Diffstat (limited to 'src/plugins/preauth/pkinit')
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 30 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto.h | 12 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 55 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_identity.c | 15 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 46 |
5 files changed, 90 insertions, 68 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 8f17f7e4af..6888c1b07b 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -346,17 +346,26 @@ pkinit_as_req_create(krb5_context context, retval = ENOMEM; goto cleanup; } - /*For the new protocol, we support anonymous*/ + /* For the new protocol, we support anonymous. */ if (krb5_principal_compare_any_realm(context, client, - krb5_anonymous_principal())) + krb5_anonymous_principal())) { retval = cms_contentinfo_create(context, plgctx->cryptoctx, - reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_CLIENT, - (unsigned char *)coded_auth_pack->data, coded_auth_pack->length, - &req->signedAuthPack.data, &req->signedAuthPack.length); - else retval = cms_signeddata_create(context, plgctx->cryptoctx, - reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_CLIENT, 1, - (unsigned char *)coded_auth_pack->data, coded_auth_pack->length, - &req->signedAuthPack.data, &req->signedAuthPack.length); + reqctx->cryptoctx, reqctx->idctx, + CMS_SIGN_CLIENT, (unsigned char *) + coded_auth_pack->data, + coded_auth_pack->length, + &req->signedAuthPack.data, + &req->signedAuthPack.length); + } else { + retval = cms_signeddata_create(context, plgctx->cryptoctx, + reqctx->cryptoctx, reqctx->idctx, + CMS_SIGN_CLIENT, 1, + (unsigned char *) + coded_auth_pack->data, + coded_auth_pack->length, + &req->signedAuthPack.data, + &req->signedAuthPack.length); + } #ifdef DEBUG_ASN1 print_buffer_bin((unsigned char *)req->signedAuthPack.data, req->signedAuthPack.length, @@ -687,7 +696,8 @@ pkinit_as_rep_parse(krb5_context context, reqctx->opts->require_crl_checking, kdc_reply->u.dh_Info.dhSignedData.data, kdc_reply->u.dh_Info.dhSignedData.length, - &dh_data.data, &dh_data.length, NULL, NULL, NULL)) != 0) { + &dh_data.data, &dh_data.length, + NULL, NULL, NULL)) != 0) { pkiDebug("failed to verify pkcs7 signed data\n"); goto cleanup; } 
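Review bot: The reworded comment `/* For the new protocol, we support anonymous. */` at the top of the first hunk still does not say what the branch does, which is to send the AuthPack as a bare ContentInfo (cms_contentinfo_create) instead of CMS SignedData when the client is the anonymous principal. Since the KDC code on this page accepts unsigned data only when the request's client is anonymous, that contract belongs next to the branch: `/* Anonymous clients send the AuthPack as unsigned ContentInfo; the KDC accepts unsigned data only for the anonymous principal. */`. The bare `1` passed to cms_signeddata_create in the else branch is a magic value whose meaning is not visible here and deserves a short comment too. pkinit_as_req_create starts before the hunk and continues after it.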
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h index dedd8f9456..2c584b6bf4 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h @@ -120,9 +120,8 @@ krb5_error_code cms_contentinfo_create pkinit_req_crypto_context req_cryptoctx, /* IN */ pkinit_identity_crypto_context id_cryptoctx, /* IN */ int cms_msg_type, - unsigned char *in_data, unsigned int in_length, - unsigned char **out_data, unsigned int *out_data_len); - + unsigned char *in_data, unsigned int in_length, + unsigned char **out_data, unsigned int *out_data_len); /* * this function creates a CMS message where eContentType is SignedData @@ -181,9 +180,10 @@ krb5_error_code cms_signeddata_verify receives required authorization data that contains the verified certificate chain (only used by the KDC) */ - unsigned int *authz_data_len, /* OUT - receives length of authz_data */ - int *is_signed /*out: is message signed*/); + unsigned int *authz_data_len, /* OUT + receives length of authz_data */ + int *is_signed); /* OUT + receives whether message is signed */ /* * this function creates a CMS message where eContentType is EnvelopedData diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 887ec06270..85e8dcaac6 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 
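Review bot: The new comment on `is_signed` in the second hunk describes it purely as an output, but in cms_signeddata_verify on this page the parameter also acts as an input switch: unsigned content is accepted only when the caller passes a non-NULL pointer, and it is then the caller's job to reject non-anonymous clients, as pkinit_server_verify_padata does. That dual role is the security-relevant part of the contract, so the header should state it, e.g. `int *is_signed); /* IN/OUT: NULL means unsigned content is an error; otherwise receives whether the message was signed and the caller must check that the client is anonymous */`. The declaration of cms_signeddata_verify starts before the hunk.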
@@ -692,15 +692,16 @@ pkinit_identity_set_prompter(pkinit_identity_crypto_context id_cryptoctx, } /*helper function for creating pkinit ContentInfo*/ -static krb5_error_code create_contentinfo -(krb5_context context, pkinit_plg_crypto_context plg_crypto_context, - ASN1_OBJECT *oid, - unsigned char *data, size_t data_len, - PKCS7 **out_p7) +static krb5_error_code +create_contentinfo(krb5_context context, + pkinit_plg_crypto_context plg_crypto_context, + ASN1_OBJECT *oid, unsigned char *data, size_t data_len, + PKCS7 **out_p7) { krb5_error_code retval = EINVAL; PKCS7 *inner_p7; ASN1_TYPE *pkinit_data = NULL; + *out_p7 = NULL; if ((inner_p7 = PKCS7_new()) == NULL) goto cleanup; @@ -709,8 +710,8 @@ static krb5_error_code create_contentinfo pkinit_data->type = V_ASN1_OCTET_STRING; if ((pkinit_data->value.octet_string = ASN1_OCTET_STRING_new()) == NULL) goto cleanup; - if (!ASN1_OCTET_STRING_set(pkinit_data->value.octet_string, (unsigned char *) data, - data_len)) { + if (!ASN1_OCTET_STRING_set(pkinit_data->value.octet_string, + (unsigned char *) data, data_len)) { unsigned long err = ERR_peek_error(); retval = KRB5KDC_ERR_PREAUTH_FAILED; krb5_set_error_message(context, retval, "%s\n", 
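Review bot: `retval` is initialised to EINVAL in create_contentinfo, so the `goto cleanup` taken when `PKCS7_new()` returns NULL reports an allocation failure as an invalid argument, and the same initial value presumably covers the ASN1 allocations further down. Initialising with `krb5_error_code retval = ENOMEM;` and assigning EINVAL only where a bad argument is actually detected would give callers a meaningful code. The added `*out_p7 = NULL;` is a good change; the cleanup label and the rest of the body lie outside the hunk.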
@@ -732,20 +733,21 @@ cleanup: return retval; } -krb5_error_code cms_contentinfo_create -(krb5_context context, /* IN */ - pkinit_plg_crypto_context plg_cryptoctx, /* IN */ - pkinit_req_crypto_context req_cryptoctx, /* IN */ - pkinit_identity_crypto_context id_cryptoctx, /* IN */ - int cms_msg_type, - unsigned char *data, unsigned int data_len, - unsigned char **out_data, unsigned int *out_data_len) +krb5_error_code +cms_contentinfo_create(krb5_context context, /* IN */ + pkinit_plg_crypto_context plg_cryptoctx, /* IN */ + pkinit_req_crypto_context req_cryptoctx, /* IN */ + pkinit_identity_crypto_context id_cryptoctx, /* IN */ + int cms_msg_type, + unsigned char *data, unsigned int data_len, + unsigned char **out_data, unsigned int *out_data_len) { krb5_error_code retval = ENOMEM; ASN1_OBJECT *oid = NULL; PKCS7 *p7 = NULL; unsigned char *p; - /* pick the correct oid for the eContentInfo */ + + /* Pick the correct oid for the eContentInfo. */ oid = pkinit_pkcs7type2oid(plg_cryptoctx, cms_msg_type); if (oid == NULL) goto cleanup; @@ -822,10 +824,11 @@ cms_signeddata_create(krb5_context context, ASN1_OBJECT *oid = NULL; if (id_cryptoctx->my_certs == NULL) { - krb5_set_error_message(context, EINVAL, "cms_signdata_create called with no certificates"); + krb5_set_error_message(context, EINVAL, "cms_signdata_create called " + "with no certificates"); return EINVAL; } -/* start creating PKCS7 data */ + /* Start creating PKCS7 data. */ if ((p7 = PKCS7_new()) == NULL) goto cleanup; p7->type = OBJ_nid2obj(NID_pkcs7_signed); 
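Review bot: In cms_contentinfo_create `retval` starts as ENOMEM, so when `pkinit_pkcs7type2oid` returns NULL the function reports an out-of-memory condition; if that helper can also return NULL for an unsupported cms_msg_type (not visible here), callers receive a misleading code. If it can, give that path its own code, e.g. `if (oid == NULL) { retval = EINVAL; goto cleanup; }`. The function's body continues past the hunk.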
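Review bot: The re-wrapped error string in cms_signeddata_create still names the function as `cms_signdata_create`; since this text reaches the caller's error message, it should read `"cms_signeddata_create called " "with no certificates"`. The early `return EINVAL` on that path also bypasses the cleanup label used by the later `goto cleanup`, which is correct only because nothing has been allocated yet, and a one-line comment saying so would protect it against future reordering. cms_signeddata_create starts before the hunk.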
@@ -1164,13 +1167,15 @@ cms_signeddata_verify(krb5_context context, goto cleanup; } -/*Handle the case in pkinit anonymous where we get unsigned data.*/ - if (is_signed && !OBJ_cmp( p7->type, oid)) { + /* Handle the case in pkinit anonymous where we get unsigned data. */ + if (is_signed && !OBJ_cmp(p7->type, oid)) { unsigned char *d; *is_signed = 0; if (p7->d.other->type != V_ASN1_OCTET_STRING) { retval = KRB5KDC_ERR_PREAUTH_FAILED; - krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Invalid pkinit packet: octet string expected"); + krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, + "Invalid pkinit packet: octet string " + "expected"); goto cleanup; } *data_len = ASN1_STRING_length(p7->d.other->value.octet_string); @@ -1183,14 +1188,15 @@ cms_signeddata_verify(krb5_context context, *data_len); *data = d; goto out; - } else /* verify that the received message is PKCS7 SignedData message */ + } else { + /* Verify that the received message is PKCS7 SignedData message. */ if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) { - pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n", OBJ_obj2nid(p7->type)); krb5_set_error_message(context, retval, "wrong oid\n"); goto cleanup; } + } /* setup to verify X509 certificate used to sign PKCS7 message */ if (!(store = X509_STORE_new())) @@ -3521,7 +3527,8 @@ pkinit_C_Decrypt(pkinit_identity_crypto_context id_cryptoctx, rv = id_cryptoctx->p11->C_Decrypt(id_cryptoctx->session, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen); if (rv == CKR_OK) { - pkiDebug("pData %x *pulDataLen %d\n", (unsigned int) pData, (int) *pulDataLen); + pkiDebug("pData %x *pulDataLen %d\n", (unsigned int) pData, + (int) *pulDataLen); } return rv; } diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c index aecea2c787..2ba05a470d 100644 --- a/src/plugins/preauth/pkinit/pkinit_identity.c +++ b/src/plugins/preauth/pkinit/pkinit_identity.c 
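Review bot: The else branch in the second hunk keeps `krb5_set_error_message(context, retval, "wrong oid\n")`, which reports with whatever `retval` holds at that point, a value set outside the hunk, and with a trailing newline that krb5 error messages do not normally carry. The pkiDebug line that printed the received OID type appears to be dropped without a replacement, so the only diagnostic for a non-SignedData message is the two-word string. Assigning an explicit code and keeping the detail would be clearer: `retval = KRB5KDC_ERR_PREAUTH_FAILED; krb5_set_error_message(context, retval, "Expected id-signedData PKCS7 msg (received type = %d)", OBJ_obj2nid(p7->type));`. cms_signeddata_verify continues well past the hunk.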
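Review bot: The re-wrapped pkiDebug in pkinit_C_Decrypt still prints `pData` through `(unsigned int) pData` with `%x`, which truncates the pointer on LP64 platforms and pairs a mismatched type with the conversion; `(int) *pulDataLen` likewise narrows the length. Use the pointer conversion instead: `pkiDebug("pData %p *pulDataLen %lu\n", (void *) pData, (unsigned long) *pulDataLen);`. The function starts before the hunk.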
@@ -518,15 +518,16 @@ pkinit_identity_initialize(krb5_context context, * in the config file. */ if (idopts->identity != NULL) { - retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx, - idopts, id_cryptoctx, - idopts->identity); + retval = process_option_identity(context, plg_cryptoctx, + req_cryptoctx, idopts, + id_cryptoctx, idopts->identity); } else if (idopts->identity_alt != NULL) { - for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) + for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) { retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->identity_alt[i]); + } } else { pkiDebug("%s: no user identity options specified\n", __FUNCTION__); goto errout; @@ -540,8 +541,8 @@ pkinit_identity_initialize(krb5_context context, goto errout; if (do_matching) { - retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx, princ); + retval = pkinit_cert_matching(context, plg_cryptoctx, + req_cryptoctx, id_cryptoctx, princ); if (retval) { pkiDebug("%s: No matching certificate found\n", __FUNCTION__); crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, @@ -565,7 +566,7 @@ pkinit_identity_initialize(krb5_context context, id_cryptoctx); if (retval) goto errout; - } /*not anonymous principal*/ + } /* Not anonymous principal */ for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) { retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 34700ad18b..9db4d0a460 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c 
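Review bot: The loop over `idopts->identity_alt` in the first hunk runs only while `retval != 0`, so it depends on `retval` being non-zero on entry, a value assigned before the hunk; if an earlier step leaves it at 0 the alternatives are silently skipped. A comment above the `for` makes the intent explicit and guards the precondition: `/* Try each alternative identity until one succeeds; retval must be non-zero here. */`. pkinit_identity_initialize starts before the hunk and continues after it.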
@@ -406,8 +406,8 @@ pkinit_server_verify_padata(krb5_context context, if (retval) goto cleanup; if (!valid_san) { - pkiDebug("%s: did not find an acceptable SAN in user certificate\n", - __FUNCTION__); + pkiDebug("%s: did not find an acceptable SAN in user " + "certificate\n", __FUNCTION__); retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; goto cleanup; } @@ -416,15 +416,17 @@ pkinit_server_verify_padata(krb5_context context, goto cleanup; if (!valid_eku) { - pkiDebug("%s: did not find an acceptable EKU in user certificate\n", - __FUNCTION__); + pkiDebug("%s: did not find an acceptable EKU in user " + "certificate\n", __FUNCTION__); retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; goto cleanup; } - } else { /*!is_signed*/ - if (!krb5_principal_compare( context, request->client, krb5_anonymous_principal())) { + } else { /* !is_signed */ + if (!krb5_principal_compare(context, request->client, + krb5_anonymous_principal())) { retval = KRB5KDC_ERR_PREAUTH_FAILED; - krb5_set_error_message(context, retval, "Pkinit request not signed, but client not anonymous."); + krb5_set_error_message(context, retval, "Pkinit request not " + "signed, but client not anonymous."); goto cleanup; } } @@ -545,13 +547,13 @@ pkinit_server_verify_padata(krb5_context context, break; } + /* + * This code used to generate ad-initial-verified-cas authorization data. + * However that has been removed until the ad-kdc-issued discussion can + * happen in the working group. Dec 2009 + */ /* return authorization data to be included in the ticket */ switch ((int)data->pa_type) { -/* - * This code used to generate ad-initial-verified-cas authorization data. - * However that has been removed until the ad-kdc-issued discussion can happen - * in the working group. Dec 2009 - */ default: *authz_data = NULL; } 
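Review bot: The unsigned-request branch in the second hunk compares `request->client` with `krb5_principal_compare`, whereas the client side on this page (pkinit_as_req_create) decides to send unsigned data with `krb5_principal_compare_any_realm`. The KDC's realm-sensitive comparison is the right one for an authorization decision, but the asymmetry invites a well-meant "fix" that would loosen it, so a comment should pin it down: `/* Exact comparison including realm: only the well-known anonymous principal may send an unsigned request. */`. pkinit_server_verify_padata starts before the hunk.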
@@ -593,9 +595,9 @@ cleanup: return retval; } static krb5_error_code -return_pkinit_kx( krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_keyblock *encrypting_key, - krb5_pa_data **out_padata) +return_pkinit_kx(krb5_context context, krb5_kdc_req *request, + krb5_kdc_rep *reply, krb5_keyblock *encrypting_key, + krb5_pa_data **out_padata) { krb5_error_code ret = 0; krb5_keyblock *session = reply->ticket->enc_part2->session; @@ -603,15 +605,16 @@ return_pkinit_kx( krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *rep krb5_pa_data *pa = NULL; krb5_enc_data enc; krb5_data *scratch = NULL; + *out_padata = NULL; enc.ciphertext.data = NULL; if (!krb5_principal_compare(context, request->client, krb5_anonymous_principal())) return 0; /* - *The KDC contribution key needs to be a fresh key of an - *enctype supported by the client and server. The existing - *session key meets these requirements so we use itt. + * The KDC contribution key needs to be a fresh key of an enctype supported + * by the client and server. The existing session key meets these + * requirements so we use it. */ ret = krb5_c_fx_cf2_simple(context, session, "PKINIT", encrypting_key, "KEYEXCHANGE", @@ -621,8 +624,8 @@ return_pkinit_kx( krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *rep ret = encode_krb5_encryption_key( session, &scratch); if (ret) goto cleanup; - ret = krb5_encrypt_helper( context, encrypting_key, KRB5_KEYUSAGE_PA_PKINIT_KX, - scratch, &enc); + ret = krb5_encrypt_helper(context, encrypting_key, + KRB5_KEYUSAGE_PA_PKINIT_KX, scratch, &enc); if (ret) goto cleanup; memset(scratch->data, 0, scratch->length); 
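Review bot: `memset(scratch->data, 0, scratch->length)` at the end of the third hunk is meant to wipe the encoded session key once it has been encrypted, but a plain memset on a buffer that is released shortly afterwards can be removed by the optimiser, leaving key material in freed heap memory. Use an explicit-zeroing helper if this file has one in scope, or a volatile-based wipe, and state the reason: `/* Wipe the plaintext copy of the session key; must not be optimised away. */`. The cleanup that releases scratch lies outside the hunk.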
@@ -699,9 +702,10 @@ pkinit_server_return_padata(krb5_context context, int fixed_keypack = 0; *send_pa = NULL; - if (padata->pa_type == KRB5_PADATA_PKINIT_KX) + if (padata->pa_type == KRB5_PADATA_PKINIT_KX) { return return_pkinit_kx(context, request, reply, encrypting_key, send_pa); + } if (padata == NULL || padata->length <= 0 || padata->contents == NULL) return 0; |
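Review bot: In pkinit_server_return_padata the braced dispatch still reads `padata->pa_type` before the following line tests `padata == NULL`, so that NULL check can never protect the dereference. Move a NULL test ahead of the KX dispatch, `if (padata == NULL) return 0;` before `if (padata->pa_type == KRB5_PADATA_PKINIT_KX) {`, and keep the existing length/contents check where it is, since the KX padata is handled before it. The function starts before the hunk and continues after it.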