2N/A/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ 2N/A * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved. 2N/A * COPYRIGHT (C) 2006,2007 2N/A * THE REGENTS OF THE UNIVERSITY OF MICHIGAN 2N/A * ALL RIGHTS RESERVED 2N/A * Permission is granted to use, copy, create derivative works 2N/A * and redistribute this software and such derivative works 2N/A * for any purpose, so long as the name of The University of 2N/A * Michigan is not used in any advertising or publicity 2N/A * pertaining to the use of distribution of this software 2N/A * without specific, written prior authorization. If the 2N/A * above copyright notice or any other identification of the 2N/A * University of Michigan is included in any copy of any 2N/A * portion of this software, then the disclaimer below must 2N/A * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION 2N/A * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY 2N/A * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF 2N/A * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING 2N/A * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF 2N/A * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE 2N/A * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE 2N/A * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR 2N/A * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING 2N/A * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN 2N/A * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF 2N/A/* Remove when FAST PKINIT is settled. */ 2N/A * It is anticipated that all the special checks currently 2N/A * required when talking to a Longhorn server will go away 2N/A * by the time it is officially released and all references 2N/A * to the longhorn global can be removed and any code 2N/A * #ifdef'd with LONGHORN_BETA_COMPAT can be removed. 2N/A * Current testing (20070620) is against a patched Beta 3 2N/A * version of Longhorn. Most, if not all, problems should 2N/A * be fixed in SP1 of Longhorn. 2N/A /* If we don't have a client, we're done */ 2N/A /* checksum of the encoded KDC-REQ-BODY */ 2N/A /* XXX PKINIT RFC says that nonce in PKAuthenticator doesn't have be the 2N/A * same as in the AS_REQ. However, if we pick a different nonce, then we 2N/A * need to remember that info when AS_REP is returned. I'm choosing to 2N/A * reuse the AS_REQ nonce. 2N/A pkiDebug(
"error %d on pkinit_as_req_create; aborting PKINIT\n",
2N/A * The most we'll return is two pa_data, normally just one. 2N/A * We need to make room for the NULL terminator. 2N/A * LH Beta 3 requires the extra pa-data, even for RFC requests, 2N/A * in order to get the Checksum rather than a Nonce in the reply. 2N/A * This can be removed when LH SP1 is released. 2N/A /* Create the authpack */ 2N/A /* add List of CMS algorithms */ 2N/A /* create client-side DH keys */ 2N/A pkiDebug(
"as_req: unknown key transport protocol %d\n",
2N/A /* Encode the authpack */ 2N/A /* create PKCS7 object from authpack */ 2N/A /* For the new protocol, we support anonymous. */ 2N/A /* create a list of trusted CAs */ 2N/A /* Encode the as-req */ 2N/A /* W2K3 KDC doesn't like this */ 2N/A /* Encode the as-req */ 2N/A * One way or the other - success or failure - no other PA systems can 2N/A * work if the server sent us a PKINIT reply, since only we know how to 2N/A pkiDebug(
"%s: No pkinit_kdc_hostname values found in config file\n",
2N/A pkiDebug(
"%s: pkinit_kdc_hostname values found in config file\n",
2N/A pkiDebug(
"%s: call_san_checking_plugins() returned retval %d\n",
2N/A pkiDebug(
"%s: call_san_checking_plugins() returned decision %d and " 2N/A "need_eku_checking %d\n",
2N/A pkiDebug(
"%s: no certhosts (or we wouldn't accept them anyway)\n",
2N/A pkiDebug(
"%s: comparing cert name '%s' with config name '%s'\n",
2N/A /* Solaris Kerberos */ 2N/A /* We found no match */ 2N/A pkiDebug(
"%s: returning retval %d, valid_san %d, need_eku_checking %d\n",
2N/A pkiDebug(
"%s: Error from crypto_check_cert_eku %d (%s)\n",
2N/A * Parse PA-PK-AS-REP message. Optionally evaluates the message's 2N/A * certificate chain. 2N/A * Optionally returns various components. 2N/A pkiDebug(
"%s: did not find an acceptable SAN in KDC certificate\n",
2N/A pkiDebug(
"%s: did not find an acceptable EKU in KDC certificate\n",
2N/A /* client after KDC reply */ 2N/A pkiDebug(
"failed to create key pkinit_octetstring2key %s\n",
2N/A * LH Beta 3 requires the extra pa-data, even for RFC requests, 2N/A * in order to get the Checksum rather than a Nonce in the reply. 2N/A * This can be removed when LH SP1 is released. 2N/A * This is hack but Windows sends back SHA1 checksum 2N/A * with checksum type of 14. There is currently no 2N/A * checksum type of 14 defined. 2N/A pkiDebug(
"%s: invalid value (%d) for pkinit_dh_min_bits, " 2N/A pkiDebug(
"%s: Invalid value for pkinit_eku_checking: '%s'\n",
2N/A /* Temporarily just set global flag from config file */ 2N/A /* Only process anchors here if they were not specified on command line */ 2N/A /* Remove (along with armor_key) when FAST PKINIT is settled. */ 2N/A /* Don't use PKINIT if also using FAST. */ 2N/A /* Solaris Kerberos - check return value */ 2N/A pkiDebug(
"pkinit_identity_set_prompter returned %d (%s)\n",
2N/A pkiDebug(
"pkinit_identity_initialize returned %d (%s)\n",
2N/A * Get the enctype of the reply. 2N/A pkiDebug(
"failed to decode sequence of trusted certifiers\n");
2N/A pkiDebug(
"pkinit_client_tryagain: returning %d (%s)\n",
2N/A "X509_user_identity can not be given twice\n");
2N/A "Could not duplicate X509_user_identity value\n");
2N/A /* Solaris Kerberos: handle our PIN attr */ 2N/A/* Only necessary for static plugin linking support. */ 2N/A "pkinit",
/* name */