| author | Greg Hudson <ghudson@mit.edu> | 2011-10-04 20:16:07 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2011-10-04 20:16:07 +0000 |
| commit | cbb4ede6d5a939f39f3325ad040406ac05c99713 (patch) | |
| tree | 70eb9e23b1ac63b45b0596ec70609d742fde45d2 /src/plugins/preauth | |
| parent | a046e6135690f97adfa6bb4065d7367cf6142c40 (diff) | |
| download | krb5-cbb4ede6d5a939f39f3325ad040406ac05c99713.tar.gz krb5-cbb4ede6d5a939f39f3325ad040406ac05c99713.tar.xz krb5-cbb4ede6d5a939f39f3325ad040406ac05c99713.zip | |
Create e_data as pa_data in KDC interfaces
All currently known uses of e_data are encoded as pa-data or typed-data.
FAST requires that e_data be expressed as pa-data. Change the DAL and
kdcpreauth interfaces so that e_data is returned as a sequence of
pa-data elements. Add a preauth module flag to indicate that the
sequence should be encoded as typed-data in non-FAST errors.
ticket: 6969
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/preauth')
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit.h | 1 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto.h | 6 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 106 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_lib.c | 10 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 12 |
5 files changed, 38 insertions, 97 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index ffe2a14f7..2536aeeb1 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -304,7 +304,6 @@ void init_krb5_auth_pack(krb5_auth_pack **in);
 void init_krb5_auth_pack_draft9(krb5_auth_pack_draft9 **in);
 void init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
 void init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
-void init_krb5_typed_data(krb5_typed_data **in);
 void init_krb5_subject_pk_info(krb5_subject_pk_info **in);
 
 void free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index 7da5cb02f..5dac85427 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -559,7 +559,7 @@ krb5_error_code pkinit_create_td_dh_parameters
 pkinit_req_crypto_context req_cryptoctx, /* IN */
 pkinit_identity_crypto_context id_cryptoctx, /* IN */
 pkinit_plg_opts *opts, /* IN */
-krb5_data **edata); /* OUT */
+krb5_pa_data ***e_data_out); /* OUT */
 
 /*
  * this function processes edata that contains TD-DH-PARAMETERS.
@@ -584,7 +584,7 @@ krb5_error_code pkinit_create_td_invalid_certificate
 pkinit_plg_crypto_context plg_cryptoctx, /* IN */
 pkinit_req_crypto_context req_cryptoctx, /* IN */
 pkinit_identity_crypto_context id_cryptoctx, /* IN */
-krb5_data **edata); /* OUT */
+krb5_pa_data ***e_data_out); /* OUT */
 
 /*
  * this function creates edata that contains TD-TRUSTED-CERTIFIERS
@@ -594,7 +594,7 @@ krb5_error_code pkinit_create_td_trusted_certifiers
 pkinit_plg_crypto_context plg_cryptoctx, /* IN */
 pkinit_req_crypto_context req_cryptoctx, /* IN */
 pkinit_identity_crypto_context id_cryptoctx, /* IN */
-krb5_data **edata); /* OUT */
+krb5_pa_data ***e_data_out); /* OUT */
 
 /*
  * this function processes edata that contains either
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index be752f714..547ecc739 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -108,7 +108,7 @@ static krb5_error_code pkinit_create_sequence_of_principal_identifiers
 (krb5_context context, pkinit_plg_crypto_context plg_cryptoctx,
 pkinit_req_crypto_context req_cryptoctx,
 pkinit_identity_crypto_context id_cryptoctx,
-int type, krb5_data **out_data);
+int type, krb5_pa_data ***e_data_out);
 
 #ifndef WITHOUT_PKCS11
 static krb5_error_code pkinit_find_private_key
@@ -2973,12 +2973,12 @@ pkinit_create_sequence_of_principal_identifiers(
 pkinit_req_crypto_context req_cryptoctx,
 pkinit_identity_crypto_context id_cryptoctx,
 int type,
-krb5_data **out_data)
+krb5_pa_data ***e_data_out)
 {
 krb5_error_code retval = KRB5KRB_ERR_GENERIC;
 krb5_external_principal_identifier **krb5_trusted_certifiers = NULL;
-krb5_data *td_certifiers = NULL, *data = NULL;
-krb5_typed_data **typed_data = NULL;
+krb5_data *td_certifiers = NULL;
+krb5_pa_data **pa_data = NULL;
 
 switch(type) {
 case TD_TRUSTED_CERTIFIERS:
@@ -3011,49 +3011,27 @@ pkinit_create_sequence_of_principal_identifiers( print_buffer_bin((unsigned char *)td_certifiers->data, td_certifiers->length, "/tmp/kdc_td_certifiers"); #endif - typed_data = malloc(2 * sizeof(krb5_typed_data *)); - if (typed_data == NULL) { + pa_data = malloc(2 * sizeof(krb5_pa_data *)); + if (pa_data == NULL) { retval = ENOMEM; goto cleanup; } - typed_data[1] = NULL; - init_krb5_typed_data(&typed_data[0]); - if (typed_data[0] == NULL) { + pa_data[1] = NULL; + pa_data[0] = malloc(sizeof(krb5_pa_data)); + if (pa_data[0] == NULL) { retval = ENOMEM; goto cleanup; } - typed_data[0]->type = type; - typed_data[0]->length = td_certifiers->length; - typed_data[0]->data = (unsigned char *)td_certifiers->data; - retval = k5int_encode_krb5_typed_data((const krb5_typed_data **)typed_data, - &data); - if (retval) { - pkiDebug("encode_krb5_typed_data failed\n"); - goto cleanup; - } -#ifdef DEBUG_ASN1 - print_buffer_bin((unsigned char *)data->data, data->length, - "/tmp/kdc_edata"); -#endif - *out_data = malloc(sizeof(krb5_data)); - (*out_data)->length = data->length; - (*out_data)->data = malloc(data->length); - memcpy((*out_data)->data, data->data, data->length); - + pa_data[0]->pa_type = type; + pa_data[0]->length = td_certifiers->length; + pa_data[0]->contents = (krb5_octet *)td_certifiers->data; + *e_data_out = pa_data; retval = 0; cleanup: if (krb5_trusted_certifiers != NULL) free_krb5_external_principal_identifier(&krb5_trusted_certifiers); - - if (data != NULL) { - free(data->data); - free(data); - } - free(td_certifiers); - free_krb5_typed_data(&typed_data); - return retval; } 
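Review bot: The new error path leaks `pa_data` when the second allocation fails: once `pa_data = malloc(2 * sizeof(krb5_pa_data *))` has succeeded, a NULL from `pa_data[0] = malloc(sizeof(krb5_pa_data))` jumps to `cleanup`, which no longer releases the array now that `free_krb5_typed_data(&typed_data)` is gone. The success path hands the array to the caller through `*e_data_out`, so cleanup cannot free it unconditionally; the smallest fix is `free(pa_data);` immediately before the `goto cleanup;` in that failure branch. The same pattern appears in the pkinit_create_td_dh_parameters hunk at -3211. Plain `malloc` also leaves the element's leading `magic` field uninitialized, so `calloc(1, sizeof(krb5_pa_data))` would be the safer choice for `pa_data[0]`. The enclosing function begins before this hunk.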
@@ -3062,13 +3040,13 @@ pkinit_create_td_trusted_certifiers(krb5_context context,
 pkinit_plg_crypto_context plg_cryptoctx,
 pkinit_req_crypto_context req_cryptoctx,
 pkinit_identity_crypto_context id_cryptoctx,
-krb5_data **out_data)
+krb5_pa_data ***e_data_out)
 {
 krb5_error_code retval = KRB5KRB_ERR_GENERIC;
 
 retval = pkinit_create_sequence_of_principal_identifiers(context,
 plg_cryptoctx, req_cryptoctx, id_cryptoctx,
-TD_TRUSTED_CERTIFIERS, out_data);
+TD_TRUSTED_CERTIFIERS, e_data_out);
 
 return retval;
 }
@@ -3079,13 +3057,13 @@ pkinit_create_td_invalid_certificate(
 pkinit_plg_crypto_context plg_cryptoctx,
 pkinit_req_crypto_context req_cryptoctx,
 pkinit_identity_crypto_context id_cryptoctx,
-krb5_data **out_data)
+krb5_pa_data ***e_data_out)
 {
 krb5_error_code retval = KRB5KRB_ERR_GENERIC;
 
 retval = pkinit_create_sequence_of_principal_identifiers(context,
 plg_cryptoctx, req_cryptoctx, id_cryptoctx,
-TD_INVALID_CERTIFICATES, out_data);
+TD_INVALID_CERTIFICATES, e_data_out);
 
 return retval;
 }
@@ -3096,13 +3074,13 @@ pkinit_create_td_dh_parameters(krb5_context context,
 pkinit_req_crypto_context req_cryptoctx,
 pkinit_identity_crypto_context id_cryptoctx,
 pkinit_plg_opts *opts,
-krb5_data **out_data)
+krb5_pa_data ***e_data_out)
 {
 krb5_error_code retval = ENOMEM;
 unsigned int buf1_len = 0, buf2_len = 0, buf3_len = 0, i = 0;
 unsigned char *buf1 = NULL, *buf2 = NULL, *buf3 = NULL;
-krb5_typed_data **typed_data = NULL;
-krb5_data *data = NULL, *encoded_algId = NULL;
+krb5_pa_data **pa_data = NULL;
+krb5_data *encoded_algId = NULL;
 krb5_algorithm_identifier **algId = NULL;
 
 if (opts->dh_min_bits > 4096)
@@ -3211,53 +3189,27 @@ pkinit_create_td_dh_parameters(krb5_context context, print_buffer_bin((unsigned char *)encoded_algId->data, encoded_algId->length, "/tmp/kdc_td_dh_params"); #endif - typed_data = malloc(2 * sizeof(krb5_typed_data *)); - if (typed_data == NULL) { + pa_data = malloc(2 * sizeof(krb5_pa_data *)); + if (pa_data == NULL) { retval = ENOMEM; goto cleanup; } - typed_data[1] = NULL; - init_krb5_typed_data(&typed_data[0]); - if (typed_data == NULL) { + pa_data[1] = NULL; + pa_data[0] = malloc(sizeof(krb5_pa_data)); + if (pa_data[0] == NULL) { retval = ENOMEM; goto cleanup; } - typed_data[0]->type = TD_DH_PARAMETERS; - typed_data[0]->length = encoded_algId->length; - typed_data[0]->data = (unsigned char *)encoded_algId->data; - retval = k5int_encode_krb5_typed_data((const krb5_typed_data**)typed_data, - &data); - if (retval) { - pkiDebug("encode_krb5_typed_data failed\n"); - goto cleanup; - } -#ifdef DEBUG_ASN1 - print_buffer_bin((unsigned char *)data->data, data->length, - "/tmp/kdc_edata"); -#endif - *out_data = malloc(sizeof(krb5_data)); - if (*out_data == NULL) - goto cleanup; - (*out_data)->length = data->length; - (*out_data)->data = malloc(data->length); - if ((*out_data)->data == NULL) { - free(*out_data); - *out_data = NULL; - goto cleanup; - } - memcpy((*out_data)->data, data->data, data->length); - + pa_data[0]->pa_type = TD_DH_PARAMETERS; + pa_data[0]->length = encoded_algId->length; + pa_data[0]->contents = (krb5_octet *)encoded_algId->data; + *e_data_out = pa_data; retval = 0; cleanup: free(buf1); free(buf2); free(buf3); - if (data != NULL) { - free(data->data); - free(data); - } - free_krb5_typed_data(&typed_data); free(encoded_algId); if (algId != NULL) { diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c index f93c0743f..6b1018004 100644 --- a/src/plugins/preauth/pkinit/pkinit_lib.c +++ b/src/plugins/preauth/pkinit/pkinit_lib.c 
@@ -392,16 +392,6 @@ init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in)
 }
 
 void
-init_krb5_typed_data(krb5_typed_data **in)
-{
-(*in) = malloc(sizeof(krb5_typed_data));
-if ((*in) == NULL) return;
-(*in)->type = 0;
-(*in)->length = 0;
-(*in)->data = NULL;
-}
-
-void
 init_krb5_subject_pk_info(krb5_subject_pk_info **in)
 {
 (*in) = malloc(sizeof(krb5_subject_pk_info));
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 1967ea65c..2fbc24391 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -66,7 +66,7 @@ pkinit_create_edata(krb5_context context,
 pkinit_identity_crypto_context id_cryptoctx,
 pkinit_plg_opts *opts,
 krb5_error_code err_code,
-krb5_data **e_data)
+krb5_pa_data ***e_data_out)
 {
 krb5_error_code retval = KRB5KRB_ERR_GENERIC;
 
@@ -75,16 +75,16 @@ pkinit_create_edata(krb5_context context,
 switch(err_code) {
 case KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE:
 retval = pkinit_create_td_trusted_certifiers(context,
-plg_cryptoctx, req_cryptoctx, id_cryptoctx, e_data);
+plg_cryptoctx, req_cryptoctx, id_cryptoctx, e_data_out);
 break;
 case KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED:
 retval = pkinit_create_td_dh_parameters(context, plg_cryptoctx,
-req_cryptoctx, id_cryptoctx, opts, e_data);
+req_cryptoctx, id_cryptoctx, opts, e_data_out);
 break;
 case KRB5KDC_ERR_INVALID_CERTIFICATE:
 case KRB5KDC_ERR_REVOKED_CERTIFICATE:
 retval = pkinit_create_td_invalid_certificate(context,
-plg_cryptoctx, req_cryptoctx, id_cryptoctx, e_data);
+plg_cryptoctx, req_cryptoctx, id_cryptoctx, e_data_out);
 break;
 default:
 pkiDebug("no edata needed for error %d (%s)\n",
@@ -314,7 +314,7 @@ pkinit_server_verify_padata(krb5_context context,
 krb5_data k5data;
 int is_signed = 1;
 krb5_keyblock *armor_key;
-krb5_data *e_data = NULL;
+krb5_pa_data **e_data = NULL;
 krb5_kdcpreauth_modreq modreq = NULL;
 
 pkiDebug("pkinit_verify_padata: entered!\n");
@@ -1147,7 +1147,7 @@ pkinit_server_get_flags(krb5_context kcontext, krb5_preauthtype patype)
 {
 if (patype == KRB5_PADATA_PKINIT_KX)
 return PA_INFO;
-return PA_SUFFICIENT | PA_REPLACES_KEY;
+return PA_SUFFICIENT | PA_REPLACES_KEY | PA_TYPED_E_DATA;
 }
 
 static krb5_preauthtype supported_server_pa_types[] = {
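Review bot: The newly added `PA_TYPED_E_DATA` bit is the only place the KDC learns that PKINIT's error data must not be sent as bare pa-data, and nothing at the return explains why. A one-line comment above the changed line would save the next reader a trip to the KDC: `/* PKINIT error data (TD-*) is carried as TYPED-DATA in non-FAST KRB-ERRORs, per RFC 4556. */`. The whole body of pkinit_server_get_flags is within this hunk.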
