Diffstat (limited to 'src/plugins')
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 113 |
1 files changed, 52 insertions, 61 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 2e5afef75f..ad354cf0bd 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -93,7 +93,7 @@ pa_pkinit_gen_req(krb5_context context,
                   pkinit_context plgctx,
                   pkinit_req_context reqctx,
                   krb5_kdc_req * request,
-                  krb5_pa_data * in_padata,
+                  krb5_preauthtype pa_type,
                   krb5_pa_data *** out_padata,
                   krb5_prompter_fct prompter,
                   void *prompter_data,
@@ -110,7 +110,7 @@ pa_pkinit_gen_req(krb5_context context,
     krb5_pa_data **return_pa_data = NULL;
     cksum.contents = NULL;
-    reqctx->pa_type = in_padata->pa_type;
+    reqctx->pa_type = pa_type;
     pkiDebug("kdc_options = 0x%x till = %d\n",
              request->kdc_options, request->till);
@@ -183,10 +183,10 @@ pa_pkinit_gen_req(krb5_context context,
     return_pa_data[0]->magic = KV5M_PA_DATA;
-    if (in_padata->pa_type == KRB5_PADATA_PK_AS_REQ_OLD)
+    if (pa_type == KRB5_PADATA_PK_AS_REQ_OLD)
         return_pa_data[0]->pa_type = KRB5_PADATA_PK_AS_REP_OLD;
     else
-        return_pa_data[0]->pa_type = in_padata->pa_type;
+        return_pa_data[0]->pa_type = pa_type;
     return_pa_data[0]->length = out_data->length;
     return_pa_data[0]->contents = (krb5_octet *) out_data->data;
@@ -1084,7 +1084,7 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
             return retval;
         }
         retval = pa_pkinit_gen_req(context, plgctx, reqctx, request,
-                                   in_padata, out_padata, prompter,
+                                   in_padata->pa_type, out_padata, prompter,
                                    prompter_data, gic_opt);
     } else {
         /*
@@ -1110,85 +1110,76 @@ pkinit_client_tryagain(krb5_context context, krb5_clpreauth_moddata moddata,
                        krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
                        krb5_kdc_req *request, krb5_data *encoded_request_body,
                        krb5_data *encoded_previous_request,
-                       krb5_pa_data *in_padata, krb5_error *err_reply,
-                       krb5_prompter_fct prompter, void *prompter_data,
-                       krb5_pa_data ***out_padata)
+                       krb5_preauthtype pa_type, krb5_error *err_reply,
+                       krb5_pa_data **err_padata, krb5_prompter_fct prompter,
+                       void *prompter_data, krb5_pa_data ***out_padata)
 {
     krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
     pkinit_context plgctx = (pkinit_context)moddata;
     pkinit_req_context reqctx = (pkinit_req_context)modreq;
-    krb5_typed_data **typed_data = NULL;
+    krb5_pa_data *pa;
     krb5_data scratch;
-    krb5_external_principal_identifier **krb5_trusted_certifiers = NULL;
+    krb5_external_principal_identifier **certifiers = NULL;
     krb5_algorithm_identifier **algId = NULL;
     int do_again = 0;
     pkiDebug("pkinit_client_tryagain %p %p %p %p\n",
              context, plgctx, reqctx, request);
-    if (reqctx->pa_type != in_padata->pa_type)
+    if (reqctx->pa_type != pa_type || err_padata == NULL)
         return retval;
-#ifdef DEBUG_ASN1
-    print_buffer_bin((unsigned char *)err_reply->e_data.data,
-                     err_reply->e_data.length, "/tmp/client_edata");
-#endif
-    retval = k5int_decode_krb5_typed_data(&err_reply->e_data, &typed_data);
-    if (retval) {
-        pkiDebug("decode_krb5_typed_data failed\n");
-        goto cleanup;
-    }
-#ifdef DEBUG_ASN1
-    print_buffer_bin(typed_data[0]->data, typed_data[0]->length,
-                     "/tmp/client_typed_data");
-#endif
-    OCTETDATA_TO_KRB5DATA(typed_data[0], &scratch);
-
-    switch(typed_data[0]->type) {
-    case TD_TRUSTED_CERTIFIERS:
-    case TD_INVALID_CERTIFICATES:
-        retval = k5int_decode_krb5_td_trusted_certifiers(&scratch,
-                                                         &krb5_trusted_certifiers);
-        if (retval) {
-            pkiDebug("failed to decode sequence of trusted certifiers\n");
-            goto cleanup;
-        }
-        retval = pkinit_process_td_trusted_certifiers(context,
-                                                      plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx,
-                                                      krb5_trusted_certifiers, typed_data[0]->type);
-        if (!retval)
-            do_again = 1;
-        break;
-    case TD_DH_PARAMETERS:
-        retval = k5int_decode_krb5_td_dh_parameters(&scratch, &algId);
-        if (retval) {
-            pkiDebug("failed to decode td_dh_parameters\n");
-            goto cleanup;
+    for (; *err_padata != NULL && !do_again; err_padata++) {
+        pa = *err_padata;
+        PADATA_TO_KRB5DATA(pa, &scratch);
+        switch (pa->pa_type) {
+        case TD_TRUSTED_CERTIFIERS:
+        case TD_INVALID_CERTIFICATES:
+            retval = k5int_decode_krb5_td_trusted_certifiers(&scratch,
+                                                             &certifiers);
+            if (retval) {
+                pkiDebug("failed to decode sequence of trusted certifiers\n");
+                goto cleanup;
+            }
+            retval = pkinit_process_td_trusted_certifiers(context,
+                                                          plgctx->cryptoctx,
+                                                          reqctx->cryptoctx,
+                                                          reqctx->idctx,
+                                                          certifiers,
+                                                          pa->pa_type);
+            if (!retval)
+                do_again = 1;
+            break;
+        case TD_DH_PARAMETERS:
+            retval = k5int_decode_krb5_td_dh_parameters(&scratch, &algId);
+            if (retval) {
+                pkiDebug("failed to decode td_dh_parameters\n");
+                goto cleanup;
+            }
+            retval = pkinit_process_td_dh_params(context, plgctx->cryptoctx,
+                                                 reqctx->cryptoctx,
+                                                 reqctx->idctx, algId,
+                                                 &reqctx->opts->dh_size);
+            if (!retval)
+                do_again = 1;
+            break;
+        default:
+            break;
         }
-        retval = pkinit_process_td_dh_params(context, plgctx->cryptoctx,
-                                             reqctx->cryptoctx, reqctx->idctx, algId,
-                                             &reqctx->opts->dh_size);
-        if (!retval)
-            do_again = 1;
-        break;
-    default:
-        break;
     }
     if (do_again) {
-        retval = pa_pkinit_gen_req(context, plgctx, reqctx, request, in_padata,
-                                   out_padata, prompter, prompter_data, gic_opt);
+        retval = pa_pkinit_gen_req(context, plgctx, reqctx, request, pa_type,
+                                   out_padata, prompter, prompter_data,
+                                   gic_opt);
         if (retval)
             goto cleanup;
     }
     retval = 0;
 cleanup:
-    if (krb5_trusted_certifiers != NULL)
-        free_krb5_external_principal_identifier(&krb5_trusted_certifiers);
-
-    if (typed_data != NULL)
-        free_krb5_typed_data(&typed_data);
+    if (certifiers != NULL)
+        free_krb5_external_principal_identifier(&certifiers);
     if (algId != NULL)
         free_krb5_algorithm_identifiers(&algId);
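Review bot: In the new err_padata loop, `certifiers` and `algId` are decoded into the same outer variables on every iteration but released only once at cleanup, so when the error padata list carries two TD_TRUSTED_CERTIFIERS/TD_INVALID_CERTIFICATES (or two TD_DH_PARAMETERS) elements and the first one's process call fails, the second decode overwrites the pointer and the first allocation leaks — assuming the decoders allocate a fresh array rather than freeing what is already there. The old single-typed_data path could not reach this, and err_padata is built from the KDC's reply, so the client does not control how many elements arrive. Freeing the previous result at the top of each case, guarded the same way as the cleanup block, closes it; the retval of a failed earlier element is still discarded silently when a later element succeeds, which matches the old behaviour. pkinit_client_tryagain's first signature line and its final return lie outside the hunk.
```c
        switch (pa->pa_type) {
        case TD_TRUSTED_CERTIFIERS:
        case TD_INVALID_CERTIFICATES:
            /* Release the result of an earlier element of the same type. */
            if (certifiers != NULL) {
                free_krb5_external_principal_identifier(&certifiers);
                certifiers = NULL;
            }
            retval = k5int_decode_krb5_td_trusted_certifiers(&scratch,
                                                             &certifiers);
            /* … unchanged: decode check and pkinit_process_td_trusted_certifiers call … */
        case TD_DH_PARAMETERS:
            if (algId != NULL) {
                free_krb5_algorithm_identifiers(&algId);
                algId = NULL;
            }
            retval = k5int_decode_krb5_td_dh_parameters(&scratch, &algId);
            /* … unchanged: decode check and pkinit_process_td_dh_params call … */
```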
