pa_reply_enckey(context,
@@ -1283,8 +1285,37 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 		krb5_abortx(context, "Internal ASN.1 encoder error");
 
 	} else {
-	    krb5_set_error_string(context, "DH -27 not implemented");
-	    ret = KRB5KRB_ERR_GENERIC;
+	    ContentInfo info;
+
+	    rep.element = choice_PA_PK_AS_REP_dhInfo;
+
+	    ret = check_dh_params(client_params->dh);
+	    if (ret)
+		return ret;
+
+	    ret = generate_dh_keyblock(context, client_params, enctype,
+				       &client_params->reply_key);
+	    if (ret)
+		return ret;
+
+	    ret = pk_mk_pa_reply_dh(context, client_params->dh,
+				    client_params, 
+				    &client_params->reply_key,
+				    &info);
+
+	    ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data,
+			       rep.u.dhInfo.dhSignedData.length, &info, &size,
+			       ret);
+	    free_ContentInfo(&info);
+	    if (ret) {
+		krb5_set_error_string(context, "encoding of Key ContentInfo "
+				      "failed %d", ret);
+		free_PA_PK_AS_REP(&rep);
+		goto out;
+	    }
+	    if (rep.u.encKeyPack.length != size)
+		krb5_abortx(context, "Internal ASN.1 encoder error");
+
 	}
 	if (ret) {
 	    free_PA_PK_AS_REP(&rep);
@@ -1319,21 +1350,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 					&client_params->reply_key,
 					&rep.u.encKeyPack);
 	} else {
-	    rep.element = choice_PA_PK_AS_REP_19_dhSignedData;
-
-	    ret = check_dh_params(client_params->dh);
-	    if (ret)
-		return ret;
-
-	    ret = generate_dh_keyblock(context, client_params, enctype,
-				       &client_params->reply_key);
-	    if (ret)
-		return ret;
-
-	    ret = pk_mk_pa_reply_dh(context, client_params->dh,
-				    client_params, 
-				    &client_params->reply_key,
-				    &rep.u.dhSignedData);
+	    krb5_set_error_string(context, "DH -19 not implemented");
+	    ret = KRB5KRB_ERR_GENERIC;
 	}
 	if (ret) {
 	    free_PA_PK_AS_REP_19(&rep);
-- 
cgit