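Lines matching references to `context` (each entry below is the original source line number followed by the matching line; statements that span several lines are shown incomplete)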

95 pk_check_pkauthenticator_win2k(krb5_context context,
101 krb5_timeofday (context, &now);
104 if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) {
105 krb5_clear_error_message(context);
112 pk_check_pkauthenticator(krb5_context context,
123 krb5_timeofday (context, &now);
126 if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) {
127 krb5_clear_error_message(context);
133 krb5_clear_error_message(context);
137 krb5_abortx(context, "Internal error in ASN.1 encoder");
139 ret = krb5_create_checksum(context,
148 krb5_clear_error_message(context);
153 krb5_clear_error_message(context);
159 krb5_clear_error_message(context);
170 _kdc_pk_free_client_param(krb5_context context, pk_client_params *cp)
192 krb5_free_keyblock_contents(context, &cp->reply_key);
204 generate_dh_keyblock(krb5_context context,
219 krb5_set_error_message(context, ret, "public_key");
225 krb5_set_error_message(context, ret,
235 krb5_set_error_message(context, ret, "malloc: out of memory");
242 krb5_set_error_message(context, ret,
258 krb5_set_error_message(context, ret, "public_key");
279 krb5_set_error_message(context, ret,
291 krb5_set_error_message(context, ret,
296 ret = _krb5_pk_octetstring2key(context,
306 krb5_free_keyblock_contents(context, &key);
312 integer_to_BN(krb5_context context, const char *field, heim_integer *f)
318 krb5_set_error_message(context, KRB5_BADMSGTYPE,
327 get_dh_param(krb5_context context,
340 krb5_set_error_message(context, ret,
347 krb5_set_error_message(context, KRB5_BADMSGTYPE,
358 krb5_set_error_message(context, ret, "Can't decode algorithm "
363 ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits,
374 krb5_set_error_message(context, ret, "Cannot create DH structure");
378 dh->p = integer_to_BN(context, "DH prime", &dhparam.p);
381 dh->g = integer_to_BN(context, "DH base", &dhparam.g);
384 dh->q = integer_to_BN(context, "DH p-1 factor", &dhparam.q);
397 krb5_clear_error_message(context);
401 client_params->u.dh.public_key = integer_to_BN(context,
425 get_ecdh_param(krb5_context context,
438 krb5_set_error_message(context, KRB5_BADMSGTYPE,
471 krb5_set_error_message(context, ret,
488 _kdc_pk_rd_padata(krb5_context context,
508 kdc_log(context, config, 0, "PK-INIT request but PK-INIT not enabled");
509 krb5_clear_error_message(context);
515 krb5_clear_error_message(context);
520 ret = hx509_certs_init(context->hx509ctx,
524 krb5_set_error_message(context, ret, "failed to create trust anchors");
528 ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
532 krb5_set_error_message(context, ret, "failed to create verify context");
543 ret = hx509_cert_init_data(context->hx509ctx,
549 hx509_certs_add(context->hx509ctx, trust_anchors, cert);
554 ret = hx509_verify_init_ctx(context->hx509ctx, &cp->verify_ctx);
557 krb5_set_error_message(context, ret, "failed to create verify context");
575 krb5_set_error_message(context, ret,
585 krb5_set_error_message(context, ret, "Can't decode "
596 krb5_set_error_message(context, ret,
611 krb5_set_error_message(context, ret,
621 ret = hx509_certs_init(context->hx509ctx,
626 krb5_set_error_message(context, ret,
648 ret = hx509_query_alloc(context->hx509ctx, &q);
650 krb5_set_error_message(context, ret,
660 hx509_query_free(context->hx509ctx, q);
666 hx509_query_free(context->hx509ctx, q);
670 ret = hx509_certs_find(context->hx509ctx,
674 hx509_query_free(context->hx509ctx, q);
677 hx509_certs_add(context->hx509ctx,
689 krb5_set_error_message(context, ret,
695 krb5_clear_error_message(context);
703 krb5_set_error_message(context, ret,
710 krb5_set_error_message(context, ret,
722 ret = hx509_cms_verify_signed(context->hx509ctx,
733 char *s = hx509_get_error_string(context->hx509ctx, ret);
734 krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
741 ret = hx509_get_one_cert(context->hx509ctx, signer_certs,
754 krb5_set_error_message(context, ret, "got wrong oid for pkauthdata");
766 krb5_set_error_message(context, ret,
771 ret = pk_check_pkauthenticator_win2k(context,
784 krb5_set_error_message(context, ret,
798 krb5_set_error_message(context, ret,
808 krb5_set_error_message(context, ret,
813 ret = pk_check_pkauthenticator(context,
827 ret = get_dh_param(context, config,
832 ret = get_ecdh_param(context, config,
837 krb5_set_error_message(context, ret, "PKINIT unknown DH mechanism");
846 ret = hx509_peer_info_alloc(context->hx509ctx,
854 ret = hx509_peer_info_set_cms_algs(context->hx509ctx,
864 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
866 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
868 hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
873 krb5_abortx(context, "internal pkinit error");
875 kdc_log(context, config, 0, "PK-INIT request of type %s", type);
879 krb5_warn(context, ret, "PKINIT");
887 _kdc_pk_free_client_param(context, cp);
898 BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer)
903 krb5_clear_error_message(context);
912 pk_mk_pa_reply_enckey(krb5_context context,
956 krb5_abortx(context, "internal pkinit error");
965 krb5_clear_error_message(context);
981 krb5_clear_error_message(context);
985 ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
987 krb5_clear_error_message(context);
991 ret = krb5_create_checksum(context, ascrypto, 6, 0,
995 krb5_clear_error_message(context);
999 ret = krb5_crypto_destroy(context, ascrypto);
1001 krb5_clear_error_message(context);
1008 krb5_set_error_message(context, ret, "ASN.1 encoding of ReplyKeyPack "
1013 krb5_abortx(context, "Internal ASN.1 encoder error");
1019 ret = hx509_query_alloc(context->hx509ctx, &q);
1027 ret = hx509_certs_find(context->hx509ctx,
1031 hx509_query_free(context->hx509ctx, q);
1035 ret = hx509_cms_create_signed_1(context->hx509ctx,
1063 ret = hx509_cms_envelope_1(context->hx509ctx,
1072 ret = _krb5_pk_mk_ContentInfo(context,
1092 pk_mk_pa_reply_dh(krb5_context context,
1117 ret = BN_to_integer(context, kdc_dh->pub_key, &i);
1124 krb5_set_error_message(context, ret, "ASN.1 encoding of "
1129 krb5_abortx(context, "Internal ASN.1 encoder error");
1155 krb5_abortx(context, "no keyex selected ?");
1163 krb5_set_error_message(context, ret, "ASN.1 encoding of "
1168 krb5_abortx(context, "Internal ASN.1 encoder error");
1175 ret = hx509_query_alloc(context->hx509ctx, &q);
1183 ret = hx509_certs_find(context->hx509ctx,
1187 hx509_query_free(context->hx509ctx, q);
1191 ret = hx509_cms_create_signed_1(context->hx509ctx,
1203 kdc_log(context, config, 0, "Failed signing the DH* reply: %d", ret);
1208 ret = _krb5_pk_mk_ContentInfo(context,
1233 _kdc_pk_mk_pa_reply(krb5_context context,
1253 krb5_clear_error_message(context);
1259 if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)
1263 krb5_set_error_message(context, ret,
1286 ret = krb5_generate_random_keyblock(context, enctype,
1292 ret = pk_mk_pa_reply_enckey(context,
1309 krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
1315 krb5_abortx(context, "Internal ASN.1 encoder error");
1317 ret = krb5_generate_random_keyblock(context, sessionetype,
1332 default: krb5_abortx(context, "unknown keyex"); break;
1340 ret = generate_dh_keyblock(context, cp, enctype);
1344 ret = pk_mk_pa_reply_dh(context, config,
1350 krb5_set_error_message(context, ret,
1361 krb5_set_error_message(context, ret,
1368 krb5_abortx(context, "Internal ASN.1 encoder error");
1371 ret = krb5_generate_random_keyblock(context, sessionetype,
1400 krb5_set_error_message(context, ret,
1405 krb5_abortx(context, "Internal ASN.1 encoder error");
1407 kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
1415 krb5_set_error_message(context, ret,
1425 ret = krb5_generate_random_keyblock(context, enctype,
1431 ret = pk_mk_pa_reply_enckey(context,
1448 krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
1454 krb5_abortx(context, "Internal ASN.1 encoder error");
1459 krb5_set_error_message(context, ret,
1464 krb5_abortx(context, "Internal ASN.1 encoder error");
1466 ret = krb5_generate_random_keyblock(context, sessionetype,
1474 krb5_abortx(context, "PK-INIT internal error");
1477 ret = krb5_padata_add(context, md, pa_type, buf, len);
1479 krb5_set_error_message(context, ret,
1498 kdc_log(context, config, 0,
1506 kdc_log(context, config, 0,
1514 kdc_log(context, config, 0,
1522 kdc_log(context, config, 0,
1527 ret = hx509_ocsp_verify(context->hx509ctx,
1534 kdc_log(context, config, 0,
1550 ret = krb5_padata_add(context, md,
1554 krb5_set_error_message(context, ret,
1571 match_rfc_san(krb5_context context,
1599 const char *msg = krb5_get_error_message(context, ret);
1600 kdc_log(context, config, 0,
1602 krb5_free_error_message(context, msg);
1606 kdc_log(context, config, 0,
1614 if (krb5_principal_compare(context, &principal, match) == TRUE)
1631 match_ms_upn_san(krb5_context context,
1654 kdc_log(context, config, 0,
1661 kdc_log(context, config, 0, "Decode of MS-UPN-SAN failed");
1666 kdc_log(context, config, 0, "Trailing data in ");
1671 kdc_log(context, config, 0, "found MS UPN SAN: %s", upn);
1673 ret = krb5_parse_name(context, upn, &principal);
1676 kdc_log(context, config, 0, "Failed to parse principal in MS UPN SAN");
1681 ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal);
1689 if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE)
1695 krb5_free_principal(context, principal);
1702 _kdc_pk_check_client(krb5_context context,
1723 ret = hx509_cert_get_base_subject(context->hx509ctx,
1734 kdc_log(context, config, 0,
1744 ret = hx509_cert_init_data(context->hx509ctx,
1753 kdc_log(context, config, 5,
1762 ret = match_rfc_san(context, config,
1763 context->hx509ctx,
1767 kdc_log(context, config, 5,
1771 ret = match_ms_upn_san(context, config,
1772 context->hx509ctx,
1777 kdc_log(context, config, 5,
1799 kdc_log(context, config, 5,
1808 b = krb5_principal_compare(context,
1815 kdc_log(context, config, 5,
1821 krb5_set_error_message(context, ret,
1825 kdc_log(context, config, 5,
1836 add_principal_mapping(krb5_context context,
1850 ret = krb5_parse_name(context, principal_name, &principal);
1858 krb5_free_principal(context, principal);
1867 _kdc_add_inital_verified_cas(krb5_context context,
1886 krb5_abortx(context, "internal asn.1 encoder error");
1888 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
1900 load_mappings(krb5_context context, const char *fn)
1924 krb5_warnx(context, "pkinit mapping file line %lu "
1931 ret = add_principal_mapping(context, p, subject_name);
1933 krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
1947 krb5_kdc_pk_initialize(krb5_context context,
1958 file = krb5_config_get_string(context, NULL,
1961 ret = _krb5_parse_moduli(context, file, &moduli);
1963 krb5_err(context, 1, ret, "PKINIT: failed to load modidi file");
1968 ret = _krb5_pk_load_id(context,
1978 krb5_warn(context, ret, "PKINIT: ");
1987 ret = hx509_query_alloc(context->hx509ctx, &q);
1989 krb5_warnx(context, "PKINIT: out of memory");
1997 ret = hx509_certs_find(context->hx509ctx,
2001 hx509_query_free(context->hx509ctx, q);
2003 if (hx509_cert_check_eku(context->hx509ctx, cert,
2010 krb5_warnx(context, "WARNING Found KDC certificate (%s)"
2019 krb5_warnx(context, "PKINIT: failed to find a signing "
2023 if (krb5_config_get_bool_default(context,
2031 file = krb5_config_get_string(context,
2037 asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context));
2041 load_mappings(context, file);