use krb5_set_error_message

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23316 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2008-06-23 04:32:32 +00:00
parent 75ea702745
commit 7fcd266fdd
67 changed files with 967 additions and 876 deletions


@@ -114,7 +114,7 @@ integer_to_BN(krb5_context context, const char *field, const heim_integer *f)
bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
if (bn == NULL) {
krb5_set_error_string(context, "PKINIT: parsing BN failed %s", field);
krb5_set_error_message(context, ENOMEM, "PKINIT: parsing BN failed %s", field);
return NULL;
}
BN_set_negative(bn, f->negative);
@@ -150,7 +150,7 @@ find_cert(krb5_context context, struct krb5_pk_identity *id,
ret = hx509_query_match_eku(q, cf[i].oid);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Failed setting %s OID", cf[i].type);
"Failed setting %s OID", cf[i].type);
return ret;
}
@@ -158,7 +158,7 @@ find_cert(krb5_context context, struct krb5_pk_identity *id,
if (ret == 0)
break;
pk_copy_error(context, id->hx509ctx, ret,
"Failed cert for finding %s OID", cf[i].type);
"Failed cert for finding %s OID", cf[i].type);
}
return ret;
}
@@ -179,7 +179,7 @@ create_signature(krb5_context context,
ret = hx509_query_alloc(id->hx509ctx, &q);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Allocate query to find signing certificate");
"Allocate query to find signing certificate");
return ret;
}
@@ -205,7 +205,7 @@ create_signature(krb5_context context,
hx509_cert_free(cert);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Create CMS signedData");
"Create CMS signedData");
return ret;
}
@@ -536,8 +536,8 @@ pk_mk_padata(krb5_context context,
&ap, &size, ret);
free_AuthPack_Win2k(&ap);
if (ret) {
krb5_set_error_string(context, "AuthPack_Win2k: %d",
(int)ret);
krb5_set_error_message(context, ret, "AuthPack_Win2k: %d",
(int)ret);
goto out;
}
if (buf.length != size)
@@ -558,7 +558,7 @@ pk_mk_padata(krb5_context context,
ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret);
free_AuthPack(&ap);
if (ret) {
krb5_set_error_string(context, "AuthPack: %d", (int)ret);
krb5_set_error_message(context, ret, "AuthPack: %d", (int)ret);
goto out;
}
if (buf.length != size)
@@ -577,8 +577,8 @@ pk_mk_padata(krb5_context context,
ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(), &sd_buf, &buf);
krb5_data_free(&sd_buf);
if (ret) {
krb5_set_error_string(context,
"ContentInfo wrapping of signedData failed");
krb5_set_error_message(context, ret,
"ContentInfo wrapping of signedData failed");
goto out;
}
@@ -615,7 +615,7 @@ pk_mk_padata(krb5_context context,
ret = build_edi(context, ctx->id->hx509ctx,
ctx->id->anchors, req.trustedCertifiers);
if (ret) {
krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
krb5_set_error_message(context, ret, "pk-init: failed to build trustedCertifiers");
free_PA_PK_AS_REQ(&req);
goto out;
}
@@ -630,7 +630,7 @@ pk_mk_padata(krb5_context context,
} else
krb5_abortx(context, "internal pkinit error");
if (ret) {
krb5_set_error_string(context, "PA-PK-AS-REQ %d", (int)ret);
krb5_set_error_message(context, ret, "PA-PK-AS-REQ %d", (int)ret);
goto out;
}
if (buf.length != size)
@@ -643,7 +643,7 @@ pk_mk_padata(krb5_context context,
if (ret == 0 && ctx->type == PKINIT_WIN2K)
krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
out:
out:
free_ContentInfo(&content_info);
return ret;
@@ -738,7 +738,7 @@ _krb5_pk_verify_sign(krb5_context context,
&signer_certs);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"CMS verify signed failed");
"CMS verify signed failed");
return ret;
}
@@ -752,11 +752,11 @@ _krb5_pk_verify_sign(krb5_context context,
ret = hx509_get_one_cert(id->hx509ctx, signer_certs, &(*signer)->cert);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Failed to get on of the signer certs");
"Failed to get on of the signer certs");
goto out;
}
out:
out:
hx509_certs_free(&signer_certs);
if (ret) {
if (*signer) {
@@ -784,20 +784,19 @@ get_reply_key_win(krb5_context context,
&key_pack,
&size);
if (ret) {
krb5_set_error_string(context, "PKINIT decoding reply key failed");
krb5_set_error_message(context, ret, "PKINIT decoding reply key failed");
free_ReplyKeyPack_Win2k(&key_pack);
return ret;
}
if (key_pack.nonce != nonce) {
krb5_set_error_string(context, "PKINIT enckey nonce is wrong");
krb5_set_error_message(context, ret, "PKINIT enckey nonce is wrong");
free_ReplyKeyPack_Win2k(&key_pack);
return KRB5KRB_AP_ERR_MODIFIED;
}
*key = malloc (sizeof (**key));
if (*key == NULL) {
krb5_set_error_string(context, "PKINIT failed allocating reply key");
free_ReplyKeyPack_Win2k(&key_pack);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
@@ -806,7 +805,7 @@ get_reply_key_win(krb5_context context,
ret = copy_EncryptionKey(&key_pack.replyKey, *key);
free_ReplyKeyPack_Win2k(&key_pack);
if (ret) {
krb5_set_error_string(context, "PKINIT failed copying reply key");
krb5_set_error_message(context, ret, "PKINIT failed copying reply key");
free(*key);
*key = NULL;
}
@@ -829,7 +828,7 @@ get_reply_key(krb5_context context,
&key_pack,
&size);
if (ret) {
krb5_set_error_string(context, "PKINIT decoding reply key failed");
krb5_set_error_message(context, ret, "PKINIT decoding reply key failed");
free_ReplyKeyPack(&key_pack);
return ret;
}
@@ -860,7 +859,6 @@ get_reply_key(krb5_context context,
*key = malloc (sizeof (**key));
if (*key == NULL) {
krb5_set_error_string(context, "PKINIT failed allocating reply key");
free_ReplyKeyPack(&key_pack);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
@@ -869,7 +867,7 @@ get_reply_key(krb5_context context,
ret = copy_EncryptionKey(&key_pack.replyKey, *key);
free_ReplyKeyPack(&key_pack);
if (ret) {
krb5_set_error_string(context, "PKINIT failed copying reply key");
krb5_set_error_message(context, ret, "PKINIT failed copying reply key");
free(*key);
*key = NULL;
}
@@ -891,7 +889,7 @@ pk_verify_host(krb5_context context,
ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
oid_id_pkkdcekuoid(), 0);
if (ret) {
krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate");
krb5_set_error_message(context, ret, "No PK-INIT KDC EKU in kdc certificate");
return ret;
}
}
@@ -904,8 +902,8 @@ pk_verify_host(krb5_context context,
oid_id_pkinit_san(),
&list);
if (ret) {
krb5_set_error_string(context, "Failed to find the PK-INIT "
"subjectAltName in the KDC certificate");
krb5_set_error_message(context, ret, "Failed to find the PK-INIT "
"subjectAltName in the KDC certificate");
return ret;
}
@@ -918,8 +916,8 @@ pk_verify_host(krb5_context context,
&r,
NULL);
if (ret) {
krb5_set_error_string(context, "Failed to decode the PK-INIT "
"subjectAltName in the KDC certificate");
krb5_set_error_message(context, ret, "Failed to decode the PK-INIT "
"subjectAltName in the KDC certificate");
break;
}
@@ -928,11 +926,11 @@ pk_verify_host(krb5_context context,
strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 ||
strcmp(r.principalName.name_string.val[1], realm) != 0 ||
strcmp(r.realm, realm) != 0)
{
krb5_set_error_string(context, "KDC have wrong realm name in "
"the certificate");
ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
}
{
ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
krb5_set_error_message(context, ret, "KDC have wrong realm name in "
"the certificate");
}
free_KRB5PrincipalName(&r);
if (ret)
@@ -951,8 +949,8 @@ pk_verify_host(krb5_context context,
hi->ai->ai_addr, hi->ai->ai_addrlen);
if (ret)
krb5_set_error_string(context, "Address mismatch in "
"the KDC certificate");
krb5_set_error_message(context, ret, "Address mismatch in "
"the KDC certificate");
}
return ret;
}
@@ -977,7 +975,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
heim_oid contentType = { 0, NULL };
if (der_heim_oid_cmp(oid_id_pkcs7_envelopedData(), dataType)) {
krb5_set_error_string(context, "PKINIT: Invalid content type");
krb5_set_error_message(context, EINVAL, "PKINIT: Invalid content type");
return EINVAL;
}
@@ -992,7 +990,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
&content);
if (ret) {
pk_copy_error(context, ctx->id->hx509ctx, ret,
"Failed to unenvelope CMS data in PK-INIT reply");
"Failed to unenvelope CMS data in PK-INIT reply");
return ret;
}
der_free_oid(&contentType);
@@ -1023,7 +1021,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
ret = hx509_cms_unwrap_ContentInfo(&content, &type, &out, NULL);
if (der_heim_oid_cmp(&type, oid_id_pkcs7_signedData())) {
ret = EINVAL; /* XXX */
krb5_set_error_string(context, "PKINIT: Invalid content type");
krb5_set_error_message(context, ret, "PKINIT: Invalid content type");
der_free_oid(&type);
der_free_octet_string(&out);
goto out;
@@ -1033,7 +1031,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
ret = krb5_data_copy(&content, out.data, out.length);
der_free_octet_string(&out);
if (ret) {
krb5_set_error_string(context, "PKINIT: out of memory");
krb5_set_error_message(context, ret, "PKINIT: out of memory");
goto out;
}
}
@@ -1057,14 +1055,14 @@ pk_rd_pa_reply_enckey(krb5_context context,
#if 0
if (type == PKINIT_WIN2K) {
if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) != 0) {
krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
ret = KRB5KRB_AP_ERR_MSG_TYPE;
krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid");
goto out;
}
} else {
if (der_heim_oid_cmp(&contentType, oid_id_pkrkeydata()) != 0) {
krb5_set_error_string(context, "PKINIT: reply key, wrong oid");
ret = KRB5KRB_AP_ERR_MSG_TYPE;
krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid");
goto out;
}
}
@@ -1122,7 +1120,7 @@ pk_rd_pa_reply_dh(krb5_context context,
memset(&kdc_dh_info, 0, sizeof(kdc_dh_info));
if (der_heim_oid_cmp(oid_id_pkcs7_signedData(), dataType)) {
krb5_set_error_string(context, "PKINIT: Invalid content type");
krb5_set_error_message(context, EINVAL, "PKINIT: Invalid content type");
return EINVAL;
}
@@ -1142,8 +1140,8 @@ pk_rd_pa_reply_dh(krb5_context context,
goto out;
if (der_heim_oid_cmp(&contentType, oid_id_pkdhkeydata())) {
krb5_set_error_string(context, "pkinit - dh reply contains wrong oid");
ret = KRB5KRB_AP_ERR_MSG_TYPE;
krb5_set_error_message(context, ret, "pkinit - dh reply contains wrong oid");
goto out;
}
@@ -1153,35 +1151,35 @@ pk_rd_pa_reply_dh(krb5_context context,
&size);
if (ret) {
krb5_set_error_string(context, "pkinit - "
"failed to decode KDC DH Key Info");
krb5_set_error_message(context, ret, "pkinit - "
"failed to decode KDC DH Key Info");
goto out;
}
if (kdc_dh_info.nonce != nonce) {
krb5_set_error_string(context, "PKINIT: DH nonce is wrong");
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_set_error_message(context, ret, "PKINIT: DH nonce is wrong");
goto out;
}
if (kdc_dh_info.dhKeyExpiration) {
if (k_n == NULL) {
krb5_set_error_string(context, "pkinit; got key expiration "
"without server nonce");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "pkinit; got key expiration "
"without server nonce");
goto out;
}
if (c_n == NULL) {
krb5_set_error_string(context, "pkinit; got DH reuse but no "
"client nonce");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "pkinit; got DH reuse but no "
"client nonce");
goto out;
}
} else {
if (k_n) {
krb5_set_error_string(context, "pkinit: got server nonce "
"without key expiration");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "pkinit: got server nonce "
"without key expiration");
goto out;
}
c_n = NULL;
@@ -1195,15 +1193,15 @@ pk_rd_pa_reply_dh(krb5_context context,
DHPublicKey k;
ret = decode_DHPublicKey(p, size, &k, NULL);
if (ret) {
krb5_set_error_string(context, "pkinit: can't decode "
"without key expiration");
krb5_set_error_message(context, ret, "pkinit: can't decode "
"without key expiration");
goto out;
}
kdc_dh_pubkey = integer_to_BN(context, "DHPublicKey", &k);
free_DHPublicKey(&k);
if (kdc_dh_pubkey == NULL) {
ret = KRB5KRB_ERR_GENERIC;
ret = ENOMEM;
goto out;
}
}
@@ -1224,9 +1222,9 @@ pk_rd_pa_reply_dh(krb5_context context,
dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
kdc_dh_pubkey, ctx->dh);
if (dh_gen_keylen == -1) {
krb5_set_error_string(context,
"PKINIT: Can't compute Diffie-Hellman key");
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"PKINIT: Can't compute Diffie-Hellman key");
goto out;
}
@@ -1243,8 +1241,8 @@ pk_rd_pa_reply_dh(krb5_context context,
c_n, k_n,
*key);
if (ret) {
krb5_set_error_string(context,
"PKINIT: can't create key from DH key");
krb5_set_error_message(context, ret,
"PKINIT: can't create key from DH key");
free(*key);
*key = NULL;
goto out;
@@ -1289,7 +1287,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
heim_oid oid;
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
krb5_set_error_string(context, "PKINIT: wrong padata recv");
krb5_set_error_message(context, EINVAL, "PKINIT: wrong padata recv");
return EINVAL;
}
@@ -1298,7 +1296,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
&rep,
&size);
if (ret) {
krb5_set_error_string(context, "Failed to decode pkinit AS rep");
krb5_set_error_message(context, ret, "Failed to decode pkinit AS rep");
return ret;
}
@@ -1311,15 +1309,15 @@ _krb5_pk_rd_pa_reply(krb5_context context,
break;
default:
free_PA_PK_AS_REP(&rep);
krb5_set_error_string(context, "PKINIT: -27 reply "
"invalid content type");
krb5_set_error_message(context, EINVAL, "PKINIT: -27 reply "
"invalid content type");
return EINVAL;
}
ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL);
if (ret) {
free_PA_PK_AS_REP(&rep);
krb5_set_error_string(context, "PKINIT: failed to unwrap CI");
krb5_set_error_message(context, ret, "PKINIT: failed to unwrap CI");
return ret;
}
@@ -1348,7 +1346,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
#if 0 /* should this be ? */
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
krb5_set_error_string(context, "PKINIT: wrong padata recv");
krb5_set_error_message(context, EINVAL, "PKINIT: wrong padata recv");
return EINVAL;
}
#endif
@@ -1360,8 +1358,8 @@ _krb5_pk_rd_pa_reply(krb5_context context,
&w2krep,
&size);
if (ret) {
krb5_set_error_string(context, "PKINIT: Failed decoding windows "
"pkinit reply %d", (int)ret);
krb5_set_error_message(context, ret, "PKINIT: Failed decoding windows "
"pkinit reply %d", (int)ret);
return ret;
}
@@ -1376,7 +1374,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
&oid, &data, NULL);
free_PA_PK_AS_REP_Win2k(&w2krep);
if (ret) {
krb5_set_error_string(context, "PKINIT: failed to unwrap CI");
krb5_set_error_message(context, ret, "PKINIT: failed to unwrap CI");
return ret;
}
@@ -1389,15 +1387,15 @@ _krb5_pk_rd_pa_reply(krb5_context context,
}
default:
free_PA_PK_AS_REP_Win2k(&w2krep);
krb5_set_error_string(context, "PKINIT: win2k reply invalid "
"content type");
ret = EINVAL;
krb5_set_error_message(context, ret, "PKINIT: win2k reply invalid "
"content type");
break;
}
} else {
krb5_set_error_string(context, "PKINIT: unknown reply type");
ret = EINVAL;
krb5_set_error_message(context, ret, "PKINIT: unknown reply type");
}
return ret;
@@ -1471,13 +1469,14 @@ _krb5_pk_load_id(krb5_context context,
*ret_id = NULL;
if (anchor_id == NULL) {
krb5_set_error_string(context, "PKINIT: No anchor given");
krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA,
"PKINIT: No anchor given");
return HEIM_PKINIT_NO_VALID_CA;
}
if (user_id == NULL) {
krb5_set_error_string(context,
"PKINIT: No user certificate given");
krb5_set_error_message(context, HEIM_PKINIT_NO_PRIVATE_KEY,
"PKINIT: No user certificate given");
return HEIM_PKINIT_NO_PRIVATE_KEY;
}
@@ -1510,14 +1509,14 @@ _krb5_pk_load_id(krb5_context context,
ret = hx509_certs_init(id->hx509ctx, user_id, 0, lock, &id->certs);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Failed to init cert certs");
"Failed to init cert certs");
goto out;
}
ret = hx509_certs_init(id->hx509ctx, anchor_id, 0, NULL, &id->anchors);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Failed to init anchors");
"Failed to init anchors");
goto out;
}
@@ -1525,7 +1524,7 @@ _krb5_pk_load_id(krb5_context context,
0, NULL, &id->certpool);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Failed to init chain");
"Failed to init chain");
goto out;
}
@@ -1534,8 +1533,8 @@ _krb5_pk_load_id(krb5_context context,
NULL, *chain_list);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Failed to laod chain %s",
*chain_list);
"Failed to laod chain %s",
*chain_list);
goto out;
}
chain_list++;
@@ -1545,7 +1544,7 @@ _krb5_pk_load_id(krb5_context context,
ret = hx509_revoke_init(id->hx509ctx, &id->revokectx);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Failed init revoke list");
"Failed init revoke list");
goto out;
}
@@ -1555,7 +1554,7 @@ _krb5_pk_load_id(krb5_context context,
*revoke_list);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Failed load revoke list");
"Failed load revoke list");
goto out;
}
revoke_list++;
@@ -1566,14 +1565,14 @@ _krb5_pk_load_id(krb5_context context,
ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
"Failed init verify context");
"Failed init verify context");
goto out;
}
hx509_verify_attach_anchors(id->verify_ctx, id->anchors);
hx509_verify_attach_revoke(id->verify_ctx, id->revokectx);
out:
out:
if (ret) {
hx509_verify_destroy_ctx(id->verify_ctx);
hx509_certs_free(&id->certs);
@@ -1607,10 +1606,10 @@ select_dh_group(krb5_context context, DH *dh, unsigned long bits,
break;
}
if (moduli[i] == NULL) {
krb5_set_error_string(context,
"Did not find a DH group parameter "
"matching requirement of %lu bits",
bits);
krb5_set_error_message(context, EINVAL,
"Did not find a DH group parameter "
"matching requirement of %lu bits",
bits);
return EINVAL;
}
m = moduli[i];
@@ -1657,7 +1656,7 @@ pk_copy_error(krb5_context context,
free(f);
return;
}
krb5_set_error_string(context, "%s: %s", f, s);
krb5_set_error_message(context, hxret, "%s: %s", f, s);
free(s);
free(f);
}
@@ -1672,15 +1671,15 @@ parse_integer(krb5_context context, char **p, const char *file, int lineno,
char *p1;
p1 = strsep(p, " \t");
if (p1 == NULL) {
krb5_set_error_string(context, "moduli file %s missing %s on line %d",
file, name, lineno);
krb5_set_error_message(context, EINVAL, "moduli file %s missing %s on line %d",
file, name, lineno);
return EINVAL;
}
ret = der_parse_hex_heim_integer(p1, integer);
if (ret) {
krb5_set_error_string(context, "moduli file %s failed parsing %s "
"on line %d",
file, name, lineno);
krb5_set_error_message(context, ret, "moduli file %s failed parsing %s "
"on line %d",
file, name, lineno);
return ret;
}
@@ -1714,28 +1713,28 @@ _krb5_parse_moduli_line(krb5_context context,
p1 = strsep(&p, " \t");
if (p1 == NULL) {
krb5_set_error_string(context, "moduli file %s missing name "
"on line %d", file, lineno);
krb5_set_error_message(context, ret, "moduli file %s missing name "
"on line %d", file, lineno);
goto out;
}
m1->name = strdup(p1);
if (p1 == NULL) {
krb5_set_error_string(context, "malloc - out of memeory");
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc - out of memeory");
goto out;
}
p1 = strsep(&p, " \t");
if (p1 == NULL) {
krb5_set_error_string(context, "moduli file %s missing bits on line %d",
file, lineno);
krb5_set_error_message(context, ret, "moduli file %s missing bits on line %d",
file, lineno);
goto out;
}
m1->bits = atoi(p1);
if (m1->bits == 0) {
krb5_set_error_string(context, "moduli file %s have un-parsable "
"bits on line %d", file, lineno);
krb5_set_error_message(context, ret, "moduli file %s have un-parsable "
"bits on line %d", file, lineno);
goto out;
}
@@ -1752,7 +1751,7 @@ _krb5_parse_moduli_line(krb5_context context,
*m = m1;
return 0;
out:
out:
free(m1->name);
der_free_heim_integer(&m1->p);
der_free_heim_integer(&m1->g);
@@ -1921,19 +1920,23 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits,
if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 &&
der_heim_integer_cmp(&moduli[i]->p, p) == 0 &&
(q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0))
{
if (bits && bits > moduli[i]->bits) {
krb5_set_error_string(context, "PKINIT: DH group parameter %s "
"no accepted, not enough bits generated",
moduli[i]->name);
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
{
if (bits && bits > moduli[i]->bits) {
krb5_set_error_message(context,
KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
"PKINIT: DH group parameter %s "
"no accepted, not enough bits generated",
moduli[i]->name);
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
if (name)
*name = strdup(moduli[i]->name);
return 0;
}
if (name)
*name = strdup(moduli[i]->name);
return 0;
}
}
krb5_set_error_string(context, "PKINIT: DH group parameter no ok");
krb5_set_error_message(context,
KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
"PKINIT: DH group parameter no ok");
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
@@ -1948,7 +1951,7 @@ _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
ctx = opt->opt_private->pk_init_ctx;
if (ctx->dh)
DH_free(ctx->dh);
ctx->dh = NULL;
ctx->dh = NULL;
if (ctx->id) {
hx509_verify_destroy_ctx(ctx->id->verify_ctx);
hx509_certs_free(&ctx->id->certs);
@@ -1988,7 +1991,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
char *anchors = NULL;
if (opt->opt_private == NULL) {
krb5_set_error_string(context, "PKINIT: on non extendable opt");
krb5_set_error_message(context, EINVAL, "PKINIT: on non extendable opt");
return EINVAL;
}
@@ -2079,15 +2082,15 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
}
if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) {
krb5_set_error_string(context, "pkinit: failed to generate DH key");
_krb5_get_init_creds_opt_free_pkinit(opt);
krb5_set_error_message(context, ENOMEM, "pkinit: failed to generate DH key");
return ENOMEM;
}
}
return 0;
#else
krb5_set_error_string(context, "no support for PKINIT compiled in");
krb5_set_error_message(context, EINVAL, "no support for PKINIT compiled in");
return EINVAL;
#endif
}
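Review bot: In the get_reply_key_win hunk the nonce-mismatch branch now registers its message with `ret`, but on that path `ret` is still 0 from the decode that succeeded just above it, while the function returns KRB5KRB_AP_ERR_MODIFIED, so the code attached to the message disagrees with the error the caller actually receives. Assign the code first and return it, `ret = KRB5KRB_AP_ERR_MODIFIED;` before `krb5_set_error_message(context, ret, "PKINIT enckey nonce is wrong");` and `return ret;` after the free, which is how the DH nonce check in the pk_rd_pa_reply_dh hunk is already written. A separate, pre-existing defect in the _krb5_parse_moduli_line hunk is that the check after `m1->name = strdup(p1);` tests `p1` rather than `m1->name`, so a failed strdup is never detected and the ENOMEM branch below it is dead; it should read `if (m1->name == NULL) {`. Both functions begin outside their hunks, so the earlier value of `ret` in _krb5_parse_moduli_line is not visible here.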