p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
if (cms_msg_type == CMS_SIGN_DRAFT9){
- /* don't include signed attributes for pa-type 15 request */
- abuf = data;
- alen = data_len;
- } else {
+ /* don't include signed attributes for pa-type 15 request */
+ abuf = data;
+ alen = data_len;
+ } else {
/* add signed attributes */
/* compute sha1 digest over the EncapsulatedContentInfo */
EVP_MD_CTX_init(&ctx);
__FUNCTION__, ERR_error_string(err, NULL));
goto cleanup;
}
- etype = CMS_get0_eContentType(cms);
+ etype = CMS_get0_eContentType(cms);
/*
* Prior to 1.10 the MIT client incorrectly omitted the pkinit structure
* directly in a CMS ContentInfo rather than using SignedData with no
* signers. Handle that case.
- */
+ */
type = CMS_get0_type(cms);
if (is_signed && !OBJ_cmp(type, oid)) {
unsigned char *d;
/* Not actually signed; anonymous case */
if (!is_signed)
goto cleanup;
- *is_signed = 0;
- /* We cannot use CMS_dataInit because there may be no digest */
- octets = pkinit_CMS_get0_content_signed(cms);
- if (octets)
- out = BIO_new_mem_buf((*octets)->data, (*octets)->length);
- if (out == NULL)
- goto cleanup;
+ *is_signed = 0;
+ /* We cannot use CMS_dataInit because there may be no digest */
+ octets = pkinit_CMS_get0_content_signed(cms);
+ if (octets)
+ out = BIO_new_mem_buf((*octets)->data, (*octets)->length);
+ if (out == NULL)
+ goto cleanup;
} else {
pkinit_CMS_SignerInfo_get_cert(cms, si, &x);
if (x == NULL)
if (i <= 0)
goto cleanup;
out = BIO_new(BIO_s_mem());
- if (cms_msg_type == CMS_SIGN_DRAFT9)
- flags |= CMS_NOATTR;
- if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
- unsigned long err = ERR_peek_error();
- switch(ERR_GET_REASON(err)) {
- case PKCS7_R_DIGEST_FAILURE:
- retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
- break;
- case PKCS7_R_SIGNATURE_FAILURE:
- default:
- retval = KRB5KDC_ERR_INVALID_SIG;
+ if (cms_msg_type == CMS_SIGN_DRAFT9)
+ flags |= CMS_NOATTR;
+ if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
+ unsigned long err = ERR_peek_error();
+ switch(ERR_GET_REASON(err)) {
+ case PKCS7_R_DIGEST_FAILURE:
+ retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
+ break;
+ case PKCS7_R_SIGNATURE_FAILURE:
+ default:
+ retval = KRB5KDC_ERR_INVALID_SIG;
+ }
+ pkiDebug("CMS Verification failure\n");
+ krb5_set_error_message(context, retval, "%s\n",
+ ERR_error_string(err, NULL));
+ goto cleanup;
}
- pkiDebug("CMS Verification failure\n");
- krb5_set_error_message(context, retval, "%s\n",
- ERR_error_string(err, NULL));
- goto cleanup;
- }
} /* message was signed */
if (!OBJ_cmp(etype, oid))
valid_oid = 1;
retval = krb5_c_keylengths(context, etype, &keybytes, &keylength);
if (retval)
- goto cleanup;
+ goto cleanup;
key_block->length = keylength;
key_block->contents = malloc(keylength);
return 0;
}
else if ((alg_id->length == krb5_pkinit_sha256_oid_len) &&
- (0 == memcmp(alg_id->data, krb5_pkinit_sha256_oid,
- krb5_pkinit_sha256_oid_len))) {
+ (0 == memcmp(alg_id->data, krb5_pkinit_sha256_oid,
+ krb5_pkinit_sha256_oid_len))) {
*hash_bytes = 32;
*func = &EVP_sha256;
return 0;
}
else if ((alg_id->length == krb5_pkinit_sha512_oid_len) &&
(0 == memcmp(alg_id->data, krb5_pkinit_sha512_oid,
- krb5_pkinit_sha512_oid_len))) {
+ krb5_pkinit_sha512_oid_len))) {
*hash_bytes = 32;
*func = &EVP_sha512;
return 0;
(0 == EVP_DigestUpdate(&c, secret->data, secret->length)) ||
(0 == EVP_DigestUpdate(&c, other_info->data, other_info->length))) {
krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
- "Call to OpenSSL EVP_DigestUpdate() returned an error.");
+ "Call to OpenSSL EVP_DigestUpdate() returned an error.");
retval = KRB5_CRYPTO_INTERNAL;
goto cleanup;
}
/* 4. Set key = Hash1 || Hash2 || ... so that length of key is K bytes. */
if (0 == EVP_DigestFinal(&c, (rand_buf + offset), &s)) {
- krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
+ krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL,
"Call to OpenSSL EVP_DigestUpdate() returned an error.");
retval = KRB5_CRYPTO_INTERNAL;
goto cleanup;
assert(s == hash_len); /* add a message to this assert? */
- EVP_MD_CTX_cleanup(&c);
+ EVP_MD_CTX_cleanup(&c);
}
/* Reduce length of random data to key_len to avoid errors. */
/* statically declare OID constants for all three algorithms */
const krb5_octet krb5_pkinit_sha1_oid[10] =
- {0x2B,0x06,0x01,0x05,0x02,0x03,0x06,0x01};
+{0x2B,0x06,0x01,0x05,0x02,0x03,0x06,0x01};
const size_t krb5_pkinit_sha1_oid_len = 8;
const krb5_octet krb5_pkinit_sha256_oid[10] =
- {0x2B,0x06,0x01,0x05,0x02,0x03,0x06,0x02};
+{0x2B,0x06,0x01,0x05,0x02,0x03,0x06,0x02};
const size_t krb5_pkinit_sha256_oid_len = 8;
const krb5_octet krb5_pkinit_sha512_oid [10] =
- {0x2B,0x06,0x01,0x05,0x02,0x03,0x06,0x03};
+{0x2B,0x06,0x01,0x05,0x02,0x03,0x06,0x03};
const size_t krb5_pkinit_sha512_oid_len = 8;
* Initialize a krb5_data from @a s, a constant string. Note @a s is evaluated
* multiple times; this is acceptable for constants.
*/
-#define DATA_FROM_STRING(s) \
+#define DATA_FROM_STRING(s) \
{0, sizeof(s)-1, (char *) s}
char party_v_name [] = "krbtgt/SU.SE@SU.SE";
int enctype_value = 18;
krb5_octet key_hex [] =
- {0xe6, 0xAB, 0x38, 0xC9, 0x41, 0x3E, 0x03, 0x5B,
- 0xB0, 0x79, 0x20, 0x1E, 0xD0, 0xB6, 0xB7, 0x3D,
- 0x8D, 0x49, 0xA8, 0x14, 0xA7, 0x37, 0xC0, 0x4E,
- 0xE6, 0x64, 0x96, 0x14, 0x20, 0x6F, 0x73, 0xAD};
+{0xe6, 0xAB, 0x38, 0xC9, 0x41, 0x3E, 0x03, 0x5B,
+ 0xB0, 0x79, 0x20, 0x1E, 0xD0, 0xB6, 0xB7, 0x3D,
+ 0x8D, 0x49, 0xA8, 0x14, 0xA7, 0x37, 0xC0, 0x4E,
+ 0xE6, 0x64, 0x96, 0x14, 0x20, 0x6F, 0x73, 0xAD};
const krb5_data lha_data = DATA_FROM_STRING("lha");
int
&u_principal)))
(0 != (retval = krb5_parse_name(context, party_v_name,
&v_principal)))) {
- printf("ERROR in pkinit_kdf_test: Error parsing names, retval = %d",
- retval);
- goto cleanup;
+ printf("ERROR in pkinit_kdf_test: Error parsing names, retval = %d",
+ retval);
+ goto cleanup;
}
/* set-up the as_req and and pk_as_rep data */
memset(twenty_as, 0xaa, sizeof(twenty_as));
- memset(eighteen_bs, 0xbb, sizeof(eighteen_bs));
+ memset(eighteen_bs, 0xbb, sizeof(eighteen_bs));
as_req.length = sizeof(twenty_as);
as_req.data = (unsigned char *)&twenty_as;
/* set-up the key_block */
if (0 != (retval = krb5_init_keyblock(context, enctype, max_keylen,
&key_block_ptr))) {
- printf("ERROR in pkinit_kdf_test: can't init keybloc, retval = %d",
- retval);
- goto cleanup;
+ printf("ERROR in pkinit_kdf_test: can't init keybloc, retval = %d",
+ retval);
+ goto cleanup;
- }
+ }
/* call pkinit_alg_agility_kdf() with test vector values*/
if (0 != (retval = pkinit_alg_agility_kdf(context, &secret, &alg_id.algorithm,
/* compare key to expected key value */
if ((key_block.length == sizeof(key_hex)) &&
- (0 == memcmp(key_block.contents, key_hex, key_block.length))) {
- printf("SUCCESS: Correct key value generated!");
- retval = 0;
- }
- else {
- printf("FAILURE: Incorrect key value generated!");
- retval = 1;
- }
-
- cleanup:
- /* release all allocated resources, whether good or bad return */
- if (secret.data)
- free(secret.data);
- if (u_principal)
- free(u_principal);
- if (v_principal)
- free(v_principal);
- krb5_free_keyblock_contents(context, &key_block);
- exit(retval);
+ (0 == memcmp(key_block.contents, key_hex, key_block.length))) {
+ printf("SUCCESS: Correct key value generated!");
+ retval = 0;
+ }
+ else {
+ printf("FAILURE: Incorrect key value generated!");
+ retval = 1;
+ }
+
+cleanup:
+ /* release all allocated resources, whether good or bad return */
+ if (secret.data)
+ free(secret.data);
+ if (u_principal)
+ free(u_principal);
+ if (v_principal)
+ free(v_principal);
+ krb5_free_keyblock_contents(context, &key_block);
+ exit(retval);
}