Changeset 745 for trunk/server/source4/heimdal/kdc/pkinit.c
- Timestamp:
- Nov 27, 2012, 4:43:17 PM (13 years ago)
- Location:
- trunk/server
- Files:
-
- 2 edited
trunk/server
- Property svn:mergeinfo changed
/vendor/current merged: 581,587,591,594,597,600,615,618,740
- Property svn:mergeinfo changed
-
trunk/server/source4/heimdal/kdc/pkinit.c
r414 r745 3 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 5 7 * 6 8 * Redistribution and use in source and binary forms, with or without … … 34 36 #include "kdc_locl.h" 35 37 36 RCSID("$Id$");37 38 38 #ifdef PKINIT 39 39 … … 228 228 } 229 229 230 dh_gen_keylen = DH_size(client_params->u.dh.key); 231 size = BN_num_bytes(client_params->u.dh.key->p); 232 if (size < dh_gen_keylen) 233 size = dh_gen_keylen; 230 size = DH_size(client_params->u.dh.key); 234 231 235 232 dh_gen_key = malloc(size); … … 239 236 goto out; 240 237 } 241 memset(dh_gen_key, 0, size - dh_gen_keylen); 242 243 dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen), 244 client_params->u.dh.public_key, 245 client_params->u.dh.key); 238 239 dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key); 246 240 if (dh_gen_keylen == -1) { 247 241 ret = KRB5KRB_ERR_GENERIC; … … 250 244 goto out; 251 245 } 246 if (dh_gen_keylen < size) { 247 size -= dh_gen_keylen; 248 memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen); 249 memset(dh_gen_key, 0, size); 250 } 251 252 252 ret = 0; 253 253 #ifdef HAVE_OPENSSL … … 518 518 } 519 519 520 ret = hx509_certs_init( kdc_identity->hx509ctx,520 ret = hx509_certs_init(context->hx509ctx, 521 521 "MEMORY:trust-anchors", 522 522 0, NULL, &trust_anchors); … … 526 526 } 527 527 528 ret = hx509_certs_merge( kdc_identity->hx509ctx, trust_anchors,528 ret = hx509_certs_merge(context->hx509ctx, trust_anchors, 529 529 kdc_identity->anchors); 530 530 if (ret) { … … 541 541 542 542 for (i = 0; i < pc->len; i++) { 543 ret = hx509_cert_init_data( kdc_identity->hx509ctx,543 ret = hx509_cert_init_data(context->hx509ctx, 544 544 pc->val[i].cert.data, 545 545 pc->val[i].cert.length, … … 547 547 if (ret) 548 548 continue; 549 hx509_certs_add( kdc_identity->hx509ctx, trust_anchors, cert);549 hx509_certs_add(context->hx509ctx, 
trust_anchors, cert); 550 550 hx509_cert_free(cert); 551 551 } 552 552 } 553 553 554 ret = hx509_verify_init_ctx( kdc_identity->hx509ctx, &cp->verify_ctx);554 ret = hx509_verify_init_ctx(context->hx509ctx, &cp->verify_ctx); 555 555 if (ret) { 556 556 hx509_certs_free(&trust_anchors); … … 619 619 unsigned int i, maxedi; 620 620 621 ret = hx509_certs_init( kdc_identity->hx509ctx,621 ret = hx509_certs_init(context->hx509ctx, 622 622 "MEMORY:client-anchors", 623 623 0, NULL, … … 646 646 continue; 647 647 648 ret = hx509_query_alloc( kdc_identity->hx509ctx, &q);648 ret = hx509_query_alloc(context->hx509ctx, &q); 649 649 if (ret) { 650 650 krb5_set_error_message(context, ret, … … 658 658 &size); 659 659 if (ret) { 660 hx509_query_free( kdc_identity->hx509ctx, q);660 hx509_query_free(context->hx509ctx, q); 661 661 continue; 662 662 } … … 664 664 free_IssuerAndSerialNumber(&iasn); 665 665 if (ret) { 666 hx509_query_free( kdc_identity->hx509ctx, q);666 hx509_query_free(context->hx509ctx, q); 667 667 continue; 668 668 } 669 669 670 ret = hx509_certs_find( kdc_identity->hx509ctx,670 ret = hx509_certs_find(context->hx509ctx, 671 671 kdc_identity->certs, 672 672 q, 673 673 &cert); 674 hx509_query_free( kdc_identity->hx509ctx, q);674 hx509_query_free(context->hx509ctx, q); 675 675 if (ret) 676 676 continue; 677 hx509_certs_add( kdc_identity->hx509ctx,677 hx509_certs_add(context->hx509ctx, 678 678 cp->client_anchors, cert); 679 679 hx509_cert_free(cert); … … 720 720 flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER; 721 721 722 ret = hx509_cms_verify_signed( kdc_identity->hx509ctx,722 ret = hx509_cms_verify_signed(context->hx509ctx, 723 723 cp->verify_ctx, 724 724 flags, … … 731 731 &signer_certs); 732 732 if (ret) { 733 char *s = hx509_get_error_string( kdc_identity->hx509ctx, ret);733 char *s = hx509_get_error_string(context->hx509ctx, ret); 734 734 krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d", 735 735 s, ret); … … 739 739 740 740 if (signer_certs) { 741 ret = 
hx509_get_one_cert( kdc_identity->hx509ctx, signer_certs,741 ret = hx509_get_one_cert(context->hx509ctx, signer_certs, 742 742 &cp->cert); 743 743 hx509_certs_free(&signer_certs); … … 844 844 cp->keyex = USE_RSA; 845 845 846 ret = hx509_peer_info_alloc( kdc_identity->hx509ctx,846 ret = hx509_peer_info_alloc(context->hx509ctx, 847 847 &cp->peer); 848 848 if (ret) { … … 852 852 853 853 if (ap.supportedCMSTypes) { 854 ret = hx509_peer_info_set_cms_algs( kdc_identity->hx509ctx,854 ret = hx509_peer_info_set_cms_algs(context->hx509ctx, 855 855 cp->peer, 856 856 ap.supportedCMSTypes->val, … … 862 862 } else { 863 863 /* assume old client */ 864 hx509_peer_info_add_cms_alg( kdc_identity->hx509ctx, cp->peer,864 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer, 865 865 hx509_crypto_des_rsdi_ede3_cbc()); 866 hx509_peer_info_add_cms_alg( kdc_identity->hx509ctx, cp->peer,866 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer, 867 867 hx509_signature_rsa_with_sha1()); 868 hx509_peer_info_add_cms_alg( kdc_identity->hx509ctx, cp->peer,868 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer, 869 869 hx509_signature_sha1()); 870 870 } … … 1017 1017 hx509_cert cert; 1018 1018 1019 ret = hx509_query_alloc( kdc_identity->hx509ctx, &q);1019 ret = hx509_query_alloc(context->hx509ctx, &q); 1020 1020 if (ret) 1021 1021 goto out; … … 1025 1025 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); 1026 1026 1027 ret = hx509_certs_find( kdc_identity->hx509ctx,1027 ret = hx509_certs_find(context->hx509ctx, 1028 1028 kdc_identity->certs, 1029 1029 q, 1030 1030 &cert); 1031 hx509_query_free( kdc_identity->hx509ctx, q);1031 hx509_query_free(context->hx509ctx, q); 1032 1032 if (ret) 1033 1033 goto out; 1034 1034 1035 ret = hx509_cms_create_signed_1( kdc_identity->hx509ctx,1035 ret = hx509_cms_create_signed_1(context->hx509ctx, 1036 1036 0, 1037 1037 sdAlg, … … 1061 1061 } 1062 1062 1063 ret = hx509_cms_envelope_1( kdc_identity->hx509ctx,1063 ret = 
hx509_cms_envelope_1(context->hx509ctx, 1064 1064 HX509_CMS_EV_NO_KU_CHECK, 1065 1065 cp->cert, … … 1173 1173 */ 1174 1174 1175 ret = hx509_query_alloc( kdc_identity->hx509ctx, &q);1175 ret = hx509_query_alloc(context->hx509ctx, &q); 1176 1176 if (ret) 1177 1177 goto out; … … 1181 1181 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); 1182 1182 1183 ret = hx509_certs_find( kdc_identity->hx509ctx,1183 ret = hx509_certs_find(context->hx509ctx, 1184 1184 kdc_identity->certs, 1185 1185 q, 1186 1186 &cert); 1187 hx509_query_free( kdc_identity->hx509ctx, q);1187 hx509_query_free(context->hx509ctx, q); 1188 1188 if (ret) 1189 1189 goto out; 1190 1190 1191 ret = hx509_cms_create_signed_1( kdc_identity->hx509ctx,1191 ret = hx509_cms_create_signed_1(context->hx509ctx, 1192 1192 0, 1193 1193 &asn1_oid_id_pkdhkeydata, … … 1380 1380 } 1381 1381 1382 ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret); 1382 #define use_btmm_with_enckey 0 1383 if (use_btmm_with_enckey && rep.element == choice_PA_PK_AS_REP_encKeyPack) { 1384 PA_PK_AS_REP_BTMM btmm; 1385 heim_any any; 1386 1387 any.data = rep.u.encKeyPack.data; 1388 any.length = rep.u.encKeyPack.length; 1389 1390 btmm.dhSignedData = NULL; 1391 btmm.encKeyPack = &any; 1392 1393 ASN1_MALLOC_ENCODE(PA_PK_AS_REP_BTMM, buf, len, &btmm, &size, ret); 1394 } else { 1395 ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret); 1396 } 1397 1383 1398 free_PA_PK_AS_REP(&rep); 1384 1399 if (ret) { … … 1510 1525 } 1511 1526 1512 ret = hx509_ocsp_verify( kdc_identity->hx509ctx,1527 ret = hx509_ocsp_verify(context->hx509ctx, 1513 1528 kdc_time, 1514 1529 kdc_cert, … … 1581 1596 &kn, &size); 1582 1597 if (ret) { 1598 const char *msg = krb5_get_error_message(context, ret); 1583 1599 kdc_log(context, config, 0, 1584 "Decoding kerberos name in certificate failed: %s", 1585 krb5_get_err_text(context, ret));1600 "Decoding kerberos name in certificate failed: %s", msg); 1601 krb5_free_error_message(context, msg); 1586 
1602 break; 1587 1603 } … … 1645 1661 goto out; 1646 1662 } 1663 if (size != list.val[0].length) { 1664 free_MS_UPN_SAN(&upn); 1665 kdc_log(context, config, 0, "Trailing data in "); 1666 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; 1667 goto out; 1668 } 1647 1669 1648 1670 kdc_log(context, config, 0, "found MS UPN SAN: %s", upn); … … 1698 1720 } 1699 1721 1700 ret = hx509_cert_get_base_subject( kdc_identity->hx509ctx,1722 ret = hx509_cert_get_base_subject(context->hx509ctx, 1701 1723 cp->cert, 1702 1724 &name); … … 1719 1741 1720 1742 for (i = 0; i < pc->len; i++) { 1721 ret = hx509_cert_init_data( kdc_identity->hx509ctx,1743 ret = hx509_cert_init_data(context->hx509ctx, 1722 1744 pc->val[i].cert.data, 1723 1745 pc->val[i].cert.length, … … 1738 1760 if (config->pkinit_princ_in_cert) { 1739 1761 ret = match_rfc_san(context, config, 1740 kdc_identity->hx509ctx,1762 context->hx509ctx, 1741 1763 cp->cert, 1742 1764 client->entry.principal); … … 1747 1769 } 1748 1770 ret = match_ms_upn_san(context, config, 1749 kdc_identity->hx509ctx,1771 context->hx509ctx, 1750 1772 cp->cert, 1751 1773 clientdb, … … 1922 1944 1923 1945 krb5_error_code 1924 _kdc_pk_initialize(krb5_context context,1925 krb5_kdc_configuration *config,1926 const char *user_id,1927 const char *anchors,1928 char **pool,1929 char **revoke_list)1946 krb5_kdc_pk_initialize(krb5_context context, 1947 krb5_kdc_configuration *config, 1948 const char *user_id, 1949 const char *anchors, 1950 char **pool, 1951 char **revoke_list) 1930 1952 { 1931 1953 const char *file; … … 1945 1967 ret = _krb5_pk_load_id(context, 1946 1968 &kdc_identity, 1947 0,1948 1969 user_id, 1949 1970 anchors, … … 1963 1984 hx509_cert cert; 1964 1985 1965 ret = hx509_query_alloc( kdc_identity->hx509ctx, &q);1986 ret = hx509_query_alloc(context->hx509ctx, &q); 1966 1987 if (ret) { 1967 1988 krb5_warnx(context, "PKINIT: out of memory"); … … 1973 1994 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name); 1974 1995 1975 ret = 
hx509_certs_find( kdc_identity->hx509ctx,1996 ret = hx509_certs_find(context->hx509ctx, 1976 1997 kdc_identity->certs, 1977 1998 q, 1978 1999 &cert); 1979 hx509_query_free( kdc_identity->hx509ctx, q);2000 hx509_query_free(context->hx509ctx, q); 1980 2001 if (ret == 0) { 1981 if (hx509_cert_check_eku( kdc_identity->hx509ctx, cert,2002 if (hx509_cert_check_eku(context->hx509ctx, cert, 1982 2003 &asn1_oid_id_pkkdcekuoid, 0)) { 1983 2004 hx509_name name;
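Review bot: In the Diffie-Hellman hunk (new lines 246-250), the left-padding block leaves no variable holding the full length of the padded secret: `size` is reduced to the pad count by `size -= dh_gen_keylen;`, and `dh_gen_keylen` still holds the unpadded length returned by `DH_compute_key()`. The code that consumes `dh_gen_key` is outside the visible hunk, so this is inferred. If it passes `dh_gen_keylen` as the length, the reply key would be derived from a truncated secret whenever the shared value has leading zero bytes, and key agreement with a client that uses the full-width value would fail intermittently. Adding `dh_gen_keylen += size;` after the `memset` would make the length match the padded buffer. The enclosing function begins and ends outside the hunk.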