/*
- * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "krb5_locl.h"
integer->length = BN_num_bytes(bn);
integer->data = malloc(integer->length);
if (integer->data == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOMEM;
}
BN_bn2bin(bn, integer->data);
bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
if (bn == NULL) {
- krb5_set_error_message(context, ENOMEM, "PKINIT: parsing BN failed %s", field);
+ krb5_set_error_message(context, ENOMEM,
+ N_("PKINIT: parsing BN failed %s", ""), field);
return NULL;
}
BN_set_negative(bn, f->negative);
*/
static krb5_error_code
-find_cert(krb5_context context, struct krb5_pk_identity *id,
+find_cert(krb5_context context, struct krb5_pk_identity *id,
hx509_query *q, hx509_cert *cert)
{
- struct certfind cf[3] = {
+ struct certfind cf[3] = {
{ "PKINIT EKU" },
{ "MS EKU" },
{ "no" }
for (i = 0; i < sizeof(cf)/sizeof(cf[0]); i++) {
ret = hx509_query_match_eku(q, cf[i].oid);
if (ret) {
- pk_copy_error(context, id->hx509ctx, ret,
+ pk_copy_error(context, id->hx509ctx, ret,
"Failed setting %s OID", cf[i].type);
return ret;
}
ret = hx509_certs_find(id->hx509ctx, id->certs, q, cert);
if (ret == 0)
break;
- pk_copy_error(context, id->hx509ctx, ret,
+ pk_copy_error(context, id->hx509ctx, ret,
"Failed cert for finding %s OID", cf[i].type);
}
return ret;
ret = hx509_query_alloc(id->hx509ctx, &q);
if (ret) {
- pk_copy_error(context, id->hx509ctx, ret,
+ pk_copy_error(context, id->hx509ctx, ret,
"Allocate query to find signing certificate");
return ret;
}
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
}
-
+
ret = hx509_name_binary(subject, id.subjectName);
if (ret) {
hx509_name_free(&subject);
}
ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
- id.issuerAndSerialNumber->data,
+ id.issuerAndSerialNumber->data,
id.issuerAndSerialNumber->length,
&iasn, &size, ret);
free_IssuerAndSerialNumber(&iasn);
id.subjectKeyIdentifier = NULL;
- p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
+ p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
if (p == NULL) {
free_ExternalPrincipalIdentifier(&id);
return ENOMEM;
int32_t usec;
Checksum checksum;
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
memset(&checksum, 0, sizeof(checksum));
len,
&checksum);
free(buf);
- if (ret)
+ if (ret)
return ret;
ALLOC(a->pkAuthenticator.paChecksum, 1);
if (a->pkAuthenticator.paChecksum == NULL) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
if (1 /* support_cached_dh */) {
ALLOC(a->clientDHNonce, 1);
if (a->clientDHNonce == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ENOMEM;
}
ret = krb5_data_alloc(a->clientDHNonce, 40);
if (a->clientDHNonce == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return ret;
}
memset(a->clientDHNonce->data, 0, a->clientDHNonce->length);
- ret = krb5_copy_data(context, a->clientDHNonce,
+ ret = krb5_copy_data(context, a->clientDHNonce,
&ctx->clientDHNonce);
if (ret)
return ret;
dp.j = NULL;
dp.validationParms = NULL;
- a->clientPublicValue->algorithm.parameters =
+ a->clientPublicValue->algorithm.parameters =
malloc(sizeof(*a->clientPublicValue->algorithm.parameters));
if (a->clientPublicValue->algorithm.parameters == NULL) {
free_DomainParameters(&dp);
krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_mk_ContentInfo(krb5_context context,
- const krb5_data *buf,
+ const krb5_data *buf,
const heim_oid *oid,
struct ContentInfo *content_info)
{
ret = copy_PrincipalName(req_body->sname, &ap.pkAuthenticator.kdcName);
if (ret) {
free_AuthPack_Win2k(&ap);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
goto out;
}
ret = copy_Realm(&req_body->realm, &ap.pkAuthenticator.kdcRealm);
if (ret) {
free_AuthPack_Win2k(&ap);
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
goto out;
}
&ap, &size, ret);
free_AuthPack_Win2k(&ap);
if (ret) {
- krb5_set_error_message(context, ret, "AuthPack_Win2k: %d",
+ krb5_set_error_message(context, ret,
+ N_("Failed encoding AuthPackWin: %d", ""),
(int)ret);
goto out;
}
ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret);
free_AuthPack(&ap);
if (ret) {
- krb5_set_error_message(context, ret, "AuthPack: %d", (int)ret);
+ krb5_set_error_message(context, ret,
+ N_("Failed encoding AuthPack: %d", ""),
+ (int)ret);
goto out;
}
if (buf.length != size)
krb5_data_free(&sd_buf);
if (ret) {
krb5_set_error_message(context, ret,
- "ContentInfo wrapping of signedData failed");
+ N_("ContentInfo wrapping of signedData failed",""));
goto out;
}
req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
if (req.trustedCertifiers == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
free_PA_PK_AS_REQ(&req);
goto out;
}
- ret = build_edi(context, ctx->id->hx509ctx,
+ ret = build_edi(context, ctx->id->hx509ctx,
ctx->id->anchors, req.trustedCertifiers);
if (ret) {
- krb5_set_error_message(context, ret, "pk-init: failed to build trustedCertifiers");
+ krb5_set_error_message(context, ret,
+ N_("pk-init: failed to build "
+ "trustedCertifiers", ""));
free_PA_PK_AS_REQ(&req);
goto out;
}
}
-krb5_error_code KRB5_LIB_FUNCTION
+krb5_error_code KRB5_LIB_FUNCTION
_krb5_pk_mk_padata(krb5_context context,
void *c,
const KDC_REQ_BODY *req_body,
NULL);
if (win2k_compat) {
- ctx->require_binding =
+ ctx->require_binding =
krb5_config_get_bool_default(context, NULL,
FALSE,
"realms",
} else
ctx->type = PKINIT_27;
- ctx->require_eku =
+ ctx->require_eku =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
req_body->realm,
"pkinit_require_eku",
NULL);
- ctx->require_krbtgt_otherName =
+ ctx->require_krbtgt_otherName =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
"pkinit_require_krbtgt_otherName",
NULL);
- ctx->require_hostname_match =
+ ctx->require_hostname_match =
krb5_config_get_bool_default(context, NULL,
FALSE,
"realms",
"pkinit_require_hostname_match",
NULL);
- ctx->trustedCertifiers =
+ ctx->trustedCertifiers =
krb5_config_get_bool_default(context, NULL,
TRUE,
"realms",
*signer = calloc(1, sizeof(**signer));
if (*signer == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
ret = ENOMEM;
goto out;
}
&key_pack,
&size);
if (ret) {
- krb5_set_error_message(context, ret, "PKINIT decoding reply key failed");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT decoding reply key failed", ""));
free_ReplyKeyPack_Win2k(&key_pack);
return ret;
}
-
+
if (key_pack.nonce != nonce) {
- krb5_set_error_message(context, ret, "PKINIT enckey nonce is wrong");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT enckey nonce is wrong", ""));
free_ReplyKeyPack_Win2k(&key_pack);
return KRB5KRB_AP_ERR_MODIFIED;
}
*key = malloc (sizeof (**key));
if (*key == NULL) {
free_ReplyKeyPack_Win2k(&key_pack);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = copy_EncryptionKey(&key_pack.replyKey, *key);
free_ReplyKeyPack_Win2k(&key_pack);
if (ret) {
- krb5_set_error_message(context, ret, "PKINIT failed copying reply key");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT failed copying reply key", ""));
free(*key);
*key = NULL;
}
&key_pack,
&size);
if (ret) {
- krb5_set_error_message(context, ret, "PKINIT decoding reply key failed");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT decoding reply key failed", ""));
free_ReplyKeyPack(&key_pack);
return ret;
}
-
+
{
krb5_crypto crypto;
- /*
+ /*
* XXX Verify kp.replyKey is a allowed enctype in the
* configuration file
*/
*key = malloc (sizeof (**key));
if (*key == NULL) {
free_ReplyKeyPack(&key_pack);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = copy_EncryptionKey(&key_pack.replyKey, *key);
free_ReplyKeyPack(&key_pack);
if (ret) {
- krb5_set_error_message(context, ret, "PKINIT failed copying reply key");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT failed copying reply key", ""));
free(*key);
*key = NULL;
}
ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
oid_id_pkkdcekuoid(), 0);
if (ret) {
- krb5_set_error_message(context, ret, "No PK-INIT KDC EKU in kdc certificate");
+ krb5_set_error_message(context, ret,
+ N_("No PK-INIT KDC EKU in kdc certificate", ""));
return ret;
}
}
oid_id_pkinit_san(),
&list);
if (ret) {
- krb5_set_error_message(context, ret, "Failed to find the PK-INIT "
- "subjectAltName in the KDC certificate");
+ krb5_set_error_message(context, ret,
+ N_("Failed to find the PK-INIT "
+ "subjectAltName in the KDC "
+ "certificate", ""));
return ret;
}
&r,
NULL);
if (ret) {
- krb5_set_error_message(context, ret, "Failed to decode the PK-INIT "
- "subjectAltName in the KDC certificate");
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode the PK-INIT "
+ "subjectAltName in the "
+ "KDC certificate", ""));
break;
}
strcmp(r.realm, realm) != 0)
{
ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
- krb5_set_error_message(context, ret, "KDC have wrong realm name in "
- "the certificate");
+ krb5_set_error_message(context, ret,
+ N_("KDC have wrong realm name in "
+ "the certificate", ""));
}
free_KRB5PrincipalName(&r);
}
if (ret)
return ret;
-
+
if (hi) {
- ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
+ ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
ctx->require_hostname_match,
HX509_HN_HOSTNAME,
hi->hostname,
hi->ai->ai_addr, hi->ai->ai_addrlen);
if (ret)
- krb5_set_error_message(context, ret, "Address mismatch in "
- "the KDC certificate");
+ krb5_set_error_message(context, ret,
+ N_("Address mismatch in "
+ "the KDC certificate", ""));
}
return ret;
}
unsigned nonce,
const krb5_data *req_buffer,
PA_DATA *pa,
- krb5_keyblock **key)
+ krb5_keyblock **key)
{
krb5_error_code ret;
struct krb5_pk_cert *host = NULL;
heim_oid contentType = { 0, NULL };
if (der_heim_oid_cmp(oid_id_pkcs7_envelopedData(), dataType)) {
- krb5_set_error_message(context, EINVAL, "PKINIT: Invalid content type");
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: Invalid content type", ""));
return EINVAL;
}
ret = hx509_cms_unwrap_ContentInfo(&content, &type, &out, NULL);
if (der_heim_oid_cmp(&type, oid_id_pkcs7_signedData())) {
ret = EINVAL; /* XXX */
- krb5_set_error_message(context, ret, "PKINIT: Invalid content type");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: Invalid content type", ""));
der_free_oid(&type);
der_free_octet_string(&out);
goto out;
ret = krb5_data_copy(&content, out.data, out.length);
der_free_octet_string(&out);
if (ret) {
- krb5_set_error_message(context, ret, "PKINIT: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto out;
}
}
- ret = _krb5_pk_verify_sign(context,
+ ret = _krb5_pk_verify_sign(context,
content.data,
content.length,
ctx->id,
memset(&kdc_dh_info, 0, sizeof(kdc_dh_info));
if (der_heim_oid_cmp(oid_id_pkcs7_signedData(), dataType)) {
- krb5_set_error_message(context, EINVAL, "PKINIT: Invalid content type");
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: Invalid content type", ""));
return EINVAL;
}
- ret = _krb5_pk_verify_sign(context,
+ ret = _krb5_pk_verify_sign(context,
indata->data,
indata->length,
ctx->id,
if (der_heim_oid_cmp(&contentType, oid_id_pkdhkeydata())) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
- krb5_set_error_message(context, ret, "pkinit - dh reply contains wrong oid");
+ krb5_set_error_message(context, ret,
+ N_("pkinit - dh reply contains wrong oid", ""));
goto out;
}
&size);
if (ret) {
- krb5_set_error_message(context, ret, "pkinit - "
- "failed to decode KDC DH Key Info");
+ krb5_set_error_message(context, ret,
+ N_("pkinit - failed to decode "
+ "KDC DH Key Info", ""));
goto out;
}
if (kdc_dh_info.nonce != nonce) {
ret = KRB5KRB_AP_ERR_MODIFIED;
- krb5_set_error_message(context, ret, "PKINIT: DH nonce is wrong");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: DH nonce is wrong", ""));
goto out;
}
if (kdc_dh_info.dhKeyExpiration) {
if (k_n == NULL) {
ret = KRB5KRB_ERR_GENERIC;
- krb5_set_error_message(context, ret, "pkinit; got key expiration "
- "without server nonce");
+ krb5_set_error_message(context, ret,
+ N_("pkinit; got key expiration "
+ "without server nonce", ""));
goto out;
}
if (c_n == NULL) {
ret = KRB5KRB_ERR_GENERIC;
- krb5_set_error_message(context, ret, "pkinit; got DH reuse but no "
- "client nonce");
+ krb5_set_error_message(context, ret,
+ N_("pkinit; got DH reuse but no "
+ "client nonce", ""));
goto out;
}
} else {
if (k_n) {
ret = KRB5KRB_ERR_GENERIC;
- krb5_set_error_message(context, ret, "pkinit: got server nonce "
- "without key expiration");
+ krb5_set_error_message(context, ret,
+ N_("pkinit: got server nonce "
+ "without key expiration", ""));
goto out;
}
c_n = NULL;
DHPublicKey k;
ret = decode_DHPublicKey(p, size, &k, NULL);
if (ret) {
- krb5_set_error_message(context, ret, "pkinit: can't decode "
- "without key expiration");
+ krb5_set_error_message(context, ret,
+ N_("pkinit: can't decode "
+ "without key expiration", ""));
goto out;
}
goto out;
}
}
-
+
dh_gen_keylen = DH_size(ctx->dh);
size = BN_num_bytes(ctx->dh->p);
if (size < dh_gen_keylen)
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret, "malloc: out of memory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
}
memset(dh_gen_key, 0, size - dh_gen_keylen);
kdc_dh_pubkey, ctx->dh);
if (dh_gen_keylen == -1) {
ret = KRB5KRB_ERR_GENERIC;
- krb5_set_error_message(context, ret,
- "PKINIT: Can't compute Diffie-Hellman key");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: Can't compute Diffie-Hellman key", ""));
goto out;
}
*key = malloc (sizeof (**key));
if (*key == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret, "malloc: out of memory");
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
goto out;
}
*key);
if (ret) {
krb5_set_error_message(context, ret,
- "PKINIT: can't create key from DH key");
+ N_("PKINIT: can't create key from DH key", ""));
free(*key);
*key = NULL;
goto out;
heim_oid oid;
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
- krb5_set_error_message(context, EINVAL, "PKINIT: wrong padata recv");
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: wrong padata recv", ""));
return EINVAL;
}
&rep,
&size);
if (ret) {
- krb5_set_error_message(context, ret, "Failed to decode pkinit AS rep");
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode pkinit AS rep", ""));
return ret;
}
break;
default:
free_PA_PK_AS_REP(&rep);
- krb5_set_error_message(context, EINVAL, "PKINIT: -27 reply "
- "invalid content type");
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: -27 reply "
+ "invalid content type", ""));
return EINVAL;
}
ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL);
if (ret) {
free_PA_PK_AS_REP(&rep);
- krb5_set_error_message(context, ret, "PKINIT: failed to unwrap CI");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: failed to unwrap CI", ""));
return ret;
}
nonce, pa, key);
break;
case choice_PA_PK_AS_REP_encKeyPack:
- ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, realm,
+ ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, realm,
ctx, etype, hi, nonce, req_buffer, pa, key);
break;
default:
} else if (ctx->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k w2krep;
- /* Check for Windows encoding of the AS-REP pa data */
+ /* Check for Windows encoding of the AS-REP pa data */
#if 0 /* should this be ? */
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
- krb5_set_error_message(context, EINVAL, "PKINIT: wrong padata recv");
+ krb5_set_error_message(context, EINVAL,
+ "PKINIT: wrong padata recv");
return EINVAL;
}
#endif
&w2krep,
&size);
if (ret) {
- krb5_set_error_message(context, ret, "PKINIT: Failed decoding windows "
- "pkinit reply %d", (int)ret);
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: Failed decoding windows "
+ "pkinit reply %d", ""), (int)ret);
return ret;
}
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
switch (w2krep.element) {
case choice_PA_PK_AS_REP_Win2k_encKeyPack: {
heim_octet_string data;
heim_oid oid;
-
- ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack,
+
+ ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack,
&oid, &data, NULL);
free_PA_PK_AS_REP_Win2k(&w2krep);
if (ret) {
- krb5_set_error_message(context, ret, "PKINIT: failed to unwrap CI");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: failed to unwrap CI", ""));
return ret;
}
default:
free_PA_PK_AS_REP_Win2k(&w2krep);
ret = EINVAL;
- krb5_set_error_message(context, ret, "PKINIT: win2k reply invalid "
- "content type");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: win2k reply invalid "
+ "content type", ""));
break;
}
-
+
} else {
ret = EINVAL;
- krb5_set_error_message(context, ret, "PKINIT: unknown reply type");
+ krb5_set_error_message(context, ret,
+ N_("PKINIT: unknown reply type", ""));
}
return ret;
void *prompter_data;
};
-static int
+static int
hx_pass_prompter(void *data, const hx509_prompt *prompter)
{
krb5_error_code ret;
krb5_prompt prompt;
krb5_data password_data;
struct prompter *p = data;
-
+
password_data.data = prompter->reply.data;
password_data.length = prompter->reply.length;
prompt.type = KRB5_PROMPT_TYPE_PASSWORD;
break;
}
-
+
ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
if (ret) {
memset (prompter->reply.data, 0, prompter->reply.length);
if (anchor_id == NULL) {
krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA,
- "PKINIT: No anchor given");
+ N_("PKINIT: No anchor given", ""));
return HEIM_PKINIT_NO_VALID_CA;
}
if (user_id == NULL) {
krb5_set_error_message(context, HEIM_PKINIT_NO_PRIVATE_KEY,
- "PKINIT: No user certificate given");
+ N_("PKINIT: No user certificate given", ""));
return HEIM_PKINIT_NO_PRIVATE_KEY;
}
id = calloc(1, sizeof(*id));
if (id == NULL) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
goto out;
}
- ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain",
+ ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain",
0, NULL, &id->certpool);
if (ret) {
pk_copy_error(context, id->hx509ctx, ret,
}
while (*revoke_list) {
- ret = hx509_revoke_add_crl(id->hx509ctx,
+ ret = hx509_revoke_add_crl(id->hx509ctx,
id->revokectx,
*revoke_list);
if (ret) {
- pk_copy_error(context, id->hx509ctx, ret,
+ pk_copy_error(context, id->hx509ctx, ret,
"Failed load revoke list");
goto out;
}
ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx);
if (ret) {
- pk_copy_error(context, id->hx509ctx, ret,
+ pk_copy_error(context, id->hx509ctx, ret,
"Failed init verify context");
goto out;
}
}
static krb5_error_code
-select_dh_group(krb5_context context, DH *dh, unsigned long bits,
+select_dh_group(krb5_context context, DH *dh, unsigned long bits,
struct krb5_dh_moduli **moduli)
{
const struct krb5_dh_moduli *m;
}
if (moduli[i] == NULL) {
krb5_set_error_message(context, EINVAL,
- "Did not find a DH group parameter "
- "matching requirement of %lu bits",
+ N_("Did not find a DH group parameter "
+ "matching requirement of %lu bits", ""),
bits);
return EINVAL;
}
vasprintf(&f, fmt, va);
va_end(va);
if (f == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
return;
}
s = hx509_get_error_string(hx509ctx, hxret);
if (s == NULL) {
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
free(f);
return;
}
free(f);
}
-#endif /* PKINIT */
-
static int
-parse_integer(krb5_context context, char **p, const char *file, int lineno,
+parse_integer(krb5_context context, char **p, const char *file, int lineno,
const char *name, heim_integer *integer)
{
int ret;
char *p1;
p1 = strsep(p, " \t");
if (p1 == NULL) {
- krb5_set_error_message(context, EINVAL, "moduli file %s missing %s on line %d",
+ krb5_set_error_message(context, EINVAL,
+ N_("moduli file %s missing %s on line %d", ""),
file, name, lineno);
return EINVAL;
}
ret = der_parse_hex_heim_integer(p1, integer);
if (ret) {
- krb5_set_error_message(context, ret, "moduli file %s failed parsing %s "
- "on line %d",
+ krb5_set_error_message(context, ret,
+ N_("moduli file %s failed parsing %s "
+ "on line %d", ""),
file, name, lineno);
return ret;
}
}
krb5_error_code
-_krb5_parse_moduli_line(krb5_context context,
+_krb5_parse_moduli_line(krb5_context context,
const char *file,
int lineno,
char *p,
m1 = calloc(1, sizeof(*m1));
if (m1 == NULL) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
p1 = strsep(&p, " \t");
if (p1 == NULL) {
- krb5_set_error_message(context, ret, "moduli file %s missing name "
- "on line %d", file, lineno);
+ krb5_set_error_message(context, ret,
+ N_("moduli file %s missing name on line %d", ""),
+ file, lineno);
goto out;
}
m1->name = strdup(p1);
if (p1 == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret, "malloc - out of memeory");
+ krb5_set_error_message(context, ret, N_("malloc: out of memeory", ""));
goto out;
}
p1 = strsep(&p, " \t");
if (p1 == NULL) {
- krb5_set_error_message(context, ret, "moduli file %s missing bits on line %d",
+ krb5_set_error_message(context, ret,
+ N_("moduli file %s missing bits on line %d", ""),
file, lineno);
goto out;
}
m1->bits = atoi(p1);
if (m1->bits == 0) {
- krb5_set_error_message(context, ret, "moduli file %s have un-parsable "
- "bits on line %d", file, lineno);
+ krb5_set_error_message(context, ret,
+ N_("moduli file %s have un-parsable "
+ "bits on line %d", ""), file, lineno);
goto out;
}
m = calloc(1, sizeof(m[0]) * 3);
if (m == NULL) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
m2 = realloc(m, (n + 2) * sizeof(m[0]));
if (m2 == NULL) {
_krb5_free_moduli(m);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
m = m2;
(q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0))
{
if (bits && bits > moduli[i]->bits) {
- krb5_set_error_message(context,
+ krb5_set_error_message(context,
KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
- "PKINIT: DH group parameter %s "
- "no accepted, not enough bits generated",
+ N_("PKINIT: DH group parameter %s "
+ "no accepted, not enough bits "
+ "generated", ""),
moduli[i]->name);
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
}
krb5_set_error_message(context,
KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
- "PKINIT: DH group parameter no ok");
+ N_("PKINIT: DH group parameter no ok", ""));
return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
}
+#endif /* PKINIT */
void KRB5_LIB_FUNCTION
_krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
opt->opt_private->pk_init_ctx = NULL;
#endif
}
-
+
krb5_error_code KRB5_LIB_FUNCTION
krb5_get_init_creds_opt_set_pkinit(krb5_context context,
krb5_get_init_creds_opt *opt,
char *anchors = NULL;
if (opt->opt_private == NULL) {
- krb5_set_error_message(context, EINVAL, "PKINIT: on non extendable opt");
+ krb5_set_error_message(context, EINVAL,
+ N_("PKINIT: on non extendable opt", ""));
return EINVAL;
}
- opt->opt_private->pk_init_ctx =
+ opt->opt_private->pk_init_ctx =
calloc(1, sizeof(*opt->opt_private->pk_init_ctx));
if (opt->opt_private->pk_init_ctx == NULL) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
opt->opt_private->pk_init_ctx->dh = NULL;
/* XXX implement krb5_appdefault_strings */
if (pool == NULL)
pool = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_pool",
+ "appdefaults",
+ "pkinit_pool",
NULL);
if (pki_revoke == NULL)
pki_revoke = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_revoke",
+ "appdefaults",
+ "pkinit_revoke",
NULL);
if (x509_anchors == NULL) {
krb5_appdefault_string(context, "kinit",
- krb5_principal_get_realm(context, principal),
+ krb5_principal_get_realm(context, principal),
"pkinit_anchors", NULL, &anchors);
x509_anchors = anchors;
}
"pkinit_dh_min_bits",
NULL);
- ret = _krb5_parse_moduli(context, moduli_file,
+ ret = _krb5_parse_moduli(context, moduli_file,
&opt->opt_private->pk_init_ctx->m);
if (ret) {
_krb5_get_init_creds_opt_free_pkinit(opt);
opt->opt_private->pk_init_ctx->dh = DH_new();
if (opt->opt_private->pk_init_ctx->dh == NULL) {
_krb5_get_init_creds_opt_free_pkinit(opt);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
ret = select_dh_group(context, opt->opt_private->pk_init_ctx->dh,
- dh_min_bits,
+ dh_min_bits,
opt->opt_private->pk_init_ctx->m);
if (ret) {
_krb5_get_init_creds_opt_free_pkinit(opt);
if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) {
_krb5_get_init_creds_opt_free_pkinit(opt);
- krb5_set_error_message(context, ENOMEM, "pkinit: failed to generate DH key");
+ krb5_set_error_message(context, ENOMEM,
+ N_("pkinit: failed to generate DH key", ""));
return ENOMEM;
}
}
return 0;
#else
- krb5_set_error_message(context, EINVAL, "no support for PKINIT compiled in");
+ krb5_set_error_message(context, EINVAL,
+ N_("no support for PKINIT compiled in", ""));
return EINVAL;
#endif
}
git.samba.org / sfrench / samba-autobuild / .git / blobdiff