Store which PK-INIT type we used so we know what reply to expect. This avoids

overwriting the real PK-INIT error from a merely failed request with a
Windows PK-INIT error (which always fails).


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19191 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2006-11-29 11:47:29 +00:00
parent b2fcb6539d
commit 247bb1c42b


@@ -82,6 +82,7 @@ struct krb5_pk_init_ctx_data {
krb5_data *clientDHNonce; krb5_data *clientDHNonce;
struct krb5_dh_moduli **m; struct krb5_dh_moduli **m;
hx509_peer_info peer; hx509_peer_info peer;
int type;
int require_binding; int require_binding;
int require_eku; int require_eku;
int require_krbtgt_otherName; int require_krbtgt_otherName;
@@ -445,7 +446,6 @@ _krb5_pk_mk_ContentInfo(krb5_context context,
static krb5_error_code static krb5_error_code
pk_mk_padata(krb5_context context, pk_mk_padata(krb5_context context,
int compat,
krb5_pk_init_ctx ctx, krb5_pk_init_ctx ctx,
const KDC_REQ_BODY *req_body, const KDC_REQ_BODY *req_body,
unsigned nonce, unsigned nonce,
@@ -462,7 +462,7 @@ pk_mk_padata(krb5_context context,
krb5_data_zero(&sd_buf); krb5_data_zero(&sd_buf);
memset(&content_info, 0, sizeof(content_info)); memset(&content_info, 0, sizeof(content_info));
if (compat == COMPAT_WIN2K) { if (ctx->type == COMPAT_WIN2K) {
AuthPack_Win2k ap; AuthPack_Win2k ap;
krb5_timestamp sec; krb5_timestamp sec;
int32_t usec; int32_t usec;
@@ -499,7 +499,7 @@ pk_mk_padata(krb5_context context,
krb5_abortx(context, "internal ASN1 encoder error"); krb5_abortx(context, "internal ASN1 encoder error");
oid = oid_id_pkcs7_data(); oid = oid_id_pkcs7_data();
} else if (compat == COMPAT_IETF) { } else if (ctx->type == COMPAT_IETF) {
AuthPack ap; AuthPack ap;
memset(&ap, 0, sizeof(ap)); memset(&ap, 0, sizeof(ap));
@@ -546,7 +546,7 @@ pk_mk_padata(krb5_context context,
if (buf.length != size) if (buf.length != size)
krb5_abortx(context, "Internal ASN1 encoder error"); krb5_abortx(context, "Internal ASN1 encoder error");
if (compat == COMPAT_WIN2K) { if (ctx->type == COMPAT_WIN2K) {
PA_PK_AS_REQ_Win2k winreq; PA_PK_AS_REQ_Win2k winreq;
pa_type = KRB5_PADATA_PK_AS_REQ_WIN; pa_type = KRB5_PADATA_PK_AS_REQ_WIN;
@@ -559,7 +559,7 @@ pk_mk_padata(krb5_context context,
&winreq, &size, ret); &winreq, &size, ret);
free_PA_PK_AS_REQ_Win2k(&winreq); free_PA_PK_AS_REQ_Win2k(&winreq);
} else if (compat == COMPAT_IETF) { } else if (ctx->type == COMPAT_IETF) {
PA_PK_AS_REQ req; PA_PK_AS_REQ req;
pa_type = KRB5_PADATA_PK_AS_REQ; pa_type = KRB5_PADATA_PK_AS_REQ;
@@ -600,7 +600,7 @@ pk_mk_padata(krb5_context context,
if (ret) if (ret)
free(buf.data); free(buf.data);
if (ret == 0 && compat == COMPAT_WIN2K) if (ret == 0 && ctx->type == COMPAT_WIN2K)
krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0); krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
out: out:
@@ -618,7 +618,7 @@ _krb5_pk_mk_padata(krb5_context context,
METHOD_DATA *md) METHOD_DATA *md)
{ {
krb5_pk_init_ctx ctx = c; krb5_pk_init_ctx ctx = c;
int win2k_compat, type; int win2k_compat;
win2k_compat = krb5_config_get_bool_default(context, NULL, win2k_compat = krb5_config_get_bool_default(context, NULL,
FALSE, FALSE,
@@ -637,9 +637,9 @@ _krb5_pk_mk_padata(krb5_context context,
req_body->realm, req_body->realm,
"pkinit_win2k_require_binding", "pkinit_win2k_require_binding",
NULL); NULL);
type = COMPAT_WIN2K; ctx->type = COMPAT_WIN2K;
} else } else
type = COMPAT_IETF; ctx->type = COMPAT_IETF;
ctx->require_eku = ctx->require_eku =
krb5_config_get_bool_default(context, NULL, krb5_config_get_bool_default(context, NULL,
@@ -664,7 +664,7 @@ _krb5_pk_mk_padata(krb5_context context,
"pkinit_require_hostname_match", "pkinit_require_hostname_match",
NULL); NULL);
return pk_mk_padata(context, type, ctx, req_body, nonce, md); return pk_mk_padata(context, ctx, req_body, nonce, md);
} }
krb5_error_code KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_FUNCTION
@@ -1229,8 +1229,13 @@ _krb5_pk_rd_pa_reply(krb5_context context,
size_t size; size_t size;
/* Check for IETF PK-INIT first */ /* Check for IETF PK-INIT first */
if (pa->padata_type == KRB5_PADATA_PK_AS_REP) { if (ctx->type == COMPAT_IETF) {
PA_PK_AS_REP rep; PA_PK_AS_REP rep;
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
krb5_set_error_string(context, "PKINIT: wrong padata recv");
return EINVAL;
}
memset(&rep, 0, sizeof(rep)); memset(&rep, 0, sizeof(rep));
@@ -1286,14 +1291,19 @@ _krb5_pk_rd_pa_reply(krb5_context context,
ret = EINVAL; ret = EINVAL;
break; break;
} }
if (ret == 0)
return ret;
}
/* Check for Windows encoding of the AS-REP pa data */ } else if (ctx->type == COMPAT_WIN2K) {
{
PA_PK_AS_REP_Win2k w2krep; PA_PK_AS_REP_Win2k w2krep;
/* Check for Windows encoding of the AS-REP pa data */
#if 0 /* should this be ? */
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
krb5_set_error_string(context, "PKINIT: wrong padata recv");
return EINVAL;
}
#endif
memset(&w2krep, 0, sizeof(w2krep)); memset(&w2krep, 0, sizeof(w2krep));
ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data, ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data,
@@ -1334,6 +1344,9 @@ _krb5_pk_rd_pa_reply(krb5_context context,
break; break;
} }
} else {
krb5_set_error_string(context, "PKINIT: unknown reply type");
ret = EINVAL;
} }
return ret; return ret;
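Review bot: The Windows branch of `_krb5_pk_rd_pa_reply` still never validates `pa->padata_type`: the only check is the `#if 0 /* should this be ? */` block, and that block compares against `KRB5_PADATA_PK_AS_REP`, the IETF reply type, which is presumably why it was disabled rather than enabled — the request side already uses a distinct Windows constant (`KRB5_PADATA_PK_AS_REQ_WIN`), so the Windows reply type is not the IETF one. As committed, any padata value handed to this path is fed straight into `decode_PA_PK_AS_REP_Win2k`, while the IETF branch now rejects a mismatched type up front; the two branches should be symmetric. I would replace the `#if 0`/`#endif` block with a live check against whichever padata-type constant the Windows-style AS-REP actually carries (not `KRB5_PADATA_PK_AS_REP`), using the same `krb5_set_error_string(context, "PKINIT: wrong padata recv"); return EINVAL;` shape as the IETF branch, and drop the dead code and its question-mark comment. Whether the caller already filters by padata type before reaching here is not visible from this hunk; `_krb5_pk_rd_pa_reply` starts outside the hunk.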