#include "krb5_locl.h"
-RCSID("$Id: pkinit.c,v 1.120 2006/12/08 02:48:09 lha Exp $");
+RCSID("$Id: pkinit.c 21004 2007-06-08 01:53:10Z lha $");
struct krb5_dh_moduli {
char *name;
struct krb5_dh_moduli **m;
hx509_peer_info peer;
int type;
- int require_binding;
- int require_eku;
- int require_krbtgt_otherName;
- int require_hostname_match;
+ unsigned int require_binding:1;
+ unsigned int require_eku:1;
+ unsigned int require_krbtgt_otherName:1;
+ unsigned int require_hostname_match:1;
+ unsigned int trustedCertifiers:1;
};
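Review bot: The new `trustedCertifiers:1` field is added without a comment saying what it gates, and its spelling breaks the `require_*` snake_case pattern of the four fields just above it. Because all five are now width-1 `unsigned int` bitfields, anything stored in them is reduced to its low bit, so writers must assign only 0/1 (`TRUE`/`FALSE`) and never, for example, an error return. I would put `/* include trustedCertifiers built from id->anchors in PA-PK-AS-REQ (pkinit_trustedCertifiers) */` on the new line. The struct header is not reliably visible in this hunk, so the definition may begin outside it.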
static void
}
ret = hx509_cms_create_signed_1(id->hx509ctx,
+ 0,
eContentType,
eContent->data,
eContent->length,
return ret;
}
-
return ret;
}
memset(&req, 0, sizeof(req));
req.signedAuthPack = buf;
- req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
- if (req.trustedCertifiers == NULL) {
- krb5_set_error_string(context, "malloc: out of memory");
- free_PA_PK_AS_REQ(&req);
- goto out;
- }
- ret = build_edi(context, ctx->id->hx509ctx,
- ctx->id->anchors, req.trustedCertifiers);
- if (ret) {
- krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
- free_PA_PK_AS_REQ(&req);
- goto out;
+ if (ctx->trustedCertifiers) {
+
+ req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
+ if (req.trustedCertifiers == NULL) {
+ krb5_set_error_string(context, "malloc: out of memory");
+ free_PA_PK_AS_REQ(&req);
+ goto out;
+ }
+ ret = build_edi(context, ctx->id->hx509ctx,
+ ctx->id->anchors, req.trustedCertifiers);
+ if (ret) {
+ krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
+ free_PA_PK_AS_REQ(&req);
+ goto out;
+ }
}
req.kdcPkId = NULL;
"pkinit_require_hostname_match",
NULL);
+ ctx->trustedCertifiers =
+ krb5_config_get_bool_default(context, NULL,
+ TRUE,
+ "realms",
+ req_body->realm,
+ "pkinit_trustedCertifiers",
+ NULL);
+
return pk_mk_padata(context, ctx, req_body, nonce, md);
}
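Review bot: The configuration key `pkinit_trustedCertifiers` on the new lines does not follow the snake_case spelling of the sibling keys such as `pkinit_require_hostname_match`, and a user-visible option name is hard to change once shipped; consider `pkinit_trusted_certifiers`, or at least document the camelCase spelling next to the other pkinit_* realm options. Defaulting to `TRUE` preserves the previously unconditional behaviour, which is the right compatibility choice. The result lands in a 1-bit field, which is only safe as long as `krb5_config_get_bool_default` returns exactly 0 or 1. The enclosing function starts outside this hunk.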
id->verify_ctx,
data,
length,
+ NULL,
id->certpool,
contentType,
content,
&kdc_dh_info,
&size);
- if (ret)
+ if (ret) {
+ krb5_set_error_string(context, "pkinit - "
+ "failed to decode KDC DH Key Info");
goto out;
+ }
if (kdc_dh_info.nonce != nonce) {
krb5_set_error_string(context, "PKINIT: DH nonce is wrong");
_krb5_pk_cert_free(host);
if (content.data)
krb5_data_free(&content);
+ der_free_oid(&contentType);
free_KDCDHKeyInfo(&kdc_dh_info);
return ret;
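Review bot: The added `der_free_oid(&contentType)` in the cleanup block runs on every exit path, including ones taken before the CMS verification call above has filled `contentType`, so `contentType` must be zero-initialized at its declaration for this to be safe; that declaration is outside the hunk and I cannot see it. The neighbouring `content` is guarded with `if (content.data)` two lines earlier, which makes the unguarded free stand out. If it is not already initialised, add `memset(&contentType, 0, sizeof(contentType));` before the first `goto out`. The enclosing function begins and ends outside this hunk.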
pa->padata_value.length,
&rep,
&size);
- if (ret)
+ if (ret) {
+ krb5_set_error_string(context, "Failed to decode pkinit AS rep");
return ret;
+ }
switch (rep.element) {
case choice_PA_PK_AS_REP_dhInfo:
free(ctx->id);
ctx->id = NULL;
}
+ free(opt->opt_private->pk_init_ctx);
opt->opt_private->pk_init_ctx = NULL;
#endif
}
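Review bot: Freeing `opt->opt_private->pk_init_ctx` closes the leak of the context object itself, but the context also owns the `m` moduli array and the `peer` info (see the struct fields earlier in this diff), and the part of the function visible here only releases `ctx->id`. If those members are not freed above the hunk they still leak; I would add `_krb5_free_moduli(ctx->m);` and `hx509_peer_info_free(ctx->peer);` before the `free`, each only when the pointer is non-NULL. The start of the function is outside this hunk, so I cannot confirm what it already releases.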