int
main(int argc, char **argv)
{
hx509_context context;
int ret = 0;
ret = hx509_context_init(&context);
if (ret)
errx(1, "hx509_context_init failed with %d", ret);
ret += test_name(context, "CN=foo,C=SE");
ret += test_name(context, "CN=foo,CN=kaka,CN=FOO,DC=ad1,C=SE");
ret += test_name(context, "1.2.3.4=foo,C=SE");
ret += test_name_fail(context, "=");
ret += test_name_fail(context, "CN=foo,=foo");
ret += test_name_fail(context, "CN=foo,really-unknown-type=foo");
ret += test_expand(context, "UID=${uid},C=SE", "UID=lha,C=SE");
ret += test_expand(context, "UID=foo${uid},C=SE", "UID=foolha,C=SE");
ret += test_expand(context, "UID=${uid}bar,C=SE", "UID=lhabar,C=SE");
ret += test_expand(context, "UID=f${uid}b,C=SE", "UID=flhab,C=SE");
ret += test_expand(context, "UID=${uid}${uid},C=SE", "UID=lhalha,C=SE");
ret += test_expand(context, "UID=${uid}{uid},C=SE", "UID=lha{uid},C=SE");
ret += test_compare(context);
hx509_context_free(&context);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_context_flags(unsigned int flags, krb5_context *context)
{
static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
krb5_context p;
krb5_error_code ret;
char **files = NULL;
*context = NULL;
p = calloc(1, sizeof(*p));
if (!p)
return ENOMEM;
p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
if (p->mutex == NULL) {
free(p);
return ENOMEM;
}
HEIMDAL_MUTEX_init(p->mutex);
HEIMDAL_MUTEX_lock(&homedir_mutex);
if (allow_homedir)
p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
HEIMDAL_MUTEX_unlock(&homedir_mutex);
if ((flags & KRB5_CONTEXT_FLAG_NO_CONFIG) == 0) {
ret = krb5_get_default_config_files(&files);
if (ret)
goto out;
}
ret = krb5_set_config_files(p, files);
krb5_free_config_files(files);
if (ret)
goto out;
heim_base_once_f(&init_context, p, init_context_once);
/* init error tables */
krb5_init_ets(p);
cc_ops_register(p);
kt_ops_register(p);
#ifdef PKINIT
ret = hx509_context_init(&p->hx509ctx);
if (ret)
goto out;
#endif
if (rk_SOCK_INIT())
p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
out:
if (ret) {
krb5_free_context(p);
p = NULL;
}
*context = p;
return ret;
}
static CK_RV
init_context(void)
{
if (context == NULL) {
int ret = hx509_context_init(&context);
if (ret)
return CKR_GENERAL_ERROR;
}
return CKR_OK;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_context(krb5_context *context)
{
static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
krb5_context p;
krb5_error_code ret;
char **files;
*context = NULL;
p = calloc(1, sizeof(*p));
if(!p)
return ENOMEM;
p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
if (p->mutex == NULL) {
free(p);
return ENOMEM;
}
HEIMDAL_MUTEX_init(p->mutex);
p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
ret = krb5_get_default_config_files(&files);
if(ret)
goto out;
ret = krb5_set_config_files(p, files);
krb5_free_config_files(files);
if(ret)
goto out;
/* done enough to load plugins */
heim_base_once_f(&init_context, p, init_context_once);
/* init error tables */
krb5_init_ets(p);
cc_ops_register(p);
kt_ops_register(p);
#ifdef PKINIT
ret = hx509_context_init(&p->hx509ctx);
if (ret)
goto out;
#endif
if (rk_SOCK_INIT())
p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
out:
if(ret) {
krb5_free_context(p);
p = NULL;
}
*context = p;
return ret;
}
static DATA_BLOB *encrypt_blob(struct torture_context *tctx,
TALLOC_CTX *mem_ctx,
DATA_BLOB *key,
DATA_BLOB *iv,
DATA_BLOB *to_encrypt,
const AlgorithmIdentifier *alg)
{
hx509_crypto crypto;
hx509_context hctx;
heim_octet_string ivos;
heim_octet_string *encrypted;
DATA_BLOB *blob = talloc_zero(mem_ctx, DATA_BLOB);
int res;
ivos.data = talloc_array(mem_ctx, uint8_t, iv->length);
ivos.length = iv->length;
memcpy(ivos.data, iv->data, iv->length);
hx509_context_init(&hctx);
res = hx509_crypto_init(hctx, NULL, &alg->algorithm, &crypto);
if (res) {
torture_comment(tctx,
"error while doing the init of the crypto object\n");
hx509_context_free(&hctx);
return NULL;
}
res = hx509_crypto_set_key_data(crypto, key->data, key->length);
if (res) {
torture_comment(tctx,
"error while setting the key of the crypto object\n");
hx509_context_free(&hctx);
return NULL;
}
hx509_crypto_set_padding(crypto, HX509_CRYPTO_PADDING_NONE);
res = hx509_crypto_encrypt(crypto,
to_encrypt->data,
to_encrypt->length,
&ivos,
&encrypted);
if (res) {
torture_comment(tctx, "error while encrypting\n");
hx509_crypto_destroy(crypto);
hx509_context_free(&hctx);
return NULL;
}
*blob = data_blob_talloc(blob, encrypted->data, encrypted->length);
der_free_octet_string(encrypted);
free(encrypted);
hx509_crypto_destroy(crypto);
hx509_context_free(&hctx);
return blob;
}
/*
* Encrypt a blob with the private key of the certificate
* passed as a parameter.
*/
static DATA_BLOB *encrypt_blob_pk(struct torture_context *tctx,
TALLOC_CTX *mem_ctx,
uint8_t *cert_data,
uint32_t cert_len,
DATA_BLOB *to_encrypt)
{
hx509_context hctx;
hx509_cert cert;
heim_octet_string secretdata;
heim_octet_string encrypted;
heim_oid encryption_oid;
DATA_BLOB *blob;
int hret;
hx509_context_init(&hctx);
hret = hx509_cert_init_data(hctx, cert_data, cert_len, &cert);
if (hret) {
torture_comment(tctx, "error while loading the cert\n");
hx509_context_free(&hctx);
return NULL;
}
secretdata.data = to_encrypt->data;
secretdata.length = to_encrypt->length;
hret = hx509_cert_public_encrypt(hctx, &secretdata,
cert, &encryption_oid,
&encrypted);
hx509_cert_free(cert);
hx509_context_free(&hctx);
if (hret) {
torture_comment(tctx, "error while encrypting\n");
return NULL;
}
blob = talloc_zero(mem_ctx, DATA_BLOB);
if (blob == NULL) {
der_free_oid(&encryption_oid);
der_free_octet_string(&encrypted);
return NULL;
}
*blob = data_blob_talloc(blob, encrypted.data, encrypted.length);
der_free_octet_string(&encrypted);
der_free_oid(&encryption_oid);
if (blob->data == NULL) {
return NULL;
}
return blob;
}
/*
* Certs used for this protocol have a GUID in the issuer_uniq_id field.
* This function fetch it.
*/
static struct GUID *get_cert_guid(struct torture_context *tctx,
TALLOC_CTX *mem_ctx,
uint8_t *cert_data,
uint32_t cert_len)
{
hx509_context hctx;
hx509_cert cert;
heim_bit_string subjectuniqid;
DATA_BLOB data;
int hret;
uint32_t size;
struct GUID *guid = talloc_zero(mem_ctx, struct GUID);
NTSTATUS status;
hx509_context_init(&hctx);
hret = hx509_cert_init_data(hctx, cert_data, cert_len, &cert);
if (hret) {
torture_comment(tctx, "error while loading the cert\n");
hx509_context_free(&hctx);
return NULL;
}
hret = hx509_cert_get_issuer_unique_id(hctx, cert, &subjectuniqid);
if (hret) {
torture_comment(tctx, "error while getting the issuer_uniq_id\n");
hx509_cert_free(cert);
hx509_context_free(&hctx);
return NULL;
}
/* The subjectuniqid is a bit string,
* which means that the real size has to be divided by 8
* to have the number of bytes
*/
hx509_cert_free(cert);
hx509_context_free(&hctx);
size = subjectuniqid.length / 8;
data = data_blob_const(subjectuniqid.data, size);
status = GUID_from_data_blob(&data, guid);
der_free_bit_string(&subjectuniqid);
if (!NT_STATUS_IS_OK(status)) {
return NULL;
}
return guid;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_context(krb5_context *context)
{
static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
krb5_context p;
krb5_error_code ret;
char **files;
uint8_t rnd;
*context = NULL;
/**
* krb5_init_context() will get one random byte to make sure our
* random is alive. Assumption is that once the non blocking
* source allows us to pull bytes, its all seeded and allows us to
* pull more bytes.
*
* Most Kerberos users calls krb5_init_context(), so this is
* useful point where we can do the checking.
*/
ret = krb5_generate_random(&rnd, sizeof(rnd));
if (ret)
return ret;
p = calloc(1, sizeof(*p));
if(!p)
return ENOMEM;
p->mutex = malloc(sizeof(HEIMDAL_MUTEX));
if (p->mutex == NULL) {
free(p);
return ENOMEM;
}
HEIMDAL_MUTEX_init(p->mutex);
p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
ret = krb5_get_default_config_files(&files);
if(ret)
goto out;
ret = krb5_set_config_files(p, files);
krb5_free_config_files(files);
if(ret)
goto out;
/* done enough to load plugins */
heim_base_once_f(&init_context, p, init_context_once);
/* init error tables */
krb5_init_ets(p);
cc_ops_register(p);
kt_ops_register(p);
#ifdef PKINIT
ret = hx509_context_init(&p->hx509ctx);
if (ret)
goto out;
#endif
if (rk_SOCK_INIT())
p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
out:
if(ret) {
krb5_free_context(p);
p = NULL;
}
*context = p;
return ret;
}
