2N/A/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2N/A/*
2N/A * COPYRIGHT (C) 2006,2007
2N/A * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
2N/A * ALL RIGHTS RESERVED
2N/A *
2N/A * Permission is granted to use, copy, create derivative works
2N/A * and redistribute this software and such derivative works
2N/A * for any purpose, so long as the name of The University of
2N/A * Michigan is not used in any advertising or publicity
2N/A * pertaining to the use of distribution of this software
2N/A * without specific, written prior authorization. If the
2N/A * above copyright notice or any other identification of the
2N/A * University of Michigan is included in any copy of any
2N/A * portion of this software, then the disclaimer below must
2N/A * also be included.
2N/A *
2N/A * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
2N/A * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
2N/A * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
2N/A * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
2N/A * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
2N/A * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
2N/A * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
2N/A * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
2N/A * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
2N/A * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
2N/A * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
2N/A * SUCH DAMAGES.
2N/A */
2N/A
2N/A#include <stdio.h>
2N/A#include <stdlib.h>
2N/A#include <errno.h>
2N/A#include <unistd.h>
2N/A#include <string.h>
2N/A#include <ctype.h>
2N/A#include <assert.h>
2N/A
2N/A#include "k5-platform.h"
2N/A
2N/A#include "pkinit.h"
2N/A
2N/A#define FAKECERT
2N/A
2N/Aconst krb5_octet_data
2N/Adh_oid = { 0, 7, (unsigned char *)"\x2A\x86\x48\xce\x3e\x02\x01" };
2N/A
2N/A
2N/Akrb5_error_code
2N/Apkinit_init_req_opts(pkinit_req_opts **reqopts)
2N/A{
2N/A krb5_error_code retval = ENOMEM;
2N/A pkinit_req_opts *opts = NULL;
2N/A
2N/A *reqopts = NULL;
2N/A opts = calloc(1, sizeof(*opts));
2N/A if (opts == NULL)
2N/A return retval;
2N/A
2N/A opts->require_eku = 1;
2N/A opts->accept_secondary_eku = 0;
2N/A opts->allow_upn = 0;
2N/A opts->dh_or_rsa = DH_PROTOCOL;
2N/A opts->require_crl_checking = 0;
2N/A opts->dh_size = PKINIT_DEFAULT_DH_MIN_BITS;
2N/A opts->win2k_target = 0;
2N/A opts->win2k_require_cksum = 0;
2N/A
2N/A *reqopts = opts;
2N/A
2N/A return 0;
2N/A}
2N/A
2N/Avoid
2N/Apkinit_fini_req_opts(pkinit_req_opts *opts)
2N/A{
2N/A free(opts);
2N/A return;
2N/A}
2N/A
2N/Akrb5_error_code
2N/Apkinit_init_plg_opts(pkinit_plg_opts **plgopts)
2N/A{
2N/A krb5_error_code retval = ENOMEM;
2N/A pkinit_plg_opts *opts = NULL;
2N/A
2N/A *plgopts = NULL;
2N/A opts = calloc(1, sizeof(pkinit_plg_opts));
2N/A if (opts == NULL)
2N/A return retval;
2N/A
2N/A opts->require_eku = 1;
2N/A opts->accept_secondary_eku = 0;
2N/A opts->dh_or_rsa = DH_PROTOCOL;
2N/A opts->allow_upn = 0;
2N/A opts->require_crl_checking = 0;
2N/A
2N/A opts->dh_min_bits = PKINIT_DEFAULT_DH_MIN_BITS;
2N/A
2N/A *plgopts = opts;
2N/A
2N/A return 0;
2N/A}
2N/A
2N/Avoid
2N/Apkinit_fini_plg_opts(pkinit_plg_opts *opts)
2N/A{
2N/A free(opts);
2N/A return;
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in)
2N/A{
2N/A if (*in == NULL) return;
2N/A free((*in)->signedAuthPack.data);
2N/A if ((*in)->trustedCertifiers != NULL)
2N/A free_krb5_external_principal_identifier(&(*in)->trustedCertifiers);
2N/A free((*in)->kdcPkId.data);
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in)
2N/A{
2N/A if (*in == NULL) return;
2N/A free((*in)->signedAuthPack.data);
2N/A free((*in)->kdcCert.data);
2N/A free((*in)->encryptionCert.data);
2N/A if ((*in)->trustedCertifiers != NULL)
2N/A free_krb5_trusted_ca(&(*in)->trustedCertifiers);
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_reply_key_pack(krb5_reply_key_pack **in)
2N/A{
2N/A if (*in == NULL) return;
2N/A free((*in)->replyKey.contents);
2N/A free((*in)->asChecksum.contents);
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in)
2N/A{
2N/A if (*in == NULL) return;
2N/A free((*in)->replyKey.contents);
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_auth_pack(krb5_auth_pack **in)
2N/A{
2N/A if ((*in) == NULL) return;
2N/A if ((*in)->clientPublicValue != NULL) {
2N/A free((*in)->clientPublicValue->algorithm.algorithm.data);
2N/A free((*in)->clientPublicValue->algorithm.parameters.data);
2N/A free((*in)->clientPublicValue->subjectPublicKey.data);
2N/A free((*in)->clientPublicValue);
2N/A }
2N/A free((*in)->pkAuthenticator.paChecksum.contents);
2N/A if ((*in)->supportedCMSTypes != NULL)
2N/A free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes));
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_auth_pack_draft9(krb5_context context,
2N/A krb5_auth_pack_draft9 **in)
2N/A{
2N/A if ((*in) == NULL) return;
2N/A krb5_free_principal(context, (*in)->pkAuthenticator.kdcName);
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in)
2N/A{
2N/A if (*in == NULL) return;
2N/A switch ((*in)->choice) {
2N/A case choice_pa_pk_as_rep_dhInfo:
2N/A free((*in)->u.dh_Info.dhSignedData.data);
2N/A break;
2N/A case choice_pa_pk_as_rep_encKeyPack:
2N/A free((*in)->u.encKeyPack.data);
2N/A break;
2N/A default:
2N/A break;
2N/A }
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in)
2N/A{
2N/A if (*in == NULL) return;
2N/A free((*in)->u.encKeyPack.data);
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_external_principal_identifier(krb5_external_principal_identifier ***in)
2N/A{
2N/A int i = 0;
2N/A if (*in == NULL) return;
2N/A while ((*in)[i] != NULL) {
2N/A free((*in)[i]->subjectName.data);
2N/A free((*in)[i]->issuerAndSerialNumber.data);
2N/A free((*in)[i]->subjectKeyIdentifier.data);
2N/A free((*in)[i]);
2N/A i++;
2N/A }
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_trusted_ca(krb5_trusted_ca ***in)
2N/A{
2N/A int i = 0;
2N/A if (*in == NULL) return;
2N/A while ((*in)[i] != NULL) {
2N/A switch((*in)[i]->choice) {
2N/A case choice_trusted_cas_principalName:
2N/A break;
2N/A case choice_trusted_cas_caName:
2N/A free((*in)[i]->u.caName.data);
2N/A break;
2N/A case choice_trusted_cas_issuerAndSerial:
2N/A free((*in)[i]->u.issuerAndSerial.data);
2N/A break;
2N/A case choice_trusted_cas_UNKNOWN:
2N/A break;
2N/A }
2N/A free((*in)[i]);
2N/A i++;
2N/A }
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_typed_data(krb5_typed_data ***in)
2N/A{
2N/A int i = 0;
2N/A if (*in == NULL) return;
2N/A while ((*in)[i] != NULL) {
2N/A free((*in)[i]->data);
2N/A free((*in)[i]);
2N/A i++;
2N/A }
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_algorithm_identifier(krb5_algorithm_identifier *in)
2N/A{
2N/A if (in == NULL)
2N/A return;
2N/A free(in->algorithm.data);
2N/A free(in->parameters.data);
2N/A free(in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in)
2N/A{
2N/A int i;
2N/A if (in == NULL || *in == NULL)
2N/A return;
2N/A for (i = 0; (*in)[i] != NULL; i++) {
2N/A free_krb5_algorithm_identifier((*in)[i]);
2N/A }
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_subject_pk_info(krb5_subject_pk_info **in)
2N/A{
2N/A if ((*in) == NULL) return;
2N/A free((*in)->algorithm.parameters.data);
2N/A free((*in)->subjectPublicKey.data);
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Afree_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in)
2N/A{
2N/A if (*in == NULL) return;
2N/A free((*in)->subjectPublicKey.data);
2N/A free(*in);
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_pa_pk_as_req));
2N/A if ((*in) == NULL) return;
2N/A (*in)->signedAuthPack.data = NULL;
2N/A (*in)->signedAuthPack.length = 0;
2N/A (*in)->trustedCertifiers = NULL;
2N/A (*in)->kdcPkId.data = NULL;
2N/A (*in)->kdcPkId.length = 0;
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_pa_pk_as_req_draft9));
2N/A if ((*in) == NULL) return;
2N/A (*in)->signedAuthPack.data = NULL;
2N/A (*in)->signedAuthPack.length = 0;
2N/A (*in)->trustedCertifiers = NULL;
2N/A (*in)->kdcCert.data = NULL;
2N/A (*in)->kdcCert.length = 0;
2N/A (*in)->encryptionCert.data = NULL;
2N/A (*in)->encryptionCert.length = 0;
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_reply_key_pack(krb5_reply_key_pack **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_reply_key_pack));
2N/A if ((*in) == NULL) return;
2N/A (*in)->replyKey.contents = NULL;
2N/A (*in)->replyKey.length = 0;
2N/A (*in)->asChecksum.contents = NULL;
2N/A (*in)->asChecksum.length = 0;
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_reply_key_pack_draft9));
2N/A if ((*in) == NULL) return;
2N/A (*in)->replyKey.contents = NULL;
2N/A (*in)->replyKey.length = 0;
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_auth_pack(krb5_auth_pack **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_auth_pack));
2N/A if ((*in) == NULL) return;
2N/A (*in)->clientPublicValue = NULL;
2N/A (*in)->supportedCMSTypes = NULL;
2N/A (*in)->clientDHNonce.length = 0;
2N/A (*in)->clientDHNonce.data = NULL;
2N/A (*in)->pkAuthenticator.paChecksum.contents = NULL;
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_auth_pack_draft9(krb5_auth_pack_draft9 **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_auth_pack_draft9));
2N/A if ((*in) == NULL) return;
2N/A (*in)->clientPublicValue = NULL;
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_pa_pk_as_rep));
2N/A if ((*in) == NULL) return;
2N/A (*in)->u.dh_Info.serverDHNonce.length = 0;
2N/A (*in)->u.dh_Info.serverDHNonce.data = NULL;
2N/A (*in)->u.dh_Info.dhSignedData.length = 0;
2N/A (*in)->u.dh_Info.dhSignedData.data = NULL;
2N/A (*in)->u.encKeyPack.length = 0;
2N/A (*in)->u.encKeyPack.data = NULL;
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_pa_pk_as_rep_draft9));
2N/A if ((*in) == NULL) return;
2N/A (*in)->u.dhSignedData.length = 0;
2N/A (*in)->u.dhSignedData.data = NULL;
2N/A (*in)->u.encKeyPack.length = 0;
2N/A (*in)->u.encKeyPack.data = NULL;
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_typed_data(krb5_typed_data **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_typed_data));
2N/A if ((*in) == NULL) return;
2N/A (*in)->type = 0;
2N/A (*in)->length = 0;
2N/A (*in)->data = NULL;
2N/A}
2N/A
2N/Avoid
2N/Ainit_krb5_subject_pk_info(krb5_subject_pk_info **in)
2N/A{
2N/A (*in) = malloc(sizeof(krb5_subject_pk_info));
2N/A if ((*in) == NULL) return;
2N/A (*in)->algorithm.parameters.data = NULL;
2N/A (*in)->algorithm.parameters.length = 0;
2N/A (*in)->subjectPublicKey.data = NULL;
2N/A (*in)->subjectPublicKey.length = 0;
2N/A}
2N/A
2N/Akrb5_error_code
2N/Apkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src)
2N/A{
2N/A if (dst == NULL || src == NULL)
2N/A return EINVAL;
2N/A if (src->data == NULL) {
2N/A dst->data = NULL;
2N/A dst->length = 0;
2N/A return 0;
2N/A }
2N/A dst->data = malloc(src->length);
2N/A if (dst->data == NULL)
2N/A return ENOMEM;
2N/A memcpy(dst->data, src->data, src->length);
2N/A dst->length = src->length;
2N/A return 0;
2N/A}
2N/A
2N/A/* debugging functions */
2N/A/*
2N/A * Solaris Kerberos
2N/A * Make first argument const to work better with OpenSSL 1.0
2N/A */
2N/Avoid
2N/Aprint_buffer(const unsigned char *buf, unsigned int len)
2N/A{
2N/A unsigned i = 0;
2N/A if (len <= 0)
2N/A return;
2N/A
2N/A for (i = 0; i < len; i++)
2N/A pkiDebug("%02x ", buf[i]);
2N/A pkiDebug("\n");
2N/A}
2N/A
2N/Avoid
2N/Aprint_buffer_bin(const unsigned char *buf, unsigned int len, char *filename)
2N/A{
2N/A FILE *f = NULL;
2N/A unsigned int i = 0;
2N/A
2N/A if (len <= 0 || filename == NULL)
2N/A return;
2N/A
2N/A if ((f = fopen(filename, "w")) == NULL)
2N/A return;
2N/A
2N/A set_cloexec_file(f);
2N/A
2N/A for (i = 0; i < len; i++)
2N/A fputc(buf[i], f);
2N/A
2N/A fclose(f);
2N/A}