oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

(_kdc_pk_rd_padata): use hx509_cms_unwrap_ContentInfo.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17117 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-04-20 19:55:09 +00:00
parent cb1f6e5345
commit 1b73708904
1 changed files with 34 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

107
kdc/pkinit.c
View File

@@ -424,11 +424,12 @@ _kdc_pk_rd_padata(krb5_context context,
{ {
pk_client_params *client_params; pk_client_params *client_params;
krb5_error_code ret; krb5_error_code ret;
heim_oid eContentType = { 0, NULL }; heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL };
krb5_data eContent = { 0, NULL }; krb5_data eContent = { 0, NULL };
krb5_data signed_content = { 0, NULL }; krb5_data signed_content = { 0, NULL };
const char *type = "unknown type"; const char *type = "unknown type";
const heim_oid *pa_contentType; const heim_oid *pa_contentType;
int have_data;
*ret_params = NULL; *ret_params = NULL;
@@ -446,7 +447,7 @@ _kdc_pk_rd_padata(krb5_context context,
if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) { if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) {
PA_PK_AS_REQ_Win2k r; PA_PK_AS_REQ_Win2k r;
ContentInfo info; int have_data;
type = "PK-INIT-Win2k"; type = "PK-INIT-Win2k";
pa_contentType = oid_id_pkcs7_data(); pa_contentType = oid_id_pkcs7_data();
@@ -461,47 +462,20 @@ _kdc_pk_rd_padata(krb5_context context,
goto out; goto out;
} }
ret = decode_ContentInfo(r.signed_auth_pack.data, ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack,
r.signed_auth_pack.length, &info, NULL); &contentInfoOid,
&signed_content,
&have_data);
free_PA_PK_AS_REQ_Win2k(&r); free_PA_PK_AS_REQ_Win2k(&r);
if (ret) { if (ret) {
krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret); krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret);
goto out; goto out;
} }
if (heim_oid_cmp(&info.contentType, oid_id_pkcs7_signedData())) {
krb5_set_error_string(context, "PK-AS-REQ-Win2k invalid content "
"type oid");
free_ContentInfo(&info);
ret = KRB5KRB_ERR_GENERIC;
goto out;
}
if (info.content == NULL) {
krb5_set_error_string(context,
"PK-AS-REQ-Win2k no signed auth pack");
free_ContentInfo(&info);
ret = KRB5KRB_ERR_GENERIC;
goto out;
}
signed_content.data = malloc(info.content->length);
if (signed_content.data == NULL) {
ret = ENOMEM;
free_ContentInfo(&info);
krb5_set_error_string(context, "PK-AS-REQ-Win2k out of memory");
goto out;
}
signed_content.length = info.content->length;
memcpy(signed_content.data, info.content->data, signed_content.length);
free_ContentInfo(&info);
} else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) { } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
PA_PK_AS_REQ r; PA_PK_AS_REQ r;
ContentInfo info;
type = "PK-INIT-27"; type = "PK-INIT-IETF";
pa_contentType = oid_id_pkauthdata(); pa_contentType = oid_id_pkauthdata();
ret = decode_PA_PK_AS_REQ(pa->padata_value.data, ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
@@ -513,50 +487,39 @@ _kdc_pk_rd_padata(krb5_context context,
goto out; goto out;
} }
ret = decode_ContentInfo(r.signedAuthPack.data, /* XXX look at r.trustedCertifiers and r.kdcPkId */
r.signedAuthPack.length, &info, NULL);
ret = hx509_cms_unwrap_ContentInfo(&r.signedAuthPack,
&contentInfoOid,
&signed_content,
&have_data);
free_PA_PK_AS_REQ(&r);
if (ret) { if (ret) {
krb5_set_error_string(context, "Can't decode PK-AS-REQ: %d", ret); krb5_set_error_string(context, "Can't unwrap ContentInfo: %d", ret);
goto out; goto out;
} }
if (heim_oid_cmp(&info.contentType, oid_id_pkcs7_signedData())) {
krb5_set_error_string(context, "PK-AS-REQ invalid content "
"type oid");
free_ContentInfo(&info);
free_PA_PK_AS_REQ(&r);
ret = KRB5KRB_ERR_GENERIC;
goto out;
}
if (info.content == NULL) {
krb5_set_error_string(context, "PK-AS-REQ no signed auth pack");
free_PA_PK_AS_REQ(&r);
free_ContentInfo(&info);
ret = KRB5KRB_ERR_GENERIC;
goto out;
}
signed_content.data = malloc(info.content->length);
if (signed_content.data == NULL) {
ret = ENOMEM;
free_ContentInfo(&info);
free_PA_PK_AS_REQ(&r);
krb5_set_error_string(context, "PK-AS-REQ out of memory");
goto out;
}
signed_content.length = info.content->length;
memcpy(signed_content.data, info.content->data, signed_content.length);
free_ContentInfo(&info);
free_PA_PK_AS_REQ(&r);
} else { } else {
krb5_clear_error_string(context); krb5_clear_error_string(context);
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
goto out; goto out;
} }
ret = heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData());
if (ret != 0) {
krb5_set_error_string(context, "PK-AS-REQ-Win2k invalid content "
"type oid");
ret = KRB5KRB_ERR_GENERIC;
goto out;
}
if (!have_data) {
krb5_set_error_string(context,
"PK-AS-REQ-Win2k no signed auth pack");
ret = KRB5KRB_ERR_GENERIC;
goto out;
}
{ {
hx509_certs signer_certs; hx509_certs signer_certs;
@@ -654,19 +617,15 @@ _kdc_pk_rd_padata(krb5_context context,
} else } else
krb5_abortx(context, "internal pkinit error"); krb5_abortx(context, "internal pkinit error");
/*
* Remaining fields (ie kdcCert and encryptionCert) in the request
* are ignored for now.
*/
kdc_log(context, config, 0, "PK-INIT request of type %s", type); kdc_log(context, config, 0, "PK-INIT request of type %s", type);
out: out:
if (signed_content.data) if (signed_content.data)
free(signed_content.data); free(signed_content.data);
krb5_data_free(&eContent); krb5_data_free(&eContent);
free_oid(&eContentType); free_oid(&eContentType);
free_oid(&contentInfoOid);
if (ret) if (ret)
_kdc_pk_free_client_param(context, client_params); _kdc_pk_free_client_param(context, client_params);
else else