xref: /illumos-gate/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_clnt.c

135     krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;  local
155     retval = pkinit_get_kdc_cert(context, plgctx->cryptoctx, reqctx->cryptoctx,
157     if (retval) {
158 	pkiDebug("pkinit_get_kdc_cert returned %d\n", retval);
163     retval = k5int_encode_krb5_kdc_req_body(request, &der_req);
164     if (retval) {
165 	pkiDebug("encode_krb5_kdc_req_body returned %d\n", (int) retval);
169     retval = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0,
171     if (retval)
178     retval = krb5_us_timeofday(context, &ctsec, &cusec);
179     if (retval)
189     retval = pkinit_as_req_create(context, plgctx, reqctx, ctsec, cusec,
191     if (retval || !out_data->length) {
193 		 (int) retval);
196     retval = ENOMEM;
245     retval = 0;
254     if (retval) {
267     return retval;
281     krb5_error_code retval = ENOMEM;  local
324 	    retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
327 	    if (retval)
333 	    retval = -1;
340 	    retval = pkinit_copy_krb5_octet_data(&info->algorithm.algorithm, &dh_oid);
341 	    if (retval) {
347 	    if ((retval = client_create_dh(context, plgctx->cryptoctx,
372 	    retval = -1;
379 	    retval = k5int_encode_krb5_auth_pack(auth_pack, &coded_auth_pack);
382 	    retval = k5int_encode_krb5_auth_pack_draft9(auth_pack9,
386     if (retval) {
387 	pkiDebug("failed to encode the AuthPack %d\n", retval);
401 		retval = ENOMEM;
404 	    retval = cms_signeddata_create(context, plgctx->cryptoctx,
417 		retval = ENOMEM;
420 	    retval = cms_signeddata_create(context, plgctx->cryptoctx,
432     if (retval) {
440 	    retval = create_krb5_trustedCertifiers(context, plgctx->cryptoctx,
442 	    if (retval)
444 	    retval = create_issuerAndSerial(context, plgctx->cryptoctx,
447 	    if (retval)
451 	    retval = k5int_encode_krb5_pa_pk_as_req(req, as_req);
456 	    retval = create_krb5_trustedCas(context, plgctx->cryptoctx,
458 	    if (retval)
462 	    retval = create_issuerAndSerial(context, plgctx->cryptoctx,
465 	    if (retval)
468 	    retval = k5int_encode_krb5_pa_pk_as_req_draft9(req9, as_req);
472     if (!retval)
490     pkiDebug("pkinit_as_req_create retval=%d\n", (int) retval);
492     return retval;
505     krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;  local
521     retval =
524     if (retval) {
526 		 retval, error_message(retval));
530     retval = 0;
534     return retval;
545     krb5_error_code retval;  local
554     retval = pkinit_libdefault_strings(context,
558     if (retval || cfghosts == NULL) {
568     retval = crypto_retrieve_cert_sans(context, plgctx->cryptoctx,
571     if (retval) {
573 	retval = KRB5KDC_ERR_KDC_NAME_MISMATCH;
577     retval = call_san_checking_plugins(context, plgctx, reqctx, idctx,
582     if (retval) {
583 	retval = KRB5KDC_ERR_KDC_NAME_MISMATCH;
590 	retval = plugin_decision;
601 	    retval = 0;
610 	retval = KRB5KDC_ERR_KDC_NAME_MISMATCH;
621 		retval = 0;
629     retval = 0;
646 	     __FUNCTION__, retval, *valid_san, *need_eku_checking);
647     return retval;
656     krb5_error_code retval;  local
663 	retval = 0;
666     retval = crypto_check_cert_eku(context, plgctx->cryptoctx,
671     if (retval) {
673 		 __FUNCTION__, retval, error_message(retval));
679 	     __FUNCTION__, retval, *eku_accepted);
680     return retval;
699     krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;  local
720     if ((retval = k5int_decode_krb5_pa_pk_as_rep(as_rep, &kdc_reply))) {
721 	pkiDebug("decode_krb5_as_rep failed %d\n", retval);
722 	return retval;
732 	    if ((retval = cms_signeddata_verify(context, plgctx->cryptoctx,
745 	    if ((retval = cms_envelopeddata_verify(context, plgctx->cryptoctx,
757 	    retval = -1;
761     retval = verify_kdc_san(context, plgctx, reqctx, request->server,
763     if (retval)
768 	retval = KRB5KDC_ERR_KDC_NAME_MISMATCH;
773 	retval = verify_kdc_eku(context, plgctx, reqctx,
775 	if (retval)
780 	    retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
794 	    if ((retval = k5int_decode_krb5_kdc_dh_key_info(&k5data,
801 	    if ((retval = client_process_dh(context, plgctx->cryptoctx,
810 	    retval = pkinit_octetstring2key(context, etype, client_key,
812 	    if (retval) {
814 			 error_message(retval));
824 	    if ((retval = k5int_decode_krb5_reply_key_pack(&k5data,
839 		    if ((retval =
848 			retval = -1;
863 	    retval = krb5_c_make_checksum(context,
868 	    if (retval) {
906     retval = 0;
928 	     retval, error_message(retval));
929     return retval;
1031     krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;  local
1073 	retval = pkinit_identity_set_prompter(reqctx->idctx, prompter, prompter_data);
1074 	if (retval) {
1076 		     retval, error_message(retval));
1077 	    return retval;
1080 	retval = pkinit_identity_initialize(context, plgctx->cryptoctx,
1083 	if (retval) {
1085 		     retval, error_message(retval));
1086 	    return retval;
1088 	retval = pa_pkinit_gen_req(context, plgctx, reqctx, request,
1095 	retval = (*get_data_proc)(context, rock,
1097 	if (retval) {
1099 		     retval, error_message(retval));
1100 	    return retval;
1105 	retval = pa_pkinit_parse_rep(context, plgctx, reqctx, request,
1111 	     retval, error_message(retval));
1112     return retval;
1137     krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;  local
1150 	return retval;
1156     retval = k5int_decode_krb5_typed_data(&err_reply->e_data, &typed_data);
1157     if (retval) {
1170 	    retval = k5int_decode_krb5_td_trusted_certifiers(&scratch,
1172 	    if (retval) {
1176 	    retval = pkinit_process_td_trusted_certifiers(context,
1179 	    if (!retval)
1183 	    retval = k5int_decode_krb5_td_dh_parameters(&scratch, &algId);
1184 	    if (retval) {
1188 	    retval = pkinit_process_td_dh_params(context, plgctx->cryptoctx,
1191 	    if (!retval)
1199 	retval = pa_pkinit_gen_req(context, plgctx, reqctx, request, in_padata,
1201 	if (retval)
1205     retval = 0;
1217 	     retval, error_message(retval));
1218     return retval;
1242     krb5_error_code retval = ENOMEM;  local
1259     retval = pkinit_init_req_opts(&reqctx->opts);
1260     if (retval)
1269     retval = pkinit_init_req_crypto(&reqctx->cryptoctx);
1270     if (retval)
1273     retval = pkinit_init_identity_crypto(&reqctx->idctx);
1274     if (retval)
1277     retval = pkinit_dup_identity_opts(plgctx->idopts, &reqctx->idopts);
1278     if (retval)
1285     if (retval) {
1350     krb5_error_code retval = ENOMEM;  local
1362     retval = pkinit_accessor_init();
1363     if (retval)
1366     retval = pkinit_init_plg_opts(&ctx->opts);
1367     if (retval)
1370     retval = pkinit_init_plg_crypto(&ctx->cryptoctx);
1371     if (retval)
1374     retval = pkinit_init_identity_opts(&ctx->idopts);
1375     if (retval)
1378     retval = pkinit_init_client_profile(context, ctx);
1379     if (retval)
1387     if (retval)
1390     return retval;
1456     krb5_error_code retval;  local
1471 	retval = add_string_to_array(context, &plgctx->idopts->anchors, value);
1472 	if (retval)
1473 	    return retval;
1496     krb5_error_code retval;  local
1500     retval = handle_gic_opt(context, plgctx, attr, value);
1501     if (retval)
1502 	return retval;

Last Index update Thu Apr 25 09:51:16 UTC 2024