oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Add pkinit_require_eku and pkinit_require_krbtgt_otherName

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17177 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-04-23 20:07:51 +00:00
parent 5798b46e47
commit 9578393792
1 changed files with 48 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
lib/krb5/pkinit.c
View File

@@ -82,6 +82,8 @@ struct krb5_pk_init_ctx_data {
krb5_data *clientDHNonce; krb5_data *clientDHNonce;
struct krb5_dh_moduli **m; struct krb5_dh_moduli **m;
int require_binding; int require_binding;
int require_eku;
int require_krbtgt_otherName;
}; };
void KRB5_LIB_FUNCTION void KRB5_LIB_FUNCTION
@@ -507,6 +509,22 @@ _krb5_pk_mk_padata(krb5_context context,
} else } else
type = COMPAT_IETF; type = COMPAT_IETF;
ctx->require_eku =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
req_body->realm,
"pkinit_require_eku",
NULL);
ctx->require_krbtgt_otherName =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
req_body->realm,
"pkinit_require_krbtgt_otherName",
NULL);
return pk_mk_padata(context, type, ctx, req_body, nonce, md); return pk_mk_padata(context, type, ctx, req_body, nonce, md);
} }
@@ -522,6 +540,8 @@ _krb5_pk_verify_sign(krb5_context context,
hx509_certs signer_certs; hx509_certs signer_certs;
int ret; int ret;
*signer = NULL;
ret = hx509_cms_verify_signed(id->hx509ctx, ret = hx509_cms_verify_signed(id->hx509ctx,
id->verify_ctx, id->verify_ctx,
data, data,
@@ -570,6 +590,13 @@ _krb5_pk_verify_sign(krb5_context context,
out: out:
hx509_certs_free(&signer_certs); hx509_certs_free(&signer_certs);
if (ret) {
if (*signer) {
hx509_cert_free((*signer)->cert);
free(*signer);
*signer = NULL;
}
}
return ret; return ret;
} }
@@ -682,9 +709,24 @@ get_reply_key(krb5_context context,
static krb5_error_code static krb5_error_code
pk_verify_host(krb5_context context, struct krb5_pk_cert *host) pk_verify_host(krb5_context context,
struct krb5_pk_init_ctx_data *ctx,
struct krb5_pk_cert *host)
{ {
krb5_error_code ret;
if (ctx->require_eku) {
ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
oid_id_pkkdcekuoid(), 0);
if (ret) {
krb5_clear_error_string(context);
return ret;
}
}
if (ctx->require_krbtgt_otherName) {
/* XXX */ /* XXX */
}
return 0; return 0;
} }
@@ -769,7 +811,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
goto out; goto out;
/* make sure that it is the kdc's certificate */ /* make sure that it is the kdc's certificate */
ret = pk_verify_host(context, host); ret = pk_verify_host(context, ctx, host);
if (ret) { if (ret) {
krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret); krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret);
goto out; goto out;
@@ -861,7 +903,7 @@ pk_rd_pa_reply_dh(krb5_context context,
goto out; goto out;
/* make sure that it is the kdc's certificate */ /* make sure that it is the kdc's certificate */
ret = pk_verify_host(context, host); ret = pk_verify_host(context, ctx, host);
if (ret) if (ret)
goto out; goto out;
@@ -1590,6 +1632,8 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
opt->opt_private->pk_init_ctx->id = NULL; opt->opt_private->pk_init_ctx->id = NULL;
opt->opt_private->pk_init_ctx->clientDHNonce = NULL; opt->opt_private->pk_init_ctx->clientDHNonce = NULL;
opt->opt_private->pk_init_ctx->require_binding = 0; opt->opt_private->pk_init_ctx->require_binding = 0;
opt->opt_private->pk_init_ctx->require_eku = 1;
opt->opt_private->pk_init_ctx->require_krbtgt_otherName = 1;
ret = _krb5_pk_load_id(context, ret = _krb5_pk_load_id(context,
&opt->opt_private->pk_init_ctx->id, &opt->opt_private->pk_init_ctx->id,