Lines Matching refs:context

/*
 * verify_req_hash: checks the keyed hash carried in a kx509 request.
 * This listing shows only the lines that mention `context`; the HMAC
 * computation and the digest comparison are not among them.
 * NOTE(review): confirm in the full file that the digest comparison is
 * constant-time, since this check authenticates the request.
 */
62 verify_req_hash(krb5_context context,
/* Two separate paths (source lines 70 and 93) report KRB5KDC_ERR_PREAUTH_FAILED. */
70 krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
/* Failure to allocate the HMAC context is reported as ENOMEM. */
78 krb5_set_error_message(context, ENOMEM,
79 "HMAC context malloc failed");
/*
 * NOTE(review): krb5_abortx() terminates the process. The message describes
 * an internal buffer-size invariant; confirm the condition cannot be reached
 * from request-controlled data, or the KDC could be stopped remotely.
 */
86 krb5_abortx(context, "runtime error, hmac buffer wrong size in kx509");
93 krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
/*
 * calculate_reply_hash: produces the hash placed in the kx509 reply.
 * Only the `context` references are listed; both visible paths are
 * allocation failures reported as ENOMEM (the HMAC context at source
 * line 110, a plain malloc at source line 120).
 */
101 calculate_reply_hash(krb5_context context,
110 krb5_set_error_message(context, ENOMEM,
111 "HMAC context malloc failed");
120 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
/*
 * build_certificate: issues an X.509 certificate for a Kerberos principal
 * through the hx509 CA interface. Only lines that mention `context` are
 * listed, so error checks and branches between them are not visible.
 */
149 build_certificate(krb5_context context,
/*
 * A principal with a second name component is logged as "not a user".
 * Only the first component is then exported as "principal-name".
 */
162 if (krb5_principal_get_comp_string(context, principal, 1) != NULL) {
163 kdc_log(context, config, 0, "Principal is not a user");
/*
 * NOTE(review): component 0 is passed without a visible NULL check, and the
 * realm is not part of the value on these lines. Confirm how cross-realm
 * clients are handled before the name reaches the certificate subject.
 */
167 ret = hx509_env_add(context->hx509ctx, &env, "principal-name",
168 krb5_principal_get_comp_string(context, principal, 0));
/* Load the CA store named by config->kx509_ca. */
176 ret = hx509_certs_init(context->hx509ctx, config->kx509_ca, 0,
179 kdc_log(context, config, 0, "Failed to load CA %s",
/* Find the signer in the CA store; the query is freed right after the lookup. */
183 ret = hx509_query_alloc(context->hx509ctx, &q);
192 ret = hx509_certs_find(context->hx509ctx, certs, q, &signer);
193 hx509_query_free(context->hx509ctx, q);
196 kdc_log(context, config, 0, "Failed to find a CA in %s",
/* Start the to-be-signed certificate and attach the subject public key info. */
202 ret = hx509_ca_tbs_init(context->hx509ctx, &tbs);
222 ret = hx509_ca_tbs_set_spki(context->hx509ctx, tbs, &spki);
/* Load the template named by config->kx509_template and apply one certificate from it. */
232 ret = hx509_certs_init(context->hx509ctx, config->kx509_template, 0,
235 kdc_log(context, config, 0, "Failed to load template %s",
239 ret = hx509_get_one_cert(context->hx509ctx, certs, &template);
242 kdc_log(context, config, 0, "Failed to find template in %s",
246 ret = hx509_ca_tbs_set_template(context->hx509ctx, tbs,
/*
 * NOTE(review): the next two calls do not assign to `ret` on the visible
 * lines. If setting notAfter or expanding the subject fails unnoticed, the
 * certificate could be signed with an unintended lifetime or an unexpanded
 * subject. Confirm in the full file and check both results.
 */
256 hx509_ca_tbs_set_notAfter(context->hx509ctx, tbs, endtime);
258 hx509_ca_tbs_subject_expand(context->hx509ctx, tbs, env);
/* Sign with the CA signer and serialise the result into `certificate`. */
261 ret = hx509_ca_sign(context->hx509ctx, tbs, signer, &cert);
268 ret = hx509_cert_binary(context->hx509ctx, cert, certificate);
/* Failure path: one generic message for the error code in `ret`. */
281 krb5_set_error_message(context, ret, "cert creation failed");
/*
 * _kdc_do_kx509: KDC handler for a kx509 request. It authenticates the
 * embedded AP-REQ, checks the target service principal, verifies the request
 * hash, issues a certificate and hashes the reply. Only lines that mention
 * `context` are listed; control flow between them is not visible.
 */
290 _kdc_do_kx509(krb5_context context,
310 kdc_log(context, config, 0,
315 kdc_log(context, config, 0, "Kx509 request from %s", from);
/* Service keys come from the "HDB:" keytab, i.e. the KDC database. */
317 ret = krb5_kt_resolve(context, "HDB:", &id);
/* NOTE(review): this log text says "digest" in the kx509 handler. It looks copied from another handler and may mislead log triage. */
319 kdc_log(context, config, 0, "Can't open database for digest");
/* Verify the AP-REQ, then take the client principal and its printable name from the ticket. */
323 ret = krb5_rd_req(context,
333 ret = krb5_ticket_get_client(context, ticket, &cprincipal);
337 ret = krb5_unparse_name(context, cprincipal, &cname);
/* Build the expected "kca_service" principal and compare it with the ticket's server principal. */
343 ret = krb5_sname_to_principal(context, NULL, "kca_service",
351 ret = krb5_ticket_get_server(context, ticket, &principal);
355 ret = krb5_principal_compare(context, sprincipal, principal);
/*
 * NOTE(review): `principal` is freed here (source line 356) and passed to
 * krb5_unparse_name() at source line 363 on the mismatch path. No listed
 * line reassigns it in between, so this looks like a use-after-free when a
 * client presents a ticket for the wrong service. Confirm in the full file;
 * the free should move after the last use.
 */
356 krb5_free_principal(context, principal);
360 ret = krb5_unparse_name(context, sprincipal, &expected);
363 ret = krb5_unparse_name(context, principal, &used);
370 krb5_set_error_message(context, ret,
/* Fetch the key from the auth context and use it to verify the request hash. */
380 ret = krb5_auth_con_getkey(context, ac, &key);
384 krb5_set_error_message(context, ret, "Kx509 can't get session key");
388 ret = verify_req_hash(context, req, key);
/*
 * The ticket end time is passed to build_certificate(); it presumably becomes
 * the certificate notAfter, bounding the certificate by the ticket lifetime.
 */
417 ret = build_certificate(context, config, &req->pk_key,
418 krb5_ticket_get_endtime(context, ticket),
/* The reply is hashed with the same key. */
423 ret = calculate_reply_hash(context, key, &rep);
437 krb5_set_error_message(context, ret, "Failed to encode kx509 reply");
/* NOTE(review): krb5_abortx() terminates the KDC process. Confirm this condition is an internal encoder invariant, not request-dependent. */
441 krb5_abortx(context, "ASN1 internal error");
454 kdc_log(context, config, 0, "Successful Kx509 request for %s", cname);
/* Cleanup: release the auth context, ticket, keytab, principals and key. Any guards around these calls are not listed. */
458 krb5_auth_con_free(context, ac);
460 krb5_warn(context, ret, "Kx509 request from %s failed", from);
462 krb5_free_ticket(context, ticket);
464 krb5_kt_close(context, id);
466 krb5_free_principal(context, sprincipal);
468 krb5_free_principal(context, cprincipal);
470 krb5_free_keyblock (context, key);