Changeset View
Changeset View
Standalone View
Standalone View
crypto/heimdal/lib/krb5/pkinit.c
Show First 20 Lines • Show All 95 Lines • ▼ Show 20 Lines | |||||
{ | { | ||||
if (cert->cert) { | if (cert->cert) { | ||||
hx509_cert_free(cert->cert); | hx509_cert_free(cert->cert); | ||||
} | } | ||||
free(cert); | free(cert); | ||||
} | } | ||||
static krb5_error_code | static krb5_error_code | ||||
BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer) | BN_to_integer(krb5_context context, const BIGNUM *bn, heim_integer *integer) | ||||
{ | { | ||||
integer->length = BN_num_bytes(bn); | integer->length = BN_num_bytes(bn); | ||||
integer->data = malloc(integer->length); | integer->data = malloc(integer->length); | ||||
if (integer->data == NULL) { | if (integer->data == NULL) { | ||||
krb5_clear_error_message(context); | krb5_clear_error_message(context); | ||||
return ENOMEM; | return ENOMEM; | ||||
} | } | ||||
BN_bn2bin(bn, integer->data); | BN_bn2bin(bn, integer->data); | ||||
Show All 16 Lines | return NULL; | ||||
return bn; | return bn; | ||||
} | } | ||||
static krb5_error_code | static krb5_error_code | ||||
select_dh_group(krb5_context context, DH *dh, unsigned long bits, | select_dh_group(krb5_context context, DH *dh, unsigned long bits, | ||||
struct krb5_dh_moduli **moduli) | struct krb5_dh_moduli **moduli) | ||||
{ | { | ||||
const struct krb5_dh_moduli *m; | const struct krb5_dh_moduli *m; | ||||
BIGNUM *p, *g, *q; | |||||
if (bits == 0) { | if (bits == 0) { | ||||
m = moduli[1]; /* XXX */ | m = moduli[1]; /* XXX */ | ||||
if (m == NULL) | if (m == NULL) | ||||
m = moduli[0]; /* XXX */ | m = moduli[0]; /* XXX */ | ||||
} else { | } else { | ||||
int i; | int i; | ||||
for (i = 0; moduli[i] != NULL; i++) { | for (i = 0; moduli[i] != NULL; i++) { | ||||
if (bits < moduli[i]->bits) | if (bits < moduli[i]->bits) | ||||
break; | break; | ||||
} | } | ||||
if (moduli[i] == NULL) { | if (moduli[i] == NULL) { | ||||
krb5_set_error_message(context, EINVAL, | krb5_set_error_message(context, EINVAL, | ||||
N_("Did not find a DH group parameter " | N_("Did not find a DH group parameter " | ||||
"matching requirement of %lu bits", ""), | "matching requirement of %lu bits", ""), | ||||
bits); | bits); | ||||
return EINVAL; | return EINVAL; | ||||
} | } | ||||
m = moduli[i]; | m = moduli[i]; | ||||
} | } | ||||
dh->p = integer_to_BN(context, "p", &m->p); | p = integer_to_BN(context, "p", &m->p); | ||||
if (dh->p == NULL) | if (p == NULL) | ||||
return ENOMEM; | return ENOMEM; | ||||
dh->g = integer_to_BN(context, "g", &m->g); | g = integer_to_BN(context, "g", &m->g); | ||||
if (dh->g == NULL) | if (g == NULL) { | ||||
BN_free(p); | |||||
return ENOMEM; | return ENOMEM; | ||||
dh->q = integer_to_BN(context, "q", &m->q); | } | ||||
if (dh->q == NULL) | q = integer_to_BN(context, "q", &m->q); | ||||
if (q == NULL) { | |||||
BN_free(p); | |||||
BN_free(g); | |||||
return ENOMEM; | return ENOMEM; | ||||
} | |||||
bjk: This error handling might be cleaner to make all three assignments once and do a single check… | |||||
Done Inline ActionsYes, other places do that and I generally chose to match the existing style of whatever the current code used (either one check at the end or individual checks). It probably would be cleaner as you suggest though. jhb: Yes, other places do that and I generally chose to match the existing style of whatever the… | |||||
if (DH_set0_pqg(dh, p, q, g) != 1) { | |||||
BN_free(p); | |||||
BN_free(g); | |||||
BN_free(q); | |||||
return EINVAL; | |||||
} | |||||
return 0; | return 0; | ||||
} | } | ||||
struct certfind { | struct certfind { | ||||
const char *type; | const char *type; | ||||
const heim_oid *oid; | const heim_oid *oid; | ||||
}; | }; | ||||
▲ Show 20 Lines • Show All 296 Lines • ▼ Show 20 Lines | build_auth_pack(krb5_context context, | ||||
} | } | ||||
ALLOC(a->clientPublicValue, 1); | ALLOC(a->clientPublicValue, 1); | ||||
if (a->clientPublicValue == NULL) | if (a->clientPublicValue == NULL) | ||||
return ENOMEM; | return ENOMEM; | ||||
if (ctx->keyex == USE_DH) { | if (ctx->keyex == USE_DH) { | ||||
DH *dh = ctx->u.dh; | DH *dh = ctx->u.dh; | ||||
const BIGNUM *p, *g, *q, *pub_key; | |||||
DomainParameters dp; | DomainParameters dp; | ||||
heim_integer dh_pub_key; | heim_integer dh_pub_key; | ||||
ret = der_copy_oid(&asn1_oid_id_dhpublicnumber, | ret = der_copy_oid(&asn1_oid_id_dhpublicnumber, | ||||
&a->clientPublicValue->algorithm.algorithm); | &a->clientPublicValue->algorithm.algorithm); | ||||
if (ret) | if (ret) | ||||
return ret; | return ret; | ||||
memset(&dp, 0, sizeof(dp)); | memset(&dp, 0, sizeof(dp)); | ||||
ret = BN_to_integer(context, dh->p, &dp.p); | DH_get0_pqg(dh, &p, &q, &g); | ||||
ret = BN_to_integer(context, p, &dp.p); | |||||
if (ret) { | if (ret) { | ||||
free_DomainParameters(&dp); | free_DomainParameters(&dp); | ||||
return ret; | return ret; | ||||
} | } | ||||
ret = BN_to_integer(context, dh->g, &dp.g); | ret = BN_to_integer(context, g, &dp.g); | ||||
if (ret) { | if (ret) { | ||||
free_DomainParameters(&dp); | free_DomainParameters(&dp); | ||||
return ret; | return ret; | ||||
} | } | ||||
ret = BN_to_integer(context, dh->q, &dp.q); | ret = BN_to_integer(context, q, &dp.q); | ||||
if (ret) { | if (ret) { | ||||
free_DomainParameters(&dp); | free_DomainParameters(&dp); | ||||
return ret; | return ret; | ||||
} | } | ||||
dp.j = NULL; | dp.j = NULL; | ||||
dp.validationParms = NULL; | dp.validationParms = NULL; | ||||
a->clientPublicValue->algorithm.parameters = | a->clientPublicValue->algorithm.parameters = | ||||
malloc(sizeof(*a->clientPublicValue->algorithm.parameters)); | malloc(sizeof(*a->clientPublicValue->algorithm.parameters)); | ||||
if (a->clientPublicValue->algorithm.parameters == NULL) { | if (a->clientPublicValue->algorithm.parameters == NULL) { | ||||
free_DomainParameters(&dp); | free_DomainParameters(&dp); | ||||
return ret; | return ret; | ||||
} | } | ||||
ASN1_MALLOC_ENCODE(DomainParameters, | ASN1_MALLOC_ENCODE(DomainParameters, | ||||
a->clientPublicValue->algorithm.parameters->data, | a->clientPublicValue->algorithm.parameters->data, | ||||
a->clientPublicValue->algorithm.parameters->length, | a->clientPublicValue->algorithm.parameters->length, | ||||
&dp, &size, ret); | &dp, &size, ret); | ||||
free_DomainParameters(&dp); | free_DomainParameters(&dp); | ||||
if (ret) | if (ret) | ||||
return ret; | return ret; | ||||
if (size != a->clientPublicValue->algorithm.parameters->length) | if (size != a->clientPublicValue->algorithm.parameters->length) | ||||
krb5_abortx(context, "Internal ASN1 encoder error"); | krb5_abortx(context, "Internal ASN1 encoder error"); | ||||
ret = BN_to_integer(context, dh->pub_key, &dh_pub_key); | DH_get0_key(dh, &pub_key, NULL); | ||||
ret = BN_to_integer(context, pub_key, &dh_pub_key); | |||||
if (ret) | if (ret) | ||||
return ret; | return ret; | ||||
ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length, | ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length, | ||||
&dh_pub_key, &size, ret); | &dh_pub_key, &size, ret); | ||||
der_free_heim_integer(&dh_pub_key); | der_free_heim_integer(&dh_pub_key); | ||||
if (ret) | if (ret) | ||||
return ret; | return ret; | ||||
▲ Show 20 Lines • Show All 2,108 Lines • Show Last 20 Lines |
This error handling might be cleaner to make all three assignments once and do a single check, though this certainly works as-is.