From 2b29b7186459d945ec448694164bfe4239b30d72 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 27 Oct 2008 11:35:07 +0100 Subject: s4: import lorikeet-heimdal-200810271034 metze --- source4/heimdal/lib/krb5/pkinit.c | 399 ++++++++++++++++++++++---------------- 1 file changed, 228 insertions(+), 171 deletions(-) (limited to 'source4/heimdal/lib/krb5/pkinit.c') diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index 634ef26c7f..de5e90a68e 100644 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c @@ -1,34 +1,34 @@ /* - * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb5_locl.h" @@ -99,7 +99,7 @@ BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer) integer->length = BN_num_bytes(bn); integer->data = malloc(integer->length); if (integer->data == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ENOMEM; } BN_bn2bin(bn, integer->data); @@ -114,7 +114,8 @@ integer_to_BN(krb5_context context, const char *field, const heim_integer *f) bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL); if (bn == NULL) { - krb5_set_error_message(context, ENOMEM, "PKINIT: parsing BN failed %s", field); + krb5_set_error_message(context, ENOMEM, + N_("PKINIT: parsing BN failed %s", ""), field); return NULL; } BN_set_negative(bn, f->negative); @@ -132,10 +133,10 @@ struct certfind { */ static krb5_error_code -find_cert(krb5_context context, struct krb5_pk_identity *id, +find_cert(krb5_context context, struct krb5_pk_identity *id, hx509_query *q, hx509_cert *cert) { - struct certfind cf[3] = { + struct certfind cf[3] = { { "PKINIT EKU" }, { "MS EKU" }, { "no" } @@ -149,7 +150,7 @@ find_cert(krb5_context context, struct krb5_pk_identity *id, for (i = 0; i < sizeof(cf)/sizeof(cf[0]); i++) { ret = hx509_query_match_eku(q, cf[i].oid); if (ret) { - pk_copy_error(context, id->hx509ctx, ret, + pk_copy_error(context, id->hx509ctx, ret, "Failed setting %s OID", cf[i].type); return ret; } @@ -157,7 +158,7 @@ find_cert(krb5_context context, struct krb5_pk_identity *id, ret = hx509_certs_find(id->hx509ctx, id->certs, q, cert); if (ret == 0) break; - pk_copy_error(context, id->hx509ctx, ret, + pk_copy_error(context, id->hx509ctx, ret, "Failed cert for finding %s OID", cf[i].type); } return ret; @@ -178,7 +179,7 @@ create_signature(krb5_context context, ret = hx509_query_alloc(id->hx509ctx, &q); if (ret) { - pk_copy_error(context, id->hx509ctx, ret, + pk_copy_error(context, id->hx509ctx, ret, "Allocate query to find signing certificate"); return ret; } @@ -235,7 +236,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c) free_ExternalPrincipalIdentifier(&id); return ENOMEM; } - + ret = hx509_name_binary(subject, id.subjectName); if (ret) { hx509_name_free(&subject); @@ -280,7 +281,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c) } ASN1_MALLOC_ENCODE(IssuerAndSerialNumber, - id.issuerAndSerialNumber->data, + id.issuerAndSerialNumber->data, id.issuerAndSerialNumber->length, &iasn, &size, ret); free_IssuerAndSerialNumber(&iasn); @@ -292,7 +293,7 @@ cert2epi(hx509_context context, void *ctx, hx509_cert c) id.subjectKeyIdentifier = NULL; - p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1)); + p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1)); if (p == NULL) { free_ExternalPrincipalIdentifier(&id); return ENOMEM; @@ -329,7 +330,7 @@ build_auth_pack(krb5_context context, int32_t usec; Checksum checksum; - krb5_clear_error_string(context); + krb5_clear_error_message(context); memset(&checksum, 0, sizeof(checksum)); @@ -351,12 +352,13 @@ build_auth_pack(krb5_context context, len, &checksum); free(buf); - if (ret) + if (ret) return ret; ALLOC(a->pkAuthenticator.paChecksum, 1); if (a->pkAuthenticator.paChecksum == NULL) { - krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); + krb5_set_error_message(context, ENOMEM, + N_("malloc: out of memory", "")); return ENOMEM; } @@ -375,16 +377,16 @@ build_auth_pack(krb5_context context, if (1 /* support_cached_dh */) { ALLOC(a->clientDHNonce, 1); if (a->clientDHNonce == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ENOMEM; } ret = krb5_data_alloc(a->clientDHNonce, 40); if (a->clientDHNonce == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return ret; } memset(a->clientDHNonce->data, 0, a->clientDHNonce->length); - ret = krb5_copy_data(context, a->clientDHNonce, + ret = krb5_copy_data(context, a->clientDHNonce, &ctx->clientDHNonce); if (ret) return ret; @@ -418,7 +420,7 @@ build_auth_pack(krb5_context context, dp.j = NULL; dp.validationParms = NULL; - a->clientPublicValue->algorithm.parameters = + a->clientPublicValue->algorithm.parameters = malloc(sizeof(*a->clientPublicValue->algorithm.parameters)); if (a->clientPublicValue->algorithm.parameters == NULL) { free_DomainParameters(&dp); @@ -468,7 +470,7 @@ build_auth_pack(krb5_context context, krb5_error_code KRB5_LIB_FUNCTION _krb5_pk_mk_ContentInfo(krb5_context context, - const krb5_data *buf, + const krb5_data *buf, const heim_oid *oid, struct ContentInfo *content_info) { @@ -517,13 +519,13 @@ pk_mk_padata(krb5_context context, ret = copy_PrincipalName(req_body->sname, &ap.pkAuthenticator.kdcName); if (ret) { free_AuthPack_Win2k(&ap); - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } ret = copy_Realm(&req_body->realm, &ap.pkAuthenticator.kdcRealm); if (ret) { free_AuthPack_Win2k(&ap); - krb5_clear_error_string(context); + krb5_clear_error_message(context); goto out; } @@ -536,7 +538,8 @@ pk_mk_padata(krb5_context context, &ap, &size, ret); free_AuthPack_Win2k(&ap); if (ret) { - krb5_set_error_message(context, ret, "AuthPack_Win2k: %d", + krb5_set_error_message(context, ret, + N_("Failed encoding AuthPackWin: %d", ""), (int)ret); goto out; } @@ -558,7 +561,9 @@ pk_mk_padata(krb5_context context, ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret); free_AuthPack(&ap); if (ret) { - krb5_set_error_message(context, ret, "AuthPack: %d", (int)ret); + krb5_set_error_message(context, ret, + N_("Failed encoding AuthPack: %d", ""), + (int)ret); goto out; } if (buf.length != size) @@ -578,7 +583,7 @@ pk_mk_padata(krb5_context context, krb5_data_free(&sd_buf); if (ret) { krb5_set_error_message(context, ret, - "ContentInfo wrapping of signedData failed"); + N_("ContentInfo wrapping of signedData failed","")); goto out; } @@ -608,14 +613,17 @@ pk_mk_padata(krb5_context context, req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers)); if (req.trustedCertifiers == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, "malloc: out of memory"); + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); free_PA_PK_AS_REQ(&req); goto out; } - ret = build_edi(context, ctx->id->hx509ctx, + ret = build_edi(context, ctx->id->hx509ctx, ctx->id->anchors, req.trustedCertifiers); if (ret) { - krb5_set_error_message(context, ret, "pk-init: failed to build trustedCertifiers"); + krb5_set_error_message(context, ret, + N_("pk-init: failed to build " + "trustedCertifiers", "")); free_PA_PK_AS_REQ(&req); goto out; } @@ -650,7 +658,7 @@ pk_mk_padata(krb5_context context, } -krb5_error_code KRB5_LIB_FUNCTION +krb5_error_code KRB5_LIB_FUNCTION _krb5_pk_mk_padata(krb5_context context, void *c, const KDC_REQ_BODY *req_body, @@ -668,7 +676,7 @@ _krb5_pk_mk_padata(krb5_context context, NULL); if (win2k_compat) { - ctx->require_binding = + ctx->require_binding = krb5_config_get_bool_default(context, NULL, FALSE, "realms", @@ -679,14 +687,14 @@ _krb5_pk_mk_padata(krb5_context context, } else ctx->type = PKINIT_27; - ctx->require_eku = + ctx->require_eku = krb5_config_get_bool_default(context, NULL, TRUE, "realms", req_body->realm, "pkinit_require_eku", NULL); - ctx->require_krbtgt_otherName = + ctx->require_krbtgt_otherName = krb5_config_get_bool_default(context, NULL, TRUE, "realms", @@ -694,7 +702,7 @@ _krb5_pk_mk_padata(krb5_context context, "pkinit_require_krbtgt_otherName", NULL); - ctx->require_hostname_match = + ctx->require_hostname_match = krb5_config_get_bool_default(context, NULL, FALSE, "realms", @@ -702,7 +710,7 @@ _krb5_pk_mk_padata(krb5_context context, "pkinit_require_hostname_match", NULL); - ctx->trustedCertifiers = + ctx->trustedCertifiers = krb5_config_get_bool_default(context, NULL, TRUE, "realms", @@ -744,7 +752,7 @@ _krb5_pk_verify_sign(krb5_context context, *signer = calloc(1, sizeof(**signer)); if (*signer == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); ret = ENOMEM; goto out; } @@ -784,13 +792,15 @@ get_reply_key_win(krb5_context context, &key_pack, &size); if (ret) { - krb5_set_error_message(context, ret, "PKINIT decoding reply key failed"); + krb5_set_error_message(context, ret, + N_("PKINIT decoding reply key failed", "")); free_ReplyKeyPack_Win2k(&key_pack); return ret; } - + if (key_pack.nonce != nonce) { - krb5_set_error_message(context, ret, "PKINIT enckey nonce is wrong"); + krb5_set_error_message(context, ret, + N_("PKINIT enckey nonce is wrong", "")); free_ReplyKeyPack_Win2k(&key_pack); return KRB5KRB_AP_ERR_MODIFIED; } @@ -798,14 +808,16 @@ get_reply_key_win(krb5_context context, *key = malloc (sizeof (**key)); if (*key == NULL) { free_ReplyKeyPack_Win2k(&key_pack); - krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); + krb5_set_error_message(context, ENOMEM, + N_("malloc: out of memory", "")); return ENOMEM; } ret = copy_EncryptionKey(&key_pack.replyKey, *key); free_ReplyKeyPack_Win2k(&key_pack); if (ret) { - krb5_set_error_message(context, ret, "PKINIT failed copying reply key"); + krb5_set_error_message(context, ret, + N_("PKINIT failed copying reply key", "")); free(*key); *key = NULL; } @@ -828,15 +840,16 @@ get_reply_key(krb5_context context, &key_pack, &size); if (ret) { - krb5_set_error_message(context, ret, "PKINIT decoding reply key failed"); + krb5_set_error_message(context, ret, + N_("PKINIT decoding reply key failed", "")); free_ReplyKeyPack(&key_pack); return ret; } - + { krb5_crypto crypto; - /* + /* * XXX Verify kp.replyKey is a allowed enctype in the * configuration file */ @@ -860,14 +873,16 @@ get_reply_key(krb5_context context, *key = malloc (sizeof (**key)); if (*key == NULL) { free_ReplyKeyPack(&key_pack); - krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); + krb5_set_error_message(context, ENOMEM, + N_("malloc: out of memory", "")); return ENOMEM; } ret = copy_EncryptionKey(&key_pack.replyKey, *key); free_ReplyKeyPack(&key_pack); if (ret) { - krb5_set_error_message(context, ret, "PKINIT failed copying reply key"); + krb5_set_error_message(context, ret, + N_("PKINIT failed copying reply key", "")); free(*key); *key = NULL; } @@ -889,7 +904,8 @@ pk_verify_host(krb5_context context, ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert, oid_id_pkkdcekuoid(), 0); if (ret) { - krb5_set_error_message(context, ret, "No PK-INIT KDC EKU in kdc certificate"); + krb5_set_error_message(context, ret, + N_("No PK-INIT KDC EKU in kdc certificate", "")); return ret; } } @@ -902,8 +918,10 @@ pk_verify_host(krb5_context context, oid_id_pkinit_san(), &list); if (ret) { - krb5_set_error_message(context, ret, "Failed to find the PK-INIT " - "subjectAltName in the KDC certificate"); + krb5_set_error_message(context, ret, + N_("Failed to find the PK-INIT " + "subjectAltName in the KDC " + "certificate", "")); return ret; } @@ -916,8 +934,10 @@ pk_verify_host(krb5_context context, &r, NULL); if (ret) { - krb5_set_error_message(context, ret, "Failed to decode the PK-INIT " - "subjectAltName in the KDC certificate"); + krb5_set_error_message(context, ret, + N_("Failed to decode the PK-INIT " + "subjectAltName in the " + "KDC certificate", "")); break; } @@ -928,8 +948,9 @@ pk_verify_host(krb5_context context, strcmp(r.realm, realm) != 0) { ret = KRB5_KDC_ERR_INVALID_CERTIFICATE; - krb5_set_error_message(context, ret, "KDC have wrong realm name in " - "the certificate"); + krb5_set_error_message(context, ret, + N_("KDC have wrong realm name in " + "the certificate", "")); } free_KRB5PrincipalName(&r); @@ -940,17 +961,18 @@ pk_verify_host(krb5_context context, } if (ret) return ret; - + if (hi) { - ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert, + ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert, ctx->require_hostname_match, HX509_HN_HOSTNAME, hi->hostname, hi->ai->ai_addr, hi->ai->ai_addrlen); if (ret) - krb5_set_error_message(context, ret, "Address mismatch in " - "the KDC certificate"); + krb5_set_error_message(context, ret, + N_("Address mismatch in " + "the KDC certificate", "")); } return ret; } @@ -967,7 +989,7 @@ pk_rd_pa_reply_enckey(krb5_context context, unsigned nonce, const krb5_data *req_buffer, PA_DATA *pa, - krb5_keyblock **key) + krb5_keyblock **key) { krb5_error_code ret; struct krb5_pk_cert *host = NULL; @@ -975,7 +997,8 @@ pk_rd_pa_reply_enckey(krb5_context context, heim_oid contentType = { 0, NULL }; if (der_heim_oid_cmp(oid_id_pkcs7_envelopedData(), dataType)) { - krb5_set_error_message(context, EINVAL, "PKINIT: Invalid content type"); + krb5_set_error_message(context, EINVAL, + N_("PKINIT: Invalid content type", "")); return EINVAL; } @@ -1021,7 +1044,8 @@ pk_rd_pa_reply_enckey(krb5_context context, ret = hx509_cms_unwrap_ContentInfo(&content, &type, &out, NULL); if (der_heim_oid_cmp(&type, oid_id_pkcs7_signedData())) { ret = EINVAL; /* XXX */ - krb5_set_error_message(context, ret, "PKINIT: Invalid content type"); + krb5_set_error_message(context, ret, + N_("PKINIT: Invalid content type", "")); der_free_oid(&type); der_free_octet_string(&out); goto out; @@ -1031,12 +1055,13 @@ pk_rd_pa_reply_enckey(krb5_context context, ret = krb5_data_copy(&content, out.data, out.length); der_free_octet_string(&out); if (ret) { - krb5_set_error_message(context, ret, "PKINIT: out of memory"); + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); goto out; } } - ret = _krb5_pk_verify_sign(context, + ret = _krb5_pk_verify_sign(context, content.data, content.length, ctx->id, @@ -1120,11 +1145,12 @@ pk_rd_pa_reply_dh(krb5_context context, memset(&kdc_dh_info, 0, sizeof(kdc_dh_info)); if (der_heim_oid_cmp(oid_id_pkcs7_signedData(), dataType)) { - krb5_set_error_message(context, EINVAL, "PKINIT: Invalid content type"); + krb5_set_error_message(context, EINVAL, + N_("PKINIT: Invalid content type", "")); return EINVAL; } - ret = _krb5_pk_verify_sign(context, + ret = _krb5_pk_verify_sign(context, indata->data, indata->length, ctx->id, @@ -1141,7 +1167,8 @@ pk_rd_pa_reply_dh(krb5_context context, if (der_heim_oid_cmp(&contentType, oid_id_pkdhkeydata())) { ret = KRB5KRB_AP_ERR_MSG_TYPE; - krb5_set_error_message(context, ret, "pkinit - dh reply contains wrong oid"); + krb5_set_error_message(context, ret, + N_("pkinit - dh reply contains wrong oid", "")); goto out; } @@ -1151,35 +1178,40 @@ pk_rd_pa_reply_dh(krb5_context context, &size); if (ret) { - krb5_set_error_message(context, ret, "pkinit - " - "failed to decode KDC DH Key Info"); + krb5_set_error_message(context, ret, + N_("pkinit - failed to decode " + "KDC DH Key Info", "")); goto out; } if (kdc_dh_info.nonce != nonce) { ret = KRB5KRB_AP_ERR_MODIFIED; - krb5_set_error_message(context, ret, "PKINIT: DH nonce is wrong"); + krb5_set_error_message(context, ret, + N_("PKINIT: DH nonce is wrong", "")); goto out; } if (kdc_dh_info.dhKeyExpiration) { if (k_n == NULL) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, "pkinit; got key expiration " - "without server nonce"); + krb5_set_error_message(context, ret, + N_("pkinit; got key expiration " + "without server nonce", "")); goto out; } if (c_n == NULL) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, "pkinit; got DH reuse but no " - "client nonce"); + krb5_set_error_message(context, ret, + N_("pkinit; got DH reuse but no " + "client nonce", "")); goto out; } } else { if (k_n) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, "pkinit: got server nonce " - "without key expiration"); + krb5_set_error_message(context, ret, + N_("pkinit: got server nonce " + "without key expiration", "")); goto out; } c_n = NULL; @@ -1193,8 +1225,9 @@ pk_rd_pa_reply_dh(krb5_context context, DHPublicKey k; ret = decode_DHPublicKey(p, size, &k, NULL); if (ret) { - krb5_set_error_message(context, ret, "pkinit: can't decode " - "without key expiration"); + krb5_set_error_message(context, ret, + N_("pkinit: can't decode " + "without key expiration", "")); goto out; } @@ -1205,7 +1238,7 @@ pk_rd_pa_reply_dh(krb5_context context, goto out; } } - + dh_gen_keylen = DH_size(ctx->dh); size = BN_num_bytes(ctx->dh->p); if (size < dh_gen_keylen) @@ -1214,7 +1247,7 @@ pk_rd_pa_reply_dh(krb5_context context, dh_gen_key = malloc(size); if (dh_gen_key == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, "malloc: out of memory"); + krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; } memset(dh_gen_key, 0, size - dh_gen_keylen); @@ -1223,15 +1256,16 @@ pk_rd_pa_reply_dh(krb5_context context, kdc_dh_pubkey, ctx->dh); if (dh_gen_keylen == -1) { ret = KRB5KRB_ERR_GENERIC; - krb5_set_error_message(context, ret, - "PKINIT: Can't compute Diffie-Hellman key"); + krb5_set_error_message(context, ret, + N_("PKINIT: Can't compute Diffie-Hellman key", "")); goto out; } *key = malloc (sizeof (**key)); if (*key == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, "malloc: out of memory"); + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); goto out; } @@ -1242,7 +1276,7 @@ pk_rd_pa_reply_dh(krb5_context context, *key); if (ret) { krb5_set_error_message(context, ret, - "PKINIT: can't create key from DH key"); + N_("PKINIT: can't create key from DH key", "")); free(*key); *key = NULL; goto out; @@ -1287,7 +1321,8 @@ _krb5_pk_rd_pa_reply(krb5_context context, heim_oid oid; if (pa->padata_type != KRB5_PADATA_PK_AS_REP) { - krb5_set_error_message(context, EINVAL, "PKINIT: wrong padata recv"); + krb5_set_error_message(context, EINVAL, + N_("PKINIT: wrong padata recv", "")); return EINVAL; } @@ -1296,7 +1331,8 @@ _krb5_pk_rd_pa_reply(krb5_context context, &rep, &size); if (ret) { - krb5_set_error_message(context, ret, "Failed to decode pkinit AS rep"); + krb5_set_error_message(context, ret, + N_("Failed to decode pkinit AS rep", "")); return ret; } @@ -1309,15 +1345,17 @@ _krb5_pk_rd_pa_reply(krb5_context context, break; default: free_PA_PK_AS_REP(&rep); - krb5_set_error_message(context, EINVAL, "PKINIT: -27 reply " - "invalid content type"); + krb5_set_error_message(context, EINVAL, + N_("PKINIT: -27 reply " + "invalid content type", "")); return EINVAL; } ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL); if (ret) { free_PA_PK_AS_REP(&rep); - krb5_set_error_message(context, ret, "PKINIT: failed to unwrap CI"); + krb5_set_error_message(context, ret, + N_("PKINIT: failed to unwrap CI", "")); return ret; } @@ -1329,7 +1367,7 @@ _krb5_pk_rd_pa_reply(krb5_context context, nonce, pa, key); break; case choice_PA_PK_AS_REP_encKeyPack: - ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, realm, + ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, realm, ctx, etype, hi, nonce, req_buffer, pa, key); break; default: @@ -1342,11 +1380,12 @@ _krb5_pk_rd_pa_reply(krb5_context context, } else if (ctx->type == PKINIT_WIN2K) { PA_PK_AS_REP_Win2k w2krep; - /* Check for Windows encoding of the AS-REP pa data */ + /* Check for Windows encoding of the AS-REP pa data */ #if 0 /* should this be ? */ if (pa->padata_type != KRB5_PADATA_PK_AS_REP) { - krb5_set_error_message(context, EINVAL, "PKINIT: wrong padata recv"); + krb5_set_error_message(context, EINVAL, + "PKINIT: wrong padata recv"); return EINVAL; } #endif @@ -1358,23 +1397,25 @@ _krb5_pk_rd_pa_reply(krb5_context context, &w2krep, &size); if (ret) { - krb5_set_error_message(context, ret, "PKINIT: Failed decoding windows " - "pkinit reply %d", (int)ret); + krb5_set_error_message(context, ret, + N_("PKINIT: Failed decoding windows " + "pkinit reply %d", ""), (int)ret); return ret; } - krb5_clear_error_string(context); + krb5_clear_error_message(context); switch (w2krep.element) { case choice_PA_PK_AS_REP_Win2k_encKeyPack: { heim_octet_string data; heim_oid oid; - - ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack, + + ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack, &oid, &data, NULL); free_PA_PK_AS_REP_Win2k(&w2krep); if (ret) { - krb5_set_error_message(context, ret, "PKINIT: failed to unwrap CI"); + krb5_set_error_message(context, ret, + N_("PKINIT: failed to unwrap CI", "")); return ret; } @@ -1388,14 +1429,16 @@ _krb5_pk_rd_pa_reply(krb5_context context, default: free_PA_PK_AS_REP_Win2k(&w2krep); ret = EINVAL; - krb5_set_error_message(context, ret, "PKINIT: win2k reply invalid " - "content type"); + krb5_set_error_message(context, ret, + N_("PKINIT: win2k reply invalid " + "content type", "")); break; } - + } else { ret = EINVAL; - krb5_set_error_message(context, ret, "PKINIT: unknown reply type"); + krb5_set_error_message(context, ret, + N_("PKINIT: unknown reply type", "")); } return ret; @@ -1407,14 +1450,14 @@ struct prompter { void *prompter_data; }; -static int +static int hx_pass_prompter(void *data, const hx509_prompt *prompter) { krb5_error_code ret; krb5_prompt prompt; krb5_data password_data; struct prompter *p = data; - + password_data.data = prompter->reply.data; password_data.length = prompter->reply.length; @@ -1432,7 +1475,7 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter) prompt.type = KRB5_PROMPT_TYPE_PASSWORD; break; } - + ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt); if (ret) { memset (prompter->reply.data, 0, prompter->reply.length); @@ -1470,13 +1513,13 @@ _krb5_pk_load_id(krb5_context context, if (anchor_id == NULL) { krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA, - "PKINIT: No anchor given"); + N_("PKINIT: No anchor given", "")); return HEIM_PKINIT_NO_VALID_CA; } if (user_id == NULL) { krb5_set_error_message(context, HEIM_PKINIT_NO_PRIVATE_KEY, - "PKINIT: No user certificate given"); + N_("PKINIT: No user certificate given", "")); return HEIM_PKINIT_NO_PRIVATE_KEY; } @@ -1484,7 +1527,8 @@ _krb5_pk_load_id(krb5_context context, id = calloc(1, sizeof(*id)); if (id == NULL) { - krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); + krb5_set_error_message(context, ENOMEM, + N_("malloc: out of memory", "")); return ENOMEM; } @@ -1520,7 +1564,7 @@ _krb5_pk_load_id(krb5_context context, goto out; } - ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain", + ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain", 0, NULL, &id->certpool); if (ret) { pk_copy_error(context, id->hx509ctx, ret, @@ -1549,11 +1593,11 @@ _krb5_pk_load_id(krb5_context context, } while (*revoke_list) { - ret = hx509_revoke_add_crl(id->hx509ctx, + ret = hx509_revoke_add_crl(id->hx509ctx, id->revokectx, *revoke_list); if (ret) { - pk_copy_error(context, id->hx509ctx, ret, + pk_copy_error(context, id->hx509ctx, ret, "Failed load revoke list"); goto out; } @@ -1564,7 +1608,7 @@ _krb5_pk_load_id(krb5_context context, ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx); if (ret) { - pk_copy_error(context, id->hx509ctx, ret, + pk_copy_error(context, id->hx509ctx, ret, "Failed init verify context"); goto out; } @@ -1590,7 +1634,7 @@ _krb5_pk_load_id(krb5_context context, } static krb5_error_code -select_dh_group(krb5_context context, DH *dh, unsigned long bits, +select_dh_group(krb5_context context, DH *dh, unsigned long bits, struct krb5_dh_moduli **moduli) { const struct krb5_dh_moduli *m; @@ -1607,8 +1651,8 @@ select_dh_group(krb5_context context, DH *dh, unsigned long bits, } if (moduli[i] == NULL) { krb5_set_error_message(context, EINVAL, - "Did not find a DH group parameter " - "matching requirement of %lu bits", + N_("Did not find a DH group parameter " + "matching requirement of %lu bits", ""), bits); return EINVAL; } @@ -1646,13 +1690,13 @@ pk_copy_error(krb5_context context, vasprintf(&f, fmt, va); va_end(va); if (f == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); return; } s = hx509_get_error_string(hx509ctx, hxret); if (s == NULL) { - krb5_clear_error_string(context); + krb5_clear_error_message(context); free(f); return; } @@ -1661,24 +1705,24 @@ pk_copy_error(krb5_context context, free(f); } -#endif /* PKINIT */ - static int -parse_integer(krb5_context context, char **p, const char *file, int lineno, +parse_integer(krb5_context context, char **p, const char *file, int lineno, const char *name, heim_integer *integer) { int ret; char *p1; p1 = strsep(p, " \t"); if (p1 == NULL) { - krb5_set_error_message(context, EINVAL, "moduli file %s missing %s on line %d", + krb5_set_error_message(context, EINVAL, + N_("moduli file %s missing %s on line %d", ""), file, name, lineno); return EINVAL; } ret = der_parse_hex_heim_integer(p1, integer); if (ret) { - krb5_set_error_message(context, ret, "moduli file %s failed parsing %s " - "on line %d", + krb5_set_error_message(context, ret, + N_("moduli file %s failed parsing %s " + "on line %d", ""), file, name, lineno); return ret; } @@ -1687,7 +1731,7 @@ parse_integer(krb5_context context, char **p, const char *file, int lineno, } krb5_error_code -_krb5_parse_moduli_line(krb5_context context, +_krb5_parse_moduli_line(krb5_context context, const char *file, int lineno, char *p, @@ -1701,7 +1745,8 @@ _krb5_parse_moduli_line(krb5_context context, m1 = calloc(1, sizeof(*m1)); if (m1 == NULL) { - krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); + krb5_set_error_message(context, ENOMEM, + N_("malloc: out of memory", "")); return ENOMEM; } @@ -1713,28 +1758,31 @@ _krb5_parse_moduli_line(krb5_context context, p1 = strsep(&p, " \t"); if (p1 == NULL) { - krb5_set_error_message(context, ret, "moduli file %s missing name " - "on line %d", file, lineno); + krb5_set_error_message(context, ret, + N_("moduli file %s missing name on line %d", ""), + file, lineno); goto out; } m1->name = strdup(p1); if (p1 == NULL) { ret = ENOMEM; - krb5_set_error_message(context, ret, "malloc - out of memeory"); + krb5_set_error_message(context, ret, N_("malloc: out of memeory", "")); goto out; } p1 = strsep(&p, " \t"); if (p1 == NULL) { - krb5_set_error_message(context, ret, "moduli file %s missing bits on line %d", + krb5_set_error_message(context, ret, + N_("moduli file %s missing bits on line %d", ""), file, lineno); goto out; } m1->bits = atoi(p1); if (m1->bits == 0) { - krb5_set_error_message(context, ret, "moduli file %s have un-parsable " - "bits on line %d", file, lineno); + krb5_set_error_message(context, ret, + N_("moduli file %s have un-parsable " + "bits on line %d", ""), file, lineno); goto out; } @@ -1843,7 +1891,8 @@ _krb5_parse_moduli(krb5_context context, const char *file, m = calloc(1, sizeof(m[0]) * 3); if (m == NULL) { - krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); + krb5_set_error_message(context, ENOMEM, + N_("malloc: out of memory", "")); return ENOMEM; } @@ -1883,7 +1932,8 @@ _krb5_parse_moduli(krb5_context context, const char *file, m2 = realloc(m, (n + 2) * sizeof(m[0])); if (m2 == NULL) { _krb5_free_moduli(m); - krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); + krb5_set_error_message(context, ENOMEM, + N_("malloc: out of memory", "")); return ENOMEM; } m = m2; @@ -1923,10 +1973,11 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits, (q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0)) { if (bits && bits > moduli[i]->bits) { - krb5_set_error_message(context, + krb5_set_error_message(context, KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, - "PKINIT: DH group parameter %s " - "no accepted, not enough bits generated", + N_("PKINIT: DH group parameter %s " + "no accepted, not enough bits " + "generated", ""), moduli[i]->name); return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; } @@ -1937,9 +1988,10 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits, } krb5_set_error_message(context, KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, - "PKINIT: DH group parameter no ok"); + N_("PKINIT: DH group parameter no ok", "")); return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; } +#endif /* PKINIT */ void KRB5_LIB_FUNCTION _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt) @@ -1973,7 +2025,7 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt) opt->opt_private->pk_init_ctx = NULL; #endif } - + krb5_error_code KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_pkinit(krb5_context context, krb5_get_init_creds_opt *opt, @@ -1992,14 +2044,16 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, char *anchors = NULL; if (opt->opt_private == NULL) { - krb5_set_error_message(context, EINVAL, "PKINIT: on non extendable opt"); + krb5_set_error_message(context, EINVAL, + N_("PKINIT: on non extendable opt", "")); return EINVAL; } - opt->opt_private->pk_init_ctx = + opt->opt_private->pk_init_ctx = calloc(1, sizeof(*opt->opt_private->pk_init_ctx)); if (opt->opt_private->pk_init_ctx == NULL) { - krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); + krb5_set_error_message(context, ENOMEM, + N_("malloc: out of memory", "")); return ENOMEM; } opt->opt_private->pk_init_ctx->dh = NULL; @@ -2013,19 +2067,19 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, /* XXX implement krb5_appdefault_strings */ if (pool == NULL) pool = krb5_config_get_strings(context, NULL, - "appdefaults", - "pkinit_pool", + "appdefaults", + "pkinit_pool", NULL); if (pki_revoke == NULL) pki_revoke = krb5_config_get_strings(context, NULL, - "appdefaults", - "pkinit_revoke", + "appdefaults", + "pkinit_revoke", NULL); if (x509_anchors == NULL) { krb5_appdefault_string(context, "kinit", - krb5_principal_get_realm(context, principal), + krb5_principal_get_realm(context, principal), "pkinit_anchors", NULL, &anchors); x509_anchors = anchors; } @@ -2060,7 +2114,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, "pkinit_dh_min_bits", NULL); - ret = _krb5_parse_moduli(context, moduli_file, + ret = _krb5_parse_moduli(context, moduli_file, &opt->opt_private->pk_init_ctx->m); if (ret) { _krb5_get_init_creds_opt_free_pkinit(opt); @@ -2070,12 +2124,13 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, opt->opt_private->pk_init_ctx->dh = DH_new(); if (opt->opt_private->pk_init_ctx->dh == NULL) { _krb5_get_init_creds_opt_free_pkinit(opt); - krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); + krb5_set_error_message(context, ENOMEM, + N_("malloc: out of memory", "")); return ENOMEM; } ret = select_dh_group(context, opt->opt_private->pk_init_ctx->dh, - dh_min_bits, + dh_min_bits, opt->opt_private->pk_init_ctx->m); if (ret) { _krb5_get_init_creds_opt_free_pkinit(opt); @@ -2084,14 +2139,16 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context, if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) { _krb5_get_init_creds_opt_free_pkinit(opt); - krb5_set_error_message(context, ENOMEM, "pkinit: failed to generate DH key"); + krb5_set_error_message(context, ENOMEM, + N_("pkinit: failed to generate DH key", "")); return ENOMEM; } } return 0; #else - krb5_set_error_message(context, EINVAL, "no support for PKINIT compiled in"); + krb5_set_error_message(context, EINVAL, + N_("no support for PKINIT compiled in", "")); return EINVAL; #endif } -- cgit