Lines Matching refs:ret

118     krb5_error_code ret;
131 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
132 if (ret) {
134 return ret;
139 ret = krb5_create_checksum(context,
147 if (ret) {
149 return ret;
154 ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
160 ret = KRB5KRB_ERR_GENERIC;
166 return ret;
210 krb5_error_code ret;
218 ret = KRB5KRB_ERR_GENERIC;
219 krb5_set_error_message(context, ret, "public_key");
224 ret = KRB5KRB_ERR_GENERIC;
225 krb5_set_error_message(context, ret,
234 ret = ENOMEM;
235 krb5_set_error_message(context, ret, "malloc: out of memory");
241 ret = KRB5KRB_ERR_GENERIC;
242 krb5_set_error_message(context, ret,
252 ret = 0;
257 ret = KRB5KRB_ERR_GENERIC;
258 krb5_set_error_message(context, ret, "public_key");
264 ret = ENOMEM;
271 ret = ENOMEM;
278 ret = ENOMEM;
279 krb5_set_error_message(context, ret,
290 ret = KRB5KRB_ERR_GENERIC;
291 krb5_set_error_message(context, ret,
296 ret = _krb5_pk_octetstring2key(context,
308 return ret;
334 krb5_error_code ret;
339 ret = KRB5_BADMSGTYPE;
340 krb5_set_error_message(context, ret,
/*
 * Review note on the order of checks visible in this cross-reference:
 * the DH domain parameters are decoded from
 * dh_key_info->algorithm.parameters, then _krb5_dh_group_ok() is called
 * with the configured config->pkinit_dh_min_bits, and only after that does
 * the ENOMEM path for creating the DH structure appear (373-374).
 * The remaining arguments of both calls and the bodies of the error
 * branches are on lines this listing omits.
 * NOTE(review): dh_key_info presumably carries key material taken from the
 * request being processed - confirm against the caller in the full file.
 */
353 ret = decode_DomainParameters(dh_key_info->algorithm.parameters->data,
357 if (ret) {
358 krb5_set_error_message(context, ret, "Can't decode algorithm "
363 ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits,
366 if (ret) {
373 ret = ENOMEM;
374 krb5_set_error_message(context, ret, "Cannot create DH structure");
377 ret = KRB5_BADMSGTYPE;
392 ret = decode_DHPublicKey(dh_key_info->subjectPublicKey.data,
396 if (ret) {
398 return ret;
406 ret = KRB5_BADMSGTYPE;
413 ret = 0;
419 return ret;
432 krb5_error_code ret;
446 ret = decode_ECParameters(dh_key_info->algorithm.parameters->data,
448 if (ret)
452 ret = KRB5_BADMSGTYPE;
459 ret = KRB5_BADMSGTYPE;
470 ret = KRB5_BADMSGTYPE;
471 krb5_set_error_message(context, ret,
482 return ret;
496 krb5_error_code ret;
516 ret = ENOMEM;
520 ret = hx509_certs_init(context->hx509ctx,
523 if (ret) {
524 krb5_set_error_message(context, ret, "failed to create trust anchors");
528 ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
530 if (ret) {
532 krb5_set_error_message(context, ret, "failed to create verify context");
537 ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
538 if (ret == 0 && pc != NULL) {
543 ret = hx509_cert_init_data(context->hx509ctx,
547 if (ret)
554 ret = hx509_verify_init_ctx(context->hx509ctx, &cp->verify_ctx);
555 if (ret) {
557 krb5_set_error_message(context, ret, "failed to create verify context");
574 ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
575 krb5_set_error_message(context, ret,
580 ret = decode_PA_PK_AS_REQ_Win2k(pa->padata_value.data,
584 if (ret) {
585 krb5_set_error_message(context, ret, "Can't decode "
586 "PK-AS-REQ-Win2k: %d", ret);
590 ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack,
595 if (ret) {
596 krb5_set_error_message(context, ret,
597 "Can't unwrap ContentInfo(win): %d", ret);
606 ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
610 if (ret) {
611 krb5_set_error_message(context, ret,
612 "Can't decode PK-AS-REQ: %d", ret);
621 ret = hx509_certs_init(context->hx509ctx,
625 if (ret) {
626 krb5_set_error_message(context, ret,
628 ret);
648 ret = hx509_query_alloc(context->hx509ctx, &q);
649 if (ret) {
650 krb5_set_error_message(context, ret,
655 ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data,
659 if (ret) {
663 ret = hx509_query_match_issuer_serial(q, &iasn.issuer, &iasn.serialNumber);
665 if (ret) {
670 ret = hx509_certs_find(context->hx509ctx,
675 if (ret)
683 ret = hx509_cms_unwrap_ContentInfo(&r.signedAuthPack,
688 if (ret) {
689 krb5_set_error_message(context, ret,
690 "Can't unwrap ContentInfo: %d", ret);
696 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
700 ret = der_heim_oid_cmp(&contentInfoOid, &asn1_oid_id_pkcs7_signedData);
701 if (ret != 0) {
702 ret = KRB5KRB_ERR_GENERIC;
703 krb5_set_error_message(context, ret,
709 ret = KRB5KRB_ERR_GENERIC;
710 krb5_set_error_message(context, ret,
722 ret = hx509_cms_verify_signed(context->hx509ctx,
732 if (ret) {
733 char *s = hx509_get_error_string(context->hx509ctx, ret);
735 s, ret);
741 ret = hx509_get_one_cert(context->hx509ctx, signer_certs,
745 if (ret)
753 ret = KRB5_BADMSGTYPE;
754 krb5_set_error_message(context, ret, "got wrong oid for pkauthdata");
761 ret = decode_AuthPack_Win2k(eContent.data,
765 if (ret) {
766 krb5_set_error_message(context, ret,
767 "Can't decode AuthPack: %d", ret);
771 ret = pk_check_pkauthenticator_win2k(context,
774 if (ret) {
783 ret = KRB5KRB_ERR_GENERIC;
784 krb5_set_error_message(context, ret,
793 ret = decode_AuthPack(eContent.data,
797 if (ret) {
798 krb5_set_error_message(context, ret,
799 "Can't decode AuthPack: %d", ret);
807 ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
808 krb5_set_error_message(context, ret,
813 ret = pk_check_pkauthenticator(context,
816 if (ret) {
827 ret = get_dh_param(context, config,
832 ret = get_ecdh_param(context, config,
836 ret = KRB5_BADMSGTYPE;
837 krb5_set_error_message(context, ret, "PKINIT unknown DH mechanism");
839 if (ret) {
846 ret = hx509_peer_info_alloc(context->hx509ctx,
848 if (ret) {
854 ret = hx509_peer_info_set_cms_algs(context->hx509ctx,
858 if (ret) {
878 if (ret)
879 krb5_warn(context, ret, "PKINIT");
886 if (ret) {
890 return ret;
922 krb5_error_code ret;
963 ret = copy_EncryptionKey(reply_key, &kp.replyKey);
964 if (ret) {
972 &kp, &size,ret);
979 ret = copy_EncryptionKey(reply_key, &kp.replyKey);
980 if (ret) {
985 ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
986 if (ret) {
991 ret = krb5_create_checksum(context, ascrypto, 6, 0,
994 if (ret) {
999 ret = krb5_crypto_destroy(context, ascrypto);
1000 if (ret) {
1004 ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
1007 if (ret) {
1008 krb5_set_error_message(context, ret, "ASN.1 encoding of ReplyKeyPack "
1009 "failed (%d)", ret);
1019 ret = hx509_query_alloc(context->hx509ctx, &q);
1020 if (ret)
1027 ret = hx509_certs_find(context->hx509ctx,
1032 if (ret)
1035 ret = hx509_cms_create_signed_1(context->hx509ctx,
1050 if (ret)
1054 ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData,
1057 if (ret)
1063 ret = hx509_cms_envelope_1(context->hx509ctx,
1069 if (ret)
1072 ret = _krb5_pk_mk_ContentInfo(context,
1077 if (ret && *kdc_cert) {
1084 return ret;
1101 krb5_error_code ret;
1117 ret = BN_to_integer(context, kdc_dh->pub_key, &i);
1118 if (ret)
1119 return ret;
1121 ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
1123 if (ret) {
1124 krb5_set_error_message(context, ret, "ASN.1 encoding of "
1125 "DHPublicKey failed (%d)", ret);
1126 return ret;
1161 ret);
1162 if (ret) {
1163 krb5_set_error_message(context, ret, "ASN.1 encoding of "
1164 "KdcDHKeyInfo failed (%d)", ret);
1175 ret = hx509_query_alloc(context->hx509ctx, &q);
1176 if (ret)
1183 ret = hx509_certs_find(context->hx509ctx,
1188 if (ret)
1191 ret = hx509_cms_create_signed_1(context->hx509ctx,
1202 if (ret) {
1203 kdc_log(context, config, 0, "Failed signing the DH* reply: %d", ret);
1208 ret = _krb5_pk_mk_ContentInfo(context,
1212 if (ret)
1216 if (ret && *kdc_cert) {
1225 return ret;
1244 krb5_error_code ret;
1262 ret = KRB5KRB_ERR_GENERIC;
1263 krb5_set_error_message(context, ret,
1286 ret = krb5_generate_random_keyblock(context, enctype,
1288 if (ret) {
1292 ret = pk_mk_pa_reply_enckey(context,
1300 if (ret) {
1306 ret);
1308 if (ret) {
1309 krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
1310 "failed %d", ret);
1317 ret = krb5_generate_random_keyblock(context, sessionetype,
1319 if (ret) {
1340 ret = generate_dh_keyblock(context, cp, enctype);
1341 if (ret)
1342 return ret;
1344 ret = pk_mk_pa_reply_dh(context, config,
1348 if (ret) {
1350 krb5_set_error_message(context, ret,
1352 "failed %d", ret);
1358 ret);
1360 if (ret) {
1361 krb5_set_error_message(context, ret,
1363 "failed %d", ret);
1371 ret = krb5_generate_random_keyblock(context, sessionetype,
1373 if (ret) {
1393 ASN1_MALLOC_ENCODE(PA_PK_AS_REP_BTMM, buf, len, &btmm, &size, ret);
1395 ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
1399 if (ret) {
1400 krb5_set_error_message(context, ret,
1401 "encode PA-PK-AS-REP failed %d", ret);
1414 ret = KRB5KRB_ERR_GENERIC;
1415 krb5_set_error_message(context, ret,
1425 ret = krb5_generate_random_keyblock(context, enctype,
1427 if (ret) {
1431 ret = pk_mk_pa_reply_enckey(context,
1439 if (ret) {
1445 ret);
1447 if (ret) {
1448 krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
1449 "failed %d", ret);
1456 ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
1458 if (ret) {
1459 krb5_set_error_message(context, ret,
1460 "encode PA-PK-AS-REP-Win2k failed %d", ret);
1466 ret = krb5_generate_random_keyblock(context, sessionetype,
1468 if (ret) {
1477 ret = krb5_padata_add(context, md, pa_type, buf, len);
1478 if (ret) {
1479 krb5_set_error_message(context, ret,
1480 "Failed adding PA-PK-AS-REP %d", ret);
/*
 * Review note: these lines load OCSP data from an already-open descriptor
 * (fd) and hand it to hx509_ocsp_verify(). How fd was opened, and what
 * each error branch does, is outside this listing.
 */
1502 ret = fstat(fd, &sb);
1503 if (ret) {
1504 ret = errno;
1507 "PK-INIT failed to stat ocsp data %d", ret);
/*
 * The buffer is sized from sb.st_size as reported by fstat() above.
 * NOTE(review): the message on 1515 repeats the stat wording of 1507
 * although the failing call shown on 1511 is krb5_data_alloc(); it looks
 * like a copied message, which would make an allocation failure read as a
 * stat failure in the logs - confirm against lines 1513-1514.
 */
1511 ret = krb5_data_alloc(&ocsp.data, sb.st_size);
1512 if (ret) {
1515 "PK-INIT failed to stat ocsp data %d", ret);
/*
 * A single read() is issued for the whole file and its return value is
 * compared with sb.st_size, so a short read or a read error takes the
 * mismatch branch (body not shown).
 * NOTE(review): read() returns ssize_t; the declaration of ret is not in
 * this span. If it is the krb5_error_code declared on 1244, the byte
 * count is narrowed before the comparison with st_size - confirm in the
 * full file.
 */
1519 ret = read(fd, ocsp.data.data, sb.st_size);
1521 if (ret != sb.st_size) {
1527 ret = hx509_ocsp_verify(context->hx509ctx,
1533 if (ret) {
1535 "PK-INIT failed to verify ocsp data %d", ret);
1545 ret = 0;
1550 ret = krb5_padata_add(context, md,
1553 if (ret) {
1554 krb5_set_error_message(context, ret,
1555 "Failed adding OCSP response %d", ret);
1565 if (ret == 0)
1567 return ret;
1578 int ret, found = 0;
1583 ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
1587 if (ret)
1595 ret = decode_KRB5PrincipalName(list.val[i].data,
1598 if (ret) {
1599 const char *msg = krb5_get_error_message(context, ret);
1621 if (ret)
1622 return ret;
1640 int ret;
1646 ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
1650 if (ret)
1659 ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length, &upn, &size);
1660 if (ret) {
1667 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1673 ret = krb5_parse_name(context, upn, &principal);
1675 if (ret) {
1681 ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal);
1690 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1698 return ret;
1711 krb5_error_code ret;
1723 ret = hx509_cert_get_base_subject(context->hx509ctx,
1726 if (ret)
1727 return ret;
1729 ret = hx509_name_to_string(name, subject_name);
1731 if (ret)
1732 return ret;
1738 ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
1739 if (ret == 0 && pc) {
1744 ret = hx509_cert_init_data(context->hx509ctx,
1748 if (ret)
1750 ret = hx509_cert_cmp(cert, cp->cert);
1752 if (ret == 0) {
1762 ret = match_rfc_san(context, config,
1766 if (ret == 0) {
1771 ret = match_ms_upn_san(context, config,
1776 if (ret == 0) {
1783 ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
1784 if (ret == 0 && acl != NULL) {
1820 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1821 krb5_set_error_message(context, ret,
1832 return ret;
1842 krb5_error_code ret;
1850 ret = krb5_parse_name(context, principal_name, &principal);
1851 if (ret)
1852 return ret;
1873 krb5_error_code ret;
1882 &cas, &size, ret);
1883 if (ret)
1884 return ret;
1888 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
1892 return ret;
1902 krb5_error_code ret;
1931 ret = add_principal_mapping(context, p, subject_name);
1932 if (ret) {
1933 krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
/*
 * Review note: the two failures visible here are handled differently.
 * A non-zero result from _krb5_parse_moduli() goes to krb5_err() with
 * exit status 1, which terminates the process, while a non-zero result
 * from _krb5_pk_load_id() is reported with krb5_warn() and returned to
 * the caller (1980).
 * NOTE(review): the word modidi in the message on 1963 looks like a typo
 * for moduli (compare _krb5_parse_moduli on 1961). The string is runtime
 * text and is left unchanged here; anyone grepping logs for this failure
 * needs the misspelt form.
 */
1956 krb5_error_code ret;
1961 ret = _krb5_parse_moduli(context, file, &moduli);
1962 if (ret)
1963 krb5_err(context, 1, ret, "PKINIT: failed to load modidi file");
1968 ret = _krb5_pk_load_id(context,
1977 if (ret) {
1978 krb5_warn(context, ret, "PKINIT: ");
1980 return ret;
1987 ret = hx509_query_alloc(context->hx509ctx, &q);
1988 if (ret) {
1997 ret = hx509_certs_find(context->hx509ctx,
2002 if (ret == 0) {
2007 ret = hx509_cert_get_subject(cert, &name);
2008 if (ret == 0) {