| author | Tom Yu <tlyu@mit.edu> | 2009-10-31 00:48:38 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2009-10-31 00:48:38 +0000 |
| commit | 02d6bcbc98a214e7aeaaa9f45f0db8784a7b743b (patch) | |
| tree | 61b9147863cd8be3eff63903dc36cae168254bd5 /src/plugins/preauth | |
| parent | 162ab371748cba0cc6f172419bd6e71fa04bb878 (diff) | |
make mark-cstyle
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/preauth')
| -rw-r--r-- | src/plugins/preauth/cksum_body/cksum_body_main.c | 2 | ||||
| -rw-r--r-- | src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c | 29 | ||||
| -rw-r--r-- | src/plugins/preauth/fast_factor.h | 2 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit.h | 12 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 20 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto.h | 24 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 90 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_identity.c | 5 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_matching.c | 10 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 44 |
10 files changed, 118 insertions, 120 deletions
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c index 5239513515..77de0a8b65 100644 --- a/src/plugins/preauth/cksum_body/cksum_body_main.c +++ b/src/plugins/preauth/cksum_body/cksum_body_main.c @@ -235,7 +235,7 @@ client_gic_opt(krb5_context kcontext, { #ifdef DEBUG fprintf(stderr, "(cksum_body) client_gic_opt: received '%s' = '%s'\n", - attr, value); + attr, value); #endif return 0; } diff --git a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c b/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c index 1229d2a7d3..45b309d8ba 100644 --- a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c +++ b/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c @@ -8,7 +8,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -22,8 +22,8 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * + * + * * * Implement EncryptedChallenge fast factor from draft-ietf-krb-wg-preauth-framework */ @@ -64,7 +64,7 @@ static krb5_error_code process_preauth krb5_keyblock *challenge_key = NULL, *armor_key = NULL; krb5_data *etype_data = NULL; krb5int_access kaccess; - + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) return 0; retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); @@ -174,10 +174,10 @@ static krb5_error_code process_preauth &etype_data); return retval; } - - - - + + + + static krb5_error_code kdc_include_padata (krb5_context context, krb5_kdc_req *request, 
@@ -222,10 +222,10 @@ static krb5_error_code kdc_verify_preauth krb5_data *client_data = NULL; krb5_keyblock *challenge_key = NULL; int i = 0; - + plain.data = NULL; if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) - return 0; + return 0; retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); if (retval == 0 &&armor_key == NULL) { @@ -243,7 +243,7 @@ static krb5_error_code kdc_verify_preauth retval = ENOMEM; } if (retval == 0) - retval = get_entry_proc(context, request, client, + retval = get_entry_proc(context, request, client, krb5plugin_preauth_keys, &client_data); if (retval == 0) { client_keys = (krb5_keyblock *) client_data->data; @@ -274,7 +274,7 @@ static krb5_error_code kdc_verify_preauth for (j = i+1; client_keys[j].enctype; j++) krb5_free_keyblock_contents(context, &client_keys[j]); } - + } if (retval == 0) retval = kaccess.decode_enc_ts(&plain, &ts); @@ -301,7 +301,7 @@ static krb5_error_code kdc_verify_preauth } if (armor_key) krb5_free_keyblock(context, armor_key); - if (plain.data) + if (plain.data) free(plain.data); if (enc) kaccess.free_enc_data(context, enc); @@ -332,7 +332,7 @@ static krb5_error_code kdc_return_preauth krb5_data *encoded = NULL; krb5_pa_data *pa = NULL; krb5int_access kaccess; - + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) return 0; if (challenge_key == NULL) @@ -408,4 +408,3 @@ struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { NULL, /* try_again function */ NULL /* get init creds opt function */ }; - diff --git a/src/plugins/preauth/fast_factor.h b/src/plugins/preauth/fast_factor.h index 4059b28768..1e7696f02c 100644 --- a/src/plugins/preauth/fast_factor.h +++ b/src/plugins/preauth/fast_factor.h 
@@ -30,7 +30,7 @@ static krb5_error_code fast_kdc_get_armor_key if (retval == 0) { *armor_key = (krb5_keyblock *) data->data; data->data = NULL; - get_entry(context, request, client, + get_entry(context, request, client, krb5plugin_preauth_free_fast_armor, &data); } return retval; diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h index 04c64a4a8f..65984824e3 100644 --- a/src/plugins/preauth/pkinit/pkinit.h +++ b/src/plugins/preauth/pkinit/pkinit.h @@ -103,7 +103,7 @@ static inline void pkiDebug (const char *fmt, ...) { } /* #define pkiDebug (void) */ #endif -/* Solaris compiler doesn't grok __FUNCTION__ +/* Solaris compiler doesn't grok __FUNCTION__ * hack for now. Fix all the uses eventually. */ #define __FUNCTION__ __func__ @@ -125,15 +125,15 @@ extern const krb5_octet_data dh_oid; * (the kdc's identity is at the plugin level, the client's identity * information could change per-request.) * the identity context is meant to have the entity's cert, - * a list of trusted and intermediate cas, a list of crls, and any + * a list of trusted and intermediate cas, a list of crls, and any * pkcs11 information. the req context is meant to have the * received certificate and the DH related information. the plugin * context is meant to have global crypto information, i.e., OIDs * and constant DH parameter information. - */ + */ /* - * plugin crypto context should keep plugin common information, + * plugin crypto context should keep plugin common information, * eg., OIDs, known DHparams */ typedef struct _pkinit_plg_crypto_context *pkinit_plg_crypto_context; 
@@ -159,7 +159,7 @@ typedef struct _pkinit_plg_opts { int accept_secondary_eku;/* accept secondary EKU (default is false) */ int allow_upn; /* allow UPN-SAN instead of pkinit-SAN */ int dh_or_rsa; /* selects DH or RSA based pkinit */ - int require_crl_checking; /* require CRL for a CA (default is false) */ + int require_crl_checking; /* require CRL for a CA (default is false) */ int dh_min_bits; /* minimum DH modulus size allowed */ } pkinit_plg_opts; @@ -255,7 +255,7 @@ typedef struct _pkinit_kdc_req_context *pkinit_kdc_req_context; /* * Functions in pkinit_lib.c - */ + */ krb5_error_code pkinit_init_req_opts(pkinit_req_opts **); void pkinit_fini_req_opts(pkinit_req_opts *); diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 935ed2faf5..7fa42f34ab 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -271,7 +271,7 @@ pkinit_as_req_create(krb5_context context, /* add List of CMS algorithms */ retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, - reqctx->cryptoctx, reqctx->idctx, + reqctx->cryptoctx, reqctx->idctx, &auth_pack->supportedCMSTypes); if (retval) goto cleanup; @@ -434,7 +434,7 @@ cleanup: free(auth_pack9); break; } - + pkiDebug("pkinit_as_req_create retval=%d\n", (int) retval); @@ -501,7 +501,7 @@ verify_kdc_san(krb5_context context, *need_eku_checking = 1; retval = pkinit_libdefault_strings(context, - krb5_princ_realm(context, kdcprinc), + krb5_princ_realm(context, kdcprinc), KRB5_CONF_PKINIT_KDC_HOSTNAME, &cfghosts); if (retval || cfghosts == NULL) { @@ -595,7 +595,7 @@ out: __FUNCTION__, retval, *valid_san, *need_eku_checking); return retval; } - + static krb5_error_code verify_kdc_eku(krb5_context context, pkinit_context plgctx, 
@@ -719,7 +719,7 @@ pkinit_as_rep_parse(krb5_context context, } if (need_eku_checking) { - retval = verify_kdc_eku(context, plgctx, reqctx, + retval = verify_kdc_eku(context, plgctx, reqctx, &valid_eku); if (retval) goto cleanup; @@ -729,7 +729,7 @@ pkinit_as_rep_parse(krb5_context context, retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; goto cleanup; } - } else + } else pkiDebug("%s: skipping EKU check\n", __FUNCTION__); OCTETDATA_TO_KRB5DATA(&dh_data, &k5data); @@ -863,7 +863,7 @@ cleanup: if (key_pack != NULL) { free_krb5_reply_key_pack(&key_pack); free(cksum.contents); - } + } if (key_pack9 != NULL) free_krb5_reply_key_pack_draft9(&key_pack9); @@ -1146,7 +1146,7 @@ pkinit_client_tryagain(krb5_context context, if (retval) goto cleanup; } - + retval = 0; cleanup: if (krb5_trusted_certifiers != NULL) @@ -1202,7 +1202,7 @@ pkinit_client_req_init(krb5_context context, retval = pkinit_init_req_opts(&reqctx->opts); if (retval) goto cleanup; - + reqctx->opts->require_eku = plgctx->opts->require_eku; reqctx->opts->accept_secondary_eku = plgctx->opts->accept_secondary_eku; reqctx->opts->dh_or_rsa = plgctx->opts->dh_or_rsa; @@ -1365,7 +1365,7 @@ add_string_to_array(krb5_context context, char ***array, const char *addition) free(*array); } *array = out; - + return 0; } static krb5_error_code diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h index 779c08caed..83d2f1e19d 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h @@ -136,7 +136,7 @@ krb5_error_code cms_signeddata_create unsigned char **signed_data, /* OUT for CMS_SIGN_CLIENT receives DER encoded SignedAuthPack (CMS_SIGN_CLIENT) or DER - encoded DHInfo (CMS_SIGN_SERVER) */ + encoded DHInfo (CMS_SIGN_SERVER) */ unsigned int *signed_data_len); /* OUT receives length of signed_data */ 
@@ -177,12 +177,12 @@ krb5_error_code cms_signeddata_verify /* * this function creates a CMS message where eContentType is EnvelopedData */ -krb5_error_code cms_envelopeddata_create +krb5_error_code cms_envelopeddata_create (krb5_context context, /* IN */ pkinit_plg_crypto_context plg_cryptoctx, /* IN */ pkinit_req_crypto_context req_cryptoctx, /* IN */ pkinit_identity_crypto_context id_cryptoctx, /* IN */ - krb5_preauthtype pa_type, /* IN */ + krb5_preauthtype pa_type, /* IN */ int include_certchain, /* IN specifies whether the certificates field in SignedData should contain certificate path */ @@ -210,7 +210,7 @@ krb5_error_code cms_envelopeddata_verify unsigned char *envel_data, /* IN contains DER encoded encKeyPack */ unsigned int envel_data_len, /* IN - contains length of envel_data */ + contains length of envel_data */ unsigned char **signed_data, /* OUT receives ReplyKeyPack */ unsigned int *signed_data_len); /* OUT @@ -222,7 +222,7 @@ krb5_error_code cms_envelopeddata_verify * upn_sans, or kdc_hostnames must be non-NULL. */ krb5_error_code crypto_retrieve_cert_sans - (krb5_context context, /* IN */ + (krb5_context context, /* IN */ pkinit_plg_crypto_context plg_cryptoctx, /* IN */ pkinit_req_crypto_context req_cryptoctx, /* IN */ pkinit_identity_crypto_context id_cryptoctx, /* IN */ @@ -237,7 +237,7 @@ krb5_error_code crypto_retrieve_cert_sans unsigned char ***kdc_hostname); /* OUT if non-NULL, a null-terminated array of dNSName (hostname) SAN values found in the - certificate are returned */ + certificate are returned */ /* * this function checks for acceptable key usage values 
@@ -301,14 +301,14 @@ krb5_error_code client_create_dh unsigned int *dh_params_len, /* OUT contains length of dh_parmas */ unsigned char **dh_pubkey, /* OUT - receives DER encoded DH pub key */ + receives DER encoded DH pub key */ unsigned int *dh_pubkey_len); /* OUT receives length of dh_pubkey */ /* * this function completes client's the DH protocol. client * processes received DH pub key from the KDC and computes - * the DH secret key + * the DH secret key */ krb5_error_code client_process_dh (krb5_context context, /* IN */ @@ -353,7 +353,7 @@ krb5_error_code server_process_dh unsigned int received_pub_len, /* IN contains length of received_pubkey */ unsigned char **dh_pubkey, /* OUT - receives KDC's DER encoded DH pub key */ + receives KDC's DER encoded DH pub key */ unsigned int *dh_pubkey_len, /* OUT receives length of dh_pubkey */ unsigned char **server_key, /* OUT @@ -521,7 +521,7 @@ krb5_error_code crypto_load_cas_and_crls pkinit_req_crypto_context req_cryptoctx, /* IN */ pkinit_identity_opts *idopts, /* IN */ pkinit_identity_crypto_context id_cryptoctx, /* IN/OUT */ - int idtype, /* IN + int idtype, /* IN defines the storage type (file, directory, etc) */ int catype, /* IN defines the ca type (anchor, intermediate, crls) */ @@ -571,7 +571,7 @@ krb5_error_code pkinit_process_td_dh_params krb5_error_code pkinit_create_td_invalid_certificate (krb5_context context, /* IN */ pkinit_plg_crypto_context plg_cryptoctx, /* IN */ - pkinit_req_crypto_context req_cryptoctx, /* IN */ + pkinit_req_crypto_context req_cryptoctx, /* IN */ pkinit_identity_crypto_context id_cryptoctx, /* IN */ krb5_data **edata); /* OUT */ @@ -586,7 +586,7 @@ krb5_error_code pkinit_create_td_trusted_certifiers krb5_data **edata); /* OUT */ /* - * this function processes edata that contains either + * this function processes edata that contains either * TD-TRUSTED-CERTIFICATES or TD-INVALID-CERTIFICATES. * current implementation only decodes the received message * but does not act on it 
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 2f0f09d310..84259e63a2 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -415,7 +415,7 @@ pkinit_init_pkinit_oids(pkinit_plg_crypto_context ctx) } \ } \ ctx->vn = OBJ_nid2obj(nid); - + CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.2", id_pkinit_san, "id-pkinit-san", "KRB5PrincipalName"); @@ -771,9 +771,9 @@ cms_signeddata_create(krb5_context context, id_cryptoctx->intermediateCAs); X509_STORE_CTX_trusted_stack(&certctx, id_cryptoctx->trustedCAs); if (!X509_verify_cert(&certctx)) { - pkiDebug("failed to create a certificate chain: %s\n", + pkiDebug("failed to create a certificate chain: %s\n", X509_verify_cert_error_string(X509_STORE_CTX_get_error(&certctx))); - if (!sk_X509_num(id_cryptoctx->trustedCAs)) + if (!sk_X509_num(id_cryptoctx->trustedCAs)) pkiDebug("No trusted CAs found. Check your X509_anchors\n"); goto cleanup; } @@ -851,7 +851,7 @@ cms_signeddata_create(krb5_context context, V_ASN1_OCTET_STRING, (char *) digest_attr); /* create a content-type attr */ - PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType, + PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType, V_ASN1_OBJECT, oid); /* create the signature over signed attributes. get DER encoded value */ @@ -871,12 +871,12 @@ cms_signeddata_create(krb5_context context, * digestAlgorithm AlgorithmIdentifier, * digest OCTET STRING } */ - if (id_cryptoctx->pkcs11_method == 1 && + if (id_cryptoctx->pkcs11_method == 1 && id_cryptoctx->mech == CKM_RSA_PKCS) { pkiDebug("mech = CKM_RSA_PKCS\n"); EVP_MD_CTX_init(&ctx2); /* if this is not draft9 request, include digest signed attribute */ - if (cms_msg_type != CMS_SIGN_DRAFT9) + if (cms_msg_type != CMS_SIGN_DRAFT9) EVP_DigestInit_ex(&ctx2, md_tmp, NULL); else EVP_DigestInit_ex(&ctx2, EVP_sha1(), NULL); 
@@ -929,7 +929,7 @@ cms_signeddata_create(krb5_context context, #ifdef DEBUG_SIG print_buffer(sig, sig_len); #endif - if (cms_msg_type != CMS_SIGN_DRAFT9) + if (cms_msg_type != CMS_SIGN_DRAFT9) free(abuf); if (retval) goto cleanup2; @@ -1013,10 +1013,10 @@ cms_signeddata_create(krb5_context context, #endif cleanup2: - if (cms_msg_type != CMS_SIGN_DRAFT9) + if (cms_msg_type != CMS_SIGN_DRAFT9) EVP_MD_CTX_cleanup(&ctx); #ifndef WITHOUT_PKCS11 - if (id_cryptoctx->pkcs11_method == 1 && + if (id_cryptoctx->pkcs11_method == 1 && id_cryptoctx->mech == CKM_RSA_PKCS) { EVP_MD_CTX_cleanup(&ctx2); free(digest_buf); @@ -1029,7 +1029,7 @@ cms_signeddata_create(krb5_context context, if (alg != NULL) X509_ALGOR_free(alg); cleanup: - if (p7 != NULL) + if (p7 != NULL) PKCS7_free(p7); free(sig); @@ -1235,7 +1235,7 @@ cms_signeddata_verify(krb5_context context, #endif } else { /* retrieve verified certificate chain */ - if (cms_msg_type == CMS_SIGN_CLIENT || cms_msg_type == CMS_SIGN_DRAFT9) + if (cms_msg_type == CMS_SIGN_CLIENT || cms_msg_type == CMS_SIGN_DRAFT9) verified_chain = X509_STORE_CTX_get1_chain(&cert_ctx); } X509_STORE_CTX_cleanup(&cert_ctx); @@ -1248,7 +1248,7 @@ cms_signeddata_verify(krb5_context context, if (PKCS7_verify(p7, NULL, store, NULL, out, flags)) { int valid_oid = 0; - if (!OBJ_cmp(p7->d.sign->contents->type, oid)) + if (!OBJ_cmp(p7->d.sign->contents->type, oid)) valid_oid = 1; else if (cms_msg_type == CMS_SIGN_DRAFT9) { /* @@ -1266,11 +1266,11 @@ cms_signeddata_verify(krb5_context context, valid_oid = 1; } - if (valid_oid) + if (valid_oid) pkiDebug("PKCS7 Verification successful\n"); else { pkiDebug("wrong oid in eContentType\n"); - print_buffer(p7->d.sign->contents->type->data, + print_buffer(p7->d.sign->contents->type->data, (unsigned int)p7->d.sign->contents->type->length); retval = KRB5KDC_ERR_PREAUTH_FAILED; krb5_set_error_message(context, retval, "wrong oid\n"); 
@@ -1310,11 +1310,11 @@ cms_signeddata_verify(krb5_context context, /* generate authorization data */ if (cms_msg_type == CMS_SIGN_CLIENT || cms_msg_type == CMS_SIGN_DRAFT9) { - if (authz_data == NULL || authz_data_len == NULL) + if (authz_data == NULL || authz_data_len == NULL) goto out; *authz_data = NULL; - retval = create_identifiers_from_stack(verified_chain, + retval = create_identifiers_from_stack(verified_chain, &krb5_verified_chain); if (retval) { pkiDebug("create_identifiers_from_stack failed\n"); @@ -1447,18 +1447,18 @@ cms_envelopeddata_create(krb5_context context, } switch (pa_type) { case KRB5_PADATA_PK_AS_REQ: - p7->d.enveloped->enc_data->content_type = + p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_signed); break; case KRB5_PADATA_PK_AS_REP_OLD: case KRB5_PADATA_PK_AS_REQ_OLD: - p7->d.enveloped->enc_data->content_type = + p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); break; break; break; break; - } + } *out_len = i2d_PKCS7(p7, NULL); if (!*out_len || (p = *out = malloc(*out_len)) == NULL) { @@ -1485,7 +1485,7 @@ cleanup: free(enc_data); if (encerts != NULL) sk_X509_free(encerts); - + return retval; } @@ -1631,7 +1631,7 @@ cms_envelopeddata_verify(krb5_context context, if (!retval) pkiDebug("PKCS7 Verification Success\n"); - else { + else { pkiDebug("PKCS7 Verification Failure\n"); goto cleanup; } @@ -1774,7 +1774,7 @@ crypto_retrieve_X509_sans(krb5_context context, pkiDebug("%s: found dns name = %s\n", __FUNCTION__, gen->d.dNSName->data); dnss[d] = (unsigned char *) - strdup((char *)gen->d.dNSName->data); + strdup((char *)gen->d.dNSName->data); if (dnss[d] == NULL) { pkiDebug("%s: failed to duplicate dns name\n", __FUNCTION__); 
@@ -2937,7 +2937,7 @@ pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type) * We need this shadow version because our code * depends on the "other" type to be unknown to the * OpenSSL code. - */ + */ if (cryptoctx->id_pkinit_authData9 == NULL) { pkiDebug("%s: Creating shadow instance of pkcs7-data oid\n", __FUNCTION__); @@ -3954,7 +3954,7 @@ pkinit_get_certs_dir(krb5_context context, retval = 0; cleanup: - if (d) + if (d) closedir(d); return retval; @@ -4099,7 +4099,7 @@ pkinit_get_certs_pkcs11(krb5_context context, } for (i = 0; ; i++) { - if (i >= MAX_CREDS_ALLOWED) + if (i >= MAX_CREDS_ALLOWED) return KRB5KDC_ERR_PREAUTH_FAILED; /* Look for x.509 cert */ @@ -4338,7 +4338,7 @@ crypto_cert_iteration_next(krb5_context context, if (id_cryptoctx->creds[id->index] == NULL) return PKINIT_ITER_NO_MORE; - + cd = calloc(1, sizeof(*cd)); if (cd == NULL) return ENOMEM; @@ -4392,7 +4392,7 @@ crypto_retieve_X509_key_usage(krb5_context context, pkiDebug("%s: EKUs not requested, not checking\n", __FUNCTION__); goto check_kus; } - + /* Start with Extended Key usage */ i = X509_get_ext_by_NID(x, NID_ext_key_usage, -1); if (i >= 0) { @@ -4612,12 +4612,12 @@ crypto_cert_select(krb5_context context, cd = (struct _pkinit_cert_data *)md->ch; if (cd == NULL || cd->magic != CERT_MAGIC) return EINVAL; - - /* copy the selected cert into our id_cryptoctx */ + + /* copy the selected cert into our id_cryptoctx */ if (cd->idctx->my_certs != NULL) { sk_X509_pop_free(cd->idctx->my_certs, X509_free); } - cd->idctx->my_certs = sk_X509_new_null(); + cd->idctx->my_certs = sk_X509_new_null(); sk_X509_push(cd->idctx->my_certs, cd->cred->cert); cd->idctx->creds[cd->index]->cert = NULL; /* Don't free it twice */ cd->idctx->cert_index = 0; 
@@ -4625,7 +4625,7 @@ crypto_cert_select(krb5_context context, if (cd->idctx->pkcs11_method != 1) { cd->idctx->my_key = cd->cred->key; cd->idctx->creds[cd->index]->key = NULL; /* Don't free it twice */ - } + } #ifndef WITHOUT_PKCS11 else { cd->idctx->cert_id = cd->cred->cert_id; @@ -4662,11 +4662,11 @@ crypto_cert_select_default(krb5_context context, retval = EINVAL; goto errout; } - /* copy the selected cert into our id_cryptoctx */ + /* copy the selected cert into our id_cryptoctx */ if (id_cryptoctx->my_certs != NULL) { sk_X509_pop_free(id_cryptoctx->my_certs, X509_free); } - id_cryptoctx->my_certs = sk_X509_new_null(); + id_cryptoctx->my_certs = sk_X509_new_null(); sk_X509_push(id_cryptoctx->my_certs, id_cryptoctx->creds[0]->cert); id_cryptoctx->creds[0]->cert = NULL; /* Don't free it twice */ id_cryptoctx->cert_index = 0; @@ -4674,7 +4674,7 @@ crypto_cert_select_default(krb5_context context, if (id_cryptoctx->pkcs11_method != 1) { id_cryptoctx->my_key = id_cryptoctx->creds[0]->key; id_cryptoctx->creds[0]->key = NULL; /* Don't free it twice */ - } + } #ifndef WITHOUT_PKCS11 else { id_cryptoctx->cert_id = id_cryptoctx->creds[0]->cert_id; @@ -4757,7 +4757,7 @@ load_cas_and_crls(krb5_context context, */ for (i = 0; i < sk_X509_INFO_num(sk); i++) { X509_INFO *xi = sk_X509_INFO_value(sk, i); - if (xi != NULL && xi->x509 != NULL && catype != CATYPE_CRLS) { + if (xi != NULL && xi->x509 != NULL && catype != CATYPE_CRLS) { int j = 0, size = sk_X509_num(ca_certs), flag = 0; if (!size) { @@ -4770,7 +4770,7 @@ load_cas_and_crls(krb5_context context, flag = X509_cmp(x, xi->x509); if (flag == 0) break; - else + else continue; } if (flag != 0) { @@ -4804,7 +4804,7 @@ load_cas_and_crls(krb5_context context, case CATYPE_ANCHORS: if (sk_X509_num(ca_certs) == 0) { pkiDebug("no anchors in file, %s\n", filename); - if (id_cryptoctx->trustedCAs == NULL) + if (id_cryptoctx->trustedCAs == NULL) sk_X509_free(ca_certs); } else { if (id_cryptoctx->trustedCAs == NULL) 
@@ -4814,7 +4814,7 @@ load_cas_and_crls(krb5_context context, case CATYPE_INTERMEDIATES: if (sk_X509_num(ca_certs) == 0) { pkiDebug("no intermediates in file, %s\n", filename); - if (id_cryptoctx->intermediateCAs == NULL) + if (id_cryptoctx->intermediateCAs == NULL) sk_X509_free(ca_certs); } else { if (id_cryptoctx->intermediateCAs == NULL) @@ -4855,7 +4855,7 @@ load_cas_and_crls_dir(krb5_context context, pkinit_req_crypto_context req_cryptoctx, pkinit_identity_crypto_context id_cryptoctx, int catype, - char *dirname) + char *dirname) { krb5_error_code retval = EINVAL; DIR *d = NULL; @@ -4866,7 +4866,7 @@ load_cas_and_crls_dir(krb5_context context, return EINVAL; d = opendir(dirname); - if (d == NULL) + if (d == NULL) return ENOENT; while ((dentry = readdir(d))) { @@ -4893,7 +4893,7 @@ load_cas_and_crls_dir(krb5_context context, retval = 0; cleanup: - if (d != NULL) + if (d != NULL) closedir(d); return retval; @@ -4907,7 +4907,7 @@ crypto_load_cas_and_crls(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, int idtype, int catype, - char *id) + char *id) { pkiDebug("%s: called with idtype %s and catype %s\n", __FUNCTION__, idtype2string(idtype), catype2string(catype)); @@ -5008,7 +5008,7 @@ if (longhorn == 0) { /* XXX Longhorn doesn't like this */ if ((p = krb5_cas[i]->subjectKeyIdentifier.data = malloc((size_t) len)) == NULL) goto cleanup; - i2d_ASN1_OCTET_STRING(ikeyid, &p); + i2d_ASN1_OCTET_STRING(ikeyid, &p); krb5_cas[i]->subjectKeyIdentifier.length = len; } if (ikeyid != NULL) @@ -5052,7 +5052,7 @@ create_krb5_invalidCertificates(krb5_context context, return KRB5KDC_ERR_PREAUTH_FAILED; sk = sk_X509_new_null(); - if (sk == NULL) + if (sk == NULL) goto cleanup; sk_X509_push(sk, req_cryptoctx->received_cert); @@ -5419,7 +5419,7 @@ pkcs7_dataDecode(krb5_context context, PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); goto cleanup; } - + } /* If we haven't got a certificate try each ri in turn */ 
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c index b71f7c9457..48426e3481 100644 --- a/src/plugins/preauth/pkinit/pkinit_identity.c +++ b/src/plugins/preauth/pkinit/pkinit_identity.c @@ -459,7 +459,7 @@ static krb5_error_code process_option_ca_crl(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_opts *idopts, + pkinit_identity_opts *idopts, pkinit_identity_crypto_context id_cryptoctx, const char *value, int catype) @@ -558,7 +558,7 @@ pkinit_identity_initialize(krb5_context context, goto errout; } } - + retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx); if (retval) @@ -595,4 +595,3 @@ pkinit_identity_initialize(krb5_context context, errout: return retval; } - diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c index 778ae38c96..806fcbb87c 100644 --- a/src/plugins/preauth/pkinit/pkinit_matching.c +++ b/src/plugins/preauth/pkinit/pkinit_matching.c @@ -135,10 +135,10 @@ typedef struct _rule_component { kw_value_type kwval_type; regex_t regexp; /* Compiled regular expression */ char *regsrc; /* The regular expression source (for debugging) */ - unsigned int ku_bits; + unsigned int ku_bits; unsigned int eku_bits; } rule_component; - + /* Set rule components */ typedef struct _rule_set { relation_type relation; @@ -180,7 +180,7 @@ free_rule_set(krb5_context context, static krb5_error_code parse_list_value(krb5_context context, - keyword_type type, + keyword_type type, char *value, rule_component *rc) { @@ -609,7 +609,7 @@ nextcert: pkiDebug("%s: After checking %d certs, we found %d matches\n", __FUNCTION__, certs_checked, total_cert_matches); if (total_cert_matches == 1) { - *match_found = 1; + *match_found = 1; *matching_cert = save_match; } 
@@ -764,7 +764,7 @@ pkinit_cert_matching(krb5_context context, if (retval) { if (retval == EINVAL) { pkiDebug("%s: Ignoring invalid rule pkinit_cert_match = '%s'\n", - __FUNCTION__, rules[x]); + __FUNCTION__, rules[x]); continue; } goto cleanup; diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 1de10da1f0..8b74472142 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -118,7 +118,7 @@ pkinit_server_get_edata(krb5_context context, /* * If we don't have a realm context for the given realm, - * don't tell the client that we support pkinit! + * don't tell the client that we support pkinit! */ plgctx = pkinit_find_realm_context(context, pa_plugin_context, request->server); @@ -142,7 +142,7 @@ verify_client_san(krb5_context context, #ifdef DEBUG_SAN_INFO char *client_string = NULL, *san_string; #endif - + retval = crypto_retrieve_cert_sans(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, &princs, @@ -295,7 +295,7 @@ pkinit_server_verify_padata(krb5_context context, krb5_data **e_data, krb5_authdata ***authz_data) { - krb5_error_code retval = 0; + krb5_error_code retval = 0; krb5_octet_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL}; krb5_data *encoded_pkinit_authz_data = NULL; krb5_pa_pk_as_req *reqp = NULL; @@ -363,7 +363,7 @@ pkinit_server_verify_padata(krb5_context context, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_CLIENT, plgctx->opts->require_crl_checking, reqp->signedAuthPack.data, reqp->signedAuthPack.length, - &authp_data.data, &authp_data.length, &krb5_authz.data, + &authp_data.data, &authp_data.length, &krb5_authz.data, &krb5_authz.length); break; case KRB5_PADATA_PK_AS_REP_OLD: 
@@ -385,7 +385,7 @@ pkinit_server_verify_padata(krb5_context context, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, plgctx->opts->require_crl_checking, reqp9->signedAuthPack.data, reqp9->signedAuthPack.length, - &authp_data.data, &authp_data.length, &krb5_authz.data, + &authp_data.data, &authp_data.length, &krb5_authz.data, &krb5_authz.length); break; default: @@ -433,7 +433,7 @@ pkinit_server_verify_padata(krb5_context context, } /* check dh parameters */ - if (auth_pack->clientPublicValue != NULL) { + if (auth_pack->clientPublicValue != NULL) { retval = server_check_dh(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, &auth_pack->clientPublicValue->algorithm.parameters, @@ -450,12 +450,12 @@ pkinit_server_verify_padata(krb5_context context, * came from the client. Therefore, we use the original * packet contents. */ - retval = k5int_decode_krb5_as_req(req_pkt, &tmp_as_req); + retval = k5int_decode_krb5_as_req(req_pkt, &tmp_as_req); if (retval) { pkiDebug("decode_krb5_as_req returned %d\n", (int)retval); goto cleanup; } - + retval = k5int_encode_krb5_kdc_req_body(tmp_as_req, &der_req); if (retval) { pkiDebug("encode_krb5_kdc_req_body returned %d\n", (int) retval); @@ -514,7 +514,7 @@ pkinit_server_verify_padata(krb5_context context, pkiDebug("failed to decode krb5_auth_pack_draft9\n"); goto cleanup; } - if (auth_pack9->clientPublicValue != NULL) { + if (auth_pack9->clientPublicValue != NULL) { retval = server_check_dh(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, &auth_pack9->clientPublicValue->algorithm.parameters, @@ -567,7 +567,7 @@ pkinit_server_verify_padata(krb5_context context, */ pkinit_authz_data->contents = krb5_authz.data; pkinit_authz_data->length = krb5_authz.length; - retval = k5int_encode_krb5_authdata_elt(pkinit_authz_data, + retval = k5int_encode_krb5_authdata_elt(pkinit_authz_data, &encoded_pkinit_authz_data); #ifdef DEBUG_ASN1 print_buffer_bin((unsigned char *)encoded_pkinit_authz_data->data, 
@@ -586,12 +586,12 @@ pkinit_server_verify_padata(krb5_context context, (krb5_octet *) encoded_pkinit_authz_data->data; my_authz_data[0]->length = encoded_pkinit_authz_data->length; *authz_data = my_authz_data; - pkiDebug("Returning %d bytes of authorization data\n", + pkiDebug("Returning %d bytes of authorization data\n", krb5_authz.length); encoded_pkinit_authz_data->data = NULL; /* Don't free during cleanup*/ free(encoded_pkinit_authz_data); break; - default: + default: *authz_data = NULL; } /* remember to set the PREAUTH flag in the reply */ @@ -619,7 +619,7 @@ pkinit_server_verify_padata(krb5_context context, free_krb5_pa_pk_as_req_draft9(&reqp9); } if (tmp_as_req != NULL) - k5int_krb5_free_kdc_req(context, tmp_as_req); + k5int_krb5_free_kdc_req(context, tmp_as_req); free(authp_data.data); free(krb5_authz.data); if (reqctx != NULL) @@ -684,7 +684,7 @@ pkinit_server_return_padata(krb5_context context, pkiDebug("missing request context \n"); return EINVAL; } - + plgctx = pkinit_find_realm_context(context, pa_plugin_context, request->server); if (plgctx == NULL) { @@ -762,14 +762,14 @@ pkinit_server_return_padata(krb5_context context, pkiDebug("received DH key delivery AS REQ\n"); retval = server_process_dh(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, subjectPublicKey, - subjectPublicKey_len, &dh_pubkey, &dh_pubkey_len, + subjectPublicKey_len, &dh_pubkey, &dh_pubkey_len, &server_key, &server_key_len); if (retval) { pkiDebug("failed to process/create dh paramters\n"); goto cleanup; } } - + if ((rep9 != NULL && rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { 
@@ -846,7 +846,7 @@ pkinit_server_return_padata(krb5_context context, pkiDebug("%s: return checksum instead of nonce = %d\n", __FUNCTION__, fixed_keypack); - /* if this is an RFC reply or draft9 client requested a checksum + /* if this is an RFC reply or draft9 client requested a checksum * in the reply instead of the nonce, create an RFC-style keypack */ if ((int)padata->pa_type == KRB5_PADATA_PK_AS_REQ || fixed_keypack) { @@ -873,7 +873,7 @@ pkinit_server_return_padata(krb5_context context, pkiDebug("calculating checksum on buf size = %d\n", req_pkt->length); print_buffer(req_pkt->data, req_pkt->length); pkiDebug("checksum size = %d\n", key_pack->asChecksum.length); - print_buffer(key_pack->asChecksum.contents, + print_buffer(key_pack->asChecksum.contents, key_pack->asChecksum.length); pkiDebug("encrypting key (%d)\n", encrypting_key->length); print_buffer(encrypting_key->contents, encrypting_key->length); @@ -894,7 +894,7 @@ pkinit_server_return_padata(krb5_context context, case KRB5_PADATA_PK_AS_REQ: rep->choice = choice_pa_pk_as_rep_encKeyPack; retval = cms_envelopeddata_create(context, plgctx->cryptoctx, - reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, + reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, (unsigned char *)encoded_key_pack->data, encoded_key_pack->length, &rep->u.encKeyPack.data, &rep->u.encKeyPack.length); @@ -902,7 +902,7 @@ pkinit_server_return_padata(krb5_context context, case KRB5_PADATA_PK_AS_REP_OLD: case KRB5_PADATA_PK_AS_REQ_OLD: /* if the request is from the broken draft9 client that - * expects back a nonce, create it now + * expects back a nonce, create it now */ if (!fixed_keypack) { init_krb5_reply_key_pack_draft9(&key_pack9); 
@@ -920,11 +920,11 @@ pkinit_server_return_padata(krb5_context context, pkiDebug("failed to encode reply_key_pack\n"); goto cleanup; } - } + } rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack; retval = cms_envelopeddata_create(context, plgctx->cryptoctx, - reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, + reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, (unsigned char *)encoded_key_pack->data, encoded_key_pack->length, &rep9->u.encKeyPack.data, &rep9->u.encKeyPack.length); |
