oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Sprinkel setting error strings.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17391 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-05-01 14:02:50 +00:00
parent c45fec90c7
commit 74a41b918b
2 changed files with 79 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
lib/hx509/cert.c
View File

@@ -106,6 +106,8 @@ hx509_context_init(hx509_context *context)
(*context)->ocsp_time_diff = HX509_DEFAULT_OCSP_TIME_DIFF; (*context)->ocsp_time_diff = HX509_DEFAULT_OCSP_TIME_DIFF;
initialize_hx_error_table_r(&(*context)->et_list);
return 0; return 0;
} }
@@ -126,6 +128,7 @@ hx509_context_free(hx509_context *context)
(*context)->ks_ops = NULL; (*context)->ks_ops = NULL;
} }
(*context)->ks_num_ops = 0; (*context)->ks_num_ops = 0;
free_error_table ((*context)->et_list);
free(*context); free(*context);
*context = NULL; *context = NULL;
} }
@@ -489,7 +492,8 @@ hx509_cert_find_subjectAltName_otherName(hx509_cert cert,
static int static int
check_key_usage(const Certificate *cert, unsigned flags, int req_present) check_key_usage(hx509_context context, const Certificate *cert,
unsigned flags, int req_present)
{ {
const Extension *e; const Extension *e;
KeyUsage ku; KeyUsage ku;
@@ -502,8 +506,12 @@ check_key_usage(const Certificate *cert, unsigned flags, int req_present)
e = find_extension(cert, oid_id_x509_ce_keyUsage(), &i); e = find_extension(cert, oid_id_x509_ce_keyUsage(), &i);
if (e == NULL) { if (e == NULL) {
if (req_present) if (req_present) {
hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
"Required extension key "
"usage missing from certifiate");
return HX509_KU_CERT_MISSING; return HX509_KU_CERT_MISSING;
}
return 0; return 0;
} }
@@ -511,21 +519,26 @@ check_key_usage(const Certificate *cert, unsigned flags, int req_present)
if (ret) if (ret)
return ret; return ret;
ku_flags = KeyUsage2int(ku); ku_flags = KeyUsage2int(ku);
if ((ku_flags & flags) != flags) if ((ku_flags & flags) != flags) {
hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
"Key usage missing from certifiate");
return HX509_KU_CERT_MISSING; return HX509_KU_CERT_MISSING;
}
return 0; return 0;
} }
int int
_hx509_check_key_usage(hx509_cert cert, unsigned flags, int req_present) _hx509_check_key_usage(hx509_context context, hx509_cert cert,
unsigned flags, int req_present)
{ {
return check_key_usage(_hx509_get_cert(cert), flags, req_present); return check_key_usage(context, _hx509_get_cert(cert), flags, req_present);
} }
enum certtype { PROXY_CERT, EE_CERT, CA_CERT }; enum certtype { PROXY_CERT, EE_CERT, CA_CERT };
static int static int
check_basic_constraints(const Certificate *cert, enum certtype type, int depth) check_basic_constraints(hx509_context context, const Certificate *cert,
enum certtype type, int depth)
{ {
BasicConstraints bc; BasicConstraints bc;
const Extension *e; const Extension *e;
@@ -541,9 +554,17 @@ check_basic_constraints(const Certificate *cert, enum certtype type, int depth)
case PROXY_CERT: case PROXY_CERT:
case EE_CERT: case EE_CERT:
return 0; return 0;
case CA_CERT: case CA_CERT: {
char *name;
ret = _hx509_unparse_Name(&cert->tbsCertificate.subject, &name);
assert(ret == 0);
hx509_set_error_string(context, 0, HX509_EXTENSION_NOT_FOUND,
"basicConstraints missing from "
"CA certifiacte %s", name);
free(name);
return HX509_EXTENSION_NOT_FOUND; return HX509_EXTENSION_NOT_FOUND;
} }
}
} }
ret = decode_BasicConstraints(e->extnValue.data, ret = decode_BasicConstraints(e->extnValue.data,
@@ -1306,7 +1327,7 @@ hx509_verify_path(hx509_context context,
switch (type) { switch (type) {
case CA_CERT: case CA_CERT:
ret = check_key_usage(c, 1 << 5, TRUE); /* XXX make constants */ ret = check_key_usage(context, c, 1 << 5, TRUE); /* XXX make constants */
if (ret) if (ret)
goto out; goto out;
break; break;
@@ -1409,7 +1430,7 @@ hx509_verify_path(hx509_context context,
break; break;
} }
ret = check_basic_constraints(c, type, i - proxy_cert_depth); ret = check_basic_constraints(context, c, type, i - proxy_cert_depth);
if (ret) if (ret)
goto out; goto out;
@@ -1728,7 +1749,7 @@ hx509_query_free(hx509_context context, hx509_query *q)
} }
int int
_hx509_query_match_cert(const hx509_query *q, hx509_cert cert) _hx509_query_match_cert(hx509_context context, const hx509_query *q, hx509_cert cert)
{ {
Certificate *c = _hx509_get_cert(cert); Certificate *c = _hx509_get_cert(cert);
@@ -1787,7 +1808,7 @@ _hx509_query_match_cert(const hx509_query *q, hx509_cert cert)
ku |= (1 << 5); ku |= (1 << 5);
if (q->match & HX509_QUERY_KU_CRLSIGN) if (q->match & HX509_QUERY_KU_CRLSIGN)
ku |= (1 << 6); ku |= (1 << 6);
if (ku && check_key_usage(c, ku, TRUE)) if (ku && check_key_usage(context, c, ku, TRUE))
return 0; return 0;
} }
if ((q->match & HX509_QUERY_ANCHOR)) if ((q->match & HX509_QUERY_ANCHOR))

59
lib/hx509/ks_file.c
View File

@@ -108,8 +108,10 @@ parse_certificate(hx509_context context, struct hx509_collector *c,
int ret; int ret;
ret = decode_Certificate(data, len, &t, &size); ret = decode_Certificate(data, len, &t, &size);
if (ret) if (ret) {
hx509_clear_error_string(context);
return ret; return ret;
}
ret = hx509_cert_init(context, &t, &cert); ret = hx509_cert_init(context, &t, &cert);
free_Certificate(&t); free_Certificate(&t);
@@ -144,26 +146,43 @@ parse_rsa_private_key(hx509_context context, struct hx509_collector *c,
hx509_lock lock; hx509_lock lock;
lock = _hx509_collector_get_lock(c); lock = _hx509_collector_get_lock(c);
if (lock == NULL) if (lock == NULL) {
hx509_set_error_string(context, 0, EINVAL,
"Failed to get password for "
"password protected file");
return EINVAL; return EINVAL;
}
pw = _hx509_lock_get_passwords(lock); pw = _hx509_lock_get_passwords(lock);
if (pw == NULL || pw->len < 1) if (pw == NULL || pw->len < 1) {
hx509_set_error_string(context, 0, EINVAL,
"No passwords when decoding a "
"password protected file");
return EINVAL; return EINVAL;
}
password = pw->val[0]; password = pw->val[0];
passwordlen = strlen(password); passwordlen = strlen(password);
if (strcmp(enc, "4,ENCRYPTED") != 0) if (strcmp(enc, "4,ENCRYPTED") != 0) {
hx509_set_error_string(context, 0, EINVAL,
"RSA key encrypted in unknown method %s",
enc);
hx509_clear_error_string(context);
return EINVAL; return EINVAL;
}
dek = find_header(headers, "DEK-Info"); dek = find_header(headers, "DEK-Info");
if (dek == NULL) if (dek == NULL) {
hx509_set_error_string(context, 0, EINVAL,
"Encrypted RSA missing DEK-Info");
return EINVAL; return EINVAL;
}
type = strdup(dek); type = strdup(dek);
if (type == NULL) if (type == NULL) {
hx509_clear_error_string(context);
return ENOMEM; return ENOMEM;
}
iv = strchr(type, ','); iv = strchr(type, ',');
if (iv) if (iv)
@@ -172,6 +191,7 @@ parse_rsa_private_key(hx509_context context, struct hx509_collector *c,
size = strlen(iv); size = strlen(iv);
ivdata = malloc(size); ivdata = malloc(size);
if (ivdata == NULL) { if (ivdata == NULL) {
hx509_clear_error_string(context);
free(type); free(type);
return ENOMEM; return ENOMEM;
} }
@@ -180,6 +200,10 @@ parse_rsa_private_key(hx509_context context, struct hx509_collector *c,
if (cipher == NULL) { if (cipher == NULL) {
free(type); free(type);
free(ivdata); free(ivdata);
hx509_set_error_string(context, 0, EINVAL,
"RSA key encrypted with "
"unsupported cipher: %s",
type);
return EINVAL; return EINVAL;
} }
@@ -189,6 +213,7 @@ parse_rsa_private_key(hx509_context context, struct hx509_collector *c,
if (ssize < 0 || ssize < PKCS5_SALT_LEN || ssize < EVP_CIPHER_iv_length(cipher)) { if (ssize < 0 || ssize < PKCS5_SALT_LEN || ssize < EVP_CIPHER_iv_length(cipher)) {
free(ivdata); free(ivdata);
free(type); free(type);
hx509_clear_error_string(context);
return EINVAL; return EINVAL;
} }
@@ -196,6 +221,7 @@ parse_rsa_private_key(hx509_context context, struct hx509_collector *c,
if (key == NULL) { if (key == NULL) {
free(type); free(type);
free(ivdata); free(ivdata);
hx509_clear_error_string(context);
return ENOMEM; return ENOMEM;
} }
@@ -206,6 +232,8 @@ parse_rsa_private_key(hx509_context context, struct hx509_collector *c,
if (ret <= 0) { if (ret <= 0) {
free(key); free(key);
free(ivdata); free(ivdata);
hx509_clear_error_string(context);
return EINVAL; return EINVAL;
} }
@@ -269,9 +297,12 @@ parse_pem_file(hx509_context context,
where = BEFORE; where = BEFORE;
*found_data = 0; *found_data = 0;
if ((f = fopen(fn, "r")) == NULL) if ((f = fopen(fn, "r")) == NULL) {
hx509_set_error_string(context, 0, ENOENT,
"Failed to open PEM file \"%s\": %s",
fn, strerror(errno));
return ENOENT; return ENOENT;
}
ret = 0; ret = 0;
while (fgets(buf, sizeof(buf), f) != NULL) { while (fgets(buf, sizeof(buf), f) != NULL) {
@@ -385,7 +416,7 @@ file_init(hx509_context context,
{ {
char *files = NULL, *p, *pnext; char *files = NULL, *p, *pnext;
int ret; int ret;
struct ks_file *f; struct ks_file *f = NULL;
struct hx509_collector *c; struct hx509_collector *c;
*data = NULL; *data = NULL;
@@ -399,12 +430,14 @@ file_init(hx509_context context,
f = calloc(1, sizeof(*f)); f = calloc(1, sizeof(*f));
if (f == NULL) { if (f == NULL) {
hx509_clear_error_string(context);
ret = ENOMEM; ret = ENOMEM;
goto out; goto out;
} }
files = strdup(residue); files = strdup(residue);
if (files == NULL) { if (files == NULL) {
hx509_clear_error_string(context);
ret = ENOMEM; ret = ENOMEM;
goto out; goto out;
} }
@@ -426,8 +459,10 @@ file_init(hx509_context context,
int ret; int ret;
ret = _hx509_map_file(p, &data, &length, NULL); ret = _hx509_map_file(p, &data, &length, NULL);
if (ret) if (ret) {
hx509_clear_error_string(context);
goto out; goto out;
}
ret = parse_certificate(context, c, NULL, data, length); ret = parse_certificate(context, c, NULL, data, length);
_hx509_unmap_file(data, length); _hx509_unmap_file(data, length);
@@ -437,11 +472,11 @@ file_init(hx509_context context,
} }
ret = _hx509_collector_collect(context, c, &f->certs); ret = _hx509_collector_collect(context, c, &f->certs);
out:
if (ret == 0) if (ret == 0)
*data = f; *data = f;
else else
free(f); free(f);
out:
free(files); free(files);
_hx509_collector_free(c); _hx509_collector_free(c);