  • only in /freebsd-13-stable/crypto/heimdal/kdc/

Lines Matching refs:ret

118     krb5_error_code ret;
131 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
132 if (ret) {
134 return ret;
139 ret = krb5_create_checksum(context,
147 if (ret) {
149 return ret;
154 ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
160 ret = KRB5KRB_ERR_GENERIC;
166 return ret;
210 krb5_error_code ret;
218 ret = KRB5KRB_ERR_GENERIC;
219 krb5_set_error_message(context, ret, "public_key");
224 ret = KRB5KRB_ERR_GENERIC;
225 krb5_set_error_message(context, ret,
234 ret = ENOMEM;
235 krb5_set_error_message(context, ret, "malloc: out of memory");
241 ret = KRB5KRB_ERR_GENERIC;
242 krb5_set_error_message(context, ret,
252 ret = 0;
257 ret = KRB5KRB_ERR_GENERIC;
258 krb5_set_error_message(context, ret, "public_key");
264 ret = ENOMEM;
271 ret = ENOMEM;
278 ret = ENOMEM;
279 krb5_set_error_message(context, ret,
290 ret = KRB5KRB_ERR_GENERIC;
291 krb5_set_error_message(context, ret,
296 ret = _krb5_pk_octetstring2key(context,
308 return ret;
335 krb5_error_code ret;
340 ret = KRB5_BADMSGTYPE;
341 krb5_set_error_message(context, ret,
354 ret = decode_DomainParameters(dh_key_info->algorithm.parameters->data,
358 if (ret) {
359 krb5_set_error_message(context, ret, "Can't decode algorithm "
364 ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits,
367 if (ret) {
374 ret = ENOMEM;
375 krb5_set_error_message(context, ret, "Cannot create DH structure");
378 ret = KRB5_BADMSGTYPE;
399 ret = decode_DHPublicKey(dh_key_info->subjectPublicKey.data,
403 if (ret) {
405 return ret;
413 ret = KRB5_BADMSGTYPE;
420 ret = 0;
426 return ret;
439 krb5_error_code ret;
453 ret = decode_ECParameters(dh_key_info->algorithm.parameters->data,
455 if (ret)
459 ret = KRB5_BADMSGTYPE;
466 ret = KRB5_BADMSGTYPE;
477 ret = KRB5_BADMSGTYPE;
478 krb5_set_error_message(context, ret,
489 return ret;
503 krb5_error_code ret;
523 ret = ENOMEM;
527 ret = hx509_certs_init(context->hx509ctx,
530 if (ret) {
531 krb5_set_error_message(context, ret, "failed to create trust anchors");
535 ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
537 if (ret) {
539 krb5_set_error_message(context, ret, "failed to create verify context");
544 ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
545 if (ret == 0 && pc != NULL) {
550 ret = hx509_cert_init_data(context->hx509ctx,
554 if (ret)
561 ret = hx509_verify_init_ctx(context->hx509ctx, &cp->verify_ctx);
562 if (ret) {
564 krb5_set_error_message(context, ret, "failed to create verify context");
581 ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
582 krb5_set_error_message(context, ret,
587 ret = decode_PA_PK_AS_REQ_Win2k(pa->padata_value.data,
591 if (ret) {
592 krb5_set_error_message(context, ret, "Can't decode "
593 "PK-AS-REQ-Win2k: %d", ret);
597 ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack,
602 if (ret) {
603 krb5_set_error_message(context, ret,
604 "Can't unwrap ContentInfo(win): %d", ret);
613 ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
617 if (ret) {
618 krb5_set_error_message(context, ret,
619 "Can't decode PK-AS-REQ: %d", ret);
628 ret = hx509_certs_init(context->hx509ctx,
632 if (ret) {
633 krb5_set_error_message(context, ret,
635 ret);
655 ret = hx509_query_alloc(context->hx509ctx, &q);
656 if (ret) {
657 krb5_set_error_message(context, ret,
662 ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data,
666 if (ret) {
670 ret = hx509_query_match_issuer_serial(q, &iasn.issuer, &iasn.serialNumber);
672 if (ret) {
677 ret = hx509_certs_find(context->hx509ctx,
682 if (ret)
690 ret = hx509_cms_unwrap_ContentInfo(&r.signedAuthPack,
695 if (ret) {
696 krb5_set_error_message(context, ret,
697 "Can't unwrap ContentInfo: %d", ret);
703 ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
707 ret = der_heim_oid_cmp(&contentInfoOid, &asn1_oid_id_pkcs7_signedData);
708 if (ret != 0) {
709 ret = KRB5KRB_ERR_GENERIC;
710 krb5_set_error_message(context, ret,
716 ret = KRB5KRB_ERR_GENERIC;
717 krb5_set_error_message(context, ret,
729 ret = hx509_cms_verify_signed(context->hx509ctx,
739 if (ret) {
740 char *s = hx509_get_error_string(context->hx509ctx, ret);
742 s, ret);
748 ret = hx509_get_one_cert(context->hx509ctx, signer_certs,
752 if (ret)
760 ret = KRB5_BADMSGTYPE;
761 krb5_set_error_message(context, ret, "got wrong oid for pkauthdata");
768 ret = decode_AuthPack_Win2k(eContent.data,
772 if (ret) {
773 krb5_set_error_message(context, ret,
774 "Can't decode AuthPack: %d", ret);
778 ret = pk_check_pkauthenticator_win2k(context,
781 if (ret) {
790 ret = KRB5KRB_ERR_GENERIC;
791 krb5_set_error_message(context, ret,
800 ret = decode_AuthPack(eContent.data,
804 if (ret) {
805 krb5_set_error_message(context, ret,
806 "Can't decode AuthPack: %d", ret);
814 ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
815 krb5_set_error_message(context, ret,
820 ret = pk_check_pkauthenticator(context,
823 if (ret) {
834 ret = get_dh_param(context, config,
839 ret = get_ecdh_param(context, config,
843 ret = KRB5_BADMSGTYPE;
844 krb5_set_error_message(context, ret, "PKINIT unknown DH mechanism");
846 if (ret) {
853 ret = hx509_peer_info_alloc(context->hx509ctx,
855 if (ret) {
861 ret = hx509_peer_info_set_cms_algs(context->hx509ctx,
865 if (ret) {
885 if (ret)
886 krb5_warn(context, ret, "PKINIT");
893 if (ret) {
897 return ret;
929 krb5_error_code ret;
970 ret = copy_EncryptionKey(reply_key, &kp.replyKey);
971 if (ret) {
979 &kp, &size,ret);
986 ret = copy_EncryptionKey(reply_key, &kp.replyKey);
987 if (ret) {
992 ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
993 if (ret) {
998 ret = krb5_create_checksum(context, ascrypto, 6, 0,
1001 if (ret) {
1006 ret = krb5_crypto_destroy(context, ascrypto);
1007 if (ret) {
1011 ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
1014 if (ret) {
1015 krb5_set_error_message(context, ret, "ASN.1 encoding of ReplyKeyPack "
1016 "failed (%d)", ret);
1026 ret = hx509_query_alloc(context->hx509ctx, &q);
1027 if (ret)
1034 ret = hx509_certs_find(context->hx509ctx,
1039 if (ret)
1042 ret = hx509_cms_create_signed_1(context->hx509ctx,
1057 if (ret)
1061 ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData,
1064 if (ret)
1070 ret = hx509_cms_envelope_1(context->hx509ctx,
1076 if (ret)
1079 ret = _krb5_pk_mk_ContentInfo(context,
1084 if (ret && *kdc_cert) {
1091 return ret;
1108 krb5_error_code ret;
1126 ret = BN_to_integer(context, pub_key, &i);
1127 if (ret)
1128 return ret;
1130 ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
1132 if (ret) {
1133 krb5_set_error_message(context, ret, "ASN.1 encoding of "
1134 "DHPublicKey failed (%d)", ret);
1135 return ret;
1170 ret);
1171 if (ret) {
1172 krb5_set_error_message(context, ret, "ASN.1 encoding of "
1173 "KdcDHKeyInfo failed (%d)", ret);
1184 ret = hx509_query_alloc(context->hx509ctx, &q);
1185 if (ret)
1192 ret = hx509_certs_find(context->hx509ctx,
1197 if (ret)
1200 ret = hx509_cms_create_signed_1(context->hx509ctx,
1211 if (ret) {
1212 kdc_log(context, config, 0, "Failed signing the DH* reply: %d", ret);
1217 ret = _krb5_pk_mk_ContentInfo(context,
1221 if (ret)
1225 if (ret && *kdc_cert) {
1234 return ret;
1253 krb5_error_code ret;
1271 ret = KRB5KRB_ERR_GENERIC;
1272 krb5_set_error_message(context, ret,
1295 ret = krb5_generate_random_keyblock(context, enctype,
1297 if (ret) {
1301 ret = pk_mk_pa_reply_enckey(context,
1309 if (ret) {
1315 ret);
1317 if (ret) {
1318 krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
1319 "failed %d", ret);
1326 ret = krb5_generate_random_keyblock(context, sessionetype,
1328 if (ret) {
1349 ret = generate_dh_keyblock(context, cp, enctype);
1350 if (ret)
1351 return ret;
1353 ret = pk_mk_pa_reply_dh(context, config,
1357 if (ret) {
1359 krb5_set_error_message(context, ret,
1361 "failed %d", ret);
1367 ret);
1369 if (ret) {
1370 krb5_set_error_message(context, ret,
1372 "failed %d", ret);
1380 ret = krb5_generate_random_keyblock(context, sessionetype,
1382 if (ret) {
1402 ASN1_MALLOC_ENCODE(PA_PK_AS_REP_BTMM, buf, len, &btmm, &size, ret);
1404 ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
1408 if (ret) {
1409 krb5_set_error_message(context, ret,
1410 "encode PA-PK-AS-REP failed %d", ret);
1423 ret = KRB5KRB_ERR_GENERIC;
1424 krb5_set_error_message(context, ret,
1434 ret = krb5_generate_random_keyblock(context, enctype,
1436 if (ret) {
1440 ret = pk_mk_pa_reply_enckey(context,
1448 if (ret) {
1454 ret);
1456 if (ret) {
1457 krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
1458 "failed %d", ret);
1465 ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
1467 if (ret) {
1468 krb5_set_error_message(context, ret,
1469 "encode PA-PK-AS-REP-Win2k failed %d", ret);
1475 ret = krb5_generate_random_keyblock(context, sessionetype,
1477 if (ret) {
1486 ret = krb5_padata_add(context, md, pa_type, buf, len);
1487 if (ret) {
1488 krb5_set_error_message(context, ret,
1489 "Failed adding PA-PK-AS-REP %d", ret);
1511 ret = fstat(fd, &sb);
1512 if (ret) {
1513 ret = errno;
1516 "PK-INIT failed to stat ocsp data %d", ret);
1520 ret = krb5_data_alloc(&ocsp.data, sb.st_size);
1521 if (ret) {
1524 "PK-INIT failed to stat ocsp data %d", ret);
1528 ret = read(fd, ocsp.data.data, sb.st_size);
1530 if (ret != sb.st_size) {
1536 ret = hx509_ocsp_verify(context->hx509ctx,
1542 if (ret) {
1544 "PK-INIT failed to verify ocsp data %d", ret);
1554 ret = 0;
1559 ret = krb5_padata_add(context, md,
1562 if (ret) {
1563 krb5_set_error_message(context, ret,
1564 "Failed adding OCSP response %d", ret);
1574 if (ret == 0)
1576 return ret;
1587 int ret, found = 0;
1592 ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
1596 if (ret)
1604 ret = decode_KRB5PrincipalName(list.val[i].data,
1607 if (ret) {
1608 const char *msg = krb5_get_error_message(context, ret);
1630 if (ret)
1631 return ret;
1649 int ret;
1655 ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
1659 if (ret)
1668 ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length, &upn, &size);
1669 if (ret) {
1676 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1682 ret = krb5_parse_name(context, upn, &principal);
1684 if (ret) {
1690 ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal);
1699 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1707 return ret;
1720 krb5_error_code ret;
1732 ret = hx509_cert_get_base_subject(context->hx509ctx,
1735 if (ret)
1736 return ret;
1738 ret = hx509_name_to_string(name, subject_name);
1740 if (ret)
1741 return ret;
1747 ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
1748 if (ret == 0 && pc) {
1753 ret = hx509_cert_init_data(context->hx509ctx,
1757 if (ret)
1759 ret = hx509_cert_cmp(cert, cp->cert);
1761 if (ret == 0) {
1771 ret = match_rfc_san(context, config,
1775 if (ret == 0) {
1780 ret = match_ms_upn_san(context, config,
1785 if (ret == 0) {
1792 ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
1793 if (ret == 0 && acl != NULL) {
1829 ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1830 krb5_set_error_message(context, ret,
1841 return ret;
1851 krb5_error_code ret;
1859 ret = krb5_parse_name(context, principal_name, &principal);
1860 if (ret)
1861 return ret;
1882 krb5_error_code ret;
1891 &cas, &size, ret);
1892 if (ret)
1893 return ret;
1897 ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
1901 return ret;
1911 krb5_error_code ret;
1940 ret = add_principal_mapping(context, p, subject_name);
1941 if (ret) {
1942 krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
1965 krb5_error_code ret;
1970 ret = _krb5_parse_moduli(context, file, &moduli);
1971 if (ret)
1972 krb5_err(context, 1, ret, "PKINIT: failed to load modidi file");
1977 ret = _krb5_pk_load_id(context,
1986 if (ret) {
1987 krb5_warn(context, ret, "PKINIT: ");
1989 return ret;
1996 ret = hx509_query_alloc(context->hx509ctx, &q);
1997 if (ret) {
2006 ret = hx509_certs_find(context->hx509ctx,
2011 if (ret == 0) {
2016 ret = hx509_cert_get_subject(cert, &name);
2017 if (ret == 0) {