oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

rename client_params and set proxy cert bit on the right context

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24994 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2009-03-29 09:04:00 +00:00
parent d93ac20298
commit dd3405112f
1 changed files with 70 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
kdc/pkinit.c
View File

@@ -488,7 +488,7 @@ _kdc_pk_rd_padata(krb5_context context,
hdb_entry_ex *client, hdb_entry_ex *client,
pk_client_params **ret_params) pk_client_params **ret_params)
{ {
pk_client_params *client_params; pk_client_params *cp;
krb5_error_code ret; krb5_error_code ret;
heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL }; heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL };
krb5_data eContent = { 0, NULL }; krb5_data eContent = { 0, NULL };
@@ -506,8 +506,8 @@ _kdc_pk_rd_padata(krb5_context context,
return 0; return 0;
} }
client_params = calloc(1, sizeof(*client_params)); cp = calloc(1, sizeof(*cp));
if (client_params == NULL) { if (cp == NULL) {
krb5_clear_error_message(context); krb5_clear_error_message(context);
ret = ENOMEM; ret = ENOMEM;
goto out; goto out;
@@ -547,19 +547,19 @@ _kdc_pk_rd_padata(krb5_context context,
} }
} }
ret = hx509_verify_init_ctx(kdc_identity->hx509ctx, &client_params->verify_ctx); ret = hx509_verify_init_ctx(kdc_identity->hx509ctx, &cp->verify_ctx);
if (ret) { if (ret) {
hx509_certs_free(&trust_anchors); hx509_certs_free(&trust_anchors);
krb5_set_error_message(context, ret, "failed to create verify context"); krb5_set_error_message(context, ret, "failed to create verify context");
goto out; goto out;
} }
hx509_verify_set_time(client_params->verify_ctx, kdc_time); hx509_verify_set_time(cp->verify_ctx, kdc_time);
hx509_verify_attach_anchors(client_params->verify_ctx, trust_anchors); hx509_verify_attach_anchors(cp->verify_ctx, trust_anchors);
hx509_certs_free(&trust_anchors); hx509_certs_free(&trust_anchors);
if (config->pkinit_allow_proxy_certs) if (config->pkinit_allow_proxy_certs)
hx509_verify_set_proxy_certificate(kdc_identity->verify_ctx, 1); hx509_verify_set_proxy_certificate(cp->verify_ctx, 1);
if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) { if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) {
PA_PK_AS_REQ_Win2k r; PA_PK_AS_REQ_Win2k r;
@@ -617,7 +617,7 @@ _kdc_pk_rd_padata(krb5_context context,
ret = hx509_certs_init(kdc_identity->hx509ctx, ret = hx509_certs_init(kdc_identity->hx509ctx,
"MEMORY:client-anchors", "MEMORY:client-anchors",
0, NULL, 0, NULL,
&client_params->client_anchors); &cp->client_anchors);
if (ret) { if (ret) {
krb5_set_error_message(context, ret, krb5_set_error_message(context, ret,
"Can't allocate client anchors: %d", "Can't allocate client anchors: %d",
@@ -664,7 +664,7 @@ _kdc_pk_rd_padata(krb5_context context,
if (ret) if (ret)
continue; continue;
hx509_certs_add(kdc_identity->hx509ctx, hx509_certs_add(kdc_identity->hx509ctx,
client_params->client_anchors, cert); cp->client_anchors, cert);
hx509_cert_free(cert); hx509_cert_free(cert);
} }
} }
@@ -709,7 +709,7 @@ _kdc_pk_rd_padata(krb5_context context,
flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER; flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
ret = hx509_cms_verify_signed(kdc_identity->hx509ctx, ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
client_params->verify_ctx, cp->verify_ctx,
flags, flags,
signed_content.data, signed_content.data,
signed_content.length, signed_content.length,
@@ -728,7 +728,7 @@ _kdc_pk_rd_padata(krb5_context context,
if (signer_certs) { if (signer_certs) {
ret = hx509_get_one_cert(kdc_identity->hx509ctx, signer_certs, ret = hx509_get_one_cert(kdc_identity->hx509ctx, signer_certs,
&client_params->cert); &cp->cert);
hx509_certs_free(&signer_certs); hx509_certs_free(&signer_certs);
} }
if (ret) if (ret)
@@ -765,8 +765,8 @@ _kdc_pk_rd_padata(krb5_context context,
goto out; goto out;
} }
client_params->type = PKINIT_WIN2K; cp->type = PKINIT_WIN2K;
client_params->nonce = ap.pkAuthenticator.nonce; cp->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) { if (ap.clientPublicValue) {
ret = KRB5KRB_ERR_GENERIC; ret = KRB5KRB_ERR_GENERIC;
@@ -807,19 +807,19 @@ _kdc_pk_rd_padata(krb5_context context,
goto out; goto out;
} }
client_params->type = PKINIT_27; cp->type = PKINIT_27;
client_params->nonce = ap.pkAuthenticator.nonce; cp->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) { if (ap.clientPublicValue) {
if (der_heim_oid_cmp(&ap.clientPublicValue->algorithm.algorithm, &asn1_oid_id_dhpublicnumber) == 0) { if (der_heim_oid_cmp(&ap.clientPublicValue->algorithm.algorithm, &asn1_oid_id_dhpublicnumber) == 0) {
client_params->keyex = USE_DH; cp->keyex = USE_DH;
ret = get_dh_param(context, config, ret = get_dh_param(context, config,
ap.clientPublicValue, client_params); ap.clientPublicValue, cp);
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
} else if (der_heim_oid_cmp(&ap.clientPublicValue->algorithm.algorithm, &asn1_oid_id_ecPublicKey) == 0) { } else if (der_heim_oid_cmp(&ap.clientPublicValue->algorithm.algorithm, &asn1_oid_id_ecPublicKey) == 0) {
client_params->keyex = USE_ECDH; cp->keyex = USE_ECDH;
ret = get_ecdh_param(context, config, ret = get_ecdh_param(context, config,
ap.clientPublicValue, client_params); ap.clientPublicValue, cp);
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
} else { } else {
ret = KRB5_BADMSGTYPE; ret = KRB5_BADMSGTYPE;
@@ -830,17 +830,17 @@ _kdc_pk_rd_padata(krb5_context context,
goto out; goto out;
} }
} else } else
client_params->keyex = USE_RSA; cp->keyex = USE_RSA;
if (ap.supportedCMSTypes) { if (ap.supportedCMSTypes) {
ret = hx509_peer_info_alloc(kdc_identity->hx509ctx, ret = hx509_peer_info_alloc(kdc_identity->hx509ctx,
&client_params->peer); &cp->peer);
if (ret) { if (ret) {
free_AuthPack(&ap); free_AuthPack(&ap);
goto out; goto out;
} }
ret = hx509_peer_info_set_cms_algs(kdc_identity->hx509ctx, ret = hx509_peer_info_set_cms_algs(kdc_identity->hx509ctx,
client_params->peer, cp->peer,
ap.supportedCMSTypes->val, ap.supportedCMSTypes->val,
ap.supportedCMSTypes->len); ap.supportedCMSTypes->len);
if (ret) { if (ret) {
@@ -864,9 +864,9 @@ out:
der_free_oid(&eContentType); der_free_oid(&eContentType);
der_free_oid(&contentInfoOid); der_free_oid(&contentInfoOid);
if (ret) { if (ret) {
_kdc_pk_free_client_param(context, client_params); _kdc_pk_free_client_param(context, cp);
} else } else
*ret_params = client_params; *ret_params = cp;
return ret; return ret;
} }
@@ -891,7 +891,7 @@ BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer)
static krb5_error_code static krb5_error_code
pk_mk_pa_reply_enckey(krb5_context context, pk_mk_pa_reply_enckey(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
pk_client_params *client_params, pk_client_params *cp,
const KDC_REQ *req, const KDC_REQ *req,
const krb5_data *req_buffer, const krb5_data *req_buffer,
krb5_keyblock *reply_key, krb5_keyblock *reply_key,
@@ -915,7 +915,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
* no replay attacks. * no replay attacks.
*/ */
switch (client_params->type) { switch (cp->type) {
case PKINIT_WIN2K: { case PKINIT_WIN2K: {
int i = 0; int i = 0;
if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL
@@ -945,7 +945,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
krb5_clear_error_message(context); krb5_clear_error_message(context);
goto out; goto out;
} }
kp.nonce = client_params->nonce; kp.nonce = cp->nonce;
ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k, ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k,
buf.data, buf.length, buf.data, buf.length,
@@ -1019,8 +1019,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
buf.length, buf.length,
NULL, NULL,
cert, cert,
client_params->peer, cp->peer,
client_params->client_anchors, cp->client_anchors,
kdc_identity->certpool, kdc_identity->certpool,
&signed_data); &signed_data);
*kdc_cert = cert; *kdc_cert = cert;
@@ -1030,7 +1030,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
if (ret) if (ret)
goto out; goto out;
if (client_params->type == PKINIT_WIN2K) { if (cp->type == PKINIT_WIN2K) {
ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(), ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(),
&signed_data, &signed_data,
&buf); &buf);
@@ -1042,7 +1042,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
ret = hx509_cms_envelope_1(kdc_identity->hx509ctx, ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
HX509_CMS_EV_NO_KU_CHECK, HX509_CMS_EV_NO_KU_CHECK,
client_params->cert, cp->cert,
signed_data.data, signed_data.length, signed_data.data, signed_data.length,
envelopedAlg, envelopedAlg,
evAlg, &buf); evAlg, &buf);
@@ -1071,7 +1071,7 @@ out:
static krb5_error_code static krb5_error_code
pk_mk_pa_reply_dh(krb5_context context, pk_mk_pa_reply_dh(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
pk_client_params *client_params, pk_client_params *cp,
ContentInfo *content_info, ContentInfo *content_info,
hx509_cert *kdc_cert) hx509_cert *kdc_cert)
{ {
@@ -1088,8 +1088,8 @@ pk_mk_pa_reply_dh(krb5_context context,
*kdc_cert = NULL; *kdc_cert = NULL;
if (client_params->keyex == USE_DH) { if (cp->keyex == USE_DH) {
DH *kdc_dh = client_params->u.dh.key; DH *kdc_dh = cp->u.dh.key;
heim_integer i; heim_integer i;
ret = BN_to_integer(context, kdc_dh->pub_key, &i); ret = BN_to_integer(context, kdc_dh->pub_key, &i);
@@ -1110,11 +1110,11 @@ pk_mk_pa_reply_dh(krb5_context context,
dh_info.subjectPublicKey.data = buf.data; dh_info.subjectPublicKey.data = buf.data;
krb5_data_zero(&buf); krb5_data_zero(&buf);
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
} else if (client_params->keyex == USE_ECDH) { } else if (cp->keyex == USE_ECDH) {
unsigned char *p; unsigned char *p;
int len; int len;
len = i2o_ECPublicKey(client_params->u.ecdh.key, NULL); len = i2o_ECPublicKey(cp->u.ecdh.key, NULL);
if (len <= 0) if (len <= 0)
abort(); abort();
@@ -1125,7 +1125,7 @@ pk_mk_pa_reply_dh(krb5_context context,
dh_info.subjectPublicKey.length = len * 8; dh_info.subjectPublicKey.length = len * 8;
dh_info.subjectPublicKey.data = p; dh_info.subjectPublicKey.data = p;
len = i2o_ECPublicKey(client_params->u.ecdh.key, &p); len = i2o_ECPublicKey(cp->u.ecdh.key, &p);
if (len <= 0) if (len <= 0)
abort(); abort();
#endif #endif
@@ -1133,7 +1133,7 @@ pk_mk_pa_reply_dh(krb5_context context,
krb5_abortx(context, "no keyex selected ?"); krb5_abortx(context, "no keyex selected ?");
dh_info.nonce = client_params->nonce; dh_info.nonce = cp->nonce;
ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size, ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size,
ret); ret);
@@ -1177,8 +1177,8 @@ pk_mk_pa_reply_dh(krb5_context context,
buf.length, buf.length,
NULL, NULL,
cert, cert,
client_params->peer, cp->peer,
client_params->client_anchors, cp->client_anchors,
kdc_identity->certpool, kdc_identity->certpool,
&signed_data); &signed_data);
*kdc_cert = cert; *kdc_cert = cert;
@@ -1213,7 +1213,7 @@ pk_mk_pa_reply_dh(krb5_context context,
krb5_error_code krb5_error_code
_kdc_pk_mk_pa_reply(krb5_context context, _kdc_pk_mk_pa_reply(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
pk_client_params *client_params, pk_client_params *cp,
const hdb_entry_ex *client, const hdb_entry_ex *client,
krb5_enctype sessionetype, krb5_enctype sessionetype,
const KDC_REQ *req, const KDC_REQ *req,
@@ -1249,7 +1249,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
} else } else
enctype = ETYPE_DES3_CBC_SHA1; enctype = ETYPE_DES3_CBC_SHA1;
if (client_params->type == PKINIT_27) { if (cp->type == PKINIT_27) {
PA_PK_AS_REP rep; PA_PK_AS_REP rep;
const char *type, *other = ""; const char *type, *other = "";
@@ -1257,7 +1257,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
pa_type = KRB5_PADATA_PK_AS_REP; pa_type = KRB5_PADATA_PK_AS_REP;
if (client_params->keyex == USE_RSA) { if (cp->keyex == USE_RSA) {
ContentInfo info; ContentInfo info;
type = "enckey"; type = "enckey";
@@ -1265,17 +1265,17 @@ _kdc_pk_mk_pa_reply(krb5_context context,
rep.element = choice_PA_PK_AS_REP_encKeyPack; rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype, ret = krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key); &cp->reply_key);
if (ret) { if (ret) {
free_PA_PK_AS_REP(&rep); free_PA_PK_AS_REP(&rep);
goto out; goto out;
} }
ret = pk_mk_pa_reply_enckey(context, ret = pk_mk_pa_reply_enckey(context,
config, config,
client_params, cp,
req, req,
req_buffer, req_buffer,
&client_params->reply_key, &cp->reply_key,
&info, &info,
&kdc_cert); &kdc_cert);
if (ret) { if (ret) {
@@ -1305,7 +1305,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
} else { } else {
ContentInfo info; ContentInfo info;
switch (client_params->keyex) { switch (cp->keyex) {
case USE_DH: type = "dh"; break; case USE_DH: type = "dh"; break;
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
case USE_ECDH: type = "ecdh"; break; case USE_ECDH: type = "ecdh"; break;
@@ -1313,17 +1313,17 @@ _kdc_pk_mk_pa_reply(krb5_context context,
default: krb5_abortx(context, "unknown keyex"); break; default: krb5_abortx(context, "unknown keyex"); break;
} }
if (client_params->dh_group_name) if (cp->dh_group_name)
other = client_params->dh_group_name; other = cp->dh_group_name;
rep.element = choice_PA_PK_AS_REP_dhInfo; rep.element = choice_PA_PK_AS_REP_dhInfo;
ret = generate_dh_keyblock(context, client_params, enctype); ret = generate_dh_keyblock(context, cp, enctype);
if (ret) if (ret)
return ret; return ret;
ret = pk_mk_pa_reply_dh(context, config, ret = pk_mk_pa_reply_dh(context, config,
client_params, cp,
&info, &info,
&kdc_cert); &kdc_cert);
@@ -1365,11 +1365,11 @@ _kdc_pk_mk_pa_reply(krb5_context context,
kdc_log(context, config, 0, "PK-INIT using %s %s", type, other); kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
} else if (client_params->type == PKINIT_WIN2K) { } else if (cp->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k rep; PA_PK_AS_REP_Win2k rep;
ContentInfo info; ContentInfo info;
if (client_params->keyex != USE_RSA) { if (cp->keyex != USE_RSA) {
ret = KRB5KRB_ERR_GENERIC; ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, krb5_set_error_message(context, ret,
"Windows PK-INIT doesn't support DH"); "Windows PK-INIT doesn't support DH");
@@ -1382,17 +1382,17 @@ _kdc_pk_mk_pa_reply(krb5_context context,
rep.element = choice_PA_PK_AS_REP_encKeyPack; rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype, ret = krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key); &cp->reply_key);
if (ret) { if (ret) {
free_PA_PK_AS_REP_Win2k(&rep); free_PA_PK_AS_REP_Win2k(&rep);
goto out; goto out;
} }
ret = pk_mk_pa_reply_enckey(context, ret = pk_mk_pa_reply_enckey(context,
config, config,
client_params, cp,
req, req,
req_buffer, req_buffer,
&client_params->reply_key, &cp->reply_key,
&info, &info,
&kdc_cert); &kdc_cert);
if (ret) { if (ret) {
@@ -1520,7 +1520,7 @@ out:
hx509_cert_free(kdc_cert); hx509_cert_free(kdc_cert);
if (ret == 0) if (ret == 0)
*reply_key = &client_params->reply_key; *reply_key = &cp->reply_key;
return ret; return ret;
} }
@@ -1651,7 +1651,7 @@ krb5_error_code
_kdc_pk_check_client(krb5_context context, _kdc_pk_check_client(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
const hdb_entry_ex *client, const hdb_entry_ex *client,
pk_client_params *client_params, pk_client_params *cp,
char **subject_name) char **subject_name)
{ {
const HDB_Ext_PKINIT_acl *acl; const HDB_Ext_PKINIT_acl *acl;
@@ -1660,7 +1660,7 @@ _kdc_pk_check_client(krb5_context context,
hx509_name name; hx509_name name;
int i; int i;
if (client_params->cert == NULL) { if (cp->cert == NULL) {
*subject_name = strdup("anonymous client client"); *subject_name = strdup("anonymous client client");
if (*subject_name == NULL) if (*subject_name == NULL)
@@ -1669,7 +1669,7 @@ _kdc_pk_check_client(krb5_context context,
} }
ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx, ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx,
client_params->cert, cp->cert,
&name); &name);
if (ret) if (ret)
return ret; return ret;
@@ -1695,7 +1695,7 @@ _kdc_pk_check_client(krb5_context context,
&cert); &cert);
if (ret) if (ret)
continue; continue;
ret = hx509_cert_cmp(cert, client_params->cert); ret = hx509_cert_cmp(cert, cp->cert);
hx509_cert_free(cert); hx509_cert_free(cert);
if (ret == 0) { if (ret == 0) {
kdc_log(context, config, 5, kdc_log(context, config, 5,
@@ -1709,7 +1709,7 @@ _kdc_pk_check_client(krb5_context context,
if (config->pkinit_princ_in_cert) { if (config->pkinit_princ_in_cert) {
ret = match_rfc_san(context, config, ret = match_rfc_san(context, config,
kdc_identity->hx509ctx, kdc_identity->hx509ctx,
client_params->cert, cp->cert,
client->entry.principal); client->entry.principal);
if (ret == 0) { if (ret == 0) {
kdc_log(context, config, 5, kdc_log(context, config, 5,
@@ -1718,7 +1718,7 @@ _kdc_pk_check_client(krb5_context context,
} }
ret = match_ms_upn_san(context, config, ret = match_ms_upn_san(context, config,
kdc_identity->hx509ctx, kdc_identity->hx509ctx,
client_params->cert, cp->cert,
client->entry.principal); client->entry.principal);
if (ret == 0) { if (ret == 0) {
kdc_log(context, config, 5, kdc_log(context, config, 5,
@@ -1813,7 +1813,7 @@ add_principal_mapping(krb5_context context,
krb5_error_code krb5_error_code
_kdc_add_inital_verified_cas(krb5_context context, _kdc_add_inital_verified_cas(krb5_context context,
krb5_kdc_configuration *config, krb5_kdc_configuration *config,
pk_client_params *params, pk_client_params *cp,
EncTicketPart *tkt) EncTicketPart *tkt)
{ {
AD_INITIAL_VERIFIED_CAS cas; AD_INITIAL_VERIFIED_CAS cas;
@@ -1966,13 +1966,12 @@ _kdc_pk_initialize(krb5_context context,
"certifiate with a public key"); "certifiate with a public key");
} }
ret = krb5_config_get_bool_default(context, if (krb5_config_get_bool_default(context,
NULL, NULL,
FALSE, FALSE,
"kdc", "kdc",
"pkinit_allow_proxy_certificate", "pkinit_allow_proxy_certificate",
NULL); NULL))
if (ret != 0)
config->pkinit_allow_proxy_certs = 1; config->pkinit_allow_proxy_certs = 1;
file = krb5_config_get_string(context, file = krb5_config_get_string(context,