author | Greg Hudson <ghudson@mit.edu> | 2009-12-28 18:03:31 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2009-12-28 18:03:31 +0000 |
commit | 92516277cb0205a1781b06d204d9d103d599f8a7 (patch) | |
tree | 0c1fdfa704f8c8e31dba09768d216f0ae7d23607 /src | |
parent | ec49e6e673ab229462ef18aa2986167eaa643643 (diff) | |
Whitespace fixes for new anonymous support
ticket: 6607
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r-- | src/clients/kinit/kinit.c | 26 | ||||
-rw-r--r-- | src/include/krb5/krb5.hin | 19 | ||||
-rw-r--r-- | src/kadmin/cli/kadmin.c | 15 | ||||
-rw-r--r-- | src/kdc/do_as_req.c | 3 | ||||
-rw-r--r-- | src/kdc/kdc_authdata.c | 7 | ||||
-rw-r--r-- | src/lib/gssapi/krb5/import_name.c | 3 | ||||
-rw-r--r-- | src/lib/kadm5/clnt/client_init.c | 5 | ||||
-rw-r--r-- | src/lib/krb5/krb/bld_princ.c | 14 | ||||
-rw-r--r-- | src/lib/krb5/krb/chk_trans.c | 6 | ||||
-rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 45 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 30 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto.h | 12 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 55 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_identity.c | 15 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 46 |
15 files changed, 167 insertions, 134 deletions
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 79ac65418..9349f487a 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -190,7 +190,7 @@ usage()
 USAGE_BREAK_LONG
 "[-p | -P" USAGE_LONG_PROXIABLE "] "
 USAGE_BREAK_LONG
- "-n"
+ "-n "
 "[-a | -A" USAGE_LONG_ADDRESSES "] "
 USAGE_BREAK_LONG
 "[-C" USAGE_LONG_CANONICALIZE "] "
@@ -216,7 +216,7 @@ usage()
 fprintf(stderr, "\t-F not forwardable\n");
 fprintf(stderr, "\t-p proxiable\n");
 fprintf(stderr, "\t-P not proxiable\n");
- fprintf(stderr, "\t -n anonymous\n");
+ fprintf(stderr, "\t-n anonymous\n");
 fprintf(stderr, "\t-a include addresses\n");
 fprintf(stderr, "\t-A do not include addresses\n");
 fprintf(stderr, "\t-v validate\n");
@@ -487,10 +487,12 @@ k5_begin(opts, k5)
 }
 code = krb5_build_principal_ext(k5->ctx, &k5->me, strlen(defrealm), defrealm,
- strlen(KRB5_WELLKNOWN_NAMESTR), KRB5_WELLKNOWN_NAMESTR,
- strlen(KRB5_ANONYMOUS_PRINCSTR), KRB5_ANONYMOUS_PRINCSTR,
+ strlen(KRB5_WELLKNOWN_NAMESTR),
+ KRB5_WELLKNOWN_NAMESTR,
+ strlen(KRB5_ANONYMOUS_PRINCSTR),
+ KRB5_ANONYMOUS_PRINCSTR,
 0);
- krb5_free_default_realm( k5->ctx, defrealm);
+ krb5_free_default_realm(k5->ctx, defrealm);
 if (code) {
 com_err(progname, code, "while building principal");
 return 0;
@@ -507,29 +509,27 @@ k5_begin(opts, k5)
 }
 if (k5->me->realm.data[0] == 0) {
 code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
- if (code == 0)
+ if (code == 0) {
 com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN, "(principal %s)", k5->name);
- else
+ } else {
 com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN, "for local services");
+ }
 return 0;
 }
 } else {
 /* Get default principal from cache if one exists */
 code = krb5_cc_get_principal(k5->ctx, k5->cc, &k5->me);
- if (code)
- {
+ if (code) {
 char *name = get_name_from_os();
- if (!name)
- {
+ if (!name) {
 fprintf(stderr, "Unable to identify user\n");
 return 0;
 }
 if ((code = krb5_parse_name_flags(k5->ctx, name,
- flags, &k5->me)))
- {
+ flags, &k5->me))) {
 com_err(progname, code, "when parsing name %s", name);
 return 0;
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 470ca4d50..76aef5659 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -261,8 +261,9 @@ typedef krb5_principal_data * krb5_principal;
 #define KRB5_NT_SMTP_NAME 7
 /* Windows 2000 UPN */
 #define KRB5_NT_ENTERPRISE_PRINCIPAL 10
-#define KRB5_NT_WELLKNOWN 11
-#define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /*first component of NT_WELLKNOWN principals*/
+#define KRB5_NT_WELLKNOWN 11
+/* First component of NT_WELLKNOWN principals */
+#define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN"
 /* Windows 2000 UPN and SID */
 #define KRB5_NT_MS_PRINCIPAL -128
 /* NT 4 style name */
@@ -295,14 +296,12 @@ typedef const krb5_principal_data *krb5_const_principal;
 */
 krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *);
-/*Both these functions return constant storage that must not be freed*/
+/* Both these functions return constant storage that must not be freed. */
+const krb5_data *KRB5_CALLCONV krb5_anonymous_realm(void);
+krb5_const_principal KRB5_CALLCONV krb5_anonymous_principal(void);
-const krb5_data *KRB5_CALLCONV
-krb5_anonymous_realm(void);
-krb5_const_principal KRB5_CALLCONV
-krb5_anonymous_principal(void);
 #define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS"
-#define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /*wellknown name type*/
+#define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /* wellknown name type */
 /*
 * end "base-defs.h"
 */
@@ -638,7 +637,7 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
 #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27
 /* XXX note conflict with above */
 #define KRB5_KEYUSAGE_AD_SIGNEDPATH -21
-#define KRB5_KEYUSAGE_PA_PKINIT_KX 44
+#define KRB5_KEYUSAGE_PA_PKINIT_KX 44
 /* define in draft-ietf-krb-wg-preauth-framework*/
 #define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
 #define KRB5_KEYUSAGE_FAST_ENC 51
@@ -939,7 +938,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
 #define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000
 #define TKT_FLG_OK_AS_DELEGATE 0x00040000
 #define TKT_FLG_ENC_PA_REP 0x00010000
-#define TKT_FLG_ANONYMOUS 0x00008000
+#define TKT_FLG_ANONYMOUS 0x00008000
 /* #define TKT_FLG_RESERVED 0x00004000 */
 /* #define TKT_FLG_RESERVED 0x00002000 */
 /* #define TKT_FLG_RESERVED 0x00001000 */
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 1bcf891ed..c8ef3eb20 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -270,7 +270,8 @@ kadmin_startup(int argc, char *argv[])
 exit(1);
 }
- while ((optchar = getopt(argc, argv, "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) {
+ while ((optchar = getopt(argc, argv,
+ "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) {
 switch (optchar) {
 case 'x':
 db_args_size++;
@@ -352,9 +353,9 @@ kadmin_startup(int argc, char *argv[])
 }
 }
 if ((ccache_name && use_keytab) ||
- (keytab_name && !use_keytab)
- || (ccache_name && use_anonymous)
- || (use_anonymous &&use_keytab))
+ (keytab_name && !use_keytab) ||
+ (ccache_name && use_anonymous) ||
+ (use_anonymous && use_keytab))
 usage();
 if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) {
@@ -492,9 +493,9 @@ kadmin_startup(int argc, char *argv[])
 retval = kadm5_init_with_creds(context, princstr, cc, svcname, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, db_args, &handle);
- } else if ( use_anonymous) {
- printf("Authenticating as principal %s with password; anonymous requested.\n",
- princstr);
+ } else if (use_anonymous) {
+ printf("Authenticating as principal %s with password; "
+ "anonymous requested.\n", princstr);
 retval = kadm5_init_anonymous(context, princstr, svcname, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, db_args, &handle);
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 58da726cb..55493ba77 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -389,7 +389,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 enc_tkt_reply.caddrs = request->addresses;
 enc_tkt_reply.authorization_data = 0;
- /* If anonymous requests are being used, adjust the realm of the client principal*/
+ /* If anonymous requests are being used, adjust the realm of the client
+ * principal. */
 if (isflagset(request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS)) {
 if (!krb5_principal_compare_any_realm(kdc_context, request->client, krb5_anonymous_principal())) {
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 882167443..8b01ad388 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -128,7 +128,7 @@ typedef struct _krb5_authdata_systems {
 int type;
 #define AUTHDATA_FLAG_CRITICAL 0x1
 #define AUTHDATA_FLAG_PRE_PLUGIN 0x2
-#define AUTHDATA_FLAG_ANONYMOUS 0x4 /*Use this plugin even for anonymous tickets*/
+#define AUTHDATA_FLAG_ANONYMOUS 0x4 /* Use plugin even for anonymous tickets */
 int flags;
 void *plugin_context;
 init_proc init;
@@ -144,7 +144,8 @@ static krb5_authdata_systems static_authdata_systems[] = {
 /* Propagate client-submitted authdata */
 "tgs_req",
 AUTHDATA_SYSTEM_V2,
- AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN|AUTHDATA_FLAG_ANONYMOUS,
+ AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN |
+ AUTHDATA_FLAG_ANONYMOUS,
 NULL,
 NULL,
 NULL,
@@ -154,7 +155,7 @@ static krb5_authdata_systems static_authdata_systems[] = {
 /* Propagate TGT authdata */
 "tgt",
 AUTHDATA_SYSTEM_V2,
- AUTHDATA_FLAG_CRITICAL|AUTHDATA_FLAG_ANONYMOUS,
+ AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_ANONYMOUS,
 NULL,
 NULL,
 NULL,
diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c
index cfb75fb22..23a6df951 100644
--- a/src/lib/gssapi/krb5/import_name.c
+++ b/src/lib/gssapi/krb5/import_name.c
@@ -156,7 +156,8 @@ krb5_gss_import_name(minor_status, input_name_buffer,
 }
 } else if ((input_name_type != NULL) && g_OID_equal(input_name_type, GSS_C_NT_ANONYMOUS)) {
- code = krb5_copy_principal(context, krb5_anonymous_principal(), &princ);
+ code = krb5_copy_principal(context, krb5_anonymous_principal(),
+ &princ);
 if (code != 0) {
 krb5_free_context(context);
 *minor_status = code;
diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
index 82033e9fd..03e0a9c55 100644
--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
@@ -59,7 +59,7 @@
 #define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX"
-enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS , INIT_ANONYMOUS};
+enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS };
 static kadm5_ret_t _kadm5_init_any(krb5_context context, char *client_name,
@@ -356,7 +356,8 @@ static kadm5_ret_t _kadm5_init_any(krb5_context context, char *client_name,
 * The RPC connection is open; establish the GSS-API
 * authentication context.
 */
- code = kadm5_setup_gss(handle, params_in, (init_type == INIT_CREDS)?client_name:NULL,
+ code = kadm5_setup_gss(handle, params_in,
+ (init_type == INIT_CREDS) ? client_name : NULL,
 full_svcname);
 if (code)
 goto error;
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
index 8378599d3..372f6c991 100644
--- a/src/lib/krb5/krb/bld_princ.c
+++ b/src/lib/krb5/krb/bld_princ.c
@@ -189,21 +189,20 @@ krb5_build_principal(krb5_context context,
 }
 /*Anonymous and well known principals*/
-static const char anon_realm_str[]
-= KRB5_ANONYMOUS_REALMSTR;
+static const char anon_realm_str[] = KRB5_ANONYMOUS_REALMSTR;
 static const krb5_data anon_realm_data = {
- KV5M_DATA, sizeof(anon_realm_str)-1,
- (char *) anon_realm_str};
+ KV5M_DATA, sizeof(anon_realm_str) - 1, (char *) anon_realm_str
+};
 static const char wellknown_str[] = KRB5_WELLKNOWN_NAMESTR;
 static const char anon_str[] = KRB5_ANONYMOUS_PRINCSTR;
 static const krb5_data anon_princ_data[] = {
- {KV5M_DATA, sizeof(wellknown_str)-1, (char *) wellknown_str},
- {KV5M_DATA, sizeof(anon_str)-1, (char *)anon_str}
+ { KV5M_DATA, sizeof(wellknown_str) - 1, (char *) wellknown_str },
+ { KV5M_DATA, sizeof(anon_str) - 1, (char *) anon_str }
 };
 const krb5_principal_data anon_princ = {
 KV5M_PRINCIPAL,
- {KV5M_DATA, sizeof(anon_realm_str)-1, (char *) anon_realm_str},
+ { KV5M_DATA, sizeof(anon_realm_str) - 1, (char *) anon_realm_str },
 (krb5_data *) anon_princ_data, 2, KRB5_NT_WELLKNOWN
 };
@@ -212,6 +211,7 @@ krb5_anonymous_realm()
 {
 return &anon_realm_data;
 }
+
 krb5_const_principal KRB5_CALLCONV
 krb5_anonymous_principal()
 {
diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c
index def50885c..64ccb3030 100644
--- a/src/lib/krb5/krb/chk_trans.c
+++ b/src/lib/krb5/krb/chk_trans.c
@@ -329,9 +329,9 @@ krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in,
 if (trans.length == 0)
 return 0;
 anonymous = krb5_anonymous_realm();
- if (crealm->length == anonymous->length
- && (memcmp(crealm->data, anonymous->data, anonymous->length) == 0))
- return 0; /*Nothing to check for anonymous*/
+ if (crealm->length == anonymous->length &&
+ (memcmp(crealm->data, anonymous->data, anonymous->length) == 0))
+ return 0; /* Nothing to check for anonymous */
 r = krb5_walk_realm_tree (ctx, crealm, srealm, &cdata.tgs, KRB5_REALM_BRANCH_CHAR);
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 315bdc943..09df3f052 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -300,14 +300,15 @@ verify_anonymous( krb5_context context, krb5_kdc_req *request,
 krb5_keyblock *kdc_key = NULL, *expected = NULL;
 krb5_enc_data *enc = NULL;
 krb5_keyblock *session = reply->enc_part2->session;
+
 if (!krb5_principal_compare_any_realm(context, request->client, krb5_anonymous_principal()))
- return 0; /*Only applies to fully anonymous*/
+ return 0; /* Only applies to fully anonymous */
 pa = krb5int_find_pa_data(context, reply->padata, KRB5_PADATA_PKINIT_KX);
 if (pa == NULL)
 goto verification_error;
 scratch.length = pa->length;
- scratch.data = (char *) pa->contents;
+ scratch.data = (char *) pa->contents;
 ret = decode_krb5_enc_data( &scratch, &enc);
 if (ret)
 goto cleanup;
@@ -318,7 +319,7 @@ verify_anonymous( krb5_context context, krb5_kdc_req *request,
 ret = krb5_c_decrypt(context, as_key, KRB5_KEYUSAGE_PA_PKINIT_KX, NULL /*cipherstate*/, enc, &scratch);
 if (ret) {
- free( scratch.data);
+ free(scratch.data);
 goto cleanup;
 }
 ret = decode_krb5_encryption_key( &scratch, &kdc_key);
@@ -326,13 +327,13 @@ verify_anonymous( krb5_context context, krb5_kdc_req *request,
 free(scratch.data);
 if (ret)
 goto cleanup;
- ret = krb5_c_fx_cf2_simple( context, kdc_key, "PKINIT",
- as_key, "KEYEXCHANGE", &expected);
+ ret = krb5_c_fx_cf2_simple(context, kdc_key, "PKINIT",
+ as_key, "KEYEXCHANGE", &expected);
 if (ret)
 goto cleanup;
- if ((expected->enctype != session->enctype)
- || (expected->length != session->length)
- || (memcmp(expected->contents, session->contents, expected->length) != 0))
+ if ((expected->enctype != session->enctype) ||
+ (expected->length != session->length) ||
+ (memcmp(expected->contents, session->contents, expected->length) != 0))
 goto verification_error;
 cleanup:
 if (kdc_key)
@@ -344,7 +345,8 @@ cleanup:
 return ret;
 verification_error:
 ret = KRB5_KDCREP_MODIFIED;
- krb5_set_error_message(context, ret, "Reply has wrong form of session key for anonymous request");
+ krb5_set_error_message(context, ret, "Reply has wrong form of session key "
+ "for anonymous request");
 goto cleanup;
 }
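Review bot: In verify_anonymous the plaintext encoding of the KDC contribution key is released with a bare `free(scratch.data)` — once in the krb5_c_decrypt error path and again right after `decode_krb5_encryption_key( &scratch, &kdc_key)` — while the KDC side of the same exchange (return_pkinit_kx, later in this diff) clears the identical encoding with `memset(scratch->data, 0, scratch->length)` before freeing it. The two ends should agree; the client should do `memset(scratch.data, 0, scratch.length); free(scratch.data);` at both sites, or use whatever zeroing helper this tree prefers. Whether the error-path buffer already holds decrypted bytes depends on how krb5_c_decrypt fills its output on failure, which is outside the hunk, so clearing it there is cheap insurance rather than a confirmed leak. verify_anonymous begins before this hunk.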
@@ -369,14 +371,17 @@ verify_as_reply(krb5_context context,
 * principal) and we requested (and received) a TGT.
 */
 canon_req = ((request->kdc_options & KDC_OPT_CANONICALIZE) != 0) ||
- (krb5_princ_type(context, request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL)
- || (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS);
+ (krb5_princ_type(context, request->client) ==
+ KRB5_NT_ENTERPRISE_PRINCIPAL) ||
+ (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS);
 if (canon_req) {
 canon_ok = IS_TGS_PRINC(context, request->server) && IS_TGS_PRINC(context, as_reply->enc_part2->server);
- if ((!canon_ok ) && (request->kdc_options &KDC_OPT_REQUEST_ANONYMOUS))
- canon_ok = krb5_principal_compare_any_realm(context, as_reply->client,
+ if (!canon_ok && (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS)) {
+ canon_ok = krb5_principal_compare_any_realm(context,
+ as_reply->client,
 krb5_anonymous_principal());
+ }
 } else
 canon_ok = 0;
@@ -1463,13 +1468,14 @@ krb5_init_creds_init(krb5_context context,
 ctx->salt.data = NULL;
 }
- /*Anonymous*/
+ /* Anonymous. */
 if(opte->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS) {
 ctx->request->kdc_options |= KDC_OPT_REQUEST_ANONYMOUS;
- /*Remap @REALM to WELLKNOWN/ANONYMOUS@REALM*/
+ /* Remap @REALM to WELLKNOWN/ANONYMOUS@REALM. */
 if (client->length == 1 && client->data[0].length ==0) {
 krb5_principal new_client;
- code = krb5_build_principal_ext(context, &new_client, client->realm.length,
+ code = krb5_build_principal_ext(context, &new_client,
+ client->realm.length,
 client->realm.data, strlen(KRB5_WELLKNOWN_NAMESTR), KRB5_WELLKNOWN_NAMESTR,
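Review bot: Two spacing nits survive inside the krb5_init_creds_init hunk that this whitespace commit otherwise cleans up: `if(opte->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS) {` and `client->data[0].length ==0` should read `if (opte->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS) {` and `client->data[0].length == 0`. Both are context lines here, so fixing them widens the hunk by two lines, but leaving them means the next reformatting pass touches this block again for the same reason. krb5_init_creds_init continues past the end of the hunk.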
@@ -1483,7 +1489,8 @@ krb5_init_creds_init(krb5_context context,
 krb5_princ_type(context, ctx->request->client) = KRB5_NT_WELLKNOWN;
 }
 }
- /*We will also handle anonymous if the input principal is the anonymous principal*/
+ /* We will also handle anonymous if the input principal is the anonymous
+ * principal. */
 if (krb5_principal_compare_any_realm(context, ctx->request->client, krb5_anonymous_principal())) {
 ctx->request->kdc_options |= KDC_OPT_REQUEST_ANONYMOUS;
@@ -1924,8 +1931,8 @@ init_creds_step_reply(krb5_context context,
 ctx->request, ctx->reply);
 if (code != 0)
 goto cleanup;
- code = verify_anonymous( context, ctx->request, ctx->reply,
- &encrypting_key);
+ code = verify_anonymous(context, ctx->request, ctx->reply,
+ &encrypting_key);
 if (code)
 goto cleanup;
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 8f17f7e4a..6888c1b07 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -346,17 +346,26 @@ pkinit_as_req_create(krb5_context context,
 retval = ENOMEM;
 goto cleanup;
 }
- /*For the new protocol, we support anonymous*/
+ /* For the new protocol, we support anonymous. */
 if (krb5_principal_compare_any_realm(context, client,
- krb5_anonymous_principal()))
+ krb5_anonymous_principal())) {
 retval = cms_contentinfo_create(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_CLIENT,
- (unsigned char *)coded_auth_pack->data, coded_auth_pack->length,
- &req->signedAuthPack.data, &req->signedAuthPack.length);
- else retval = cms_signeddata_create(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_CLIENT, 1,
- (unsigned char *)coded_auth_pack->data, coded_auth_pack->length,
- &req->signedAuthPack.data, &req->signedAuthPack.length);
+ reqctx->cryptoctx, reqctx->idctx,
+ CMS_SIGN_CLIENT, (unsigned char *)
+ coded_auth_pack->data,
+ coded_auth_pack->length,
+ &req->signedAuthPack.data,
+ &req->signedAuthPack.length);
+ } else {
+ retval = cms_signeddata_create(context, plgctx->cryptoctx,
+ reqctx->cryptoctx, reqctx->idctx,
+ CMS_SIGN_CLIENT, 1,
+ (unsigned char *)
+ coded_auth_pack->data,
+ coded_auth_pack->length,
+ &req->signedAuthPack.data,
+ &req->signedAuthPack.length);
+ }
 #ifdef DEBUG_ASN1
 print_buffer_bin((unsigned char *)req->signedAuthPack.data, req->signedAuthPack.length,
@@ -687,7 +696,8 @@ pkinit_as_rep_parse(krb5_context context,
 reqctx->opts->require_crl_checking,
 kdc_reply->u.dh_Info.dhSignedData.data,
 kdc_reply->u.dh_Info.dhSignedData.length,
- &dh_data.data, &dh_data.length, NULL, NULL, NULL)) != 0) {
+ &dh_data.data, &dh_data.length,
+ NULL, NULL, NULL)) != 0) {
 pkiDebug("failed to verify pkcs7 signed data\n");
 goto cleanup;
 }
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index dedd8f945..2c584b6bf 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -120,9 +120,8 @@ krb5_error_code cms_contentinfo_create
 pkinit_req_crypto_context req_cryptoctx, /* IN */
 pkinit_identity_crypto_context id_cryptoctx, /* IN */
 int cms_msg_type,
- unsigned char *in_data, unsigned int in_length,
- unsigned char **out_data, unsigned int *out_data_len);
-
+ unsigned char *in_data, unsigned int in_length,
+ unsigned char **out_data, unsigned int *out_data_len);
 /*
 * this function creates a CMS message where eContentType is SignedData
@@ -181,9 +180,10 @@ krb5_error_code cms_signeddata_verify
 receives required authorization data that contains the verified certificate chain (only used by the KDC) */
- unsigned int *authz_data_len, /* OUT
- receives length of authz_data */
- int *is_signed /*out: is message signed*/);
+ unsigned int *authz_data_len, /* OUT
+ receives length of authz_data */
+ int *is_signed); /* OUT
+ receives whether message is signed */
 /*
 * this function creates a CMS message where eContentType is EnvelopedData
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 887ec0627..85e8dcaac 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -692,15 +692,16 @@ pkinit_identity_set_prompter(pkinit_identity_crypto_context id_cryptoctx,
 }
 /*helper function for creating pkinit ContentInfo*/
-static krb5_error_code create_contentinfo
-(krb5_context context, pkinit_plg_crypto_context plg_crypto_context,
- ASN1_OBJECT *oid,
- unsigned char *data, size_t data_len,
- PKCS7 **out_p7)
+static krb5_error_code
+create_contentinfo(krb5_context context,
+ pkinit_plg_crypto_context plg_crypto_context,
+ ASN1_OBJECT *oid, unsigned char *data, size_t data_len,
+ PKCS7 **out_p7)
 {
 krb5_error_code retval = EINVAL;
 PKCS7 *inner_p7;
 ASN1_TYPE *pkinit_data = NULL;
+ *out_p7 = NULL;
 if ((inner_p7 = PKCS7_new()) == NULL)
 goto cleanup;
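Review bot: The reworded parameter comment `int *is_signed); /* OUT receives whether message is signed */` on cms_signeddata_verify leaves out the two facts a caller actually needs: the pointer may be NULL, and a result of 0 means the input was a bare ContentInfo on which no signature or certificate verification was performed. The implementation later in this diff only takes the unsigned path under `if (is_signed && !OBJ_cmp(p7->type, oid))`, so a NULL pointer makes unsigned input fall through to the SignedData type check and be rejected. I would extend the comment to: `/* OUT, may be NULL: set to 0 if the message was an unsigned ContentInfo (no signature or certificate checks were done); passing NULL rejects unsigned input. */`. The prototype begins before this hunk.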
@@ -709,8 +710,8 @@ static krb5_error_code create_contentinfo
 pkinit_data->type = V_ASN1_OCTET_STRING;
 if ((pkinit_data->value.octet_string = ASN1_OCTET_STRING_new()) == NULL)
 goto cleanup;
- if (!ASN1_OCTET_STRING_set(pkinit_data->value.octet_string, (unsigned char *) data,
- data_len)) {
+ if (!ASN1_OCTET_STRING_set(pkinit_data->value.octet_string,
+ (unsigned char *) data, data_len)) {
 unsigned long err = ERR_peek_error();
 retval = KRB5KDC_ERR_PREAUTH_FAILED;
 krb5_set_error_message(context, retval, "%s\n",
@@ -732,20 +733,21 @@ cleanup:
 return retval;
 }
-krb5_error_code cms_contentinfo_create
-(krb5_context context, /* IN */
- pkinit_plg_crypto_context plg_cryptoctx, /* IN */
- pkinit_req_crypto_context req_cryptoctx, /* IN */
- pkinit_identity_crypto_context id_cryptoctx, /* IN */
- int cms_msg_type,
- unsigned char *data, unsigned int data_len,
- unsigned char **out_data, unsigned int *out_data_len)
+krb5_error_code
+cms_contentinfo_create(krb5_context context, /* IN */
+ pkinit_plg_crypto_context plg_cryptoctx, /* IN */
+ pkinit_req_crypto_context req_cryptoctx, /* IN */
+ pkinit_identity_crypto_context id_cryptoctx, /* IN */
+ int cms_msg_type,
+ unsigned char *data, unsigned int data_len,
+ unsigned char **out_data, unsigned int *out_data_len)
 {
 krb5_error_code retval = ENOMEM;
 ASN1_OBJECT *oid = NULL;
 PKCS7 *p7 = NULL;
 unsigned char *p;
- /* pick the correct oid for the eContentInfo */
+
+ /* Pick the correct oid for the eContentInfo. */
 oid = pkinit_pkcs7type2oid(plg_cryptoctx, cms_msg_type);
 if (oid == NULL)
 goto cleanup;
@@ -822,10 +824,11 @@ cms_signeddata_create(krb5_context context,
 ASN1_OBJECT *oid = NULL;
 if (id_cryptoctx->my_certs == NULL) {
- krb5_set_error_message(context, EINVAL, "cms_signdata_create called with no certificates");
+ krb5_set_error_message(context, EINVAL, "cms_signdata_create called "
+ "with no certificates");
 return EINVAL;
 }
-/* start creating PKCS7 data */
+ /* Start creating PKCS7 data. */
 if ((p7 = PKCS7_new()) == NULL)
 goto cleanup;
 p7->type = OBJ_nid2obj(NID_pkcs7_signed);
@@ -1164,13 +1167,15 @@ cms_signeddata_verify(krb5_context context,
 goto cleanup;
 }
-/*Handle the case in pkinit anonymous where we get unsigned data.*/
- if (is_signed && !OBJ_cmp( p7->type, oid)) {
+ /* Handle the case in pkinit anonymous where we get unsigned data. */
+ if (is_signed && !OBJ_cmp(p7->type, oid)) {
 unsigned char *d;
 *is_signed = 0;
 if (p7->d.other->type != V_ASN1_OCTET_STRING) {
 retval = KRB5KDC_ERR_PREAUTH_FAILED;
- krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Invalid pkinit packet: octet string expected");
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "Invalid pkinit packet: octet string "
+ "expected");
 goto cleanup;
 }
 *data_len = ASN1_STRING_length(p7->d.other->value.octet_string);
@@ -1183,14 +1188,15 @@ cms_signeddata_verify(krb5_context context,
 *data_len);
 *data = d;
 goto out;
- } else /* verify that the received message is PKCS7 SignedData message */
+ } else {
+ /* Verify that the received message is PKCS7 SignedData message. */
 if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) {
- pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n", OBJ_obj2nid(p7->type));
 krb5_set_error_message(context, retval, "wrong oid\n");
 goto cleanup;
 }
+ }
 /* setup to verify X509 certificate used to sign PKCS7 message */
 if (!(store = X509_STORE_new()))
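Review bot: The rewritten comment `/* Handle the case in pkinit anonymous where we get unsigned data. */` undersells what the branch below it does: no signature or certificate verification happens at all, the raw octet string is copied out, `*is_signed = 0` is recorded and control jumps to `out`, so the only thing standing between an unsigned request and acceptance is the caller honoring `*is_signed` (pkinit_server_verify_padata does so later in this diff). That contract belongs next to the shortcut, not only at the call site; I would write `/* Unsigned ContentInfo: allowed only for anonymous PKINIT. Nothing is verified here; the caller must check *is_signed == 0 and reject non-anonymous clients. */`. cms_signeddata_verify begins before this hunk and the copy that fills `d` is split across the next one.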
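Review bot: Dropping the `pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n", ...)` line leaves the rejection path with only `krb5_set_error_message(context, retval, "wrong oid\n")`, which both loses the received content type and carries a trailing newline that krb5 error strings should not have. Folding the lost detail into the message keeps the diagnostic without the debug macro: `krb5_set_error_message(context, retval, "Expected id-signedData PKCS7 msg (received type = %d)", OBJ_obj2nid(p7->type));`. The value of `retval` on this path is assigned before the hunk, so I have not checked which error code the caller ends up seeing.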
@@ -3521,7 +3527,8 @@ pkinit_C_Decrypt(pkinit_identity_crypto_context id_cryptoctx,
 rv = id_cryptoctx->p11->C_Decrypt(id_cryptoctx->session, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);
 if (rv == CKR_OK) {
- pkiDebug("pData %x *pulDataLen %d\n", (unsigned int) pData, (int) *pulDataLen);
+ pkiDebug("pData %x *pulDataLen %d\n", (unsigned int) pData,
+ (int) *pulDataLen);
 }
 return rv;
 }
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index aecea2c78..2ba05a470 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -518,15 +518,16 @@ pkinit_identity_initialize(krb5_context context,
 * in the config file.
 */
 if (idopts->identity != NULL) {
- retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx,
- idopts, id_cryptoctx,
- idopts->identity);
+ retval = process_option_identity(context, plg_cryptoctx,
+ req_cryptoctx, idopts,
+ id_cryptoctx, idopts->identity);
 } else if (idopts->identity_alt != NULL) {
- for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++)
+ for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) {
 retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->identity_alt[i]);
+ }
 } else {
 pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
 goto errout;
@@ -540,8 +541,8 @@ pkinit_identity_initialize(krb5_context context,
 goto errout;
 if (do_matching) {
- retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx, princ);
+ retval = pkinit_cert_matching(context, plg_cryptoctx,
+ req_cryptoctx, id_cryptoctx, princ);
 if (retval) {
 pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
 crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
@@ -565,7 +566,7 @@ pkinit_identity_initialize(krb5_context context,
 id_cryptoctx);
 if (retval)
 goto errout;
- } /*not anonymous principal*/
+ } /* Not anonymous principal */
 for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
 retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 34700ad18..9db4d0a46 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -406,8 +406,8 @@ pkinit_server_verify_padata(krb5_context context,
 if (retval)
 goto cleanup;
 if (!valid_san) {
- pkiDebug("%s: did not find an acceptable SAN in user certificate\n",
- __FUNCTION__);
+ pkiDebug("%s: did not find an acceptable SAN in user "
+ "certificate\n", __FUNCTION__);
 retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
 goto cleanup;
 }
@@ -416,15 +416,17 @@ pkinit_server_verify_padata(krb5_context context,
 goto cleanup;
 if (!valid_eku) {
- pkiDebug("%s: did not find an acceptable EKU in user certificate\n",
- __FUNCTION__);
+ pkiDebug("%s: did not find an acceptable EKU in user "
+ "certificate\n", __FUNCTION__);
 retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
 goto cleanup;
 }
- } else { /*!is_signed*/
- if (!krb5_principal_compare( context, request->client, krb5_anonymous_principal())) {
+ } else { /* !is_signed */
+ if (!krb5_principal_compare(context, request->client,
+ krb5_anonymous_principal())) {
 retval = KRB5KDC_ERR_PREAUTH_FAILED;
- krb5_set_error_message(context, retval, "Pkinit request not signed, but client not anonymous.");
+ krb5_set_error_message(context, retval, "Pkinit request not "
+ "signed, but client not anonymous.");
 goto cleanup;
 }
 }
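Review bot: The unsigned-request gate `if (!krb5_principal_compare(context, request->client, krb5_anonymous_principal()))` is the one place in this diff that tests for the anonymous principal with the realm-sensitive comparison; do_as_req.c, get_in_tkt.c and pkinit_clnt.c all use krb5_principal_compare_any_realm. That is presumably deliberate — process_as_req earlier in this diff adjusts the client's realm for anonymous requests, so by the time preauth runs an exact match is the stronger check — but a reader comparing the two sides will wonder, and if that adjustment ever moved after preauth a legitimate WELLKNOWN/ANONYMOUS@REALM request would be refused here (fail-closed, but still a breakage). A one-line comment would settle it: `/* Exact compare on purpose: process_as_req has already canonicalized the realm. */`. The enclosing if/else on is_signed starts before this hunk.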
@@ -545,13 +547,13 @@ pkinit_server_verify_padata(krb5_context context,
 break;
 }
+ /*
+ * This code used to generate ad-initial-verified-cas authorization data.
+ * However that has been removed until the ad-kdc-issued discussion can
+ * happen in the working group. Dec 2009
+ */
 /* return authorization data to be included in the ticket */
 switch ((int)data->pa_type) {
-/*
- * This code used to generate ad-initial-verified-cas authorization data.
- * However that has been removed until the ad-kdc-issued discussion can happen
- * in the working group. Dec 2009
- */
 default:
 *authz_data = NULL;
 }
@@ -593,9 +595,9 @@ cleanup:
 return retval;
 }
 static krb5_error_code
-return_pkinit_kx( krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **out_padata)
+return_pkinit_kx(krb5_context context, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **out_padata)
 {
 krb5_error_code ret = 0;
 krb5_keyblock *session = reply->ticket->enc_part2->session;
@@ -603,15 +605,16 @@ return_pkinit_kx( krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *rep
 krb5_pa_data *pa = NULL;
 krb5_enc_data enc;
 krb5_data *scratch = NULL;
+ *out_padata = NULL;
 enc.ciphertext.data = NULL;
 if (!krb5_principal_compare(context, request->client, krb5_anonymous_principal()))
 return 0;
 /*
- *The KDC contribution key needs to be a fresh key of an
- *enctype supported by the client and server. The existing
- *session key meets these requirements so we use itt.
+ * The KDC contribution key needs to be a fresh key of an enctype supported
+ * by the client and server. The existing session key meets these
+ * requirements so we use it.
 */
 ret = krb5_c_fx_cf2_simple(context, session, "PKINIT", encrypting_key, "KEYEXCHANGE",
@@ -621,8 +624,8 @@ return_pkinit_kx( krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *rep
 ret = encode_krb5_encryption_key( session, &scratch);
 if (ret)
 goto cleanup;
- ret = krb5_encrypt_helper( context, encrypting_key, KRB5_KEYUSAGE_PA_PKINIT_KX,
- scratch, &enc);
+ ret = krb5_encrypt_helper(context, encrypting_key,
+ KRB5_KEYUSAGE_PA_PKINIT_KX, scratch, &enc);
 if (ret)
 goto cleanup;
 memset(scratch->data, 0, scratch->length);
@@ -699,9 +702,10 @@ pkinit_server_return_padata(krb5_context context,
 int fixed_keypack = 0;
 *send_pa = NULL;
- if (padata->pa_type == KRB5_PADATA_PKINIT_KX)
+ if (padata->pa_type == KRB5_PADATA_PKINIT_KX) {
 return return_pkinit_kx(context, request, reply, encrypting_key, send_pa);
+ }
 if (padata == NULL || padata->length <= 0 || padata->contents == NULL)
 return 0; |
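Review bot: `padata->pa_type` is dereferenced on the first line of the rewritten `if` in pkinit_server_return_padata, two lines before the function's own `padata == NULL` test, so that guard can never protect the early return; if this entry point can be reached with a NULL padata — the later check says the authors expected it — the KDC dereferences NULL. Put a plain NULL test in front and leave the length/contents checks where they are, since the PKINIT_KX case is deliberately routed around them: `if (padata == NULL) return 0;` immediately before `if (padata->pa_type == KRB5_PADATA_PKINIT_KX) {`. The function's declarations begin before this hunk.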