Use hx509_context that build from krb5_context
76
kdc/pkinit.c
76
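--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -517,7 +517,7 @@ _kdc_pk_rd_padata(krb5_context context,
 goto out;
 }
 
-ret = hx509_certs_init(kdc_identity->hx509ctx,
+ret = hx509_certs_init(context->hx509ctx,
 "MEMORY:trust-anchors",
 0, NULL, &trust_anchors);
 if (ret) {
@@ -525,7 +525,7 @@ _kdc_pk_rd_padata(krb5_context context,
 goto out;
 }
 
-ret = hx509_certs_merge(kdc_identity->hx509ctx, trust_anchors,
+ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
 kdc_identity->anchors);
 if (ret) {
 hx509_certs_free(&trust_anchors);
@@ -540,18 +540,18 @@ _kdc_pk_rd_padata(krb5_context context,
 unsigned int i;
 
 for (i = 0; i < pc->len; i++) {
-ret = hx509_cert_init_data(kdc_identity->hx509ctx,
+ret = hx509_cert_init_data(context->hx509ctx,
 pc->val[i].cert.data,
 pc->val[i].cert.length,
 &cert);
 if (ret)
 continue;
-hx509_certs_add(kdc_identity->hx509ctx, trust_anchors, cert);
+hx509_certs_add(context->hx509ctx, trust_anchors, cert);
 hx509_cert_free(cert);
 }
 }
 
-ret = hx509_verify_init_ctx(kdc_identity->hx509ctx, &cp->verify_ctx);
+ret = hx509_verify_init_ctx(context->hx509ctx, &cp->verify_ctx);
 if (ret) {
 hx509_certs_free(&trust_anchors);
 krb5_set_error_message(context, ret, "failed to create verify context");
@@ -618,7 +618,7 @@ _kdc_pk_rd_padata(krb5_context context,
 ExternalPrincipalIdentifiers *edi = r.trustedCertifiers;
 unsigned int i, maxedi;
 
-ret = hx509_certs_init(kdc_identity->hx509ctx,
+ret = hx509_certs_init(context->hx509ctx,
 "MEMORY:client-anchors",
 0, NULL,
 &cp->client_anchors);
@@ -645,7 +645,7 @@ _kdc_pk_rd_padata(krb5_context context,
 if (edi->val[i].issuerAndSerialNumber == NULL)
 continue;
 
-ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ret = hx509_query_alloc(context->hx509ctx, &q);
 if (ret) {
 krb5_set_error_message(context, ret,
 "Failed to allocate hx509_query");
@@ -657,24 +657,24 @@ _kdc_pk_rd_padata(krb5_context context,
 &iasn,
 &size);
 if (ret) {
-hx509_query_free(kdc_identity->hx509ctx, q);
+hx509_query_free(context->hx509ctx, q);
 continue;
 }
 ret = hx509_query_match_issuer_serial(q, &iasn.issuer, &iasn.serialNumber);
 free_IssuerAndSerialNumber(&iasn);
 if (ret) {
-hx509_query_free(kdc_identity->hx509ctx, q);
+hx509_query_free(context->hx509ctx, q);
 continue;
 }
 
-ret = hx509_certs_find(kdc_identity->hx509ctx,
+ret = hx509_certs_find(context->hx509ctx,
 kdc_identity->certs,
 q,
 &cert);
-hx509_query_free(kdc_identity->hx509ctx, q);
+hx509_query_free(context->hx509ctx, q);
 if (ret)
 continue;
-hx509_certs_add(kdc_identity->hx509ctx,
+hx509_certs_add(context->hx509ctx,
 cp->client_anchors, cert);
 hx509_cert_free(cert);
 }
@@ -719,7 +719,7 @@ _kdc_pk_rd_padata(krb5_context context,
 if (req->req_body.kdc_options.request_anonymous)
 flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
 
-ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
+ret = hx509_cms_verify_signed(context->hx509ctx,
 cp->verify_ctx,
 flags,
 signed_content.data,
@@ -730,7 +730,7 @@ _kdc_pk_rd_padata(krb5_context context,
 &eContent,
 &signer_certs);
 if (ret) {
-char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret);
+char *s = hx509_get_error_string(context->hx509ctx, ret);
 krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
 s, ret);
 free(s);
@@ -738,7 +738,7 @@ _kdc_pk_rd_padata(krb5_context context,
 }
 
 if (signer_certs) {
-ret = hx509_get_one_cert(kdc_identity->hx509ctx, signer_certs,
+ret = hx509_get_one_cert(context->hx509ctx, signer_certs,
 &cp->cert);
 hx509_certs_free(&signer_certs);
 }
@@ -843,7 +843,7 @@ _kdc_pk_rd_padata(krb5_context context,
 } else
 cp->keyex = USE_RSA;
 
-ret = hx509_peer_info_alloc(kdc_identity->hx509ctx,
+ret = hx509_peer_info_alloc(context->hx509ctx,
 &cp->peer);
 if (ret) {
 free_AuthPack(&ap);
@@ -851,7 +851,7 @@ _kdc_pk_rd_padata(krb5_context context,
 }
 
 if (ap.supportedCMSTypes) {
-ret = hx509_peer_info_set_cms_algs(kdc_identity->hx509ctx,
+ret = hx509_peer_info_set_cms_algs(context->hx509ctx,
 cp->peer,
 ap.supportedCMSTypes->val,
 ap.supportedCMSTypes->len);
@@ -861,11 +861,11 @@ _kdc_pk_rd_padata(krb5_context context,
 }
 } else {
 /* assume old client */
-hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer,
+hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
 hx509_crypto_des_rsdi_ede3_cbc());
-hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer,
+hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
 hx509_signature_rsa_with_sha1());
-hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer,
+hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
 hx509_signature_sha1());
 }
 free_AuthPack(&ap);
@@ -1016,7 +1016,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
 hx509_query *q;
 hx509_cert cert;
 
-ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ret = hx509_query_alloc(context->hx509ctx, &q);
 if (ret)
 goto out;
 
@@ -1024,15 +1024,15 @@ pk_mk_pa_reply_enckey(krb5_context context,
 if (config->pkinit_kdc_friendly_name)
 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
 
-ret = hx509_certs_find(kdc_identity->hx509ctx,
+ret = hx509_certs_find(context->hx509ctx,
 kdc_identity->certs,
 q,
 &cert);
-hx509_query_free(kdc_identity->hx509ctx, q);
+hx509_query_free(context->hx509ctx, q);
 if (ret)
 goto out;
 
-ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
+ret = hx509_cms_create_signed_1(context->hx509ctx,
 0,
 sdAlg,
 buf.data,
@@ -1060,7 +1060,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
 signed_data = buf;
 }
 
-ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
+ret = hx509_cms_envelope_1(context->hx509ctx,
 HX509_CMS_EV_NO_KU_CHECK,
 cp->cert,
 signed_data.data, signed_data.length,
@@ -1172,7 +1172,7 @@ pk_mk_pa_reply_dh(krb5_context context,
 * filled in above
 */
 
-ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ret = hx509_query_alloc(context->hx509ctx, &q);
 if (ret)
 goto out;
 
@@ -1180,15 +1180,15 @@ pk_mk_pa_reply_dh(krb5_context context,
 if (config->pkinit_kdc_friendly_name)
 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
 
-ret = hx509_certs_find(kdc_identity->hx509ctx,
+ret = hx509_certs_find(context->hx509ctx,
 kdc_identity->certs,
 q,
 &cert);
-hx509_query_free(kdc_identity->hx509ctx, q);
+hx509_query_free(context->hx509ctx, q);
 if (ret)
 goto out;
 
-ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
+ret = hx509_cms_create_signed_1(context->hx509ctx,
 0,
 &asn1_oid_id_pkdhkeydata,
 buf.data,
@@ -1509,7 +1509,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 goto out_ocsp;
 }
 
-ret = hx509_ocsp_verify(kdc_identity->hx509ctx,
+ret = hx509_ocsp_verify(context->hx509ctx,
 kdc_time,
 kdc_cert,
 0,
@@ -1703,7 +1703,7 @@ _kdc_pk_check_client(krb5_context context,
 return 0;
 }
 
-ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx,
+ret = hx509_cert_get_base_subject(context->hx509ctx,
 cp->cert,
 &name);
 if (ret)
@@ -1724,7 +1724,7 @@ _kdc_pk_check_client(krb5_context context,
 unsigned int i;
 
 for (i = 0; i < pc->len; i++) {
-ret = hx509_cert_init_data(kdc_identity->hx509ctx,
+ret = hx509_cert_init_data(context->hx509ctx,
 pc->val[i].cert.data,
 pc->val[i].cert.length,
 &cert);
@@ -1743,7 +1743,7 @@ _kdc_pk_check_client(krb5_context context,
 
 if (config->pkinit_princ_in_cert) {
 ret = match_rfc_san(context, config,
-kdc_identity->hx509ctx,
+context->hx509ctx,
 cp->cert,
 client->entry.principal);
 if (ret == 0) {
@@ -1752,7 +1752,7 @@ _kdc_pk_check_client(krb5_context context,
 return 0;
 }
 ret = match_ms_upn_san(context, config,
-kdc_identity->hx509ctx,
+context->hx509ctx,
 cp->cert,
 clientdb,
 client);
@@ -1967,7 +1967,7 @@ _kdc_pk_initialize(krb5_context context,
 hx509_query *q;
 hx509_cert cert;
 
-ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ret = hx509_query_alloc(context->hx509ctx, &q);
 if (ret) {
 krb5_warnx(context, "PKINIT: out of memory");
 return ENOMEM;
@@ -1977,13 +1977,13 @@ _kdc_pk_initialize(krb5_context context,
 if (config->pkinit_kdc_friendly_name)
 hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
 
-ret = hx509_certs_find(kdc_identity->hx509ctx,
+ret = hx509_certs_find(context->hx509ctx,
 kdc_identity->certs,
 q,
 &cert);
-hx509_query_free(kdc_identity->hx509ctx, q);
+hx509_query_free(context->hx509ctx, q);
 if (ret == 0) {
-if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert,
+if (hx509_cert_check_eku(context->hx509ctx, cert,
 &asn1_oid_id_pkkdcekuoid, 0)) {
 hx509_name name;
 char *str;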
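Review bot: The store objects that travel with the switched context — `kdc_identity->certs` and `kdc_identity->anchors` in the hunks at 525, 657, 1024, 1180 and 1977 — are still opened by whatever code populated kdc_identity, which is outside these hunks; if they were created under the old `kdc_identity->hx509ctx`, that initialisation should move to `context->hx509ctx` too (or the per-identity context be removed), so that trust anchors, `cp->verify_ctx` (hunk at 540) and the error text fetched by `hx509_get_error_string` (hunk at 730) all come from one hx509_context rather than two. It would also help to document the new ownership at the first use in `_kdc_pk_initialize` (hunk at 1967), which dereferences `context->hx509ctx` during KDC start-up, e.g. `/* hx509 state lives in context->hx509ctx, owned by the krb5_context; kdc_identity no longer carries its own hx509_context */`, so a later reader knows the field must be valid before PKINIT initialisation. Every enclosing function here starts and ends outside its hunks.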