summaryrefslogtreecommitdiffstats
path: root/crypto/heimdal/lib/krb5/pkinit.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/lib/krb5/pkinit.c')
-rw-r--r--crypto/heimdal/lib/krb5/pkinit.c2070
1 files changed, 0 insertions, 2070 deletions
diff --git a/crypto/heimdal/lib/krb5/pkinit.c b/crypto/heimdal/lib/krb5/pkinit.c
deleted file mode 100644
index a0b6a4e..0000000
--- a/crypto/heimdal/lib/krb5/pkinit.c
+++ /dev/null
@@ -1,2070 +0,0 @@
-/*
- * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb5_locl.h"
-
-RCSID("$Id: pkinit.c 22433 2008-01-13 14:11:46Z lha $");
-
-struct krb5_dh_moduli {
- char *name;
- unsigned long bits;
- heim_integer p;
- heim_integer g;
- heim_integer q;
-};
-
-#ifdef PKINIT
-
-#include <heim_asn1.h>
-#include <rfc2459_asn1.h>
-#include <cms_asn1.h>
-#include <pkcs8_asn1.h>
-#include <pkcs9_asn1.h>
-#include <pkcs12_asn1.h>
-#include <pkinit_asn1.h>
-#include <asn1_err.h>
-
-#include <der.h>
-
-#include <hx509.h>
-
-enum {
- COMPAT_WIN2K = 1,
- COMPAT_IETF = 2
-};
-
-struct krb5_pk_identity {
- hx509_context hx509ctx;
- hx509_verify_ctx verify_ctx;
- hx509_certs certs;
- hx509_certs anchors;
- hx509_certs certpool;
- hx509_revoke_ctx revokectx;
-};
-
-struct krb5_pk_cert {
- hx509_cert cert;
-};
-
-struct krb5_pk_init_ctx_data {
- struct krb5_pk_identity *id;
- DH *dh;
- krb5_data *clientDHNonce;
- struct krb5_dh_moduli **m;
- hx509_peer_info peer;
- int type;
- unsigned int require_binding:1;
- unsigned int require_eku:1;
- unsigned int require_krbtgt_otherName:1;
- unsigned int require_hostname_match:1;
- unsigned int trustedCertifiers:1;
-};
-
-static void
-_krb5_pk_copy_error(krb5_context context,
- hx509_context hx509ctx,
- int hxret,
- const char *fmt,
- ...)
- __attribute__ ((format (printf, 4, 5)));
-
-/*
- *
- */
-
-void KRB5_LIB_FUNCTION
-_krb5_pk_cert_free(struct krb5_pk_cert *cert)
-{
- if (cert->cert) {
- hx509_cert_free(cert->cert);
- }
- free(cert);
-}
-
-static krb5_error_code
-BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer)
-{
- integer->length = BN_num_bytes(bn);
- integer->data = malloc(integer->length);
- if (integer->data == NULL) {
- krb5_clear_error_string(context);
- return ENOMEM;
- }
- BN_bn2bin(bn, integer->data);
- integer->negative = BN_is_negative(bn);
- return 0;
-}
-
-static BIGNUM *
-integer_to_BN(krb5_context context, const char *field, const heim_integer *f)
-{
- BIGNUM *bn;
-
- bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
- if (bn == NULL) {
- krb5_set_error_string(context, "PKINIT: parsing BN failed %s", field);
- return NULL;
- }
- BN_set_negative(bn, f->negative);
- return bn;
-}
-
-
-static krb5_error_code
-_krb5_pk_create_sign(krb5_context context,
- const heim_oid *eContentType,
- krb5_data *eContent,
- struct krb5_pk_identity *id,
- hx509_peer_info peer,
- krb5_data *sd_data)
-{
- hx509_cert cert;
- hx509_query *q;
- int ret;
-
- ret = hx509_query_alloc(id->hx509ctx, &q);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Allocate query to find signing certificate");
- return ret;
- }
-
- hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
- hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
-
- ret = hx509_certs_find(id->hx509ctx, id->certs, q, &cert);
- hx509_query_free(id->hx509ctx, q);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Find certificate to signed CMS data");
- return ret;
- }
-
- ret = hx509_cms_create_signed_1(id->hx509ctx,
- 0,
- eContentType,
- eContent->data,
- eContent->length,
- NULL,
- cert,
- peer,
- NULL,
- id->certs,
- sd_data);
- if (ret)
- _krb5_pk_copy_error(context, id->hx509ctx, ret, "create CMS signedData");
- hx509_cert_free(cert);
-
- return ret;
-}
-
-static int
-cert2epi(hx509_context context, void *ctx, hx509_cert c)
-{
- ExternalPrincipalIdentifiers *ids = ctx;
- ExternalPrincipalIdentifier id;
- hx509_name subject = NULL;
- void *p;
- int ret;
-
- memset(&id, 0, sizeof(id));
-
- ret = hx509_cert_get_subject(c, &subject);
- if (ret)
- return ret;
-
- if (hx509_name_is_null_p(subject) != 0) {
-
- id.subjectName = calloc(1, sizeof(*id.subjectName));
- if (id.subjectName == NULL) {
- hx509_name_free(&subject);
- free_ExternalPrincipalIdentifier(&id);
- return ENOMEM;
- }
-
- ret = hx509_name_binary(subject, id.subjectName);
- if (ret) {
- hx509_name_free(&subject);
- free_ExternalPrincipalIdentifier(&id);
- return ret;
- }
- }
- hx509_name_free(&subject);
-
-
- id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber));
- if (id.issuerAndSerialNumber == NULL) {
- free_ExternalPrincipalIdentifier(&id);
- return ENOMEM;
- }
-
- {
- IssuerAndSerialNumber iasn;
- hx509_name issuer;
- size_t size;
-
- memset(&iasn, 0, sizeof(iasn));
-
- ret = hx509_cert_get_issuer(c, &issuer);
- if (ret) {
- free_ExternalPrincipalIdentifier(&id);
- return ret;
- }
-
- ret = hx509_name_to_Name(issuer, &iasn.issuer);
- hx509_name_free(&issuer);
- if (ret) {
- free_ExternalPrincipalIdentifier(&id);
- return ret;
- }
-
- ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
- if (ret) {
- free_IssuerAndSerialNumber(&iasn);
- free_ExternalPrincipalIdentifier(&id);
- return ret;
- }
-
- ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
- id.issuerAndSerialNumber->data,
- id.issuerAndSerialNumber->length,
- &iasn, &size, ret);
- free_IssuerAndSerialNumber(&iasn);
- if (ret)
- return ret;
- if (id.issuerAndSerialNumber->length != size)
- abort();
- }
-
- id.subjectKeyIdentifier = NULL;
-
- p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
- if (p == NULL) {
- free_ExternalPrincipalIdentifier(&id);
- return ENOMEM;
- }
-
- ids->val = p;
- ids->val[ids->len] = id;
- ids->len++;
-
- return 0;
-}
-
-static krb5_error_code
-build_edi(krb5_context context,
- hx509_context hx509ctx,
- hx509_certs certs,
- ExternalPrincipalIdentifiers *ids)
-{
- return hx509_certs_iter(hx509ctx, certs, cert2epi, ids);
-}
-
-static krb5_error_code
-build_auth_pack(krb5_context context,
- unsigned nonce,
- krb5_pk_init_ctx ctx,
- DH *dh,
- const KDC_REQ_BODY *body,
- AuthPack *a)
-{
- size_t buf_size, len;
- krb5_error_code ret;
- void *buf;
- krb5_timestamp sec;
- int32_t usec;
- Checksum checksum;
-
- krb5_clear_error_string(context);
-
- memset(&checksum, 0, sizeof(checksum));
-
- krb5_us_timeofday(context, &sec, &usec);
- a->pkAuthenticator.ctime = sec;
- a->pkAuthenticator.nonce = nonce;
-
- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
- if (ret)
- return ret;
- if (buf_size != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
-
- ret = krb5_create_checksum(context,
- NULL,
- 0,
- CKSUMTYPE_SHA1,
- buf,
- len,
- &checksum);
- free(buf);
- if (ret)
- return ret;
-
- ALLOC(a->pkAuthenticator.paChecksum, 1);
- if (a->pkAuthenticator.paChecksum == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- ret = krb5_data_copy(a->pkAuthenticator.paChecksum,
- checksum.checksum.data, checksum.checksum.length);
- free_Checksum(&checksum);
- if (ret)
- return ret;
-
- if (dh) {
- DomainParameters dp;
- heim_integer dh_pub_key;
- krb5_data dhbuf;
- size_t size;
-
- if (1 /* support_cached_dh */) {
- ALLOC(a->clientDHNonce, 1);
- if (a->clientDHNonce == NULL) {
- krb5_clear_error_string(context);
- return ENOMEM;
- }
- ret = krb5_data_alloc(a->clientDHNonce, 40);
- if (a->clientDHNonce == NULL) {
- krb5_clear_error_string(context);
- return ENOMEM;
- }
- memset(a->clientDHNonce->data, 0, a->clientDHNonce->length);
- ret = krb5_copy_data(context, a->clientDHNonce,
- &ctx->clientDHNonce);
- if (ret)
- return ret;
- }
-
- ALLOC(a->clientPublicValue, 1);
- if (a->clientPublicValue == NULL)
- return ENOMEM;
- ret = der_copy_oid(oid_id_dhpublicnumber(),
- &a->clientPublicValue->algorithm.algorithm);
- if (ret)
- return ret;
-
- memset(&dp, 0, sizeof(dp));
-
- ret = BN_to_integer(context, dh->p, &dp.p);
- if (ret) {
- free_DomainParameters(&dp);
- return ret;
- }
- ret = BN_to_integer(context, dh->g, &dp.g);
- if (ret) {
- free_DomainParameters(&dp);
- return ret;
- }
- ret = BN_to_integer(context, dh->q, &dp.q);
- if (ret) {
- free_DomainParameters(&dp);
- return ret;
- }
- dp.j = NULL;
- dp.validationParms = NULL;
-
- a->clientPublicValue->algorithm.parameters =
- malloc(sizeof(*a->clientPublicValue->algorithm.parameters));
- if (a->clientPublicValue->algorithm.parameters == NULL) {
- free_DomainParameters(&dp);
- return ret;
- }
-
- ASN1_MALLOC_ENCODE(DomainParameters,
- a->clientPublicValue->algorithm.parameters->data,
- a->clientPublicValue->algorithm.parameters->length,
- &dp, &size, ret);
- free_DomainParameters(&dp);
- if (ret)
- return ret;
- if (size != a->clientPublicValue->algorithm.parameters->length)
- krb5_abortx(context, "Internal ASN1 encoder error");
-
- ret = BN_to_integer(context, dh->pub_key, &dh_pub_key);
- if (ret)
- return ret;
-
- ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length,
- &dh_pub_key, &size, ret);
- der_free_heim_integer(&dh_pub_key);
- if (ret)
- return ret;
- if (size != dhbuf.length)
- krb5_abortx(context, "asn1 internal error");
-
- a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8;
- a->clientPublicValue->subjectPublicKey.data = dhbuf.data;
- }
-
- {
- a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes));
- if (a->supportedCMSTypes == NULL)
- return ENOMEM;
-
- ret = hx509_crypto_available(ctx->id->hx509ctx, HX509_SELECT_ALL, NULL,
- &a->supportedCMSTypes->val,
- &a->supportedCMSTypes->len);
- if (ret)
- return ret;
- }
-
- return ret;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_pk_mk_ContentInfo(krb5_context context,
- const krb5_data *buf,
- const heim_oid *oid,
- struct ContentInfo *content_info)
-{
- krb5_error_code ret;
-
- ret = der_copy_oid(oid, &content_info->contentType);
- if (ret)
- return ret;
- ALLOC(content_info->content, 1);
- if (content_info->content == NULL)
- return ENOMEM;
- content_info->content->data = malloc(buf->length);
- if (content_info->content->data == NULL)
- return ENOMEM;
- memcpy(content_info->content->data, buf->data, buf->length);
- content_info->content->length = buf->length;
- return 0;
-}
-
-static krb5_error_code
-pk_mk_padata(krb5_context context,
- krb5_pk_init_ctx ctx,
- const KDC_REQ_BODY *req_body,
- unsigned nonce,
- METHOD_DATA *md)
-{
- struct ContentInfo content_info;
- krb5_error_code ret;
- const heim_oid *oid;
- size_t size;
- krb5_data buf, sd_buf;
- int pa_type;
-
- krb5_data_zero(&buf);
- krb5_data_zero(&sd_buf);
- memset(&content_info, 0, sizeof(content_info));
-
- if (ctx->type == COMPAT_WIN2K) {
- AuthPack_Win2k ap;
- krb5_timestamp sec;
- int32_t usec;
-
- memset(&ap, 0, sizeof(ap));
-
- /* fill in PKAuthenticator */
- ret = copy_PrincipalName(req_body->sname, &ap.pkAuthenticator.kdcName);
- if (ret) {
- free_AuthPack_Win2k(&ap);
- krb5_clear_error_string(context);
- goto out;
- }
- ret = copy_Realm(&req_body->realm, &ap.pkAuthenticator.kdcRealm);
- if (ret) {
- free_AuthPack_Win2k(&ap);
- krb5_clear_error_string(context);
- goto out;
- }
-
- krb5_us_timeofday(context, &sec, &usec);
- ap.pkAuthenticator.ctime = sec;
- ap.pkAuthenticator.cusec = usec;
- ap.pkAuthenticator.nonce = nonce;
-
- ASN1_MALLOC_ENCODE(AuthPack_Win2k, buf.data, buf.length,
- &ap, &size, ret);
- free_AuthPack_Win2k(&ap);
- if (ret) {
- krb5_set_error_string(context, "AuthPack_Win2k: %d", ret);
- goto out;
- }
- if (buf.length != size)
- krb5_abortx(context, "internal ASN1 encoder error");
-
- oid = oid_id_pkcs7_data();
- } else if (ctx->type == COMPAT_IETF) {
- AuthPack ap;
-
- memset(&ap, 0, sizeof(ap));
-
- ret = build_auth_pack(context, nonce, ctx, ctx->dh, req_body, &ap);
- if (ret) {
- free_AuthPack(&ap);
- goto out;
- }
-
- ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret);
- free_AuthPack(&ap);
- if (ret) {
- krb5_set_error_string(context, "AuthPack: %d", ret);
- goto out;
- }
- if (buf.length != size)
- krb5_abortx(context, "internal ASN1 encoder error");
-
- oid = oid_id_pkauthdata();
- } else
- krb5_abortx(context, "internal pkinit error");
-
- ret = _krb5_pk_create_sign(context,
- oid,
- &buf,
- ctx->id,
- ctx->peer,
- &sd_buf);
- krb5_data_free(&buf);
- if (ret)
- goto out;
-
- ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(), &sd_buf, &buf);
- krb5_data_free(&sd_buf);
- if (ret) {
- krb5_set_error_string(context,
- "ContentInfo wrapping of signedData failed");
- goto out;
- }
-
- if (ctx->type == COMPAT_WIN2K) {
- PA_PK_AS_REQ_Win2k winreq;
-
- pa_type = KRB5_PADATA_PK_AS_REQ_WIN;
-
- memset(&winreq, 0, sizeof(winreq));
-
- winreq.signed_auth_pack = buf;
-
- ASN1_MALLOC_ENCODE(PA_PK_AS_REQ_Win2k, buf.data, buf.length,
- &winreq, &size, ret);
- free_PA_PK_AS_REQ_Win2k(&winreq);
-
- } else if (ctx->type == COMPAT_IETF) {
- PA_PK_AS_REQ req;
-
- pa_type = KRB5_PADATA_PK_AS_REQ;
-
- memset(&req, 0, sizeof(req));
- req.signedAuthPack = buf;
-
- if (ctx->trustedCertifiers) {
-
- req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
- if (req.trustedCertifiers == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- free_PA_PK_AS_REQ(&req);
- goto out;
- }
- ret = build_edi(context, ctx->id->hx509ctx,
- ctx->id->anchors, req.trustedCertifiers);
- if (ret) {
- krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
- free_PA_PK_AS_REQ(&req);
- goto out;
- }
- }
- req.kdcPkId = NULL;
-
- ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length,
- &req, &size, ret);
-
- free_PA_PK_AS_REQ(&req);
-
- } else
- krb5_abortx(context, "internal pkinit error");
- if (ret) {
- krb5_set_error_string(context, "PA-PK-AS-REQ %d", ret);
- goto out;
- }
- if (buf.length != size)
- krb5_abortx(context, "Internal ASN1 encoder error");
-
- ret = krb5_padata_add(context, md, pa_type, buf.data, buf.length);
- if (ret)
- free(buf.data);
-
- if (ret == 0 && ctx->type == COMPAT_WIN2K)
- krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
-
-out:
- free_ContentInfo(&content_info);
-
- return ret;
-}
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_pk_mk_padata(krb5_context context,
- void *c,
- const KDC_REQ_BODY *req_body,
- unsigned nonce,
- METHOD_DATA *md)
-{
- krb5_pk_init_ctx ctx = c;
- int win2k_compat;
-
- win2k_compat = krb5_config_get_bool_default(context, NULL,
- FALSE,
- "realms",
- req_body->realm,
- "pkinit_win2k",
- NULL);
-
- if (win2k_compat) {
- ctx->require_binding =
- krb5_config_get_bool_default(context, NULL,
- FALSE,
- "realms",
- req_body->realm,
- "pkinit_win2k_require_binding",
- NULL);
- ctx->type = COMPAT_WIN2K;
- } else
- ctx->type = COMPAT_IETF;
-
- ctx->require_eku =
- krb5_config_get_bool_default(context, NULL,
- TRUE,
- "realms",
- req_body->realm,
- "pkinit_require_eku",
- NULL);
- ctx->require_krbtgt_otherName =
- krb5_config_get_bool_default(context, NULL,
- TRUE,
- "realms",
- req_body->realm,
- "pkinit_require_krbtgt_otherName",
- NULL);
-
- ctx->require_hostname_match =
- krb5_config_get_bool_default(context, NULL,
- FALSE,
- "realms",
- req_body->realm,
- "pkinit_require_hostname_match",
- NULL);
-
- ctx->trustedCertifiers =
- krb5_config_get_bool_default(context, NULL,
- TRUE,
- "realms",
- req_body->realm,
- "pkinit_trustedCertifiers",
- NULL);
-
- return pk_mk_padata(context, ctx, req_body, nonce, md);
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_pk_verify_sign(krb5_context context,
- const void *data,
- size_t length,
- struct krb5_pk_identity *id,
- heim_oid *contentType,
- krb5_data *content,
- struct krb5_pk_cert **signer)
-{
- hx509_certs signer_certs;
- int ret;
-
- *signer = NULL;
-
- ret = hx509_cms_verify_signed(id->hx509ctx,
- id->verify_ctx,
- data,
- length,
- NULL,
- id->certpool,
- contentType,
- content,
- &signer_certs);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "CMS verify signed failed");
- return ret;
- }
-
- *signer = calloc(1, sizeof(**signer));
- if (*signer == NULL) {
- krb5_clear_error_string(context);
- ret = ENOMEM;
- goto out;
- }
-
- ret = hx509_get_one_cert(id->hx509ctx, signer_certs, &(*signer)->cert);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to get on of the signer certs");
- goto out;
- }
-
-out:
- hx509_certs_free(&signer_certs);
- if (ret) {
- if (*signer) {
- hx509_cert_free((*signer)->cert);
- free(*signer);
- *signer = NULL;
- }
- }
-
- return ret;
-}
-
-static krb5_error_code
-get_reply_key_win(krb5_context context,
- const krb5_data *content,
- unsigned nonce,
- krb5_keyblock **key)
-{
- ReplyKeyPack_Win2k key_pack;
- krb5_error_code ret;
- size_t size;
-
- ret = decode_ReplyKeyPack_Win2k(content->data,
- content->length,
- &key_pack,
- &size);
- if (ret) {
- krb5_set_error_string(context, "PKINIT decoding reply key failed");
- free_ReplyKeyPack_Win2k(&key_pack);
- return ret;
- }
-
- if (key_pack.nonce != nonce) {
- krb5_set_error_string(context, "PKINIT enckey nonce is wrong");
- free_ReplyKeyPack_Win2k(&key_pack);
- return KRB5KRB_AP_ERR_MODIFIED;
- }
-
- *key = malloc (sizeof (**key));
- if (*key == NULL) {
- krb5_set_error_string(context, "PKINIT failed allocating reply key");
- free_ReplyKeyPack_Win2k(&key_pack);
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- ret = copy_EncryptionKey(&key_pack.replyKey, *key);
- free_ReplyKeyPack_Win2k(&key_pack);
- if (ret) {
- krb5_set_error_string(context, "PKINIT failed copying reply key");
- free(*key);
- *key = NULL;
- }
-
- return ret;
-}
-
-static krb5_error_code
-get_reply_key(krb5_context context,
- const krb5_data *content,
- const krb5_data *req_buffer,
- krb5_keyblock **key)
-{
- ReplyKeyPack key_pack;
- krb5_error_code ret;
- size_t size;
-
- ret = decode_ReplyKeyPack(content->data,
- content->length,
- &key_pack,
- &size);
- if (ret) {
- krb5_set_error_string(context, "PKINIT decoding reply key failed");
- free_ReplyKeyPack(&key_pack);
- return ret;
- }
-
- {
- krb5_crypto crypto;
-
- /*
- * XXX Verify kp.replyKey is a allowed enctype in the
- * configuration file
- */
-
- ret = krb5_crypto_init(context, &key_pack.replyKey, 0, &crypto);
- if (ret) {
- free_ReplyKeyPack(&key_pack);
- return ret;
- }
-
- ret = krb5_verify_checksum(context, crypto, 6,
- req_buffer->data, req_buffer->length,
- &key_pack.asChecksum);
- krb5_crypto_destroy(context, crypto);
- if (ret) {
- free_ReplyKeyPack(&key_pack);
- return ret;
- }
- }
-
- *key = malloc (sizeof (**key));
- if (*key == NULL) {
- krb5_set_error_string(context, "PKINIT failed allocating reply key");
- free_ReplyKeyPack(&key_pack);
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- ret = copy_EncryptionKey(&key_pack.replyKey, *key);
- free_ReplyKeyPack(&key_pack);
- if (ret) {
- krb5_set_error_string(context, "PKINIT failed copying reply key");
- free(*key);
- *key = NULL;
- }
-
- return ret;
-}
-
-
-static krb5_error_code
-pk_verify_host(krb5_context context,
- const char *realm,
- const krb5_krbhst_info *hi,
- struct krb5_pk_init_ctx_data *ctx,
- struct krb5_pk_cert *host)
-{
- krb5_error_code ret = 0;
-
- if (ctx->require_eku) {
- ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
- oid_id_pkkdcekuoid(), 0);
- if (ret) {
- krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate");
- return ret;
- }
- }
- if (ctx->require_krbtgt_otherName) {
- hx509_octet_string_list list;
- int i;
-
- ret = hx509_cert_find_subjectAltName_otherName(ctx->id->hx509ctx,
- host->cert,
- oid_id_pkinit_san(),
- &list);
- if (ret) {
- krb5_set_error_string(context, "Failed to find the PK-INIT "
- "subjectAltName in the KDC certificate");
-
- return ret;
- }
-
- for (i = 0; i < list.len; i++) {
- KRB5PrincipalName r;
-
- ret = decode_KRB5PrincipalName(list.val[i].data,
- list.val[i].length,
- &r,
- NULL);
- if (ret) {
- krb5_set_error_string(context, "Failed to decode the PK-INIT "
- "subjectAltName in the KDC certificate");
-
- break;
- }
-
- if (r.principalName.name_string.len != 2 ||
- strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 ||
- strcmp(r.principalName.name_string.val[1], realm) != 0 ||
- strcmp(r.realm, realm) != 0)
- {
- krb5_set_error_string(context, "KDC have wrong realm name in "
- "the certificate");
- ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
- }
-
- free_KRB5PrincipalName(&r);
- if (ret)
- break;
- }
- hx509_free_octet_string_list(&list);
- }
- if (ret)
- return ret;
-
- if (hi) {
- ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
- ctx->require_hostname_match,
- HX509_HN_HOSTNAME,
- hi->hostname,
- hi->ai->ai_addr, hi->ai->ai_addrlen);
-
- if (ret)
- krb5_set_error_string(context, "Address mismatch in "
- "the KDC certificate");
- }
- return ret;
-}
-
-static krb5_error_code
-pk_rd_pa_reply_enckey(krb5_context context,
- int type,
- const heim_octet_string *indata,
- const heim_oid *dataType,
- const char *realm,
- krb5_pk_init_ctx ctx,
- krb5_enctype etype,
- const krb5_krbhst_info *hi,
- unsigned nonce,
- const krb5_data *req_buffer,
- PA_DATA *pa,
- krb5_keyblock **key)
-{
- krb5_error_code ret;
- struct krb5_pk_cert *host = NULL;
- krb5_data content;
- heim_oid contentType = { 0, NULL };
-
- if (der_heim_oid_cmp(oid_id_pkcs7_envelopedData(), dataType)) {
- krb5_set_error_string(context, "PKINIT: Invalid content type");
- return EINVAL;
- }
-
- ret = hx509_cms_unenvelope(ctx->id->hx509ctx,
- ctx->id->certs,
- HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT,
- indata->data,
- indata->length,
- NULL,
- &contentType,
- &content);
- if (ret) {
- _krb5_pk_copy_error(context, ctx->id->hx509ctx, ret,
- "Failed to unenvelope CMS data in PK-INIT reply");
- return ret;
- }
- der_free_oid(&contentType);
-
-#if 0 /* windows LH with interesting CMS packets, leaks memory */
- {
- size_t ph = 1 + der_length_len (length);
- unsigned char *ptr = malloc(length + ph);
- size_t l;
-
- memcpy(ptr + ph, p, length);
-
- ret = der_put_length_and_tag (ptr + ph - 1, ph, length,
- ASN1_C_UNIV, CONS, UT_Sequence, &l);
- if (ret)
- return ret;
- ptr += ph - l;
- length += l;
- p = ptr;
- }
-#endif
-
- /* win2k uses ContentInfo */
- if (type == COMPAT_WIN2K) {
- heim_oid type;
- heim_octet_string out;
-
- ret = hx509_cms_unwrap_ContentInfo(&content, &type, &out, NULL);
- if (der_heim_oid_cmp(&type, oid_id_pkcs7_signedData())) {
- ret = EINVAL; /* XXX */
- krb5_set_error_string(context, "PKINIT: Invalid content type");
- der_free_oid(&type);
- der_free_octet_string(&out);
- goto out;
- }
- der_free_oid(&type);
- krb5_data_free(&content);
- ret = krb5_data_copy(&content, out.data, out.length);
- der_free_octet_string(&out);
- if (ret) {
- krb5_set_error_string(context, "PKINIT: out of memory");
- goto out;
- }
- }
-
- ret = _krb5_pk_verify_sign(context,
- content.data,
- content.length,
- ctx->id,
- &contentType,
- &content,
- &host);
- if (ret)
- goto out;
-
- /* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, realm, hi, ctx, host);
- if (ret) {
- goto out;
- }
-
-#if 0
- if (type == COMPAT_WIN2K) {
- if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) != 0) {
- krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
- ret = KRB5KRB_AP_ERR_MSG_TYPE;
- goto out;
- }
- } else {
- if (der_heim_oid_cmp(&contentType, oid_id_pkrkeydata()) != 0) {
- krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
- ret = KRB5KRB_AP_ERR_MSG_TYPE;
- goto out;
- }
- }
-#endif
-
- switch(type) {
- case COMPAT_WIN2K:
- ret = get_reply_key(context, &content, req_buffer, key);
- if (ret != 0 && ctx->require_binding == 0)
- ret = get_reply_key_win(context, &content, nonce, key);
- break;
- case COMPAT_IETF:
- ret = get_reply_key(context, &content, req_buffer, key);
- break;
- }
- if (ret)
- goto out;
-
- /* XXX compare given etype with key->etype */
-
- out:
- if (host)
- _krb5_pk_cert_free(host);
- der_free_oid(&contentType);
- krb5_data_free(&content);
-
- return ret;
-}
-
-static krb5_error_code
-pk_rd_pa_reply_dh(krb5_context context,
- const heim_octet_string *indata,
- const heim_oid *dataType,
- const char *realm,
- krb5_pk_init_ctx ctx,
- krb5_enctype etype,
- const krb5_krbhst_info *hi,
- const DHNonce *c_n,
- const DHNonce *k_n,
- unsigned nonce,
- PA_DATA *pa,
- krb5_keyblock **key)
-{
- unsigned char *p, *dh_gen_key = NULL;
- struct krb5_pk_cert *host = NULL;
- BIGNUM *kdc_dh_pubkey = NULL;
- KDCDHKeyInfo kdc_dh_info;
- heim_oid contentType = { 0, NULL };
- krb5_data content;
- krb5_error_code ret;
- int dh_gen_keylen;
- size_t size;
-
- krb5_data_zero(&content);
- memset(&kdc_dh_info, 0, sizeof(kdc_dh_info));
-
- if (der_heim_oid_cmp(oid_id_pkcs7_signedData(), dataType)) {
- krb5_set_error_string(context, "PKINIT: Invalid content type");
- return EINVAL;
- }
-
- ret = _krb5_pk_verify_sign(context,
- indata->data,
- indata->length,
- ctx->id,
- &contentType,
- &content,
- &host);
- if (ret)
- goto out;
-
- /* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, realm, hi, ctx, host);
- if (ret)
- goto out;
-
- if (der_heim_oid_cmp(&contentType, oid_id_pkdhkeydata())) {
- krb5_set_error_string(context, "pkinit - dh reply contains wrong oid");
- ret = KRB5KRB_AP_ERR_MSG_TYPE;
- goto out;
- }
-
- ret = decode_KDCDHKeyInfo(content.data,
- content.length,
- &kdc_dh_info,
- &size);
-
- if (ret) {
- krb5_set_error_string(context, "pkinit - "
- "failed to decode KDC DH Key Info");
- goto out;
- }
-
- if (kdc_dh_info.nonce != nonce) {
- krb5_set_error_string(context, "PKINIT: DH nonce is wrong");
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto out;
- }
-
- if (kdc_dh_info.dhKeyExpiration) {
- if (k_n == NULL) {
- krb5_set_error_string(context, "pkinit; got key expiration "
- "without server nonce");
- ret = KRB5KRB_ERR_GENERIC;
- goto out;
- }
- if (c_n == NULL) {
- krb5_set_error_string(context, "pkinit; got DH reuse but no "
- "client nonce");
- ret = KRB5KRB_ERR_GENERIC;
- goto out;
- }
- } else {
- if (k_n) {
- krb5_set_error_string(context, "pkinit: got server nonce "
- "without key expiration");
- ret = KRB5KRB_ERR_GENERIC;
- goto out;
- }
- c_n = NULL;
- }
-
-
- p = kdc_dh_info.subjectPublicKey.data;
- size = (kdc_dh_info.subjectPublicKey.length + 7) / 8;
-
- {
- DHPublicKey k;
- ret = decode_DHPublicKey(p, size, &k, NULL);
- if (ret) {
- krb5_set_error_string(context, "pkinit: can't decode "
- "without key expiration");
- goto out;
- }
-
- kdc_dh_pubkey = integer_to_BN(context, "DHPublicKey", &k);
- free_DHPublicKey(&k);
- if (kdc_dh_pubkey == NULL) {
- ret = KRB5KRB_ERR_GENERIC;
- goto out;
- }
- }
-
- dh_gen_keylen = DH_size(ctx->dh);
- size = BN_num_bytes(ctx->dh->p);
- if (size < dh_gen_keylen)
- size = dh_gen_keylen;
-
- dh_gen_key = malloc(size);
- if (dh_gen_key == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- ret = ENOMEM;
- goto out;
- }
- memset(dh_gen_key, 0, size - dh_gen_keylen);
-
- dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
- kdc_dh_pubkey, ctx->dh);
- if (dh_gen_keylen == -1) {
- krb5_set_error_string(context,
- "PKINIT: Can't compute Diffie-Hellman key");
- ret = KRB5KRB_ERR_GENERIC;
- goto out;
- }
-
- *key = malloc (sizeof (**key));
- if (*key == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- ret = ENOMEM;
- goto out;
- }
-
- ret = _krb5_pk_octetstring2key(context,
- etype,
- dh_gen_key, dh_gen_keylen,
- c_n, k_n,
- *key);
- if (ret) {
- krb5_set_error_string(context,
- "PKINIT: can't create key from DH key");
- free(*key);
- *key = NULL;
- goto out;
- }
-
- out:
- if (kdc_dh_pubkey)
- BN_free(kdc_dh_pubkey);
- if (dh_gen_key) {
- memset(dh_gen_key, 0, DH_size(ctx->dh));
- free(dh_gen_key);
- }
- if (host)
- _krb5_pk_cert_free(host);
- if (content.data)
- krb5_data_free(&content);
- der_free_oid(&contentType);
- free_KDCDHKeyInfo(&kdc_dh_info);
-
- return ret;
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_pk_rd_pa_reply(krb5_context context,
- const char *realm,
- void *c,
- krb5_enctype etype,
- const krb5_krbhst_info *hi,
- unsigned nonce,
- const krb5_data *req_buffer,
- PA_DATA *pa,
- krb5_keyblock **key)
-{
- krb5_pk_init_ctx ctx = c;
- krb5_error_code ret;
- size_t size;
-
- /* Check for IETF PK-INIT first */
- if (ctx->type == COMPAT_IETF) {
- PA_PK_AS_REP rep;
- heim_octet_string os, data;
- heim_oid oid;
-
- if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
- krb5_set_error_string(context, "PKINIT: wrong padata recv");
- return EINVAL;
- }
-
- ret = decode_PA_PK_AS_REP(pa->padata_value.data,
- pa->padata_value.length,
- &rep,
- &size);
- if (ret) {
- krb5_set_error_string(context, "Failed to decode pkinit AS rep");
- return ret;
- }
-
- switch (rep.element) {
- case choice_PA_PK_AS_REP_dhInfo:
- os = rep.u.dhInfo.dhSignedData;
- break;
- case choice_PA_PK_AS_REP_encKeyPack:
- os = rep.u.encKeyPack;
- break;
- default:
- free_PA_PK_AS_REP(&rep);
- krb5_set_error_string(context, "PKINIT: -27 reply "
- "invalid content type");
- return EINVAL;
- }
-
- ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL);
- if (ret) {
- free_PA_PK_AS_REP(&rep);
- krb5_set_error_string(context, "PKINIT: failed to unwrap CI");
- return ret;
- }
-
- switch (rep.element) {
- case choice_PA_PK_AS_REP_dhInfo:
- ret = pk_rd_pa_reply_dh(context, &data, &oid, realm, ctx, etype, hi,
- ctx->clientDHNonce,
- rep.u.dhInfo.serverDHNonce,
- nonce, pa, key);
- break;
- case choice_PA_PK_AS_REP_encKeyPack:
- ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &data, &oid, realm,
- ctx, etype, hi, nonce, req_buffer, pa, key);
- break;
- default:
- krb5_abortx(context, "pk-init as-rep case not possible to happen");
- }
- der_free_octet_string(&data);
- der_free_oid(&oid);
- free_PA_PK_AS_REP(&rep);
-
- } else if (ctx->type == COMPAT_WIN2K) {
- PA_PK_AS_REP_Win2k w2krep;
-
- /* Check for Windows encoding of the AS-REP pa data */
-
-#if 0 /* should this be ? */
- if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
- krb5_set_error_string(context, "PKINIT: wrong padata recv");
- return EINVAL;
- }
-#endif
-
- memset(&w2krep, 0, sizeof(w2krep));
-
- ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data,
- pa->padata_value.length,
- &w2krep,
- &size);
- if (ret) {
- krb5_set_error_string(context, "PKINIT: Failed decoding windows "
- "pkinit reply %d", ret);
- return ret;
- }
-
- krb5_clear_error_string(context);
-
- switch (w2krep.element) {
- case choice_PA_PK_AS_REP_Win2k_encKeyPack: {
- heim_octet_string data;
- heim_oid oid;
-
- ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack,
- &oid, &data, NULL);
- free_PA_PK_AS_REP_Win2k(&w2krep);
- if (ret) {
- krb5_set_error_string(context, "PKINIT: failed to unwrap CI");
- return ret;
- }
-
- ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &data, &oid, realm,
- ctx, etype, hi, nonce, req_buffer, pa, key);
- der_free_octet_string(&data);
- der_free_oid(&oid);
-
- break;
- }
- default:
- free_PA_PK_AS_REP_Win2k(&w2krep);
- krb5_set_error_string(context, "PKINIT: win2k reply invalid "
- "content type");
- ret = EINVAL;
- break;
- }
-
- } else {
- krb5_set_error_string(context, "PKINIT: unknown reply type");
- ret = EINVAL;
- }
-
- return ret;
-}
-
-struct prompter {
- krb5_context context;
- krb5_prompter_fct prompter;
- void *prompter_data;
-};
-
-static int
-hx_pass_prompter(void *data, const hx509_prompt *prompter)
-{
- krb5_error_code ret;
- krb5_prompt prompt;
- krb5_data password_data;
- struct prompter *p = data;
-
- password_data.data = prompter->reply.data;
- password_data.length = prompter->reply.length;
-
- prompt.prompt = prompter->prompt;
- prompt.hidden = hx509_prompt_hidden(prompter->type);
- prompt.reply = &password_data;
-
- switch (prompter->type) {
- case HX509_PROMPT_TYPE_INFO:
- prompt.type = KRB5_PROMPT_TYPE_INFO;
- break;
- case HX509_PROMPT_TYPE_PASSWORD:
- case HX509_PROMPT_TYPE_QUESTION:
- default:
- prompt.type = KRB5_PROMPT_TYPE_PASSWORD;
- break;
- }
-
- ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
- if (ret) {
- memset (prompter->reply.data, 0, prompter->reply.length);
- return 1;
- }
- return 0;
-}
-
-
-void KRB5_LIB_FUNCTION
-_krb5_pk_allow_proxy_certificate(struct krb5_pk_identity *id,
- int boolean)
-{
- hx509_verify_set_proxy_certificate(id->verify_ctx, boolean);
-}
-
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_pk_load_id(krb5_context context,
- struct krb5_pk_identity **ret_id,
- const char *user_id,
- const char *anchor_id,
- char * const *chain_list,
- char * const *revoke_list,
- krb5_prompter_fct prompter,
- void *prompter_data,
- char *password)
-{
- struct krb5_pk_identity *id = NULL;
- hx509_lock lock = NULL;
- struct prompter p;
- int ret;
-
- *ret_id = NULL;
-
- if (anchor_id == NULL) {
- krb5_set_error_string(context, "PKINIT: No anchor given");
- return HEIM_PKINIT_NO_VALID_CA;
- }
-
- if (user_id == NULL) {
- krb5_set_error_string(context,
- "PKINIT: No user certificate given");
- return HEIM_PKINIT_NO_PRIVATE_KEY;
- }
-
- /* load cert */
-
- id = calloc(1, sizeof(*id));
- if (id == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- ret = hx509_context_init(&id->hx509ctx);
- if (ret)
- goto out;
-
- ret = hx509_lock_init(id->hx509ctx, &lock);
- if (password && password[0])
- hx509_lock_add_password(lock, password);
-
- if (prompter) {
- p.context = context;
- p.prompter = prompter;
- p.prompter_data = prompter_data;
-
- ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
- if (ret)
- goto out;
- }
-
- ret = hx509_certs_init(id->hx509ctx, user_id, 0, lock, &id->certs);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to init cert certs");
- goto out;
- }
-
- ret = hx509_certs_init(id->hx509ctx, anchor_id, 0, NULL, &id->anchors);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to init anchors");
- goto out;
- }
-
- ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain",
- 0, NULL, &id->certpool);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to init chain");
- goto out;
- }
-
- while (chain_list && *chain_list) {
- ret = hx509_certs_append(id->hx509ctx, id->certpool,
- NULL, *chain_list);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed to laod chain %s",
- *chain_list);
- goto out;
- }
- chain_list++;
- }
-
- if (revoke_list) {
- ret = hx509_revoke_init(id->hx509ctx, &id->revokectx);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed init revoke list");
- goto out;
- }
-
- while (*revoke_list) {
- ret = hx509_revoke_add_crl(id->hx509ctx,
- id->revokectx,
- *revoke_list);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed load revoke list");
- goto out;
- }
- revoke_list++;
- }
- } else
- hx509_context_set_missing_revoke(id->hx509ctx, 1);
-
- ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx);
- if (ret) {
- _krb5_pk_copy_error(context, id->hx509ctx, ret,
- "Failed init verify context");
- goto out;
- }
-
- hx509_verify_attach_anchors(id->verify_ctx, id->anchors);
- hx509_verify_attach_revoke(id->verify_ctx, id->revokectx);
-
-out:
- if (ret) {
- hx509_verify_destroy_ctx(id->verify_ctx);
- hx509_certs_free(&id->certs);
- hx509_certs_free(&id->anchors);
- hx509_certs_free(&id->certpool);
- hx509_revoke_free(&id->revokectx);
- hx509_context_free(&id->hx509ctx);
- free(id);
- } else
- *ret_id = id;
-
- hx509_lock_free(lock);
-
- return ret;
-}
-
-static krb5_error_code
-select_dh_group(krb5_context context, DH *dh, unsigned long bits,
- struct krb5_dh_moduli **moduli)
-{
- const struct krb5_dh_moduli *m;
-
- if (bits == 0) {
- m = moduli[1]; /* XXX */
- if (m == NULL)
- m = moduli[0]; /* XXX */
- } else {
- int i;
- for (i = 0; moduli[i] != NULL; i++) {
- if (bits < moduli[i]->bits)
- break;
- }
- if (moduli[i] == NULL) {
- krb5_set_error_string(context,
- "Did not find a DH group parameter "
- "matching requirement of %lu bits",
- bits);
- return EINVAL;
- }
- m = moduli[i];
- }
-
- dh->p = integer_to_BN(context, "p", &m->p);
- if (dh->p == NULL)
- return ENOMEM;
- dh->g = integer_to_BN(context, "g", &m->g);
- if (dh->g == NULL)
- return ENOMEM;
- dh->q = integer_to_BN(context, "q", &m->q);
- if (dh->q == NULL)
- return ENOMEM;
-
- return 0;
-}
-
-#endif /* PKINIT */
-
-static int
-parse_integer(krb5_context context, char **p, const char *file, int lineno,
- const char *name, heim_integer *integer)
-{
- int ret;
- char *p1;
- p1 = strsep(p, " \t");
- if (p1 == NULL) {
- krb5_set_error_string(context, "moduli file %s missing %s on line %d",
- file, name, lineno);
- return EINVAL;
- }
- ret = der_parse_hex_heim_integer(p1, integer);
- if (ret) {
- krb5_set_error_string(context, "moduli file %s failed parsing %s "
- "on line %d",
- file, name, lineno);
- return ret;
- }
-
- return 0;
-}
-
-krb5_error_code
-_krb5_parse_moduli_line(krb5_context context,
- const char *file,
- int lineno,
- char *p,
- struct krb5_dh_moduli **m)
-{
- struct krb5_dh_moduli *m1;
- char *p1;
- int ret;
-
- *m = NULL;
-
- m1 = calloc(1, sizeof(*m1));
- if (m1 == NULL) {
- krb5_set_error_string(context, "malloc - out of memory");
- return ENOMEM;
- }
-
- while (isspace((unsigned char)*p))
- p++;
- if (*p == '#')
- return 0;
- ret = EINVAL;
-
- p1 = strsep(&p, " \t");
- if (p1 == NULL) {
- krb5_set_error_string(context, "moduli file %s missing name "
- "on line %d", file, lineno);
- goto out;
- }
- m1->name = strdup(p1);
- if (p1 == NULL) {
- krb5_set_error_string(context, "malloc - out of memeory");
- ret = ENOMEM;
- goto out;
- }
-
- p1 = strsep(&p, " \t");
- if (p1 == NULL) {
- krb5_set_error_string(context, "moduli file %s missing bits on line %d",
- file, lineno);
- goto out;
- }
-
- m1->bits = atoi(p1);
- if (m1->bits == 0) {
- krb5_set_error_string(context, "moduli file %s have un-parsable "
- "bits on line %d", file, lineno);
- goto out;
- }
-
- ret = parse_integer(context, &p, file, lineno, "p", &m1->p);
- if (ret)
- goto out;
- ret = parse_integer(context, &p, file, lineno, "g", &m1->g);
- if (ret)
- goto out;
- ret = parse_integer(context, &p, file, lineno, "q", &m1->q);
- if (ret)
- goto out;
-
- *m = m1;
-
- return 0;
-out:
- free(m1->name);
- der_free_heim_integer(&m1->p);
- der_free_heim_integer(&m1->g);
- der_free_heim_integer(&m1->q);
- free(m1);
- return ret;
-}
-
-void
-_krb5_free_moduli(struct krb5_dh_moduli **moduli)
-{
- int i;
- for (i = 0; moduli[i] != NULL; i++) {
- free(moduli[i]->name);
- der_free_heim_integer(&moduli[i]->p);
- der_free_heim_integer(&moduli[i]->g);
- der_free_heim_integer(&moduli[i]->q);
- free(moduli[i]);
- }
- free(moduli);
-}
-
-static const char *default_moduli_RFC2412_MODP_group2 =
- /* name */
- "RFC2412-MODP-group2 "
- /* bits */
- "1024 "
- /* p */
- "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
- "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
- "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
- "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
- "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
- "FFFFFFFF" "FFFFFFFF "
- /* g */
- "02 "
- /* q */
- "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
- "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
- "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
- "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
- "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0"
- "FFFFFFFF" "FFFFFFFF";
-
-static const char *default_moduli_rfc3526_MODP_group14 =
- /* name */
- "rfc3526-MODP-group14 "
- /* bits */
- "1760 "
- /* p */
- "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
- "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
- "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
- "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
- "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
- "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
- "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
- "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
- "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
- "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
- "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF "
- /* g */
- "02 "
- /* q */
- "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
- "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
- "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
- "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
- "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E"
- "E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF"
- "C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36"
- "B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D"
- "F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964"
- "EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288"
- "0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF";
-
-krb5_error_code
-_krb5_parse_moduli(krb5_context context, const char *file,
- struct krb5_dh_moduli ***moduli)
-{
- /* name bits P G Q */
- krb5_error_code ret;
- struct krb5_dh_moduli **m = NULL, **m2;
- char buf[4096];
- FILE *f;
- int lineno = 0, n = 0;
-
- *moduli = NULL;
-
- m = calloc(1, sizeof(m[0]) * 3);
- if (m == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
-
- strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf));
- ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[0]);
- if (ret) {
- _krb5_free_moduli(m);
- return ret;
- }
- n++;
-
- strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf));
- ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[1]);
- if (ret) {
- _krb5_free_moduli(m);
- return ret;
- }
- n++;
-
-
- if (file == NULL)
- file = MODULI_FILE;
-
- f = fopen(file, "r");
- if (f == NULL) {
- *moduli = m;
- return 0;
- }
-
- while(fgets(buf, sizeof(buf), f) != NULL) {
- struct krb5_dh_moduli *element;
-
- buf[strcspn(buf, "\n")] = '\0';
- lineno++;
-
- m2 = realloc(m, (n + 2) * sizeof(m[0]));
- if (m2 == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- _krb5_free_moduli(m);
- return ENOMEM;
- }
- m = m2;
-
- m[n] = NULL;
-
- ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element);
- if (ret) {
- _krb5_free_moduli(m);
- return ret;
- }
- if (element == NULL)
- continue;
-
- m[n] = element;
- m[n + 1] = NULL;
- n++;
- }
- *moduli = m;
- return 0;
-}
-
-krb5_error_code
-_krb5_dh_group_ok(krb5_context context, unsigned long bits,
- heim_integer *p, heim_integer *g, heim_integer *q,
- struct krb5_dh_moduli **moduli,
- char **name)
-{
- int i;
-
- if (name)
- *name = NULL;
-
- for (i = 0; moduli[i] != NULL; i++) {
- if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 &&
- der_heim_integer_cmp(&moduli[i]->p, p) == 0 &&
- (q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0))
- {
- if (bits && bits > moduli[i]->bits) {
- krb5_set_error_string(context, "PKINIT: DH group parameter %s "
- "no accepted, not enough bits generated",
- moduli[i]->name);
- return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
- }
- if (name)
- *name = strdup(moduli[i]->name);
- return 0;
- }
- }
- krb5_set_error_string(context, "PKINIT: DH group parameter no ok");
- return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
-}
-
-void KRB5_LIB_FUNCTION
-_krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
-{
-#ifdef PKINIT
- krb5_pk_init_ctx ctx;
-
- if (opt->opt_private == NULL || opt->opt_private->pk_init_ctx == NULL)
- return;
- ctx = opt->opt_private->pk_init_ctx;
- if (ctx->dh)
- DH_free(ctx->dh);
- ctx->dh = NULL;
- if (ctx->id) {
- hx509_verify_destroy_ctx(ctx->id->verify_ctx);
- hx509_certs_free(&ctx->id->certs);
- hx509_certs_free(&ctx->id->anchors);
- hx509_certs_free(&ctx->id->certpool);
- hx509_context_free(&ctx->id->hx509ctx);
-
- if (ctx->clientDHNonce) {
- krb5_free_data(NULL, ctx->clientDHNonce);
- ctx->clientDHNonce = NULL;
- }
- if (ctx->m)
- _krb5_free_moduli(ctx->m);
- free(ctx->id);
- ctx->id = NULL;
- }
- free(opt->opt_private->pk_init_ctx);
- opt->opt_private->pk_init_ctx = NULL;
-#endif
-}
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_init_creds_opt_set_pkinit(krb5_context context,
- krb5_get_init_creds_opt *opt,
- krb5_principal principal,
- const char *user_id,
- const char *x509_anchors,
- char * const * pool,
- char * const * pki_revoke,
- int flags,
- krb5_prompter_fct prompter,
- void *prompter_data,
- char *password)
-{
-#ifdef PKINIT
- krb5_error_code ret;
- char *anchors = NULL;
-
- if (opt->opt_private == NULL) {
- krb5_set_error_string(context, "PKINIT: on non extendable opt");
- return EINVAL;
- }
-
- opt->opt_private->pk_init_ctx =
- calloc(1, sizeof(*opt->opt_private->pk_init_ctx));
- if (opt->opt_private->pk_init_ctx == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
- }
- opt->opt_private->pk_init_ctx->dh = NULL;
- opt->opt_private->pk_init_ctx->id = NULL;
- opt->opt_private->pk_init_ctx->clientDHNonce = NULL;
- opt->opt_private->pk_init_ctx->require_binding = 0;
- opt->opt_private->pk_init_ctx->require_eku = 1;
- opt->opt_private->pk_init_ctx->require_krbtgt_otherName = 1;
- opt->opt_private->pk_init_ctx->peer = NULL;
-
- /* XXX implement krb5_appdefault_strings */
- if (pool == NULL)
- pool = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_pool",
- NULL);
-
- if (pki_revoke == NULL)
- pki_revoke = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_revoke",
- NULL);
-
- if (x509_anchors == NULL) {
- krb5_appdefault_string(context, "kinit",
- krb5_principal_get_realm(context, principal),
- "pkinit_anchors", NULL, &anchors);
- x509_anchors = anchors;
- }
-
- ret = _krb5_pk_load_id(context,
- &opt->opt_private->pk_init_ctx->id,
- user_id,
- x509_anchors,
- pool,
- pki_revoke,
- prompter,
- prompter_data,
- password);
- if (ret) {
- free(opt->opt_private->pk_init_ctx);
- opt->opt_private->pk_init_ctx = NULL;
- return ret;
- }
-
- if ((flags & 2) == 0) {
- const char *moduli_file;
- unsigned long dh_min_bits;
-
- moduli_file = krb5_config_get_string(context, NULL,
- "libdefaults",
- "moduli",
- NULL);
-
- dh_min_bits =
- krb5_config_get_int_default(context, NULL, 0,
- "libdefaults",
- "pkinit_dh_min_bits",
- NULL);
-
- ret = _krb5_parse_moduli(context, moduli_file,
- &opt->opt_private->pk_init_ctx->m);
- if (ret) {
- _krb5_get_init_creds_opt_free_pkinit(opt);
- return ret;
- }
-
- opt->opt_private->pk_init_ctx->dh = DH_new();
- if (opt->opt_private->pk_init_ctx->dh == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- _krb5_get_init_creds_opt_free_pkinit(opt);
- return ENOMEM;
- }
-
- ret = select_dh_group(context, opt->opt_private->pk_init_ctx->dh,
- dh_min_bits,
- opt->opt_private->pk_init_ctx->m);
- if (ret) {
- _krb5_get_init_creds_opt_free_pkinit(opt);
- return ret;
- }
-
- if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) {
- krb5_set_error_string(context, "pkinit: failed to generate DH key");
- _krb5_get_init_creds_opt_free_pkinit(opt);
- return ENOMEM;
- }
- }
-
- return 0;
-#else
- krb5_set_error_string(context, "no support for PKINIT compiled in");
- return EINVAL;
-#endif
-}
-
-/*
- *
- */
-
-static void
-_krb5_pk_copy_error(krb5_context context,
- hx509_context hx509ctx,
- int hxret,
- const char *fmt,
- ...)
-{
- va_list va;
- char *s, *f;
-
- va_start(va, fmt);
- vasprintf(&f, fmt, va);
- va_end(va);
- if (f == NULL) {
- krb5_clear_error_string(context);
- return;
- }
-
- s = hx509_get_error_string(hx509ctx, hxret);
- if (s == NULL) {
- krb5_clear_error_string(context);
- free(f);
- return;
- }
- krb5_set_error_string(context, "%s: %s", f, s);
- free(s);
- free(f);
-}
OpenPOWER on IntegriCloud