From: Greg Hudson Date: Sat, 23 Oct 2021 20:40:23 +0000 (-0400) Subject: Use pre-encoded DH parameter constants in PKINIT X-Git-Tag: krb5-1.20-beta1~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1226%2Fhead;p=thirdparty%2Fkrb5.git Use pre-encoded DH parameter constants in PKINIT Rename pkinit_kdf_constants.c to pkinit_constants.c and add encodings of the three well-known Oakley groups. Use them to greatly simplify pkinit_create_td_dh_parameters() and eliminate make_oakley_dh(). Change the interface for decoding parameters to take a krb5_data pointer for caller convenience. --- diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in index 15ca0eb487..86f143d72d 100644 --- a/src/plugins/preauth/pkinit/Makefile.in +++ b/src/plugins/preauth/pkinit/Makefile.in @@ -17,7 +17,7 @@ STLIBOBJS= \ pkinit_srv.o \ pkinit_lib.o \ pkinit_clnt.o \ - pkinit_kdf_constants.o \ + pkinit_constants.o \ pkinit_profile.o \ pkinit_identity.o \ pkinit_matching.o \ @@ -28,7 +28,7 @@ SRCS= \ $(srcdir)/pkinit_srv.c \ $(srcdir)/pkinit_lib.c \ $(srcdir)/pkinit_kdf_test.c \ - $(srcdir)/pkinit_kdf_constants.c \ + $(srcdir)/pkinit_constants.c \ $(srcdir)/pkinit_clnt.c \ $(srcdir)/pkinit_profile.c \ $(srcdir)/pkinit_identity.c \ diff --git a/src/plugins/preauth/pkinit/pkinit_constants.c b/src/plugins/preauth/pkinit/pkinit_constants.c new file mode 100644 index 0000000000..4d29efca4a --- /dev/null +++ b/src/plugins/preauth/pkinit/pkinit_constants.c @@ -0,0 +1,306 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/pkinit/pkinit_constants.c */ +/* + * Copyright (C) 2011,2021 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "pkinit.h" + +/* statically declare OID constants for all three algorithms */ +const krb5_octet krb5_pkinit_sha1_oid[8] = +{0x2B,0x06,0x01,0x05,0x02,0x03,0x06,0x01}; +const size_t krb5_pkinit_sha1_oid_len = 8; +const krb5_octet krb5_pkinit_sha256_oid[8] = +{0x2B,0x06,0x01,0x05,0x02,0x03,0x06,0x02}; +const size_t krb5_pkinit_sha256_oid_len = 8; +const krb5_octet krb5_pkinit_sha512_oid [8] = +{0x2B,0x06,0x01,0x05,0x02,0x03,0x06,0x03}; +const size_t krb5_pkinit_sha512_oid_len = 8; + +#define oid_as_data(var, oid_base) \ + const krb5_data var = \ + {0, sizeof oid_base, (char *)oid_base} +oid_as_data(sha1_id, krb5_pkinit_sha1_oid); +oid_as_data(sha256_id, krb5_pkinit_sha256_oid); +oid_as_data(sha512_id, krb5_pkinit_sha512_oid); +#undef oid_as_data + +krb5_data const * const supported_kdf_alg_ids[] = { + &sha256_id, + &sha1_id, + &sha512_id, + NULL +}; + +/* RFC 2412 section E.2 (well-known group 2) parameters, DER-encoded as + * DomainParameters (RFC 3279 section 2.3.3). */ +static const uint8_t o1024[] = { + 0x30, 0x82, 0x01, 0x0A, 0x02, 0x81, 0x81, 0x00, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, + 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, + 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, + 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, + 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, + 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, + 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, + 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, + 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, + 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0x02, 0x01, 0x02, 0x02, 0x81, 0x80, 0x7F, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE4, 0x87, + 0xED, 0x51, 0x10, 0xB4, 0x61, 0x1A, 0x62, 0x63, + 0x31, 0x45, 0xC0, 0x6E, 0x0E, 0x68, 0x94, 0x81, + 0x27, 0x04, 0x45, 0x33, 0xE6, 0x3A, 0x01, 0x05, + 0xDF, 0x53, 0x1D, 0x89, 0xCD, 0x91, 0x28, 0xA5, + 0x04, 0x3C, 0xC7, 0x1A, 0x02, 0x6E, 0xF7, 0xCA, + 0x8C, 0xD9, 0xE6, 0x9D, 0x21, 0x8D, 0x98, 0x15, + 0x85, 0x36, 0xF9, 0x2F, 0x8A, 0x1B, 0xA7, 0xF0, + 0x9A, 0xB6, 0xB6, 0xA8, 0xE1, 0x22, 0xF2, 0x42, + 0xDA, 0xBB, 0x31, 0x2F, 0x3F, 0x63, 0x7A, 0x26, + 0x21, 0x74, 0xD3, 0x1B, 0xF6, 0xB5, 0x85, 0xFF, + 0xAE, 0x5B, 0x7A, 0x03, 0x5B, 0xF6, 0xF7, 0x1C, + 0x35, 0xFD, 0xAD, 0x44, 0xCF, 0xD2, 0xD7, 0x4F, + 0x92, 0x08, 0xBE, 0x25, 0x8F, 0xF3, 0x24, 0x94, + 0x33, 0x28, 0xF6, 0x73, 0x29, 0xC0, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* RFC 3526 section 3 (2048-bit MODP Group), RFC 3279 encoding */ +static const uint8_t o2048[] = { + 0x30, 0x82, 0x02, 0x0C, 0x02, 0x82, 0x01, 0x01, + 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, + 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, + 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, + 0x74, 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, + 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, + 0xDD, 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, + 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, + 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, + 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, + 0xC6, 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, + 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, + 0xED, 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, + 0xA5, 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, + 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, + 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, + 0x05, 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, + 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, + 0x5F, 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, + 0x96, 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, + 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, + 0x6D, 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, + 0x04, 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, + 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, + 0x3B, 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, + 0x03, 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, + 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, + 0xC9, 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, + 0x18, 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, + 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, + 0x10, 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, + 0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0x02, 0x01, 0x02, 0x02, 0x82, 0x01, 0x00, + 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xE4, 0x87, 0xED, 0x51, 0x10, 0xB4, 0x61, 0x1A, + 0x62, 0x63, 0x31, 0x45, 0xC0, 0x6E, 0x0E, 0x68, + 0x94, 0x81, 0x27, 0x04, 0x45, 0x33, 0xE6, 0x3A, + 0x01, 0x05, 0xDF, 0x53, 0x1D, 0x89, 0xCD, 0x91, + 0x28, 0xA5, 0x04, 0x3C, 0xC7, 0x1A, 0x02, 0x6E, + 0xF7, 0xCA, 0x8C, 0xD9, 0xE6, 0x9D, 0x21, 0x8D, + 0x98, 0x15, 0x85, 0x36, 0xF9, 0x2F, 0x8A, 0x1B, + 0xA7, 0xF0, 0x9A, 0xB6, 0xB6, 0xA8, 0xE1, 0x22, + 0xF2, 0x42, 0xDA, 0xBB, 0x31, 0x2F, 0x3F, 0x63, + 0x7A, 0x26, 0x21, 0x74, 0xD3, 0x1B, 0xF6, 0xB5, + 0x85, 0xFF, 0xAE, 0x5B, 0x7A, 0x03, 0x5B, 0xF6, + 0xF7, 0x1C, 0x35, 0xFD, 0xAD, 0x44, 0xCF, 0xD2, + 0xD7, 0x4F, 0x92, 0x08, 0xBE, 0x25, 0x8F, 0xF3, + 0x24, 0x94, 0x33, 0x28, 0xF6, 0x72, 0x2D, 0x9E, + 0xE1, 0x00, 0x3E, 0x5C, 0x50, 0xB1, 0xDF, 0x82, + 0xCC, 0x6D, 0x24, 0x1B, 0x0E, 0x2A, 0xE9, 0xCD, + 0x34, 0x8B, 0x1F, 0xD4, 0x7E, 0x92, 0x67, 0xAF, + 0xC1, 0xB2, 0xAE, 0x91, 0xEE, 0x51, 0xD6, 0xCB, + 0x0E, 0x31, 0x79, 0xAB, 0x10, 0x42, 0xA9, 0x5D, + 0xCF, 0x6A, 0x94, 0x83, 0xB8, 0x4B, 0x4B, 0x36, + 0xB3, 0x86, 0x1A, 0xA7, 0x25, 0x5E, 0x4C, 0x02, + 0x78, 0xBA, 0x36, 0x04, 0x65, 0x0C, 0x10, 0xBE, + 0x19, 0x48, 0x2F, 0x23, 0x17, 0x1B, 0x67, 0x1D, + 0xF1, 0xCF, 0x3B, 0x96, 0x0C, 0x07, 0x43, 0x01, + 0xCD, 0x93, 0xC1, 0xD1, 0x76, 0x03, 0xD1, 0x47, + 0xDA, 0xE2, 0xAE, 0xF8, 0x37, 0xA6, 0x29, 0x64, + 0xEF, 0x15, 0xE5, 0xFB, 0x4A, 0xAC, 0x0B, 0x8C, + 0x1C, 0xCA, 0xA4, 0xBE, 0x75, 0x4A, 0xB5, 0x72, + 0x8A, 0xE9, 0x13, 0x0C, 0x4C, 0x7D, 0x02, 0x88, + 0x0A, 0xB9, 0x47, 0x2D, 0x45, 0x56, 0x55, 0x34, + 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* RFC 3526 section 5 (4096-bit MODP Group), RFC 3279 encoding */ +static const uint8_t o4096[] = { + 0x30, 0x82, 0x04, 0x0C, 0x02, 0x82, 0x02, 0x01, + 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, + 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, + 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, + 0x74, 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, + 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, + 0xDD, 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, + 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, + 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, + 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, + 0xC6, 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, + 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, + 0xED, 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, + 0xA5, 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, + 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, + 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, + 0x05, 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, + 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, + 0x5F, 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, + 0x96, 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, + 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, + 0x6D, 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, + 0x04, 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, + 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, + 0x3B, 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, + 0x03, 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, + 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, + 0xC9, 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, + 0x18, 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, + 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, + 0x10, 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, + 0x2D, 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, + 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, + 0x64, 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, + 0x0A, 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, + 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, + 0xC7, 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, + 0xD7, 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, + 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, + 0x6B, 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, + 0x64, 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, + 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, + 0x0C, 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, + 0x6C, 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, + 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, + 0x31, 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, + 0x8E, 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, + 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, + 0xD7, 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, + 0x26, 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, + 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, + 0xDA, 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, + 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, + 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, + 0xA6, 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, + 0x5D, 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, + 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, + 0xED, 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, + 0xAF, 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, + 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, + 0xA9, 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, + 0xC1, 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, + 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, + 0x99, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0x02, 0x01, 0x02, 0x02, 0x82, 0x02, 0x00, + 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xE4, 0x87, 0xED, 0x51, 0x10, 0xB4, 0x61, 0x1A, + 0x62, 0x63, 0x31, 0x45, 0xC0, 0x6E, 0x0E, 0x68, + 0x94, 0x81, 0x27, 0x04, 0x45, 0x33, 0xE6, 0x3A, + 0x01, 0x05, 0xDF, 0x53, 0x1D, 0x89, 0xCD, 0x91, + 0x28, 0xA5, 0x04, 0x3C, 0xC7, 0x1A, 0x02, 0x6E, + 0xF7, 0xCA, 0x8C, 0xD9, 0xE6, 0x9D, 0x21, 0x8D, + 0x98, 0x15, 0x85, 0x36, 0xF9, 0x2F, 0x8A, 0x1B, + 0xA7, 0xF0, 0x9A, 0xB6, 0xB6, 0xA8, 0xE1, 0x22, + 0xF2, 0x42, 0xDA, 0xBB, 0x31, 0x2F, 0x3F, 0x63, + 0x7A, 0x26, 0x21, 0x74, 0xD3, 0x1B, 0xF6, 0xB5, + 0x85, 0xFF, 0xAE, 0x5B, 0x7A, 0x03, 0x5B, 0xF6, + 0xF7, 0x1C, 0x35, 0xFD, 0xAD, 0x44, 0xCF, 0xD2, + 0xD7, 0x4F, 0x92, 0x08, 0xBE, 0x25, 0x8F, 0xF3, + 0x24, 0x94, 0x33, 0x28, 0xF6, 0x72, 0x2D, 0x9E, + 0xE1, 0x00, 0x3E, 0x5C, 0x50, 0xB1, 0xDF, 0x82, + 0xCC, 0x6D, 0x24, 0x1B, 0x0E, 0x2A, 0xE9, 0xCD, + 0x34, 0x8B, 0x1F, 0xD4, 0x7E, 0x92, 0x67, 0xAF, + 0xC1, 0xB2, 0xAE, 0x91, 0xEE, 0x51, 0xD6, 0xCB, + 0x0E, 0x31, 0x79, 0xAB, 0x10, 0x42, 0xA9, 0x5D, + 0xCF, 0x6A, 0x94, 0x83, 0xB8, 0x4B, 0x4B, 0x36, + 0xB3, 0x86, 0x1A, 0xA7, 0x25, 0x5E, 0x4C, 0x02, + 0x78, 0xBA, 0x36, 0x04, 0x65, 0x0C, 0x10, 0xBE, + 0x19, 0x48, 0x2F, 0x23, 0x17, 0x1B, 0x67, 0x1D, + 0xF1, 0xCF, 0x3B, 0x96, 0x0C, 0x07, 0x43, 0x01, + 0xCD, 0x93, 0xC1, 0xD1, 0x76, 0x03, 0xD1, 0x47, + 0xDA, 0xE2, 0xAE, 0xF8, 0x37, 0xA6, 0x29, 0x64, + 0xEF, 0x15, 0xE5, 0xFB, 0x4A, 0xAC, 0x0B, 0x8C, + 0x1C, 0xCA, 0xA4, 0xBE, 0x75, 0x4A, 0xB5, 0x72, + 0x8A, 0xE9, 0x13, 0x0C, 0x4C, 0x7D, 0x02, 0x88, + 0x0A, 0xB9, 0x47, 0x2D, 0x45, 0x55, 0x62, 0x16, + 0xD6, 0x99, 0x8B, 0x86, 0x82, 0x28, 0x3D, 0x19, + 0xD4, 0x2A, 0x90, 0xD5, 0xEF, 0x8E, 0x5D, 0x32, + 0x76, 0x7D, 0xC2, 0x82, 0x2C, 0x6D, 0xF7, 0x85, + 0x45, 0x75, 0x38, 0xAB, 0xAE, 0x83, 0x06, 0x3E, + 0xD9, 0xCB, 0x87, 0xC2, 0xD3, 0x70, 0xF2, 0x63, + 0xD5, 0xFA, 0xD7, 0x46, 0x6D, 0x84, 0x99, 0xEB, + 0x8F, 0x46, 0x4A, 0x70, 0x25, 0x12, 0xB0, 0xCE, + 0xE7, 0x71, 0xE9, 0x13, 0x0D, 0x69, 0x77, 0x35, + 0xF8, 0x97, 0xFD, 0x03, 0x6C, 0xC5, 0x04, 0x32, + 0x6C, 0x3B, 0x01, 0x39, 0x9F, 0x64, 0x35, 0x32, + 0x29, 0x0F, 0x95, 0x8C, 0x0B, 0xBD, 0x90, 0x06, + 0x5D, 0xF0, 0x8B, 0xAB, 0xBD, 0x30, 0xAE, 0xB6, + 0x3B, 0x84, 0xC4, 0x60, 0x5D, 0x6C, 0xA3, 0x71, + 0x04, 0x71, 0x27, 0xD0, 0x3A, 0x72, 0xD5, 0x98, + 0xA1, 0xED, 0xAD, 0xFE, 0x70, 0x7E, 0x88, 0x47, + 0x25, 0xC1, 0x68, 0x90, 0x54, 0x90, 0x84, 0x00, + 0x8D, 0x39, 0x1E, 0x09, 0x53, 0xC3, 0xF3, 0x6B, + 0xC4, 0x38, 0xCD, 0x08, 0x5E, 0xDD, 0x2D, 0x93, + 0x4C, 0xE1, 0x93, 0x8C, 0x35, 0x7A, 0x71, 0x1E, + 0x0D, 0x4A, 0x34, 0x1A, 0x5B, 0x0A, 0x85, 0xED, + 0x12, 0xC1, 0xF4, 0xE5, 0x15, 0x6A, 0x26, 0x74, + 0x6D, 0xDD, 0xE1, 0x6D, 0x82, 0x6F, 0x47, 0x7C, + 0x97, 0x47, 0x7E, 0x0A, 0x0F, 0xDF, 0x65, 0x53, + 0x14, 0x3E, 0x2C, 0xA3, 0xA7, 0x35, 0xE0, 0x2E, + 0xCC, 0xD9, 0x4B, 0x27, 0xD0, 0x48, 0x61, 0xD1, + 0x11, 0x9D, 0xD0, 0xC3, 0x28, 0xAD, 0xF3, 0xF6, + 0x8F, 0xB0, 0x94, 0xB8, 0x67, 0x71, 0x6B, 0xD7, + 0xDC, 0x0D, 0xEE, 0xBB, 0x10, 0xB8, 0x24, 0x0E, + 0x68, 0x03, 0x48, 0x93, 0xEA, 0xD8, 0x2D, 0x54, + 0xC9, 0xDA, 0x75, 0x4C, 0x46, 0xC7, 0xEE, 0xE0, + 0xC3, 0x7F, 0xDB, 0xEE, 0x48, 0x53, 0x60, 0x47, + 0xA6, 0xFA, 0x1A, 0xE4, 0x9A, 0x03, 0x18, 0xCC, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +const krb5_data oakley_1024 = { KV5M_DATA, sizeof(o1024), (char *)o1024 }; +const krb5_data oakley_2048 = { KV5M_DATA, sizeof(o2048), (char *)o2048 }; +const krb5_data oakley_4096 = { KV5M_DATA, sizeof(o4096), (char *)o4096 }; diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h index 77d5c61fe2..577958313d 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h @@ -622,6 +622,10 @@ extern const krb5_octet krb5_pkinit_sha256_oid[]; extern const size_t krb5_pkinit_sha256_oid_len; extern const krb5_octet krb5_pkinit_sha512_oid[]; extern const size_t krb5_pkinit_sha512_oid_len; +extern const krb5_data oakley_1024; +extern const krb5_data oakley_2048; +extern const krb5_data oakley_4096; + /** * An ordered set of OIDs, stored as krb5_data, of KDF algorithms * supported by this implementation. The order of this array controls diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 0204ad8bab..276adacb43 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -52,7 +52,7 @@ static void pkinit_fini_pkcs11(pkinit_identity_crypto_context ctx); static krb5_error_code pkinit_encode_dh_params (const BIGNUM *, const BIGNUM *, const BIGNUM *, uint8_t **, unsigned int *); -static DH *decode_dh_params(const uint8_t *, unsigned int ); +static DH *decode_dh_params(const krb5_data *); static int pkinit_check_dh_params(DH *dh1, DH *dh2); static krb5_error_code pkinit_sign_data @@ -335,128 +335,6 @@ static struct pkcs11_errstrings { { -1, NULL } }; -/* DH parameters */ -static uint8_t oakley_1024[128] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, - 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, - 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, - 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, - 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, - 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, - 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, - 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, - 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, - 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF -}; - -static uint8_t oakley_2048[2048/8] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, - 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, - 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, - 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, - 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, - 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, - 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, - 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, - 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, - 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, - 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, - 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, - 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, - 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, - 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, - 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, - 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, - 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, - 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, - 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, - 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, - 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, - 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, - 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, - 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, - 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF -}; - -static uint8_t oakley_4096[4096/8] = { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, - 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, - 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, - 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, - 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, - 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, - 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, - 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, - 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, - 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, - 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, - 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, - 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, - 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, - 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, - 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, - 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, - 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, - 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, - 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, - 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, - 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, - 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, - 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, - 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, - 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, - 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, - 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, - 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, - 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, - 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, - 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, - 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, - 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, - 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, - 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, - 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, - 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, - 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, - 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, - 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, - 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, - 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, - 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, - 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, - 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, - 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, - 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, - 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, - 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, - 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, - 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, - 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, - 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, - 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, - 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, - 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, - 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, - 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF -}; - MAKE_INIT_FUNCTION(pkinit_openssl_init); static krb5_error_code oerr(krb5_context context, krb5_error_code code, @@ -852,54 +730,20 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx) ASN1_OBJECT_free(ctx->id_kp_serverAuth); } -/* Construct an OpenSSL DH object for an Oakley group. */ -static DH * -make_oakley_dh(uint8_t *prime, size_t len) -{ - DH *dh = NULL; - BIGNUM *p = NULL, *q = NULL, *g = NULL; - - p = BN_bin2bn(prime, len, NULL); - if (p == NULL) - goto cleanup; - q = BN_new(); - if (q == NULL) - goto cleanup; - if (!BN_rshift1(q, p)) - goto cleanup; - g = BN_new(); - if (g == NULL) - goto cleanup; - if (!BN_set_word(g, DH_GENERATOR_2)) - goto cleanup; - - dh = DH_new(); - if (dh == NULL) - goto cleanup; - DH_set0_pqg(dh, p, q, g); - p = g = q = NULL; - -cleanup: - BN_free(p); - BN_free(q); - BN_free(g); - return dh; -} - static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context plgctx) { krb5_error_code retval = ENOMEM; - plgctx->dh_1024 = make_oakley_dh(oakley_1024, sizeof(oakley_1024)); + plgctx->dh_1024 = decode_dh_params(&oakley_1024); if (plgctx->dh_1024 == NULL) goto cleanup; - plgctx->dh_2048 = make_oakley_dh(oakley_2048, sizeof(oakley_2048)); + plgctx->dh_2048 = decode_dh_params(&oakley_2048); if (plgctx->dh_2048 == NULL) goto cleanup; - plgctx->dh_4096 = make_oakley_dh(oakley_4096, sizeof(oakley_4096)); + plgctx->dh_4096 = decode_dh_params(&oakley_4096); if (plgctx->dh_4096 == NULL) goto cleanup; @@ -2539,11 +2383,11 @@ client_create_dh(krb5_context context, if (cryptoctx->dh == NULL) { if (dh_size == 1024) - cryptoctx->dh = make_oakley_dh(oakley_1024, sizeof(oakley_1024)); + cryptoctx->dh = decode_dh_params(&oakley_1024); else if (dh_size == 2048) - cryptoctx->dh = make_oakley_dh(oakley_2048, sizeof(oakley_2048)); + cryptoctx->dh = decode_dh_params(&oakley_2048); else if (dh_size == 4096) - cryptoctx->dh = make_oakley_dh(oakley_4096, sizeof(oakley_4096)); + cryptoctx->dh = decode_dh_params(&oakley_4096); if (cryptoctx->dh == NULL) goto cleanup; } @@ -2717,7 +2561,7 @@ server_check_dh(krb5_context context, int dh_prime_bits; krb5_error_code retval = KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; - dh = decode_dh_params((uint8_t *)dh_params->data, dh_params->length); + dh = decode_dh_params(dh_params); if (dh == NULL) { pkiDebug("failed to decode dhparams\n"); goto cleanup; @@ -2955,8 +2799,9 @@ ASN1_SEQUENCE(DHxparams) = { } static_ASN1_SEQUENCE_END_name(int_dhx942_dh, DHxparams) static DH * -decode_dh_params(const uint8_t *p, unsigned int len) +decode_dh_params(const krb5_data *params_der) { + const uint8_t *p; int_dhx942_dh *params; DH *dh; @@ -2964,7 +2809,8 @@ decode_dh_params(const uint8_t *p, unsigned int len) if (dh == NULL) return NULL; - params = (int_dhx942_dh *)ASN1_item_d2i(NULL, &p, len, + p = (uint8_t *)params_der->data; + params = (int_dhx942_dh *)ASN1_item_d2i(NULL, &p, params_der->length, ASN1_ITEM_rptr(DHxparams)); if (params == NULL) { DH_free(dh); @@ -3048,11 +2894,11 @@ decode_dh_params_int(DH ** a, uint8_t **pp, unsigned int len) } static DH * -decode_dh_params(const uint8_t *p, unsigned int len) +decode_dh_params(const krb5_data *params_der) { - uint8_t *ptr = (uint8_t *)p; + uint8_t *p = (uint8_t *)params_der->data; - return decode_dh_params_int(NULL, &ptr, len); + return decode_dh_params_int(NULL, &p, params_der->length); } #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ @@ -3168,151 +3014,50 @@ pkinit_create_td_dh_parameters(krb5_context context, pkinit_plg_opts *opts, krb5_pa_data ***e_data_out) { - krb5_error_code retval = ENOMEM; - unsigned int buf1_len = 0, buf2_len = 0, buf3_len = 0, i = 0; - unsigned char *buf1 = NULL, *buf2 = NULL, *buf3 = NULL; + krb5_error_code ret; + int i; krb5_pa_data **pa_data = NULL; - krb5_data *encoded_algId = NULL; - krb5_algorithm_identifier **algId = NULL; - const BIGNUM *p, *q, *g; - - if (opts->dh_min_bits > 4096) + krb5_data *der_alglist = NULL; + krb5_algorithm_identifier alg_1024 = { dh_oid, oakley_1024 }; + krb5_algorithm_identifier alg_2048 = { dh_oid, oakley_2048 }; + krb5_algorithm_identifier alg_4096 = { dh_oid, oakley_4096 }; + krb5_algorithm_identifier *alglist[4]; + + if (opts->dh_min_bits > 4096) { + ret = KRB5KRB_ERR_GENERIC; goto cleanup; - - if (opts->dh_min_bits <= 1024) { - DH_get0_pqg(plg_cryptoctx->dh_1024, &p, &q, &g); - retval = pkinit_encode_dh_params(p, g, q, &buf1, &buf1_len); - if (retval) - goto cleanup; - } - if (opts->dh_min_bits <= 2048) { - DH_get0_pqg(plg_cryptoctx->dh_2048, &p, &q, &g); - retval = pkinit_encode_dh_params(p, g, q, &buf2, &buf2_len); - if (retval) - goto cleanup; } - DH_get0_pqg(plg_cryptoctx->dh_4096, &p, &q, &g); - retval = pkinit_encode_dh_params(p, g, q, &buf3, &buf3_len); - if (retval) - goto cleanup; - - if (opts->dh_min_bits <= 1024) { - algId = malloc(4 * sizeof(krb5_algorithm_identifier *)); - if (algId == NULL) - goto cleanup; - algId[3] = NULL; - algId[0] = malloc(sizeof(krb5_algorithm_identifier)); - if (algId[0] == NULL) - goto cleanup; - algId[0]->parameters.data = malloc(buf2_len); - if (algId[0]->parameters.data == NULL) - goto cleanup; - memcpy(algId[0]->parameters.data, buf2, buf2_len); - algId[0]->parameters.length = buf2_len; - algId[0]->algorithm = dh_oid; - - algId[1] = malloc(sizeof(krb5_algorithm_identifier)); - if (algId[1] == NULL) - goto cleanup; - algId[1]->parameters.data = malloc(buf3_len); - if (algId[1]->parameters.data == NULL) - goto cleanup; - memcpy(algId[1]->parameters.data, buf3, buf3_len); - algId[1]->parameters.length = buf3_len; - algId[1]->algorithm = dh_oid; - - algId[2] = malloc(sizeof(krb5_algorithm_identifier)); - if (algId[2] == NULL) - goto cleanup; - algId[2]->parameters.data = malloc(buf1_len); - if (algId[2]->parameters.data == NULL) - goto cleanup; - memcpy(algId[2]->parameters.data, buf1, buf1_len); - algId[2]->parameters.length = buf1_len; - algId[2]->algorithm = dh_oid; - - } else if (opts->dh_min_bits <= 2048) { - algId = malloc(3 * sizeof(krb5_algorithm_identifier *)); - if (algId == NULL) - goto cleanup; - algId[2] = NULL; - algId[0] = malloc(sizeof(krb5_algorithm_identifier)); - if (algId[0] == NULL) - goto cleanup; - algId[0]->parameters.data = malloc(buf2_len); - if (algId[0]->parameters.data == NULL) - goto cleanup; - memcpy(algId[0]->parameters.data, buf2, buf2_len); - algId[0]->parameters.length = buf2_len; - algId[0]->algorithm = dh_oid; - - algId[1] = malloc(sizeof(krb5_algorithm_identifier)); - if (algId[1] == NULL) - goto cleanup; - algId[1]->parameters.data = malloc(buf3_len); - if (algId[1]->parameters.data == NULL) - goto cleanup; - memcpy(algId[1]->parameters.data, buf3, buf3_len); - algId[1]->parameters.length = buf3_len; - algId[1]->algorithm = dh_oid; - } else if (opts->dh_min_bits <= 4096) { - algId = malloc(2 * sizeof(krb5_algorithm_identifier *)); - if (algId == NULL) - goto cleanup; - algId[1] = NULL; - algId[0] = malloc(sizeof(krb5_algorithm_identifier)); - if (algId[0] == NULL) - goto cleanup; - algId[0]->parameters.data = malloc(buf3_len); - if (algId[0]->parameters.data == NULL) - goto cleanup; - memcpy(algId[0]->parameters.data, buf3, buf3_len); - algId[0]->parameters.length = buf3_len; - algId[0]->algorithm = dh_oid; + i = 0; + if (opts->dh_min_bits <= 2048) + alglist[i++] = &alg_2048; + alglist[i++] = &alg_4096; + if (opts->dh_min_bits <= 1024) + alglist[i++] = &alg_1024; + alglist[i] = NULL; - } - retval = k5int_encode_krb5_td_dh_parameters((krb5_algorithm_identifier *const *)algId, &encoded_algId); - if (retval) + ret = k5int_encode_krb5_td_dh_parameters(alglist, &der_alglist); + if (ret) goto cleanup; -#ifdef DEBUG_ASN1 - print_buffer_bin((unsigned char *)encoded_algId->data, - encoded_algId->length, "/tmp/kdc_td_dh_params"); -#endif - pa_data = malloc(2 * sizeof(krb5_pa_data *)); - if (pa_data == NULL) { - retval = ENOMEM; + + pa_data = k5calloc(2, sizeof(*pa_data), &ret); + if (pa_data == NULL) goto cleanup; - } pa_data[1] = NULL; - pa_data[0] = malloc(sizeof(krb5_pa_data)); + pa_data[0] = k5alloc(sizeof(*pa_data[0]), &ret); if (pa_data[0] == NULL) { free(pa_data); - retval = ENOMEM; goto cleanup; } pa_data[0]->pa_type = TD_DH_PARAMETERS; - pa_data[0]->length = encoded_algId->length; - pa_data[0]->contents = (krb5_octet *)encoded_algId->data; + pa_data[0]->length = der_alglist->length; + pa_data[0]->contents = (krb5_octet *)der_alglist->data; + der_alglist->data = NULL; *e_data_out = pa_data; - retval = 0; -cleanup: - - free(buf1); - free(buf2); - free(buf3); - free(encoded_algId); - - if (algId != NULL) { - while(algId[i] != NULL) { - free(algId[i]->parameters.data); - free(algId[i]); - i++; - } - free(algId); - } - return retval; +cleanup: + krb5_free_data(context, der_alglist); + return ret; } krb5_error_code @@ -3391,8 +3136,7 @@ pkinit_process_td_dh_params(krb5_context context, memcmp(algId[i]->algorithm.data, dh_oid.data, dh_oid.length)) goto cleanup; - dh = decode_dh_params((uint8_t *)algId[i]->parameters.data, - algId[i]->parameters.length); + dh = decode_dh_params(&algId[i]->parameters); if (dh == NULL) goto cleanup; DH_get0_pqg(dh, &p, NULL, NULL);