oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Update error codes. Add name to group. Change return value of

Browse Source 
_krb5_dh_group_ok.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16131 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2005-10-07 08:53:15 +00:00
parent 71b2f65b0d
commit 29bab5c5f9
1 changed files with 41 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
lib/krb5/pkinit.c
View File

@@ -106,6 +106,7 @@ struct krb5_pk_cert {
}; };
struct krb5_dh_moduli { struct krb5_dh_moduli {
char *name;
unsigned long bits; unsigned long bits;
heim_integer p; heim_integer p;
heim_integer g; heim_integer g;
@@ -1029,7 +1030,7 @@ pk_verify_chain_standard(krb5_context context,
int i; int i;
int ret; int ret;
ret = KRB5_KDC_ERROR_CLIENT_NAME_MISMATCH; ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
for (i = 0; i < sk_X509_num(chain); i++) { for (i = 0; i < sk_X509_num(chain); i++) {
cert = sk_X509_value(chain, i); cert = sk_X509_value(chain, i);
if (pk_peer_compare(context, client, cert) == TRUE) { if (pk_peer_compare(context, client, cert) == TRUE) {
@@ -1069,7 +1070,7 @@ pk_verify_chain_standard(krb5_context context,
ret = 0; ret = 0;
break; break;
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
ret = KRB5_KDC_ERROR_CANT_VERIFY_CERTIFICATE; ret = KRB5_KDC_ERR_CANT_VERIFY_CERTIFICATE;
krb5_set_error_string(context, "PKINIT: failed to verify " krb5_set_error_string(context, "PKINIT: failed to verify "
"certificate: %s ", "certificate: %s ",
X509_verify_cert_error_string(store_ctx->error)); X509_verify_cert_error_string(store_ctx->error));
@@ -1080,7 +1081,7 @@ pk_verify_chain_standard(krb5_context context,
case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_CERT_HAS_EXPIRED:
ret = KRB5_KDC_ERROR_INVALID_CERTIFICATE; ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
krb5_set_error_string(context, "PKINIT: invalid certificate: %s ", krb5_set_error_string(context, "PKINIT: invalid certificate: %s ",
X509_verify_cert_error_string(store_ctx->error)); X509_verify_cert_error_string(store_ctx->error));
break; break;
@@ -1090,13 +1091,13 @@ pk_verify_chain_standard(krb5_context context,
case X509_V_ERR_CERT_CHAIN_TOO_LONG: case X509_V_ERR_CERT_CHAIN_TOO_LONG:
case X509_V_ERR_PATH_LENGTH_EXCEEDED: case X509_V_ERR_PATH_LENGTH_EXCEEDED:
case X509_V_ERR_INVALID_CA: case X509_V_ERR_INVALID_CA:
ret = KRB5_KDC_ERROR_INVALID_CERTIFICATE; ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
krb5_set_error_string(context, "PKINIT: unknown CA or can't " krb5_set_error_string(context, "PKINIT: unknown CA or can't "
"verify certificate: %s", "verify certificate: %s",
X509_verify_cert_error_string(store_ctx->error)); X509_verify_cert_error_string(store_ctx->error));
break; break;
default: default:
ret = KRB5_KDC_ERROR_INVALID_CERTIFICATE; /* XXX */ ret = KRB5_KDC_ERR_INVALID_CERTIFICATE; /* XXX */
krb5_set_error_string(context, "PKINIT: failed to verify " krb5_set_error_string(context, "PKINIT: failed to verify "
"certificate: %s (%ld) ", "certificate: %s (%ld) ",
X509_verify_cert_error_string(store_ctx->error), X509_verify_cert_error_string(store_ctx->error),
@@ -2599,6 +2600,9 @@ parse_integer(krb5_context context, char **p, const char *file, int lineno,
file, name, lineno); file, name, lineno);
return EINVAL; return EINVAL;
} }
if (strcmp(p1, "-") == 0) {
memset(integer, 0, sizeof(*integer));
} else {
ret = der_parse_hex_heim_integer(p1, integer); ret = der_parse_hex_heim_integer(p1, integer);
if (ret) { if (ret) {
krb5_set_error_string(context, "moduli file %s failed parsing %s " krb5_set_error_string(context, "moduli file %s failed parsing %s "
@@ -2606,6 +2610,8 @@ parse_integer(krb5_context context, char **p, const char *file, int lineno,
file, name, lineno); file, name, lineno);
return ret; return ret;
} }
}
return 0; return 0;
} }
@@ -2634,6 +2640,19 @@ _krb5_parse_moduli_line(krb5_context context,
return 0; return 0;
ret = EINVAL; ret = EINVAL;
p1 = strsep(&p, " \t");
if (p1 == NULL) {
krb5_set_error_string(context, "moduli file %s missing name "
"on line %d", file, lineno);
goto out;
}
m1->name = strdup(p1);
if (p1 == NULL) {
krb5_set_error_string(context, "malloc - out of memeory");
ret = ENOMEM;
goto out;
}
p1 = strsep(&p, " \t"); p1 = strsep(&p, " \t");
if (p1 == NULL) { if (p1 == NULL) {
krb5_set_error_string(context, "moduli file %s missing bits on line %d", krb5_set_error_string(context, "moduli file %s missing bits on line %d",
@@ -2662,6 +2681,7 @@ _krb5_parse_moduli_line(krb5_context context,
return 0; return 0;
out: out:
free(m1->name);
free_heim_integer(&m1->p); free_heim_integer(&m1->p);
free_heim_integer(&m1->g); free_heim_integer(&m1->g);
free_heim_integer(&m1->q); free_heim_integer(&m1->q);
@@ -2674,6 +2694,7 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli)
{ {
int i; int i;
for (i = 0; moduli[i] != NULL; i++) { for (i = 0; moduli[i] != NULL; i++) {
free(moduli[i]->name);
free_heim_integer(&moduli[i]->p); free_heim_integer(&moduli[i]->p);
free_heim_integer(&moduli[i]->g); free_heim_integer(&moduli[i]->g);
free_heim_integer(&moduli[i]->q); free_heim_integer(&moduli[i]->q);
@@ -2684,6 +2705,7 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli)
static const char *default_moduli = static const char *default_moduli =
/* bits */ /* bits */
"RFC2412-MODP-group2 "
"1024 " "1024 "
/* p */ /* p */
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1" "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
@@ -2707,7 +2729,7 @@ krb5_error_code
_krb5_parse_moduli(krb5_context context, const char *file, _krb5_parse_moduli(krb5_context context, const char *file,
struct krb5_dh_moduli ***moduli) struct krb5_dh_moduli ***moduli)
{ {
/* bits P G Q */ /* comment bits P G Q */
krb5_error_code ret; krb5_error_code ret;
struct krb5_dh_moduli **m = NULL, **m2; struct krb5_dh_moduli **m = NULL, **m2;
char buf[4096]; char buf[4096];
@@ -2771,7 +2793,7 @@ _krb5_parse_moduli(krb5_context context, const char *file,
return 0; return 0;
} }
krb5_boolean krb5_error_code
_krb5_dh_group_ok(krb5_context context, unsigned long bits, _krb5_dh_group_ok(krb5_context context, unsigned long bits,
heim_integer *p, heim_integer *g, heim_integer *q, heim_integer *p, heim_integer *g, heim_integer *q,
struct krb5_dh_moduli **moduli) struct krb5_dh_moduli **moduli)
@@ -2782,11 +2804,11 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits,
heim_integer_cmp(&moduli[i]->p, p) == 0 && heim_integer_cmp(&moduli[i]->p, p) == 0 &&
heim_integer_cmp(&moduli[i]->q, q) == 0) heim_integer_cmp(&moduli[i]->q, q) == 0)
{ {
return TRUE; return 0;
} }
} }
krb5_set_error_string(context, "PKINIT: DH group parameter no ok");
return FALSE; return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
} }
static krb5_error_code static krb5_error_code
@@ -2795,6 +2817,8 @@ select_dh_group(krb5_context context, DH *dh, unsigned long bits,
{ {
const struct krb5_dh_moduli *m; const struct krb5_dh_moduli *m;
m = moduli[1]; /* XXX */
if (m == NULL)
m = moduli[0]; /* XXX */ m = moduli[0]; /* XXX */
dh->p = integer_to_BN(context, "p", &m->p); dh->p = integer_to_BN(context, "p", &m->p);