USAGE_BREAK_LONG
"[-p | -P" USAGE_LONG_PROXIABLE "] "
USAGE_BREAK_LONG
- "-n"
+ "-n "
"[-a | -A" USAGE_LONG_ADDRESSES "] "
USAGE_BREAK_LONG
"[-C" USAGE_LONG_CANONICALIZE "] "
fprintf(stderr, "\t-F not forwardable\n");
fprintf(stderr, "\t-p proxiable\n");
fprintf(stderr, "\t-P not proxiable\n");
- fprintf(stderr, "\t -n anonymous\n");
+ fprintf(stderr, "\t-n anonymous\n");
fprintf(stderr, "\t-a include addresses\n");
fprintf(stderr, "\t-A do not include addresses\n");
fprintf(stderr, "\t-v validate\n");
}
code = krb5_build_principal_ext(k5->ctx, &k5->me,
strlen(defrealm), defrealm,
- strlen(KRB5_WELLKNOWN_NAMESTR), KRB5_WELLKNOWN_NAMESTR,
- strlen(KRB5_ANONYMOUS_PRINCSTR), KRB5_ANONYMOUS_PRINCSTR,
+ strlen(KRB5_WELLKNOWN_NAMESTR),
+ KRB5_WELLKNOWN_NAMESTR,
+ strlen(KRB5_ANONYMOUS_PRINCSTR),
+ KRB5_ANONYMOUS_PRINCSTR,
0);
- krb5_free_default_realm( k5->ctx, defrealm);
+ krb5_free_default_realm(k5->ctx, defrealm);
if (code) {
com_err(progname, code, "while building principal");
return 0;
}
if (k5->me->realm.data[0] == 0) {
code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
- if (code == 0)
+ if (code == 0) {
com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
"(principal %s)", k5->name);
- else
+ } else {
com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
"for local services");
+ }
return 0;
}
} else {
/* Get default principal from cache if one exists */
code = krb5_cc_get_principal(k5->ctx, k5->cc,
&k5->me);
- if (code)
- {
+ if (code) {
char *name = get_name_from_os();
- if (!name)
- {
+ if (!name) {
fprintf(stderr, "Unable to identify user\n");
return 0;
}
if ((code = krb5_parse_name_flags(k5->ctx, name,
- flags, &k5->me)))
- {
+ flags, &k5->me))) {
com_err(progname, code, "when parsing name %s",
name);
return 0;
#define KRB5_NT_SMTP_NAME 7
/* Windows 2000 UPN */
#define KRB5_NT_ENTERPRISE_PRINCIPAL 10
-#define KRB5_NT_WELLKNOWN 11
-#define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /*first component of NT_WELLKNOWN principals*/
+#define KRB5_NT_WELLKNOWN 11
+/* First component of NT_WELLKNOWN principals */
+#define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN"
/* Windows 2000 UPN and SID */
#define KRB5_NT_MS_PRINCIPAL -128
/* NT 4 style name */
*/
krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *);
-/*Both these functions return constant storage that must not be freed*/
+/* Both these functions return constant storage that must not be freed. */
+const krb5_data *KRB5_CALLCONV krb5_anonymous_realm(void);
+krb5_const_principal KRB5_CALLCONV krb5_anonymous_principal(void);
-const krb5_data *KRB5_CALLCONV
-krb5_anonymous_realm(void);
-krb5_const_principal KRB5_CALLCONV
-krb5_anonymous_principal(void);
#define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS"
-#define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /*wellknown name type*/
+#define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /* wellknown name type */
/*
* end "base-defs.h"
*/
#define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 /* XXX note conflict with above */
#define KRB5_KEYUSAGE_AD_SIGNEDPATH -21
-#define KRB5_KEYUSAGE_PA_PKINIT_KX 44
+#define KRB5_KEYUSAGE_PA_PKINIT_KX 44
/* define in draft-ietf-krb-wg-preauth-framework*/
#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
#define KRB5_KEYUSAGE_FAST_ENC 51
#define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000
#define TKT_FLG_OK_AS_DELEGATE 0x00040000
#define TKT_FLG_ENC_PA_REP 0x00010000
-#define TKT_FLG_ANONYMOUS 0x00008000
+#define TKT_FLG_ANONYMOUS 0x00008000
/* #define TKT_FLG_RESERVED 0x00004000 */
/* #define TKT_FLG_RESERVED 0x00002000 */
/* #define TKT_FLG_RESERVED 0x00001000 */
exit(1);
}
- while ((optchar = getopt(argc, argv, "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) {
+ while ((optchar = getopt(argc, argv,
+ "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) {
switch (optchar) {
case 'x':
db_args_size++;
}
}
if ((ccache_name && use_keytab) ||
- (keytab_name && !use_keytab)
- || (ccache_name && use_anonymous)
- || (use_anonymous &&use_keytab))
+ (keytab_name && !use_keytab) ||
+ (ccache_name && use_anonymous) ||
+ (use_anonymous && use_keytab))
usage();
if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) {
retval = kadm5_init_with_creds(context, princstr, cc, svcname, ¶ms,
KADM5_STRUCT_VERSION,
KADM5_API_VERSION_3, db_args, &handle);
- } else if ( use_anonymous) {
- printf("Authenticating as principal %s with password; anonymous requested.\n",
- princstr);
+ } else if (use_anonymous) {
+ printf("Authenticating as principal %s with password; "
+ "anonymous requested.\n", princstr);
retval = kadm5_init_anonymous(context, princstr, svcname, ¶ms,
KADM5_STRUCT_VERSION,
KADM5_API_VERSION_3, db_args, &handle);
enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
- /* If anonymous requests are being used, adjust the realm of the client principal*/
+ /* If anonymous requests are being used, adjust the realm of the client
+ * principal. */
if (isflagset(request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS)) {
if (!krb5_principal_compare_any_realm(kdc_context, request->client,
krb5_anonymous_principal())) {
int type;
#define AUTHDATA_FLAG_CRITICAL 0x1
#define AUTHDATA_FLAG_PRE_PLUGIN 0x2
-#define AUTHDATA_FLAG_ANONYMOUS 0x4 /*Use this plugin even for anonymous tickets*/
+#define AUTHDATA_FLAG_ANONYMOUS 0x4 /* Use plugin even for anonymous tickets */
int flags;
void *plugin_context;
init_proc init;
/* Propagate client-submitted authdata */
"tgs_req",
AUTHDATA_SYSTEM_V2,
- AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN|AUTHDATA_FLAG_ANONYMOUS,
+ AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN |
+ AUTHDATA_FLAG_ANONYMOUS,
NULL,
NULL,
NULL,
/* Propagate TGT authdata */
"tgt",
AUTHDATA_SYSTEM_V2,
- AUTHDATA_FLAG_CRITICAL|AUTHDATA_FLAG_ANONYMOUS,
+ AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_ANONYMOUS,
NULL,
NULL,
NULL,
}
} else if ((input_name_type != NULL) &&
g_OID_equal(input_name_type, GSS_C_NT_ANONYMOUS)) {
- code = krb5_copy_principal(context, krb5_anonymous_principal(), &princ);
+ code = krb5_copy_principal(context, krb5_anonymous_principal(),
+ &princ);
if (code != 0) {
krb5_free_context(context);
*minor_status = code;
#define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX"
-enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS , INIT_ANONYMOUS};
+enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS };
static kadm5_ret_t _kadm5_init_any(krb5_context context,
char *client_name,
* The RPC connection is open; establish the GSS-API
* authentication context.
*/
- code = kadm5_setup_gss(handle, params_in, (init_type == INIT_CREDS)?client_name:NULL,
+ code = kadm5_setup_gss(handle, params_in,
+ (init_type == INIT_CREDS) ? client_name : NULL,
full_svcname);
if (code)
goto error;
}
/*Anonymous and well known principals*/
-static const char anon_realm_str[]
-= KRB5_ANONYMOUS_REALMSTR;
+static const char anon_realm_str[] = KRB5_ANONYMOUS_REALMSTR;
static const krb5_data anon_realm_data = {
- KV5M_DATA, sizeof(anon_realm_str)-1,
- (char *) anon_realm_str};
+ KV5M_DATA, sizeof(anon_realm_str) - 1, (char *) anon_realm_str
+};
static const char wellknown_str[] = KRB5_WELLKNOWN_NAMESTR;
static const char anon_str[] = KRB5_ANONYMOUS_PRINCSTR;
static const krb5_data anon_princ_data[] = {
- {KV5M_DATA, sizeof(wellknown_str)-1, (char *) wellknown_str},
- {KV5M_DATA, sizeof(anon_str)-1, (char *)anon_str}
+ { KV5M_DATA, sizeof(wellknown_str) - 1, (char *) wellknown_str },
+ { KV5M_DATA, sizeof(anon_str) - 1, (char *) anon_str }
};
const krb5_principal_data anon_princ = {
KV5M_PRINCIPAL,
- {KV5M_DATA, sizeof(anon_realm_str)-1, (char *) anon_realm_str},
+ { KV5M_DATA, sizeof(anon_realm_str) - 1, (char *) anon_realm_str },
(krb5_data *) anon_princ_data, 2, KRB5_NT_WELLKNOWN
};
{
return &anon_realm_data;
}
+
krb5_const_principal KRB5_CALLCONV
krb5_anonymous_principal()
{
if (trans.length == 0)
return 0;
anonymous = krb5_anonymous_realm();
- if (crealm->length == anonymous->length
- && (memcmp(crealm->data, anonymous->data, anonymous->length) == 0))
- return 0; /*Nothing to check for anonymous*/
+ if (crealm->length == anonymous->length &&
+ (memcmp(crealm->data, anonymous->data, anonymous->length) == 0))
+ return 0; /* Nothing to check for anonymous */
r = krb5_walk_realm_tree (ctx, crealm, srealm, &cdata.tgs,
KRB5_REALM_BRANCH_CHAR);
krb5_keyblock *kdc_key = NULL, *expected = NULL;
krb5_enc_data *enc = NULL;
krb5_keyblock *session = reply->enc_part2->session;
+
if (!krb5_principal_compare_any_realm(context, request->client,
krb5_anonymous_principal()))
- return 0; /*Only applies to fully anonymous*/
+ return 0; /* Only applies to fully anonymous */
pa = krb5int_find_pa_data(context, reply->padata, KRB5_PADATA_PKINIT_KX);
if (pa == NULL)
goto verification_error;
scratch.length = pa->length;
- scratch.data = (char *) pa->contents;
+ scratch.data = (char *) pa->contents;
ret = decode_krb5_enc_data( &scratch, &enc);
if (ret)
goto cleanup;
ret = krb5_c_decrypt(context, as_key, KRB5_KEYUSAGE_PA_PKINIT_KX,
NULL /*cipherstate*/, enc, &scratch);
if (ret) {
- free( scratch.data);
+ free(scratch.data);
goto cleanup;
}
ret = decode_krb5_encryption_key( &scratch, &kdc_key);
free(scratch.data);
if (ret)
goto cleanup;
- ret = krb5_c_fx_cf2_simple( context, kdc_key, "PKINIT",
- as_key, "KEYEXCHANGE", &expected);
+ ret = krb5_c_fx_cf2_simple(context, kdc_key, "PKINIT",
+ as_key, "KEYEXCHANGE", &expected);
if (ret)
goto cleanup;
- if ((expected->enctype != session->enctype)
- || (expected->length != session->length)
- || (memcmp(expected->contents, session->contents, expected->length) != 0))
+ if ((expected->enctype != session->enctype) ||
+ (expected->length != session->length) ||
+ (memcmp(expected->contents, session->contents, expected->length) != 0))
goto verification_error;
cleanup:
if (kdc_key)
return ret;
verification_error:
ret = KRB5_KDCREP_MODIFIED;
- krb5_set_error_message(context, ret, "Reply has wrong form of session key for anonymous request");
+ krb5_set_error_message(context, ret, "Reply has wrong form of session key "
+ "for anonymous request");
goto cleanup;
}
* principal) and we requested (and received) a TGT.
*/
canon_req = ((request->kdc_options & KDC_OPT_CANONICALIZE) != 0) ||
- (krb5_princ_type(context, request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL)
- || (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS);
+ (krb5_princ_type(context, request->client) ==
+ KRB5_NT_ENTERPRISE_PRINCIPAL) ||
+ (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS);
if (canon_req) {
canon_ok = IS_TGS_PRINC(context, request->server) &&
IS_TGS_PRINC(context, as_reply->enc_part2->server);
- if ((!canon_ok ) && (request->kdc_options &KDC_OPT_REQUEST_ANONYMOUS))
- canon_ok = krb5_principal_compare_any_realm(context, as_reply->client,
+ if (!canon_ok && (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS)) {
+ canon_ok = krb5_principal_compare_any_realm(context,
+ as_reply->client,
krb5_anonymous_principal());
+ }
} else
canon_ok = 0;
ctx->salt.data = NULL;
}
- /*Anonymous*/
+ /* Anonymous. */
if(opte->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS) {
ctx->request->kdc_options |= KDC_OPT_REQUEST_ANONYMOUS;
- /*Remap @REALM to WELLKNOWN/ANONYMOUS@REALM*/
+ /* Remap @REALM to WELLKNOWN/ANONYMOUS@REALM. */
if (client->length == 1 && client->data[0].length ==0) {
krb5_principal new_client;
- code = krb5_build_principal_ext(context, &new_client, client->realm.length,
+ code = krb5_build_principal_ext(context, &new_client,
+ client->realm.length,
client->realm.data,
strlen(KRB5_WELLKNOWN_NAMESTR),
KRB5_WELLKNOWN_NAMESTR,
krb5_princ_type(context, ctx->request->client) = KRB5_NT_WELLKNOWN;
}
}
- /*We will also handle anonymous if the input principal is the anonymous principal*/
+ /* We will also handle anonymous if the input principal is the anonymous
+ * principal. */
if (krb5_principal_compare_any_realm(context, ctx->request->client,
krb5_anonymous_principal())) {
ctx->request->kdc_options |= KDC_OPT_REQUEST_ANONYMOUS;
ctx->request, ctx->reply);
if (code != 0)
goto cleanup;
- code = verify_anonymous( context, ctx->request, ctx->reply,
- &encrypting_key);
+ code = verify_anonymous(context, ctx->request, ctx->reply,
+ &encrypting_key);
if (code)
goto cleanup;
retval = ENOMEM;
goto cleanup;
}
- /*For the new protocol, we support anonymous*/
+ /* For the new protocol, we support anonymous. */
if (krb5_principal_compare_any_realm(context, client,
- krb5_anonymous_principal()))
+ krb5_anonymous_principal())) {
retval = cms_contentinfo_create(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_CLIENT,
- (unsigned char *)coded_auth_pack->data, coded_auth_pack->length,
- &req->signedAuthPack.data, &req->signedAuthPack.length);
- else retval = cms_signeddata_create(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_CLIENT, 1,
- (unsigned char *)coded_auth_pack->data, coded_auth_pack->length,
- &req->signedAuthPack.data, &req->signedAuthPack.length);
+ reqctx->cryptoctx, reqctx->idctx,
+ CMS_SIGN_CLIENT, (unsigned char *)
+ coded_auth_pack->data,
+ coded_auth_pack->length,
+ &req->signedAuthPack.data,
+ &req->signedAuthPack.length);
+ } else {
+ retval = cms_signeddata_create(context, plgctx->cryptoctx,
+ reqctx->cryptoctx, reqctx->idctx,
+ CMS_SIGN_CLIENT, 1,
+ (unsigned char *)
+ coded_auth_pack->data,
+ coded_auth_pack->length,
+ &req->signedAuthPack.data,
+ &req->signedAuthPack.length);
+ }
#ifdef DEBUG_ASN1
print_buffer_bin((unsigned char *)req->signedAuthPack.data,
req->signedAuthPack.length,
reqctx->opts->require_crl_checking,
kdc_reply->u.dh_Info.dhSignedData.data,
kdc_reply->u.dh_Info.dhSignedData.length,
- &dh_data.data, &dh_data.length, NULL, NULL, NULL)) != 0) {
+ &dh_data.data, &dh_data.length,
+ NULL, NULL, NULL)) != 0) {
pkiDebug("failed to verify pkcs7 signed data\n");
goto cleanup;
}
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
int cms_msg_type,
- unsigned char *in_data, unsigned int in_length,
- unsigned char **out_data, unsigned int *out_data_len);
-
+ unsigned char *in_data, unsigned int in_length,
+ unsigned char **out_data, unsigned int *out_data_len);
/*
* this function creates a CMS message where eContentType is SignedData
receives required authorization data that
contains the verified certificate chain
(only used by the KDC) */
- unsigned int *authz_data_len, /* OUT
- receives length of authz_data */
- int *is_signed /*out: is message signed*/);
+ unsigned int *authz_data_len, /* OUT
+ receives length of authz_data */
+ int *is_signed); /* OUT
+ receives whether message is signed */
/*
* this function creates a CMS message where eContentType is EnvelopedData
}
/*helper function for creating pkinit ContentInfo*/
-static krb5_error_code create_contentinfo
-(krb5_context context, pkinit_plg_crypto_context plg_crypto_context,
- ASN1_OBJECT *oid,
- unsigned char *data, size_t data_len,
- PKCS7 **out_p7)
+static krb5_error_code
+create_contentinfo(krb5_context context,
+ pkinit_plg_crypto_context plg_crypto_context,
+ ASN1_OBJECT *oid, unsigned char *data, size_t data_len,
+ PKCS7 **out_p7)
{
krb5_error_code retval = EINVAL;
PKCS7 *inner_p7;
ASN1_TYPE *pkinit_data = NULL;
+
*out_p7 = NULL;
if ((inner_p7 = PKCS7_new()) == NULL)
goto cleanup;
pkinit_data->type = V_ASN1_OCTET_STRING;
if ((pkinit_data->value.octet_string = ASN1_OCTET_STRING_new()) == NULL)
goto cleanup;
- if (!ASN1_OCTET_STRING_set(pkinit_data->value.octet_string, (unsigned char *) data,
- data_len)) {
+ if (!ASN1_OCTET_STRING_set(pkinit_data->value.octet_string,
+ (unsigned char *) data, data_len)) {
unsigned long err = ERR_peek_error();
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(context, retval, "%s\n",
return retval;
}
-krb5_error_code cms_contentinfo_create
-(krb5_context context, /* IN */
- pkinit_plg_crypto_context plg_cryptoctx, /* IN */
- pkinit_req_crypto_context req_cryptoctx, /* IN */
- pkinit_identity_crypto_context id_cryptoctx, /* IN */
- int cms_msg_type,
- unsigned char *data, unsigned int data_len,
- unsigned char **out_data, unsigned int *out_data_len)
+krb5_error_code
+cms_contentinfo_create(krb5_context context, /* IN */
+ pkinit_plg_crypto_context plg_cryptoctx, /* IN */
+ pkinit_req_crypto_context req_cryptoctx, /* IN */
+ pkinit_identity_crypto_context id_cryptoctx, /* IN */
+ int cms_msg_type,
+ unsigned char *data, unsigned int data_len,
+ unsigned char **out_data, unsigned int *out_data_len)
{
krb5_error_code retval = ENOMEM;
ASN1_OBJECT *oid = NULL;
PKCS7 *p7 = NULL;
unsigned char *p;
- /* pick the correct oid for the eContentInfo */
+
+ /* Pick the correct oid for the eContentInfo. */
oid = pkinit_pkcs7type2oid(plg_cryptoctx, cms_msg_type);
if (oid == NULL)
goto cleanup;
ASN1_OBJECT *oid = NULL;
if (id_cryptoctx->my_certs == NULL) {
- krb5_set_error_message(context, EINVAL, "cms_signdata_create called with no certificates");
+ krb5_set_error_message(context, EINVAL, "cms_signdata_create called "
+ "with no certificates");
return EINVAL;
}
-/* start creating PKCS7 data */
+ /* Start creating PKCS7 data. */
if ((p7 = PKCS7_new()) == NULL)
goto cleanup;
p7->type = OBJ_nid2obj(NID_pkcs7_signed);
goto cleanup;
}
-/*Handle the case in pkinit anonymous where we get unsigned data.*/
- if (is_signed && !OBJ_cmp( p7->type, oid)) {
+ /* Handle the case in pkinit anonymous where we get unsigned data. */
+ if (is_signed && !OBJ_cmp(p7->type, oid)) {
unsigned char *d;
*is_signed = 0;
if (p7->d.other->type != V_ASN1_OCTET_STRING) {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
- krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Invalid pkinit packet: octet string expected");
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "Invalid pkinit packet: octet string "
+ "expected");
goto cleanup;
}
*data_len = ASN1_STRING_length(p7->d.other->value.octet_string);
*data_len);
*data = d;
goto out;
- } else /* verify that the received message is PKCS7 SignedData message */
+ } else {
+ /* Verify that the received message is PKCS7 SignedData message. */
if (OBJ_obj2nid(p7->type) != NID_pkcs7_signed) {
-
pkiDebug("Expected id-signedData PKCS7 msg (received type = %d)\n",
OBJ_obj2nid(p7->type));
krb5_set_error_message(context, retval, "wrong oid\n");
goto cleanup;
}
+ }
/* setup to verify X509 certificate used to sign PKCS7 message */
if (!(store = X509_STORE_new()))
rv = id_cryptoctx->p11->C_Decrypt(id_cryptoctx->session, pEncryptedData,
ulEncryptedDataLen, pData, pulDataLen);
if (rv == CKR_OK) {
- pkiDebug("pData %x *pulDataLen %d\n", (unsigned int) pData, (int) *pulDataLen);
+ pkiDebug("pData %x *pulDataLen %d\n", (unsigned int) pData,
+ (int) *pulDataLen);
}
return rv;
}
* in the config file.
*/
if (idopts->identity != NULL) {
- retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx,
- idopts, id_cryptoctx,
- idopts->identity);
+ retval = process_option_identity(context, plg_cryptoctx,
+ req_cryptoctx, idopts,
+ id_cryptoctx, idopts->identity);
} else if (idopts->identity_alt != NULL) {
- for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++)
+ for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) {
retval = process_option_identity(context, plg_cryptoctx,
req_cryptoctx, idopts,
id_cryptoctx,
idopts->identity_alt[i]);
+ }
} else {
pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
goto errout;
goto errout;
if (do_matching) {
- retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx, princ);
+ retval = pkinit_cert_matching(context, plg_cryptoctx,
+ req_cryptoctx, id_cryptoctx, princ);
if (retval) {
pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
id_cryptoctx);
if (retval)
goto errout;
- } /*not anonymous principal*/
+ } /* Not anonymous principal */
for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
if (retval)
goto cleanup;
if (!valid_san) {
- pkiDebug("%s: did not find an acceptable SAN in user certificate\n",
- __FUNCTION__);
+ pkiDebug("%s: did not find an acceptable SAN in user "
+ "certificate\n", __FUNCTION__);
retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
goto cleanup;
}
goto cleanup;
if (!valid_eku) {
- pkiDebug("%s: did not find an acceptable EKU in user certificate\n",
- __FUNCTION__);
+ pkiDebug("%s: did not find an acceptable EKU in user "
+ "certificate\n", __FUNCTION__);
retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
goto cleanup;
}
- } else { /*!is_signed*/
- if (!krb5_principal_compare( context, request->client, krb5_anonymous_principal())) {
+ } else { /* !is_signed */
+ if (!krb5_principal_compare(context, request->client,
+ krb5_anonymous_principal())) {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
- krb5_set_error_message(context, retval, "Pkinit request not signed, but client not anonymous.");
+ krb5_set_error_message(context, retval, "Pkinit request not "
+ "signed, but client not anonymous.");
goto cleanup;
}
}
break;
}
+ /*
+ * This code used to generate ad-initial-verified-cas authorization data.
+ * However that has been removed until the ad-kdc-issued discussion can
+ * happen in the working group. Dec 2009
+ */
/* return authorization data to be included in the ticket */
switch ((int)data->pa_type) {
-/*
- * This code used to generate ad-initial-verified-cas authorization data.
- * However that has been removed until the ad-kdc-issued discussion can happen
- * in the working group. Dec 2009
- */
default:
*authz_data = NULL;
}
return retval;
}
static krb5_error_code
-return_pkinit_kx( krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **out_padata)
+return_pkinit_kx(krb5_context context, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **out_padata)
{
krb5_error_code ret = 0;
krb5_keyblock *session = reply->ticket->enc_part2->session;
krb5_pa_data *pa = NULL;
krb5_enc_data enc;
krb5_data *scratch = NULL;
+
*out_padata = NULL;
enc.ciphertext.data = NULL;
if (!krb5_principal_compare(context, request->client,
krb5_anonymous_principal()))
return 0;
/*
- *The KDC contribution key needs to be a fresh key of an
- *enctype supported by the client and server. The existing
- *session key meets these requirements so we use itt.
+ * The KDC contribution key needs to be a fresh key of an enctype supported
+ * by the client and server. The existing session key meets these
+ * requirements so we use it.
*/
ret = krb5_c_fx_cf2_simple(context, session, "PKINIT",
encrypting_key, "KEYEXCHANGE",
ret = encode_krb5_encryption_key( session, &scratch);
if (ret)
goto cleanup;
- ret = krb5_encrypt_helper( context, encrypting_key, KRB5_KEYUSAGE_PA_PKINIT_KX,
- scratch, &enc);
+ ret = krb5_encrypt_helper(context, encrypting_key,
+ KRB5_KEYUSAGE_PA_PKINIT_KX, scratch, &enc);
if (ret)
goto cleanup;
memset(scratch->data, 0, scratch->length);
int fixed_keypack = 0;
*send_pa = NULL;
- if (padata->pa_type == KRB5_PADATA_PKINIT_KX)
+ if (padata->pa_type == KRB5_PADATA_PKINIT_KX) {
return return_pkinit_kx(context, request, reply,
encrypting_key, send_pa);
+ }
if (padata == NULL || padata->length <= 0 || padata->contents == NULL)
return 0;
projects / thirdparty / krb5.git / commitdiff
