xref: /freebsd/crypto/heimdal/lib/krb5/pkinit.c (revision 1c05a6ea6b849ff95e539c31adea887c644a6a01)
1 /*
2  * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "krb5_locl.h"
37 
38 struct krb5_dh_moduli {
39     char *name;
40     unsigned long bits;
41     heim_integer p;
42     heim_integer g;
43     heim_integer q;
44 };
45 
46 #ifdef PKINIT
47 
48 #include <cms_asn1.h>
49 #include <pkcs8_asn1.h>
50 #include <pkcs9_asn1.h>
51 #include <pkcs12_asn1.h>
52 #include <pkinit_asn1.h>
53 #include <asn1_err.h>
54 
55 #include <der.h>
56 
57 struct krb5_pk_cert {
58     hx509_cert cert;
59 };
60 
61 struct krb5_pk_init_ctx_data {
62     struct krb5_pk_identity *id;
63     enum { USE_RSA, USE_DH, USE_ECDH } keyex;
64     union {
65 	DH *dh;
66 #ifdef HAVE_OPENSSL
67 	EC_KEY *eckey;
68 #endif
69     } u;
70     krb5_data *clientDHNonce;
71     struct krb5_dh_moduli **m;
72     hx509_peer_info peer;
73     enum krb5_pk_type type;
74     unsigned int require_binding:1;
75     unsigned int require_eku:1;
76     unsigned int require_krbtgt_otherName:1;
77     unsigned int require_hostname_match:1;
78     unsigned int trustedCertifiers:1;
79     unsigned int anonymous:1;
80 };
81 
82 static void
83 pk_copy_error(krb5_context context,
84 	      hx509_context hx509ctx,
85 	      int hxret,
86 	      const char *fmt,
87 	      ...)
88     __attribute__ ((format (printf, 4, 5)));
89 
90 /*
91  *
92  */
93 
94 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
95 _krb5_pk_cert_free(struct krb5_pk_cert *cert)
96 {
97     if (cert->cert) {
98 	hx509_cert_free(cert->cert);
99     }
100     free(cert);
101 }
102 
103 static krb5_error_code
104 BN_to_integer(krb5_context context, BIGNUM *bn, heim_integer *integer)
105 {
106     integer->length = BN_num_bytes(bn);
107     integer->data = malloc(integer->length);
108     if (integer->data == NULL) {
109 	krb5_clear_error_message(context);
110 	return ENOMEM;
111     }
112     BN_bn2bin(bn, integer->data);
113     integer->negative = BN_is_negative(bn);
114     return 0;
115 }
116 
117 static BIGNUM *
118 integer_to_BN(krb5_context context, const char *field, const heim_integer *f)
119 {
120     BIGNUM *bn;
121 
122     bn = BN_bin2bn((const unsigned char *)f->data, f->length, NULL);
123     if (bn == NULL) {
124 	krb5_set_error_message(context, ENOMEM,
125 			       N_("PKINIT: parsing BN failed %s", ""), field);
126 	return NULL;
127     }
128     BN_set_negative(bn, f->negative);
129     return bn;
130 }
131 
132 static krb5_error_code
133 select_dh_group(krb5_context context, DH *dh, unsigned long bits,
134 		struct krb5_dh_moduli **moduli)
135 {
136     const struct krb5_dh_moduli *m;
137 
138     if (bits == 0) {
139 	m = moduli[1]; /* XXX */
140 	if (m == NULL)
141 	    m = moduli[0]; /* XXX */
142     } else {
143 	int i;
144 	for (i = 0; moduli[i] != NULL; i++) {
145 	    if (bits < moduli[i]->bits)
146 		break;
147 	}
148 	if (moduli[i] == NULL) {
149 	    krb5_set_error_message(context, EINVAL,
150 				   N_("Did not find a DH group parameter "
151 				      "matching requirement of %lu bits", ""),
152 				   bits);
153 	    return EINVAL;
154 	}
155 	m = moduli[i];
156     }
157 
158     dh->p = integer_to_BN(context, "p", &m->p);
159     if (dh->p == NULL)
160 	return ENOMEM;
161     dh->g = integer_to_BN(context, "g", &m->g);
162     if (dh->g == NULL)
163 	return ENOMEM;
164     dh->q = integer_to_BN(context, "q", &m->q);
165     if (dh->q == NULL)
166 	return ENOMEM;
167 
168     return 0;
169 }
170 
171 struct certfind {
172     const char *type;
173     const heim_oid *oid;
174 };
175 
176 /*
177  * Try searchin the key by to use by first looking for for PK-INIT
178  * EKU, then the Microsoft smart card EKU and last, no special EKU at all.
179  */
180 
181 static krb5_error_code
182 find_cert(krb5_context context, struct krb5_pk_identity *id,
183 	  hx509_query *q, hx509_cert *cert)
184 {
185     struct certfind cf[4] = {
186 	{ "MobileMe EKU" },
187 	{ "PKINIT EKU" },
188 	{ "MS EKU" },
189 	{ "any (or no)" }
190     };
191     int ret = HX509_CERT_NOT_FOUND;
192     size_t i, start = 1;
193     unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 };
194     const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids };
195 
196 
197     if (id->flags & PKINIT_BTMM)
198 	start = 0;
199 
200     cf[0].oid = &mobileMe;
201     cf[1].oid = &asn1_oid_id_pkekuoid;
202     cf[2].oid = &asn1_oid_id_pkinit_ms_eku;
203     cf[3].oid = NULL;
204 
205     for (i = start; i < sizeof(cf)/sizeof(cf[0]); i++) {
206 	ret = hx509_query_match_eku(q, cf[i].oid);
207 	if (ret) {
208 	    pk_copy_error(context, context->hx509ctx, ret,
209 			  "Failed setting %s OID", cf[i].type);
210 	    return ret;
211 	}
212 
213 	ret = hx509_certs_find(context->hx509ctx, id->certs, q, cert);
214 	if (ret == 0)
215 	    break;
216 	pk_copy_error(context, context->hx509ctx, ret,
217 		      "Failed finding certificate with %s OID", cf[i].type);
218     }
219     return ret;
220 }
221 
222 
223 static krb5_error_code
224 create_signature(krb5_context context,
225 		 const heim_oid *eContentType,
226 		 krb5_data *eContent,
227 		 struct krb5_pk_identity *id,
228 		 hx509_peer_info peer,
229 		 krb5_data *sd_data)
230 {
231     int ret, flags = 0;
232 
233     if (id->cert == NULL)
234 	flags |= HX509_CMS_SIGNATURE_NO_SIGNER;
235 
236     ret = hx509_cms_create_signed_1(context->hx509ctx,
237 				    flags,
238 				    eContentType,
239 				    eContent->data,
240 				    eContent->length,
241 				    NULL,
242 				    id->cert,
243 				    peer,
244 				    NULL,
245 				    id->certs,
246 				    sd_data);
247     if (ret) {
248 	pk_copy_error(context, context->hx509ctx, ret,
249 		      "Create CMS signedData");
250 	return ret;
251     }
252 
253     return 0;
254 }
255 
256 static int
257 cert2epi(hx509_context context, void *ctx, hx509_cert c)
258 {
259     ExternalPrincipalIdentifiers *ids = ctx;
260     ExternalPrincipalIdentifier id;
261     hx509_name subject = NULL;
262     void *p;
263     int ret;
264 
265     if (ids->len > 10)
266 	return 0;
267 
268     memset(&id, 0, sizeof(id));
269 
270     ret = hx509_cert_get_subject(c, &subject);
271     if (ret)
272 	return ret;
273 
274     if (hx509_name_is_null_p(subject) != 0) {
275 
276 	id.subjectName = calloc(1, sizeof(*id.subjectName));
277 	if (id.subjectName == NULL) {
278 	    hx509_name_free(&subject);
279 	    free_ExternalPrincipalIdentifier(&id);
280 	    return ENOMEM;
281 	}
282 
283 	ret = hx509_name_binary(subject, id.subjectName);
284 	if (ret) {
285 	    hx509_name_free(&subject);
286 	    free_ExternalPrincipalIdentifier(&id);
287 	    return ret;
288 	}
289     }
290     hx509_name_free(&subject);
291 
292 
293     id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber));
294     if (id.issuerAndSerialNumber == NULL) {
295 	free_ExternalPrincipalIdentifier(&id);
296 	return ENOMEM;
297     }
298 
299     {
300 	IssuerAndSerialNumber iasn;
301 	hx509_name issuer;
302 	size_t size = 0;
303 
304 	memset(&iasn, 0, sizeof(iasn));
305 
306 	ret = hx509_cert_get_issuer(c, &issuer);
307 	if (ret) {
308 	    free_ExternalPrincipalIdentifier(&id);
309 	    return ret;
310 	}
311 
312 	ret = hx509_name_to_Name(issuer, &iasn.issuer);
313 	hx509_name_free(&issuer);
314 	if (ret) {
315 	    free_ExternalPrincipalIdentifier(&id);
316 	    return ret;
317 	}
318 
319 	ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
320 	if (ret) {
321 	    free_IssuerAndSerialNumber(&iasn);
322 	    free_ExternalPrincipalIdentifier(&id);
323 	    return ret;
324 	}
325 
326 	ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
327 			   id.issuerAndSerialNumber->data,
328 			   id.issuerAndSerialNumber->length,
329 			   &iasn, &size, ret);
330 	free_IssuerAndSerialNumber(&iasn);
331 	if (ret)
332 	    return ret;
333 	if (id.issuerAndSerialNumber->length != size)
334 	    abort();
335     }
336 
337     id.subjectKeyIdentifier = NULL;
338 
339     p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1));
340     if (p == NULL) {
341 	free_ExternalPrincipalIdentifier(&id);
342 	return ENOMEM;
343     }
344 
345     ids->val = p;
346     ids->val[ids->len] = id;
347     ids->len++;
348 
349     return 0;
350 }
351 
352 static krb5_error_code
353 build_edi(krb5_context context,
354 	  hx509_context hx509ctx,
355 	  hx509_certs certs,
356 	  ExternalPrincipalIdentifiers *ids)
357 {
358     return hx509_certs_iter_f(hx509ctx, certs, cert2epi, ids);
359 }
360 
361 static krb5_error_code
362 build_auth_pack(krb5_context context,
363 		unsigned nonce,
364 		krb5_pk_init_ctx ctx,
365 		const KDC_REQ_BODY *body,
366 		AuthPack *a)
367 {
368     size_t buf_size, len = 0;
369     krb5_error_code ret;
370     void *buf;
371     krb5_timestamp sec;
372     int32_t usec;
373     Checksum checksum;
374 
375     krb5_clear_error_message(context);
376 
377     memset(&checksum, 0, sizeof(checksum));
378 
379     krb5_us_timeofday(context, &sec, &usec);
380     a->pkAuthenticator.ctime = sec;
381     a->pkAuthenticator.nonce = nonce;
382 
383     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
384     if (ret)
385 	return ret;
386     if (buf_size != len)
387 	krb5_abortx(context, "internal error in ASN.1 encoder");
388 
389     ret = krb5_create_checksum(context,
390 			       NULL,
391 			       0,
392 			       CKSUMTYPE_SHA1,
393 			       buf,
394 			       len,
395 			       &checksum);
396     free(buf);
397     if (ret)
398 	return ret;
399 
400     ALLOC(a->pkAuthenticator.paChecksum, 1);
401     if (a->pkAuthenticator.paChecksum == NULL) {
402 	krb5_set_error_message(context, ENOMEM,
403 			       N_("malloc: out of memory", ""));
404 	return ENOMEM;
405     }
406 
407     ret = krb5_data_copy(a->pkAuthenticator.paChecksum,
408 			 checksum.checksum.data, checksum.checksum.length);
409     free_Checksum(&checksum);
410     if (ret)
411 	return ret;
412 
413     if (ctx->keyex == USE_DH || ctx->keyex == USE_ECDH) {
414 	const char *moduli_file;
415 	unsigned long dh_min_bits;
416 	krb5_data dhbuf;
417 	size_t size = 0;
418 
419 	krb5_data_zero(&dhbuf);
420 
421 
422 
423 	moduli_file = krb5_config_get_string(context, NULL,
424 					     "libdefaults",
425 					     "moduli",
426 					     NULL);
427 
428 	dh_min_bits =
429 	    krb5_config_get_int_default(context, NULL, 0,
430 					"libdefaults",
431 					"pkinit_dh_min_bits",
432 					NULL);
433 
434 	ret = _krb5_parse_moduli(context, moduli_file, &ctx->m);
435 	if (ret)
436 	    return ret;
437 
438 	ctx->u.dh = DH_new();
439 	if (ctx->u.dh == NULL) {
440 	    krb5_set_error_message(context, ENOMEM,
441 				   N_("malloc: out of memory", ""));
442 	    return ENOMEM;
443 	}
444 
445 	ret = select_dh_group(context, ctx->u.dh, dh_min_bits, ctx->m);
446 	if (ret)
447 	    return ret;
448 
449 	if (DH_generate_key(ctx->u.dh) != 1) {
450 	    krb5_set_error_message(context, ENOMEM,
451 				   N_("pkinit: failed to generate DH key", ""));
452 	    return ENOMEM;
453 	}
454 
455 
456 	if (1 /* support_cached_dh */) {
457 	    ALLOC(a->clientDHNonce, 1);
458 	    if (a->clientDHNonce == NULL) {
459 		krb5_clear_error_message(context);
460 		return ENOMEM;
461 	    }
462 	    ret = krb5_data_alloc(a->clientDHNonce, 40);
463 	    if (a->clientDHNonce == NULL) {
464 		krb5_clear_error_message(context);
465 		return ret;
466 	    }
467 	    RAND_bytes(a->clientDHNonce->data, a->clientDHNonce->length);
468 	    ret = krb5_copy_data(context, a->clientDHNonce,
469 				 &ctx->clientDHNonce);
470 	    if (ret)
471 		return ret;
472 	}
473 
474 	ALLOC(a->clientPublicValue, 1);
475 	if (a->clientPublicValue == NULL)
476 	    return ENOMEM;
477 
478 	if (ctx->keyex == USE_DH) {
479 	    DH *dh = ctx->u.dh;
480 	    DomainParameters dp;
481 	    heim_integer dh_pub_key;
482 
483 	    ret = der_copy_oid(&asn1_oid_id_dhpublicnumber,
484 			       &a->clientPublicValue->algorithm.algorithm);
485 	    if (ret)
486 		return ret;
487 
488 	    memset(&dp, 0, sizeof(dp));
489 
490 	    ret = BN_to_integer(context, dh->p, &dp.p);
491 	    if (ret) {
492 		free_DomainParameters(&dp);
493 		return ret;
494 	    }
495 	    ret = BN_to_integer(context, dh->g, &dp.g);
496 	    if (ret) {
497 		free_DomainParameters(&dp);
498 		return ret;
499 	    }
500 	    ret = BN_to_integer(context, dh->q, &dp.q);
501 	    if (ret) {
502 		free_DomainParameters(&dp);
503 		return ret;
504 	    }
505 	    dp.j = NULL;
506 	    dp.validationParms = NULL;
507 
508 	    a->clientPublicValue->algorithm.parameters =
509 		malloc(sizeof(*a->clientPublicValue->algorithm.parameters));
510 	    if (a->clientPublicValue->algorithm.parameters == NULL) {
511 		free_DomainParameters(&dp);
512 		return ret;
513 	    }
514 
515 	    ASN1_MALLOC_ENCODE(DomainParameters,
516 			       a->clientPublicValue->algorithm.parameters->data,
517 			       a->clientPublicValue->algorithm.parameters->length,
518 			       &dp, &size, ret);
519 	    free_DomainParameters(&dp);
520 	    if (ret)
521 		return ret;
522 	    if (size != a->clientPublicValue->algorithm.parameters->length)
523 		krb5_abortx(context, "Internal ASN1 encoder error");
524 
525 	    ret = BN_to_integer(context, dh->pub_key, &dh_pub_key);
526 	    if (ret)
527 		return ret;
528 
529 	    ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length,
530 			       &dh_pub_key, &size, ret);
531 	    der_free_heim_integer(&dh_pub_key);
532 	    if (ret)
533 		return ret;
534 	    if (size != dhbuf.length)
535 		krb5_abortx(context, "asn1 internal error");
536 	} else if (ctx->keyex == USE_ECDH) {
537 #ifdef HAVE_OPENSSL
538 	    ECParameters ecp;
539 	    unsigned char *p;
540 	    int xlen;
541 
542 	    /* copy in public key, XXX find the best curve that the server support or use the clients curve if possible */
543 
544 	    ecp.element = choice_ECParameters_namedCurve;
545 	    ret = der_copy_oid(&asn1_oid_id_ec_group_secp256r1,
546 			       &ecp.u.namedCurve);
547 	    if (ret)
548 		return ret;
549 
550 	    ALLOC(a->clientPublicValue->algorithm.parameters, 1);
551 	    if (a->clientPublicValue->algorithm.parameters == NULL) {
552 		free_ECParameters(&ecp);
553 		return ENOMEM;
554 	    }
555 	    ASN1_MALLOC_ENCODE(ECParameters, p, xlen, &ecp, &size, ret);
556 	    free_ECParameters(&ecp);
557 	    if (ret)
558 		return ret;
559 	    if ((int)size != xlen)
560 		krb5_abortx(context, "asn1 internal error");
561 
562 	    a->clientPublicValue->algorithm.parameters->data = p;
563 	    a->clientPublicValue->algorithm.parameters->length = size;
564 
565 	    /* copy in public key */
566 
567 	    ret = der_copy_oid(&asn1_oid_id_ecPublicKey,
568 			       &a->clientPublicValue->algorithm.algorithm);
569 	    if (ret)
570 		return ret;
571 
572 	    ctx->u.eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
573 	    if (ctx->u.eckey == NULL)
574 		return ENOMEM;
575 
576 	    ret = EC_KEY_generate_key(ctx->u.eckey);
577 	    if (ret != 1)
578 		return EINVAL;
579 
580 	    /* encode onto dhkey */
581 
582 	    xlen = i2o_ECPublicKey(ctx->u.eckey, NULL);
583 	    if (xlen <= 0)
584 		abort();
585 
586 	    dhbuf.data = malloc(xlen);
587 	    if (dhbuf.data == NULL)
588 		abort();
589 	    dhbuf.length = xlen;
590 	    p = dhbuf.data;
591 
592 	    xlen = i2o_ECPublicKey(ctx->u.eckey, &p);
593 	    if (xlen <= 0)
594 		abort();
595 
596 	    /* XXX verify that this is right with RFC3279 */
597 #else
598 	    return EINVAL;
599 #endif
600 	} else
601 	    krb5_abortx(context, "internal error");
602 	a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8;
603 	a->clientPublicValue->subjectPublicKey.data = dhbuf.data;
604     }
605 
606     {
607 	a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes));
608 	if (a->supportedCMSTypes == NULL)
609 	    return ENOMEM;
610 
611 	ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL,
612 				     ctx->id->cert,
613 				     &a->supportedCMSTypes->val,
614 				     &a->supportedCMSTypes->len);
615 	if (ret)
616 	    return ret;
617     }
618 
619     return ret;
620 }
621 
622 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
623 _krb5_pk_mk_ContentInfo(krb5_context context,
624 			const krb5_data *buf,
625 			const heim_oid *oid,
626 			struct ContentInfo *content_info)
627 {
628     krb5_error_code ret;
629 
630     ret = der_copy_oid(oid, &content_info->contentType);
631     if (ret)
632 	return ret;
633     ALLOC(content_info->content, 1);
634     if (content_info->content == NULL)
635 	return ENOMEM;
636     content_info->content->data = malloc(buf->length);
637     if (content_info->content->data == NULL)
638 	return ENOMEM;
639     memcpy(content_info->content->data, buf->data, buf->length);
640     content_info->content->length = buf->length;
641     return 0;
642 }
643 
644 static krb5_error_code
645 pk_mk_padata(krb5_context context,
646 	     krb5_pk_init_ctx ctx,
647 	     const KDC_REQ_BODY *req_body,
648 	     unsigned nonce,
649 	     METHOD_DATA *md)
650 {
651     struct ContentInfo content_info;
652     krb5_error_code ret;
653     const heim_oid *oid = NULL;
654     size_t size = 0;
655     krb5_data buf, sd_buf;
656     int pa_type = -1;
657 
658     krb5_data_zero(&buf);
659     krb5_data_zero(&sd_buf);
660     memset(&content_info, 0, sizeof(content_info));
661 
662     if (ctx->type == PKINIT_WIN2K) {
663 	AuthPack_Win2k ap;
664 	krb5_timestamp sec;
665 	int32_t usec;
666 
667 	memset(&ap, 0, sizeof(ap));
668 
669 	/* fill in PKAuthenticator */
670 	ret = copy_PrincipalName(req_body->sname, &ap.pkAuthenticator.kdcName);
671 	if (ret) {
672 	    free_AuthPack_Win2k(&ap);
673 	    krb5_clear_error_message(context);
674 	    goto out;
675 	}
676 	ret = copy_Realm(&req_body->realm, &ap.pkAuthenticator.kdcRealm);
677 	if (ret) {
678 	    free_AuthPack_Win2k(&ap);
679 	    krb5_clear_error_message(context);
680 	    goto out;
681 	}
682 
683 	krb5_us_timeofday(context, &sec, &usec);
684 	ap.pkAuthenticator.ctime = sec;
685 	ap.pkAuthenticator.cusec = usec;
686 	ap.pkAuthenticator.nonce = nonce;
687 
688 	ASN1_MALLOC_ENCODE(AuthPack_Win2k, buf.data, buf.length,
689 			   &ap, &size, ret);
690 	free_AuthPack_Win2k(&ap);
691 	if (ret) {
692 	    krb5_set_error_message(context, ret,
693 				   N_("Failed encoding AuthPackWin: %d", ""),
694 				   (int)ret);
695 	    goto out;
696 	}
697 	if (buf.length != size)
698 	    krb5_abortx(context, "internal ASN1 encoder error");
699 
700 	oid = &asn1_oid_id_pkcs7_data;
701     } else if (ctx->type == PKINIT_27) {
702 	AuthPack ap;
703 
704 	memset(&ap, 0, sizeof(ap));
705 
706 	ret = build_auth_pack(context, nonce, ctx, req_body, &ap);
707 	if (ret) {
708 	    free_AuthPack(&ap);
709 	    goto out;
710 	}
711 
712 	ASN1_MALLOC_ENCODE(AuthPack, buf.data, buf.length, &ap, &size, ret);
713 	free_AuthPack(&ap);
714 	if (ret) {
715 	    krb5_set_error_message(context, ret,
716 				   N_("Failed encoding AuthPack: %d", ""),
717 				   (int)ret);
718 	    goto out;
719 	}
720 	if (buf.length != size)
721 	    krb5_abortx(context, "internal ASN1 encoder error");
722 
723 	oid = &asn1_oid_id_pkauthdata;
724     } else
725 	krb5_abortx(context, "internal pkinit error");
726 
727     ret = create_signature(context, oid, &buf, ctx->id,
728 			   ctx->peer, &sd_buf);
729     krb5_data_free(&buf);
730     if (ret)
731 	goto out;
732 
733     ret = hx509_cms_wrap_ContentInfo(&asn1_oid_id_pkcs7_signedData, &sd_buf, &buf);
734     krb5_data_free(&sd_buf);
735     if (ret) {
736 	krb5_set_error_message(context, ret,
737 			       N_("ContentInfo wrapping of signedData failed",""));
738 	goto out;
739     }
740 
741     if (ctx->type == PKINIT_WIN2K) {
742 	PA_PK_AS_REQ_Win2k winreq;
743 
744 	pa_type = KRB5_PADATA_PK_AS_REQ_WIN;
745 
746 	memset(&winreq, 0, sizeof(winreq));
747 
748 	winreq.signed_auth_pack = buf;
749 
750 	ASN1_MALLOC_ENCODE(PA_PK_AS_REQ_Win2k, buf.data, buf.length,
751 			   &winreq, &size, ret);
752 	free_PA_PK_AS_REQ_Win2k(&winreq);
753 
754     } else if (ctx->type == PKINIT_27) {
755 	PA_PK_AS_REQ req;
756 
757 	pa_type = KRB5_PADATA_PK_AS_REQ;
758 
759 	memset(&req, 0, sizeof(req));
760 	req.signedAuthPack = buf;
761 
762 	if (ctx->trustedCertifiers) {
763 
764 	    req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
765 	    if (req.trustedCertifiers == NULL) {
766 		ret = ENOMEM;
767 		krb5_set_error_message(context, ret,
768 				       N_("malloc: out of memory", ""));
769 		free_PA_PK_AS_REQ(&req);
770 		goto out;
771 	    }
772 	    ret = build_edi(context, context->hx509ctx,
773 			    ctx->id->anchors, req.trustedCertifiers);
774 	    if (ret) {
775 		krb5_set_error_message(context, ret,
776 				       N_("pk-init: failed to build "
777 					  "trustedCertifiers", ""));
778 		free_PA_PK_AS_REQ(&req);
779 		goto out;
780 	    }
781 	}
782 	req.kdcPkId = NULL;
783 
784 	ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length,
785 			   &req, &size, ret);
786 
787 	free_PA_PK_AS_REQ(&req);
788 
789     } else
790 	krb5_abortx(context, "internal pkinit error");
791     if (ret) {
792 	krb5_set_error_message(context, ret, "PA-PK-AS-REQ %d", (int)ret);
793 	goto out;
794     }
795     if (buf.length != size)
796 	krb5_abortx(context, "Internal ASN1 encoder error");
797 
798     ret = krb5_padata_add(context, md, pa_type, buf.data, buf.length);
799     if (ret)
800 	free(buf.data);
801 
802     if (ret == 0)
803     	krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
804 
805  out:
806     free_ContentInfo(&content_info);
807 
808     return ret;
809 }
810 
811 
812 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
813 _krb5_pk_mk_padata(krb5_context context,
814 		   void *c,
815 		   int ic_flags,
816 		   int win2k,
817 		   const KDC_REQ_BODY *req_body,
818 		   unsigned nonce,
819 		   METHOD_DATA *md)
820 {
821     krb5_pk_init_ctx ctx = c;
822     int win2k_compat;
823 
824     if (ctx->id->certs == NULL && ctx->anonymous == 0) {
825 	krb5_set_error_message(context, HEIM_PKINIT_NO_PRIVATE_KEY,
826 			       N_("PKINIT: No user certificate given", ""));
827 	return HEIM_PKINIT_NO_PRIVATE_KEY;
828     }
829 
830     win2k_compat = krb5_config_get_bool_default(context, NULL,
831 						win2k,
832 						"realms",
833 						req_body->realm,
834 						"pkinit_win2k",
835 						NULL);
836 
837     if (win2k_compat) {
838 	ctx->require_binding =
839 	    krb5_config_get_bool_default(context, NULL,
840 					 TRUE,
841 					 "realms",
842 					 req_body->realm,
843 					 "pkinit_win2k_require_binding",
844 					 NULL);
845 	ctx->type = PKINIT_WIN2K;
846     } else
847 	ctx->type = PKINIT_27;
848 
849     ctx->require_eku =
850 	krb5_config_get_bool_default(context, NULL,
851 				     TRUE,
852 				     "realms",
853 				     req_body->realm,
854 				     "pkinit_require_eku",
855 				     NULL);
856     if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK)
857 	ctx->require_eku = 0;
858     if (ctx->id->flags & PKINIT_BTMM)
859 	ctx->require_eku = 0;
860 
861     ctx->require_krbtgt_otherName =
862 	krb5_config_get_bool_default(context, NULL,
863 				     TRUE,
864 				     "realms",
865 				     req_body->realm,
866 				     "pkinit_require_krbtgt_otherName",
867 				     NULL);
868 
869     ctx->require_hostname_match =
870 	krb5_config_get_bool_default(context, NULL,
871 				     FALSE,
872 				     "realms",
873 				     req_body->realm,
874 				     "pkinit_require_hostname_match",
875 				     NULL);
876 
877     ctx->trustedCertifiers =
878 	krb5_config_get_bool_default(context, NULL,
879 				     TRUE,
880 				     "realms",
881 				     req_body->realm,
882 				     "pkinit_trustedCertifiers",
883 				     NULL);
884 
885     return pk_mk_padata(context, ctx, req_body, nonce, md);
886 }
887 
888 static krb5_error_code
889 pk_verify_sign(krb5_context context,
890 	       const void *data,
891 	       size_t length,
892 	       struct krb5_pk_identity *id,
893 	       heim_oid *contentType,
894 	       krb5_data *content,
895 	       struct krb5_pk_cert **signer)
896 {
897     hx509_certs signer_certs;
898     int ret, flags = 0;
899 
900     /* BTMM is broken in Leo and SnowLeo */
901     if (id->flags & PKINIT_BTMM) {
902 	flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
903 	flags |= HX509_CMS_VS_NO_KU_CHECK;
904 	flags |= HX509_CMS_VS_NO_VALIDATE;
905     }
906 
907     *signer = NULL;
908 
909     ret = hx509_cms_verify_signed(context->hx509ctx,
910 				  id->verify_ctx,
911 				  flags,
912 				  data,
913 				  length,
914 				  NULL,
915 				  id->certpool,
916 				  contentType,
917 				  content,
918 				  &signer_certs);
919     if (ret) {
920 	pk_copy_error(context, context->hx509ctx, ret,
921 		      "CMS verify signed failed");
922 	return ret;
923     }
924 
925     *signer = calloc(1, sizeof(**signer));
926     if (*signer == NULL) {
927 	krb5_clear_error_message(context);
928 	ret = ENOMEM;
929 	goto out;
930     }
931 
932     ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert);
933     if (ret) {
934 	pk_copy_error(context, context->hx509ctx, ret,
935 		      "Failed to get on of the signer certs");
936 	goto out;
937     }
938 
939  out:
940     hx509_certs_free(&signer_certs);
941     if (ret) {
942 	if (*signer) {
943 	    hx509_cert_free((*signer)->cert);
944 	    free(*signer);
945 	    *signer = NULL;
946 	}
947     }
948 
949     return ret;
950 }
951 
952 static krb5_error_code
953 get_reply_key_win(krb5_context context,
954 		  const krb5_data *content,
955 		  unsigned nonce,
956 		  krb5_keyblock **key)
957 {
958     ReplyKeyPack_Win2k key_pack;
959     krb5_error_code ret;
960     size_t size;
961 
962     ret = decode_ReplyKeyPack_Win2k(content->data,
963 				    content->length,
964 				    &key_pack,
965 				    &size);
966     if (ret) {
967 	krb5_set_error_message(context, ret,
968 			       N_("PKINIT decoding reply key failed", ""));
969 	free_ReplyKeyPack_Win2k(&key_pack);
970 	return ret;
971     }
972 
973     if ((unsigned)key_pack.nonce != nonce) {
974 	krb5_set_error_message(context, ret,
975 			       N_("PKINIT enckey nonce is wrong", ""));
976 	free_ReplyKeyPack_Win2k(&key_pack);
977 	return KRB5KRB_AP_ERR_MODIFIED;
978     }
979 
980     *key = malloc (sizeof (**key));
981     if (*key == NULL) {
982 	free_ReplyKeyPack_Win2k(&key_pack);
983 	krb5_set_error_message(context, ENOMEM,
984 			       N_("malloc: out of memory", ""));
985 	return ENOMEM;
986     }
987 
988     ret = copy_EncryptionKey(&key_pack.replyKey, *key);
989     free_ReplyKeyPack_Win2k(&key_pack);
990     if (ret) {
991 	krb5_set_error_message(context, ret,
992 			       N_("PKINIT failed copying reply key", ""));
993 	free(*key);
994 	*key = NULL;
995     }
996 
997     return ret;
998 }
999 
1000 static krb5_error_code
1001 get_reply_key(krb5_context context,
1002 	      const krb5_data *content,
1003 	      const krb5_data *req_buffer,
1004 	      krb5_keyblock **key)
1005 {
1006     ReplyKeyPack key_pack;
1007     krb5_error_code ret;
1008     size_t size;
1009 
1010     ret = decode_ReplyKeyPack(content->data,
1011 			      content->length,
1012 			      &key_pack,
1013 			      &size);
1014     if (ret) {
1015 	krb5_set_error_message(context, ret,
1016 			       N_("PKINIT decoding reply key failed", ""));
1017 	free_ReplyKeyPack(&key_pack);
1018 	return ret;
1019     }
1020 
1021     {
1022 	krb5_crypto crypto;
1023 
1024 	/*
1025 	 * XXX Verify kp.replyKey is a allowed enctype in the
1026 	 * configuration file
1027 	 */
1028 
1029 	ret = krb5_crypto_init(context, &key_pack.replyKey, 0, &crypto);
1030 	if (ret) {
1031 	    free_ReplyKeyPack(&key_pack);
1032 	    return ret;
1033 	}
1034 
1035 	ret = krb5_verify_checksum(context, crypto, 6,
1036 				   req_buffer->data, req_buffer->length,
1037 				   &key_pack.asChecksum);
1038 	krb5_crypto_destroy(context, crypto);
1039 	if (ret) {
1040 	    free_ReplyKeyPack(&key_pack);
1041 	    return ret;
1042 	}
1043     }
1044 
1045     *key = malloc (sizeof (**key));
1046     if (*key == NULL) {
1047 	free_ReplyKeyPack(&key_pack);
1048 	krb5_set_error_message(context, ENOMEM,
1049 			       N_("malloc: out of memory", ""));
1050 	return ENOMEM;
1051     }
1052 
1053     ret = copy_EncryptionKey(&key_pack.replyKey, *key);
1054     free_ReplyKeyPack(&key_pack);
1055     if (ret) {
1056 	krb5_set_error_message(context, ret,
1057 			       N_("PKINIT failed copying reply key", ""));
1058 	free(*key);
1059 	*key = NULL;
1060     }
1061 
1062     return ret;
1063 }
1064 
1065 
1066 static krb5_error_code
1067 pk_verify_host(krb5_context context,
1068 	       const char *realm,
1069 	       const krb5_krbhst_info *hi,
1070 	       struct krb5_pk_init_ctx_data *ctx,
1071 	       struct krb5_pk_cert *host)
1072 {
1073     krb5_error_code ret = 0;
1074 
1075     if (ctx->require_eku) {
1076 	ret = hx509_cert_check_eku(context->hx509ctx, host->cert,
1077 				   &asn1_oid_id_pkkdcekuoid, 0);
1078 	if (ret) {
1079 	    krb5_set_error_message(context, ret,
1080 				   N_("No PK-INIT KDC EKU in kdc certificate", ""));
1081 	    return ret;
1082 	}
1083     }
1084     if (ctx->require_krbtgt_otherName) {
1085 	hx509_octet_string_list list;
1086 	size_t i;
1087 
1088 	ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx,
1089 						       host->cert,
1090 						       &asn1_oid_id_pkinit_san,
1091 						       &list);
1092 	if (ret) {
1093 	    krb5_set_error_message(context, ret,
1094 				   N_("Failed to find the PK-INIT "
1095 				      "subjectAltName in the KDC "
1096 				      "certificate", ""));
1097 
1098 	    return ret;
1099 	}
1100 
1101 	for (i = 0; i < list.len; i++) {
1102 	    KRB5PrincipalName r;
1103 
1104 	    ret = decode_KRB5PrincipalName(list.val[i].data,
1105 					   list.val[i].length,
1106 					   &r,
1107 					   NULL);
1108 	    if (ret) {
1109 		krb5_set_error_message(context, ret,
1110 				       N_("Failed to decode the PK-INIT "
1111 					  "subjectAltName in the "
1112 					  "KDC certificate", ""));
1113 
1114 		break;
1115 	    }
1116 
1117 	    if (r.principalName.name_string.len != 2 ||
1118 		strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 ||
1119 		strcmp(r.principalName.name_string.val[1], realm) != 0 ||
1120 		strcmp(r.realm, realm) != 0)
1121 		{
1122 		    ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
1123 		    krb5_set_error_message(context, ret,
1124 					   N_("KDC have wrong realm name in "
1125 					      "the certificate", ""));
1126 		}
1127 
1128 	    free_KRB5PrincipalName(&r);
1129 	    if (ret)
1130 		break;
1131 	}
1132 	hx509_free_octet_string_list(&list);
1133     }
1134     if (ret)
1135 	return ret;
1136 
1137     if (hi) {
1138 	ret = hx509_verify_hostname(context->hx509ctx, host->cert,
1139 				    ctx->require_hostname_match,
1140 				    HX509_HN_HOSTNAME,
1141 				    hi->hostname,
1142 				    hi->ai->ai_addr, hi->ai->ai_addrlen);
1143 
1144 	if (ret)
1145 	    krb5_set_error_message(context, ret,
1146 				   N_("Address mismatch in "
1147 				      "the KDC certificate", ""));
1148     }
1149     return ret;
1150 }
1151 
1152 static krb5_error_code
1153 pk_rd_pa_reply_enckey(krb5_context context,
1154 		      int type,
1155 		      const heim_octet_string *indata,
1156 		      const heim_oid *dataType,
1157 		      const char *realm,
1158 		      krb5_pk_init_ctx ctx,
1159 		      krb5_enctype etype,
1160 		      const krb5_krbhst_info *hi,
1161 	       	      unsigned nonce,
1162 		      const krb5_data *req_buffer,
1163 	       	      PA_DATA *pa,
1164 	       	      krb5_keyblock **key)
1165 {
1166     krb5_error_code ret;
1167     struct krb5_pk_cert *host = NULL;
1168     krb5_data content;
1169     heim_oid contentType = { 0, NULL };
1170     int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT;
1171 
1172     if (der_heim_oid_cmp(&asn1_oid_id_pkcs7_envelopedData, dataType)) {
1173 	krb5_set_error_message(context, EINVAL,
1174 			       N_("PKINIT: Invalid content type", ""));
1175 	return EINVAL;
1176     }
1177 
1178     if (ctx->type == PKINIT_WIN2K)
1179 	flags |= HX509_CMS_UE_ALLOW_WEAK;
1180 
1181     ret = hx509_cms_unenvelope(context->hx509ctx,
1182 			       ctx->id->certs,
1183 			       flags,
1184 			       indata->data,
1185 			       indata->length,
1186 			       NULL,
1187 			       0,
1188 			       &contentType,
1189 			       &content);
1190     if (ret) {
1191 	pk_copy_error(context, context->hx509ctx, ret,
1192 		      "Failed to unenvelope CMS data in PK-INIT reply");
1193 	return ret;
1194     }
1195     der_free_oid(&contentType);
1196 
1197     /* win2k uses ContentInfo */
1198     if (type == PKINIT_WIN2K) {
1199 	heim_oid type2;
1200 	heim_octet_string out;
1201 
1202 	ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
1203 	if (ret) {
1204 	    /* windows LH with interesting CMS packets */
1205 	    size_t ph = 1 + der_length_len(content.length);
1206 	    unsigned char *ptr = malloc(content.length + ph);
1207 	    size_t l;
1208 
1209 	    memcpy(ptr + ph, content.data, content.length);
1210 
1211 	    ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length,
1212 					  ASN1_C_UNIV, CONS, UT_Sequence, &l);
1213 	    if (ret)
1214 		return ret;
1215 	    free(content.data);
1216 	    content.data = ptr;
1217 	    content.length += ph;
1218 
1219 	    ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
1220 	    if (ret)
1221 		goto out;
1222 	}
1223 	if (der_heim_oid_cmp(&type2, &asn1_oid_id_pkcs7_signedData)) {
1224 	    ret = EINVAL; /* XXX */
1225 	    krb5_set_error_message(context, ret,
1226 				   N_("PKINIT: Invalid content type", ""));
1227 	    der_free_oid(&type2);
1228 	    der_free_octet_string(&out);
1229 	    goto out;
1230 	}
1231 	der_free_oid(&type2);
1232 	krb5_data_free(&content);
1233 	ret = krb5_data_copy(&content, out.data, out.length);
1234 	der_free_octet_string(&out);
1235 	if (ret) {
1236 	    krb5_set_error_message(context, ret,
1237 				   N_("malloc: out of memory", ""));
1238 	    goto out;
1239 	}
1240     }
1241 
1242     ret = pk_verify_sign(context,
1243 			 content.data,
1244 			 content.length,
1245 			 ctx->id,
1246 			 &contentType,
1247 			 &content,
1248 			 &host);
1249     if (ret)
1250 	goto out;
1251 
1252     /* make sure that it is the kdc's certificate */
1253     ret = pk_verify_host(context, realm, hi, ctx, host);
1254     if (ret) {
1255 	goto out;
1256     }
1257 
1258 #if 0
1259     if (type == PKINIT_WIN2K) {
1260 	if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) != 0) {
1261 	    ret = KRB5KRB_AP_ERR_MSG_TYPE;
1262 	    krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid");
1263 	    goto out;
1264 	}
1265     } else {
1266 	if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkrkeydata) != 0) {
1267 	    ret = KRB5KRB_AP_ERR_MSG_TYPE;
1268 	    krb5_set_error_message(context, ret, "PKINIT: reply key, wrong oid");
1269 	    goto out;
1270 	}
1271     }
1272 #endif
1273 
1274     switch(type) {
1275     case PKINIT_WIN2K:
1276 	ret = get_reply_key(context, &content, req_buffer, key);
1277 	if (ret != 0 && ctx->require_binding == 0)
1278 	    ret = get_reply_key_win(context, &content, nonce, key);
1279 	break;
1280     case PKINIT_27:
1281 	ret = get_reply_key(context, &content, req_buffer, key);
1282 	break;
1283     }
1284     if (ret)
1285 	goto out;
1286 
1287     /* XXX compare given etype with key->etype */
1288 
1289  out:
1290     if (host)
1291 	_krb5_pk_cert_free(host);
1292     der_free_oid(&contentType);
1293     krb5_data_free(&content);
1294 
1295     return ret;
1296 }
1297 
1298 static krb5_error_code
1299 pk_rd_pa_reply_dh(krb5_context context,
1300 		  const heim_octet_string *indata,
1301 		  const heim_oid *dataType,
1302 		  const char *realm,
1303 		  krb5_pk_init_ctx ctx,
1304 		  krb5_enctype etype,
1305 		  const krb5_krbhst_info *hi,
1306 		  const DHNonce *c_n,
1307 		  const DHNonce *k_n,
1308                   unsigned nonce,
1309                   PA_DATA *pa,
1310                   krb5_keyblock **key)
1311 {
1312     const unsigned char *p;
1313     unsigned char *dh_gen_key = NULL;
1314     struct krb5_pk_cert *host = NULL;
1315     BIGNUM *kdc_dh_pubkey = NULL;
1316     KDCDHKeyInfo kdc_dh_info;
1317     heim_oid contentType = { 0, NULL };
1318     krb5_data content;
1319     krb5_error_code ret;
1320     int dh_gen_keylen = 0;
1321     size_t size;
1322 
1323     krb5_data_zero(&content);
1324     memset(&kdc_dh_info, 0, sizeof(kdc_dh_info));
1325 
1326     if (der_heim_oid_cmp(&asn1_oid_id_pkcs7_signedData, dataType)) {
1327 	krb5_set_error_message(context, EINVAL,
1328 			       N_("PKINIT: Invalid content type", ""));
1329 	return EINVAL;
1330     }
1331 
1332     ret = pk_verify_sign(context,
1333 			 indata->data,
1334 			 indata->length,
1335 			 ctx->id,
1336 			 &contentType,
1337 			 &content,
1338 			 &host);
1339     if (ret)
1340 	goto out;
1341 
1342     /* make sure that it is the kdc's certificate */
1343     ret = pk_verify_host(context, realm, hi, ctx, host);
1344     if (ret)
1345 	goto out;
1346 
1347     if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkdhkeydata)) {
1348 	ret = KRB5KRB_AP_ERR_MSG_TYPE;
1349 	krb5_set_error_message(context, ret,
1350 			       N_("pkinit - dh reply contains wrong oid", ""));
1351 	goto out;
1352     }
1353 
1354     ret = decode_KDCDHKeyInfo(content.data,
1355 			      content.length,
1356 			      &kdc_dh_info,
1357 			      &size);
1358 
1359     if (ret) {
1360 	krb5_set_error_message(context, ret,
1361 			       N_("pkinit - failed to decode "
1362 				  "KDC DH Key Info", ""));
1363 	goto out;
1364     }
1365 
1366     if (kdc_dh_info.nonce != nonce) {
1367 	ret = KRB5KRB_AP_ERR_MODIFIED;
1368 	krb5_set_error_message(context, ret,
1369 			       N_("PKINIT: DH nonce is wrong", ""));
1370 	goto out;
1371     }
1372 
1373     if (kdc_dh_info.dhKeyExpiration) {
1374 	if (k_n == NULL) {
1375 	    ret = KRB5KRB_ERR_GENERIC;
1376 	    krb5_set_error_message(context, ret,
1377 				   N_("pkinit; got key expiration "
1378 				      "without server nonce", ""));
1379 	    goto out;
1380 	}
1381 	if (c_n == NULL) {
1382 	    ret = KRB5KRB_ERR_GENERIC;
1383 	    krb5_set_error_message(context, ret,
1384 				   N_("pkinit; got DH reuse but no "
1385 				      "client nonce", ""));
1386 	    goto out;
1387 	}
1388     } else {
1389 	if (k_n) {
1390 	    ret = KRB5KRB_ERR_GENERIC;
1391 	    krb5_set_error_message(context, ret,
1392 				   N_("pkinit: got server nonce "
1393 				      "without key expiration", ""));
1394 	    goto out;
1395 	}
1396 	c_n = NULL;
1397     }
1398 
1399 
1400     p = kdc_dh_info.subjectPublicKey.data;
1401     size = (kdc_dh_info.subjectPublicKey.length + 7) / 8;
1402 
1403     if (ctx->keyex == USE_DH) {
1404 	DHPublicKey k;
1405 	ret = decode_DHPublicKey(p, size, &k, NULL);
1406 	if (ret) {
1407 	    krb5_set_error_message(context, ret,
1408 				   N_("pkinit: can't decode "
1409 				      "without key expiration", ""));
1410 	    goto out;
1411 	}
1412 
1413 	kdc_dh_pubkey = integer_to_BN(context, "DHPublicKey", &k);
1414 	free_DHPublicKey(&k);
1415 	if (kdc_dh_pubkey == NULL) {
1416 	    ret = ENOMEM;
1417 	    goto out;
1418 	}
1419 
1420 
1421 	size = DH_size(ctx->u.dh);
1422 
1423 	dh_gen_key = malloc(size);
1424 	if (dh_gen_key == NULL) {
1425 	    ret = ENOMEM;
1426 	    krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
1427 	    goto out;
1428 	}
1429 
1430 	dh_gen_keylen = DH_compute_key(dh_gen_key, kdc_dh_pubkey, ctx->u.dh);
1431 	if (dh_gen_keylen == -1) {
1432 	    ret = KRB5KRB_ERR_GENERIC;
1433 	    dh_gen_keylen = 0;
1434 	    krb5_set_error_message(context, ret,
1435 				   N_("PKINIT: Can't compute Diffie-Hellman key", ""));
1436 	    goto out;
1437 	}
1438 	if (dh_gen_keylen < (int)size) {
1439 	    size -= dh_gen_keylen;
1440 	    memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
1441 	    memset(dh_gen_key, 0, size);
1442 	}
1443 
1444     } else {
1445 #ifdef HAVE_OPENSSL
1446 	const EC_GROUP *group;
1447 	EC_KEY *public = NULL;
1448 
1449 	group = EC_KEY_get0_group(ctx->u.eckey);
1450 
1451 	public = EC_KEY_new();
1452 	if (public == NULL) {
1453 	    ret = ENOMEM;
1454 	    goto out;
1455 	}
1456 	if (EC_KEY_set_group(public, group) != 1) {
1457 	    EC_KEY_free(public);
1458 	    ret = ENOMEM;
1459 	    goto out;
1460 	}
1461 
1462 	if (o2i_ECPublicKey(&public, &p, size) == NULL) {
1463 	    EC_KEY_free(public);
1464 	    ret = KRB5KRB_ERR_GENERIC;
1465 	    krb5_set_error_message(context, ret,
1466 				   N_("PKINIT: Can't parse ECDH public key", ""));
1467 	    goto out;
1468 	}
1469 
1470 	size = (EC_GROUP_get_degree(group) + 7) / 8;
1471 	dh_gen_key = malloc(size);
1472 	if (dh_gen_key == NULL) {
1473 	    EC_KEY_free(public);
1474 	    ret = ENOMEM;
1475 	    krb5_set_error_message(context, ret,
1476 				   N_("malloc: out of memory", ""));
1477 	    goto out;
1478 	}
1479 	dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
1480 					 EC_KEY_get0_public_key(public), ctx->u.eckey, NULL);
1481 	EC_KEY_free(public);
1482 	if (dh_gen_keylen == -1) {
1483 	    ret = KRB5KRB_ERR_GENERIC;
1484 	    dh_gen_keylen = 0;
1485 	    krb5_set_error_message(context, ret,
1486 				   N_("PKINIT: Can't compute ECDH public key", ""));
1487 	    goto out;
1488 	}
1489 #else
1490 	ret = EINVAL;
1491 #endif
1492     }
1493 
1494     if (dh_gen_keylen <= 0) {
1495 	ret = EINVAL;
1496 	krb5_set_error_message(context, ret,
1497 			       N_("PKINIT: resulting DH key <= 0", ""));
1498 	dh_gen_keylen = 0;
1499 	goto out;
1500     }
1501 
1502     *key = malloc (sizeof (**key));
1503     if (*key == NULL) {
1504 	ret = ENOMEM;
1505 	krb5_set_error_message(context, ret,
1506 			       N_("malloc: out of memory", ""));
1507 	goto out;
1508     }
1509 
1510     ret = _krb5_pk_octetstring2key(context,
1511 				   etype,
1512 				   dh_gen_key, dh_gen_keylen,
1513 				   c_n, k_n,
1514 				   *key);
1515     if (ret) {
1516 	krb5_set_error_message(context, ret,
1517 			       N_("PKINIT: can't create key from DH key", ""));
1518 	free(*key);
1519 	*key = NULL;
1520 	goto out;
1521     }
1522 
1523  out:
1524     if (kdc_dh_pubkey)
1525 	BN_free(kdc_dh_pubkey);
1526     if (dh_gen_key) {
1527 	memset(dh_gen_key, 0, dh_gen_keylen);
1528 	free(dh_gen_key);
1529     }
1530     if (host)
1531 	_krb5_pk_cert_free(host);
1532     if (content.data)
1533 	krb5_data_free(&content);
1534     der_free_oid(&contentType);
1535     free_KDCDHKeyInfo(&kdc_dh_info);
1536 
1537     return ret;
1538 }
1539 
1540 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1541 _krb5_pk_rd_pa_reply(krb5_context context,
1542 		     const char *realm,
1543 		     void *c,
1544 		     krb5_enctype etype,
1545 		     const krb5_krbhst_info *hi,
1546 		     unsigned nonce,
1547 		     const krb5_data *req_buffer,
1548 		     PA_DATA *pa,
1549 		     krb5_keyblock **key)
1550 {
1551     krb5_pk_init_ctx ctx = c;
1552     krb5_error_code ret;
1553     size_t size;
1554 
1555     /* Check for IETF PK-INIT first */
1556     if (ctx->type == PKINIT_27) {
1557 	PA_PK_AS_REP rep;
1558 	heim_octet_string os, data;
1559 	heim_oid oid;
1560 
1561 	if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
1562 	    krb5_set_error_message(context, EINVAL,
1563 				   N_("PKINIT: wrong padata recv", ""));
1564 	    return EINVAL;
1565 	}
1566 
1567 	ret = decode_PA_PK_AS_REP(pa->padata_value.data,
1568 				  pa->padata_value.length,
1569 				  &rep,
1570 				  &size);
1571 	if (ret) {
1572 	    krb5_set_error_message(context, ret,
1573 				   N_("Failed to decode pkinit AS rep", ""));
1574 	    return ret;
1575 	}
1576 
1577 	switch (rep.element) {
1578 	case choice_PA_PK_AS_REP_dhInfo:
1579 	    _krb5_debug(context, 5, "krb5_get_init_creds: using pkinit dh");
1580 	    os = rep.u.dhInfo.dhSignedData;
1581 	    break;
1582 	case choice_PA_PK_AS_REP_encKeyPack:
1583 	    _krb5_debug(context, 5, "krb5_get_init_creds: using kinit enc reply key");
1584 	    os = rep.u.encKeyPack;
1585 	    break;
1586 	default: {
1587 	    PA_PK_AS_REP_BTMM btmm;
1588 	    free_PA_PK_AS_REP(&rep);
1589 	    memset(&rep, 0, sizeof(rep));
1590 
1591 	    _krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key");
1592 
1593 	    ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data,
1594 					   pa->padata_value.length,
1595 					   &btmm,
1596 					   &size);
1597 	    if (ret) {
1598 		krb5_set_error_message(context, EINVAL,
1599 				       N_("PKINIT: -27 reply "
1600 					  "invalid content type", ""));
1601 		return EINVAL;
1602 	    }
1603 
1604 	    if (btmm.dhSignedData || btmm.encKeyPack == NULL) {
1605 		free_PA_PK_AS_REP_BTMM(&btmm);
1606 		ret = EINVAL;
1607 		krb5_set_error_message(context, ret,
1608 				       N_("DH mode not supported for BTMM mode", ""));
1609 		return ret;
1610 	    }
1611 
1612 	    /*
1613 	     * Transform to IETF style PK-INIT reply so that free works below
1614 	     */
1615 
1616 	    rep.element = choice_PA_PK_AS_REP_encKeyPack;
1617 	    rep.u.encKeyPack.data = btmm.encKeyPack->data;
1618 	    rep.u.encKeyPack.length = btmm.encKeyPack->length;
1619 	    btmm.encKeyPack->data = NULL;
1620 	    btmm.encKeyPack->length = 0;
1621 	    free_PA_PK_AS_REP_BTMM(&btmm);
1622 	    os = rep.u.encKeyPack;
1623 	}
1624 	}
1625 
1626 	ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL);
1627 	if (ret) {
1628 	    free_PA_PK_AS_REP(&rep);
1629 	    krb5_set_error_message(context, ret,
1630 				   N_("PKINIT: failed to unwrap CI", ""));
1631 	    return ret;
1632 	}
1633 
1634 	switch (rep.element) {
1635 	case choice_PA_PK_AS_REP_dhInfo:
1636 	    ret = pk_rd_pa_reply_dh(context, &data, &oid, realm, ctx, etype, hi,
1637 				    ctx->clientDHNonce,
1638 				    rep.u.dhInfo.serverDHNonce,
1639 				    nonce, pa, key);
1640 	    break;
1641 	case choice_PA_PK_AS_REP_encKeyPack:
1642 	    ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, realm,
1643 					ctx, etype, hi, nonce, req_buffer, pa, key);
1644 	    break;
1645 	default:
1646 	    krb5_abortx(context, "pk-init as-rep case not possible to happen");
1647 	}
1648 	der_free_octet_string(&data);
1649 	der_free_oid(&oid);
1650 	free_PA_PK_AS_REP(&rep);
1651 
1652     } else if (ctx->type == PKINIT_WIN2K) {
1653 	PA_PK_AS_REP_Win2k w2krep;
1654 
1655 	/* Check for Windows encoding of the AS-REP pa data */
1656 
1657 #if 0 /* should this be ? */
1658 	if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
1659 	    krb5_set_error_message(context, EINVAL,
1660 				   "PKINIT: wrong padata recv");
1661 	    return EINVAL;
1662 	}
1663 #endif
1664 
1665 	memset(&w2krep, 0, sizeof(w2krep));
1666 
1667 	ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data,
1668 					pa->padata_value.length,
1669 					&w2krep,
1670 					&size);
1671 	if (ret) {
1672 	    krb5_set_error_message(context, ret,
1673 				   N_("PKINIT: Failed decoding windows "
1674 				      "pkinit reply %d", ""), (int)ret);
1675 	    return ret;
1676 	}
1677 
1678 	krb5_clear_error_message(context);
1679 
1680 	switch (w2krep.element) {
1681 	case choice_PA_PK_AS_REP_Win2k_encKeyPack: {
1682 	    heim_octet_string data;
1683 	    heim_oid oid;
1684 
1685 	    ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack,
1686 					       &oid, &data, NULL);
1687 	    free_PA_PK_AS_REP_Win2k(&w2krep);
1688 	    if (ret) {
1689 		krb5_set_error_message(context, ret,
1690 				       N_("PKINIT: failed to unwrap CI", ""));
1691 		return ret;
1692 	    }
1693 
1694 	    ret = pk_rd_pa_reply_enckey(context, PKINIT_WIN2K, &data, &oid, realm,
1695 					ctx, etype, hi, nonce, req_buffer, pa, key);
1696 	    der_free_octet_string(&data);
1697 	    der_free_oid(&oid);
1698 
1699 	    break;
1700 	}
1701 	default:
1702 	    free_PA_PK_AS_REP_Win2k(&w2krep);
1703 	    ret = EINVAL;
1704 	    krb5_set_error_message(context, ret,
1705 				   N_("PKINIT: win2k reply invalid "
1706 				      "content type", ""));
1707 	    break;
1708 	}
1709 
1710     } else {
1711 	ret = EINVAL;
1712 	krb5_set_error_message(context, ret,
1713 			       N_("PKINIT: unknown reply type", ""));
1714     }
1715 
1716     return ret;
1717 }
1718 
1719 struct prompter {
1720     krb5_context context;
1721     krb5_prompter_fct prompter;
1722     void *prompter_data;
1723 };
1724 
1725 static int
1726 hx_pass_prompter(void *data, const hx509_prompt *prompter)
1727 {
1728     krb5_error_code ret;
1729     krb5_prompt prompt;
1730     krb5_data password_data;
1731     struct prompter *p = data;
1732 
1733     password_data.data   = prompter->reply.data;
1734     password_data.length = prompter->reply.length;
1735 
1736     prompt.prompt = prompter->prompt;
1737     prompt.hidden = hx509_prompt_hidden(prompter->type);
1738     prompt.reply  = &password_data;
1739 
1740     switch (prompter->type) {
1741     case HX509_PROMPT_TYPE_INFO:
1742 	prompt.type   = KRB5_PROMPT_TYPE_INFO;
1743 	break;
1744     case HX509_PROMPT_TYPE_PASSWORD:
1745     case HX509_PROMPT_TYPE_QUESTION:
1746     default:
1747 	prompt.type   = KRB5_PROMPT_TYPE_PASSWORD;
1748 	break;
1749     }
1750 
1751     ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
1752     if (ret) {
1753 	memset (prompter->reply.data, 0, prompter->reply.length);
1754 	return 1;
1755     }
1756     return 0;
1757 }
1758 
1759 static krb5_error_code
1760 _krb5_pk_set_user_id(krb5_context context,
1761 		     krb5_principal principal,
1762 		     krb5_pk_init_ctx ctx,
1763 		     struct hx509_certs_data *certs)
1764 {
1765     hx509_certs c = hx509_certs_ref(certs);
1766     hx509_query *q = NULL;
1767     int ret;
1768 
1769     if (ctx->id->certs)
1770 	hx509_certs_free(&ctx->id->certs);
1771     if (ctx->id->cert) {
1772 	hx509_cert_free(ctx->id->cert);
1773 	ctx->id->cert = NULL;
1774     }
1775 
1776     ctx->id->certs = c;
1777     ctx->anonymous = 0;
1778 
1779     ret = hx509_query_alloc(context->hx509ctx, &q);
1780     if (ret) {
1781 	pk_copy_error(context, context->hx509ctx, ret,
1782 		      "Allocate query to find signing certificate");
1783 	return ret;
1784     }
1785 
1786     hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
1787     hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
1788 
1789     if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) {
1790 	ctx->id->flags |= PKINIT_BTMM;
1791     }
1792 
1793     ret = find_cert(context, ctx->id, q, &ctx->id->cert);
1794     hx509_query_free(context->hx509ctx, q);
1795 
1796     if (ret == 0 && _krb5_have_debug(context, 2)) {
1797 	hx509_name name;
1798 	char *str, *sn;
1799 	heim_integer i;
1800 
1801 	ret = hx509_cert_get_subject(ctx->id->cert, &name);
1802 	if (ret)
1803 	    goto out;
1804 
1805 	ret = hx509_name_to_string(name, &str);
1806 	hx509_name_free(&name);
1807 	if (ret)
1808 	    goto out;
1809 
1810 	ret = hx509_cert_get_serialnumber(ctx->id->cert, &i);
1811 	if (ret) {
1812 	    free(str);
1813 	    goto out;
1814 	}
1815 
1816 	ret = der_print_hex_heim_integer(&i, &sn);
1817 	der_free_heim_integer(&i);
1818 	if (ret) {
1819 	    free(name);
1820 	    goto out;
1821 	}
1822 
1823 	_krb5_debug(context, 2, "using cert: subject: %s sn: %s", str, sn);
1824 	free(str);
1825 	free(sn);
1826     }
1827  out:
1828 
1829     return ret;
1830 }
1831 
1832 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1833 _krb5_pk_load_id(krb5_context context,
1834 		 struct krb5_pk_identity **ret_id,
1835 		 const char *user_id,
1836 		 const char *anchor_id,
1837 		 char * const *chain_list,
1838 		 char * const *revoke_list,
1839 		 krb5_prompter_fct prompter,
1840 		 void *prompter_data,
1841 		 char *password)
1842 {
1843     struct krb5_pk_identity *id = NULL;
1844     struct prompter p;
1845     int ret;
1846 
1847     *ret_id = NULL;
1848 
1849     if (anchor_id == NULL) {
1850 	krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA,
1851 			       N_("PKINIT: No anchor given", ""));
1852 	return HEIM_PKINIT_NO_VALID_CA;
1853     }
1854 
1855     /* load cert */
1856 
1857     id = calloc(1, sizeof(*id));
1858     if (id == NULL) {
1859 	krb5_set_error_message(context, ENOMEM,
1860 			       N_("malloc: out of memory", ""));
1861 	return ENOMEM;
1862     }
1863 
1864     if (user_id) {
1865 	hx509_lock lock;
1866 
1867 	ret = hx509_lock_init(context->hx509ctx, &lock);
1868 	if (ret) {
1869 	    pk_copy_error(context, context->hx509ctx, ret, "Failed init lock");
1870 	    goto out;
1871 	}
1872 
1873 	if (password && password[0])
1874 	    hx509_lock_add_password(lock, password);
1875 
1876 	if (prompter) {
1877 	    p.context = context;
1878 	    p.prompter = prompter;
1879 	    p.prompter_data = prompter_data;
1880 
1881 	    ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
1882 	    if (ret) {
1883 		hx509_lock_free(lock);
1884 		goto out;
1885 	    }
1886 	}
1887 
1888 	ret = hx509_certs_init(context->hx509ctx, user_id, 0, lock, &id->certs);
1889         hx509_lock_free(lock);
1890 	if (ret) {
1891 	    pk_copy_error(context, context->hx509ctx, ret,
1892 			  "Failed to init cert certs");
1893 	    goto out;
1894 	}
1895     } else {
1896 	id->certs = NULL;
1897     }
1898 
1899     ret = hx509_certs_init(context->hx509ctx, anchor_id, 0, NULL, &id->anchors);
1900     if (ret) {
1901 	pk_copy_error(context, context->hx509ctx, ret,
1902 		      "Failed to init anchors");
1903 	goto out;
1904     }
1905 
1906     ret = hx509_certs_init(context->hx509ctx, "MEMORY:pkinit-cert-chain",
1907 			   0, NULL, &id->certpool);
1908     if (ret) {
1909 	pk_copy_error(context, context->hx509ctx, ret,
1910 		      "Failed to init chain");
1911 	goto out;
1912     }
1913 
1914     while (chain_list && *chain_list) {
1915 	ret = hx509_certs_append(context->hx509ctx, id->certpool,
1916 				 NULL, *chain_list);
1917 	if (ret) {
1918 	    pk_copy_error(context, context->hx509ctx, ret,
1919 			  "Failed to laod chain %s",
1920 			  *chain_list);
1921 	    goto out;
1922 	}
1923 	chain_list++;
1924     }
1925 
1926     if (revoke_list) {
1927 	ret = hx509_revoke_init(context->hx509ctx, &id->revokectx);
1928 	if (ret) {
1929 	    pk_copy_error(context, context->hx509ctx, ret,
1930 			  "Failed init revoke list");
1931 	    goto out;
1932 	}
1933 
1934 	while (*revoke_list) {
1935 	    ret = hx509_revoke_add_crl(context->hx509ctx,
1936 				       id->revokectx,
1937 				       *revoke_list);
1938 	    if (ret) {
1939 		pk_copy_error(context, context->hx509ctx, ret,
1940 			      "Failed load revoke list");
1941 		goto out;
1942 	    }
1943 	    revoke_list++;
1944 	}
1945     } else
1946 	hx509_context_set_missing_revoke(context->hx509ctx, 1);
1947 
1948     ret = hx509_verify_init_ctx(context->hx509ctx, &id->verify_ctx);
1949     if (ret) {
1950 	pk_copy_error(context, context->hx509ctx, ret,
1951 		      "Failed init verify context");
1952 	goto out;
1953     }
1954 
1955     hx509_verify_attach_anchors(id->verify_ctx, id->anchors);
1956     hx509_verify_attach_revoke(id->verify_ctx, id->revokectx);
1957 
1958  out:
1959     if (ret) {
1960 	hx509_verify_destroy_ctx(id->verify_ctx);
1961 	hx509_certs_free(&id->certs);
1962 	hx509_certs_free(&id->anchors);
1963 	hx509_certs_free(&id->certpool);
1964 	hx509_revoke_free(&id->revokectx);
1965 	free(id);
1966     } else
1967 	*ret_id = id;
1968 
1969     return ret;
1970 }
1971 
1972 /*
1973  *
1974  */
1975 
1976 static void
1977 pk_copy_error(krb5_context context,
1978 	      hx509_context hx509ctx,
1979 	      int hxret,
1980 	      const char *fmt,
1981 	      ...)
1982 {
1983     va_list va;
1984     char *s, *f;
1985     int ret;
1986 
1987     va_start(va, fmt);
1988     ret = vasprintf(&f, fmt, va);
1989     va_end(va);
1990     if (ret == -1 || f == NULL) {
1991 	krb5_clear_error_message(context);
1992 	return;
1993     }
1994 
1995     s = hx509_get_error_string(hx509ctx, hxret);
1996     if (s == NULL) {
1997 	krb5_clear_error_message(context);
1998 	free(f);
1999 	return;
2000     }
2001     krb5_set_error_message(context, hxret, "%s: %s", f, s);
2002     free(s);
2003     free(f);
2004 }
2005 
2006 static int
2007 parse_integer(krb5_context context, char **p, const char *file, int lineno,
2008 	      const char *name, heim_integer *integer)
2009 {
2010     int ret;
2011     char *p1;
2012     p1 = strsep(p, " \t");
2013     if (p1 == NULL) {
2014 	krb5_set_error_message(context, EINVAL,
2015 			       N_("moduli file %s missing %s on line %d", ""),
2016 			       file, name, lineno);
2017 	return EINVAL;
2018     }
2019     ret = der_parse_hex_heim_integer(p1, integer);
2020     if (ret) {
2021 	krb5_set_error_message(context, ret,
2022 			       N_("moduli file %s failed parsing %s "
2023 				  "on line %d", ""),
2024 			       file, name, lineno);
2025 	return ret;
2026     }
2027 
2028     return 0;
2029 }
2030 
2031 krb5_error_code
2032 _krb5_parse_moduli_line(krb5_context context,
2033 			const char *file,
2034 			int lineno,
2035 			char *p,
2036 			struct krb5_dh_moduli **m)
2037 {
2038     struct krb5_dh_moduli *m1;
2039     char *p1;
2040     int ret;
2041 
2042     *m = NULL;
2043 
2044     m1 = calloc(1, sizeof(*m1));
2045     if (m1 == NULL) {
2046 	krb5_set_error_message(context, ENOMEM,
2047 			       N_("malloc: out of memory", ""));
2048 	return ENOMEM;
2049     }
2050 
2051     while (isspace((unsigned char)*p))
2052 	p++;
2053     if (*p  == '#') {
2054         free(m1);
2055 	return 0;
2056     }
2057     ret = EINVAL;
2058 
2059     p1 = strsep(&p, " \t");
2060     if (p1 == NULL) {
2061 	krb5_set_error_message(context, ret,
2062 			       N_("moduli file %s missing name on line %d", ""),
2063 			       file, lineno);
2064 	goto out;
2065     }
2066     m1->name = strdup(p1);
2067     if (m1->name == NULL) {
2068 	ret = ENOMEM;
2069 	krb5_set_error_message(context, ret, N_("malloc: out of memeory", ""));
2070 	goto out;
2071     }
2072 
2073     p1 = strsep(&p, " \t");
2074     if (p1 == NULL) {
2075 	krb5_set_error_message(context, ret,
2076 			       N_("moduli file %s missing bits on line %d", ""),
2077 			       file, lineno);
2078 	goto out;
2079     }
2080 
2081     m1->bits = atoi(p1);
2082     if (m1->bits == 0) {
2083 	krb5_set_error_message(context, ret,
2084 			       N_("moduli file %s have un-parsable "
2085 				  "bits on line %d", ""), file, lineno);
2086 	goto out;
2087     }
2088 
2089     ret = parse_integer(context, &p, file, lineno, "p", &m1->p);
2090     if (ret)
2091 	goto out;
2092     ret = parse_integer(context, &p, file, lineno, "g", &m1->g);
2093     if (ret)
2094 	goto out;
2095     ret = parse_integer(context, &p, file, lineno, "q", &m1->q);
2096     if (ret)
2097 	goto out;
2098 
2099     *m = m1;
2100 
2101     return 0;
2102  out:
2103     free(m1->name);
2104     der_free_heim_integer(&m1->p);
2105     der_free_heim_integer(&m1->g);
2106     der_free_heim_integer(&m1->q);
2107     free(m1);
2108     return ret;
2109 }
2110 
2111 void
2112 _krb5_free_moduli(struct krb5_dh_moduli **moduli)
2113 {
2114     int i;
2115     for (i = 0; moduli[i] != NULL; i++) {
2116 	free(moduli[i]->name);
2117 	der_free_heim_integer(&moduli[i]->p);
2118 	der_free_heim_integer(&moduli[i]->g);
2119 	der_free_heim_integer(&moduli[i]->q);
2120 	free(moduli[i]);
2121     }
2122     free(moduli);
2123 }
2124 
2125 static const char *default_moduli_RFC2412_MODP_group2 =
2126     /* name */
2127     "RFC2412-MODP-group2 "
2128     /* bits */
2129     "1024 "
2130     /* p */
2131     "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
2132     "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
2133     "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
2134     "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
2135     "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
2136     "FFFFFFFF" "FFFFFFFF "
2137     /* g */
2138     "02 "
2139     /* q */
2140     "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
2141     "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
2142     "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
2143     "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
2144     "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0"
2145     "FFFFFFFF" "FFFFFFFF";
2146 
2147 static const char *default_moduli_rfc3526_MODP_group14 =
2148     /* name */
2149     "rfc3526-MODP-group14 "
2150     /* bits */
2151     "1760 "
2152     /* p */
2153     "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
2154     "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
2155     "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
2156     "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
2157     "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
2158     "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
2159     "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
2160     "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
2161     "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
2162     "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
2163     "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF "
2164     /* g */
2165     "02 "
2166     /* q */
2167     "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
2168     "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
2169     "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
2170     "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
2171     "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E"
2172     "E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF"
2173     "C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36"
2174     "B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D"
2175     "F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964"
2176     "EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288"
2177     "0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF";
2178 
2179 krb5_error_code
2180 _krb5_parse_moduli(krb5_context context, const char *file,
2181 		   struct krb5_dh_moduli ***moduli)
2182 {
2183     /* name bits P G Q */
2184     krb5_error_code ret;
2185     struct krb5_dh_moduli **m = NULL, **m2;
2186     char buf[4096];
2187     FILE *f;
2188     int lineno = 0, n = 0;
2189 
2190     *moduli = NULL;
2191 
2192     m = calloc(1, sizeof(m[0]) * 3);
2193     if (m == NULL) {
2194 	krb5_set_error_message(context, ENOMEM,
2195 			       N_("malloc: out of memory", ""));
2196 	return ENOMEM;
2197     }
2198 
2199     strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf));
2200     ret = _krb5_parse_moduli_line(context, "builtin", 1, buf,  &m[0]);
2201     if (ret) {
2202 	_krb5_free_moduli(m);
2203 	return ret;
2204     }
2205     n++;
2206 
2207     strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf));
2208     ret = _krb5_parse_moduli_line(context, "builtin", 1, buf,  &m[1]);
2209     if (ret) {
2210 	_krb5_free_moduli(m);
2211 	return ret;
2212     }
2213     n++;
2214 
2215 
2216     if (file == NULL)
2217 	file = MODULI_FILE;
2218 
2219 #ifdef KRB5_USE_PATH_TOKENS
2220     {
2221         char * exp_file;
2222 
2223         if (_krb5_expand_path_tokens(context, file, &exp_file) == 0) {
2224             f = fopen(exp_file, "r");
2225             krb5_xfree(exp_file);
2226         } else {
2227             f = NULL;
2228         }
2229     }
2230 #else
2231     f = fopen(file, "r");
2232 #endif
2233 
2234     if (f == NULL) {
2235 	*moduli = m;
2236 	return 0;
2237     }
2238     rk_cloexec_file(f);
2239 
2240     while(fgets(buf, sizeof(buf), f) != NULL) {
2241 	struct krb5_dh_moduli *element;
2242 
2243 	buf[strcspn(buf, "\n")] = '\0';
2244 	lineno++;
2245 
2246 	m2 = realloc(m, (n + 2) * sizeof(m[0]));
2247 	if (m2 == NULL) {
2248 	    _krb5_free_moduli(m);
2249 	    krb5_set_error_message(context, ENOMEM,
2250 				   N_("malloc: out of memory", ""));
2251 	    return ENOMEM;
2252 	}
2253 	m = m2;
2254 
2255 	m[n] = NULL;
2256 
2257 	ret = _krb5_parse_moduli_line(context, file, lineno, buf,  &element);
2258 	if (ret) {
2259 	    _krb5_free_moduli(m);
2260 	    return ret;
2261 	}
2262 	if (element == NULL)
2263 	    continue;
2264 
2265 	m[n] = element;
2266 	m[n + 1] = NULL;
2267 	n++;
2268     }
2269     *moduli = m;
2270     return 0;
2271 }
2272 
2273 krb5_error_code
2274 _krb5_dh_group_ok(krb5_context context, unsigned long bits,
2275 		  heim_integer *p, heim_integer *g, heim_integer *q,
2276 		  struct krb5_dh_moduli **moduli,
2277 		  char **name)
2278 {
2279     int i;
2280 
2281     if (name)
2282 	*name = NULL;
2283 
2284     for (i = 0; moduli[i] != NULL; i++) {
2285 	if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 &&
2286 	    der_heim_integer_cmp(&moduli[i]->p, p) == 0 &&
2287 	    (q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0))
2288 	    {
2289 		if (bits && bits > moduli[i]->bits) {
2290 		    krb5_set_error_message(context,
2291 					   KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
2292 					   N_("PKINIT: DH group parameter %s "
2293 					      "no accepted, not enough bits "
2294 					      "generated", ""),
2295 					   moduli[i]->name);
2296 		    return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
2297 		}
2298 		if (name)
2299 		    *name = strdup(moduli[i]->name);
2300 		return 0;
2301 	    }
2302     }
2303     krb5_set_error_message(context,
2304 			   KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
2305 			   N_("PKINIT: DH group parameter no ok", ""));
2306     return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
2307 }
2308 #endif /* PKINIT */
2309 
2310 KRB5_LIB_FUNCTION void KRB5_LIB_CALL
2311 _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
2312 {
2313 #ifdef PKINIT
2314     krb5_pk_init_ctx ctx;
2315 
2316     if (opt->opt_private == NULL || opt->opt_private->pk_init_ctx == NULL)
2317 	return;
2318     ctx = opt->opt_private->pk_init_ctx;
2319     switch (ctx->keyex) {
2320     case USE_DH:
2321 	if (ctx->u.dh)
2322 	    DH_free(ctx->u.dh);
2323 	break;
2324     case USE_RSA:
2325 	break;
2326     case USE_ECDH:
2327 #ifdef HAVE_OPENSSL
2328 	if (ctx->u.eckey)
2329 	    EC_KEY_free(ctx->u.eckey);
2330 #endif
2331 	break;
2332     }
2333     if (ctx->id) {
2334 	hx509_verify_destroy_ctx(ctx->id->verify_ctx);
2335 	hx509_certs_free(&ctx->id->certs);
2336 	hx509_cert_free(ctx->id->cert);
2337 	hx509_certs_free(&ctx->id->anchors);
2338 	hx509_certs_free(&ctx->id->certpool);
2339 
2340 	if (ctx->clientDHNonce) {
2341 	    krb5_free_data(NULL, ctx->clientDHNonce);
2342 	    ctx->clientDHNonce = NULL;
2343 	}
2344 	if (ctx->m)
2345 	    _krb5_free_moduli(ctx->m);
2346 	free(ctx->id);
2347 	ctx->id = NULL;
2348     }
2349     free(opt->opt_private->pk_init_ctx);
2350     opt->opt_private->pk_init_ctx = NULL;
2351 #endif
2352 }
2353 
2354 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2355 krb5_get_init_creds_opt_set_pkinit(krb5_context context,
2356 				   krb5_get_init_creds_opt *opt,
2357 				   krb5_principal principal,
2358 				   const char *user_id,
2359 				   const char *x509_anchors,
2360 				   char * const * pool,
2361 				   char * const * pki_revoke,
2362 				   int flags,
2363 				   krb5_prompter_fct prompter,
2364 				   void *prompter_data,
2365 				   char *password)
2366 {
2367 #ifdef PKINIT
2368     krb5_error_code ret;
2369     char *anchors = NULL;
2370 
2371     if (opt->opt_private == NULL) {
2372 	krb5_set_error_message(context, EINVAL,
2373 			       N_("PKINIT: on non extendable opt", ""));
2374 	return EINVAL;
2375     }
2376 
2377     opt->opt_private->pk_init_ctx =
2378 	calloc(1, sizeof(*opt->opt_private->pk_init_ctx));
2379     if (opt->opt_private->pk_init_ctx == NULL) {
2380 	krb5_set_error_message(context, ENOMEM,
2381 			       N_("malloc: out of memory", ""));
2382 	return ENOMEM;
2383     }
2384     opt->opt_private->pk_init_ctx->require_binding = 0;
2385     opt->opt_private->pk_init_ctx->require_eku = 1;
2386     opt->opt_private->pk_init_ctx->require_krbtgt_otherName = 1;
2387     opt->opt_private->pk_init_ctx->peer = NULL;
2388 
2389     /* XXX implement krb5_appdefault_strings  */
2390     if (pool == NULL)
2391 	pool = krb5_config_get_strings(context, NULL,
2392 				       "appdefaults",
2393 				       "pkinit_pool",
2394 				       NULL);
2395 
2396     if (pki_revoke == NULL)
2397 	pki_revoke = krb5_config_get_strings(context, NULL,
2398 					     "appdefaults",
2399 					     "pkinit_revoke",
2400 					     NULL);
2401 
2402     if (x509_anchors == NULL) {
2403 	krb5_appdefault_string(context, "kinit",
2404 			       krb5_principal_get_realm(context, principal),
2405 			       "pkinit_anchors", NULL, &anchors);
2406 	x509_anchors = anchors;
2407     }
2408 
2409     if (flags & 4)
2410 	opt->opt_private->pk_init_ctx->anonymous = 1;
2411 
2412     ret = _krb5_pk_load_id(context,
2413 			   &opt->opt_private->pk_init_ctx->id,
2414 			   user_id,
2415 			   x509_anchors,
2416 			   pool,
2417 			   pki_revoke,
2418 			   prompter,
2419 			   prompter_data,
2420 			   password);
2421     if (ret) {
2422 	free(opt->opt_private->pk_init_ctx);
2423 	opt->opt_private->pk_init_ctx = NULL;
2424 	return ret;
2425     }
2426 
2427     if (opt->opt_private->pk_init_ctx->id->certs) {
2428 	_krb5_pk_set_user_id(context,
2429 			     principal,
2430 			     opt->opt_private->pk_init_ctx,
2431 			     opt->opt_private->pk_init_ctx->id->certs);
2432     } else
2433 	opt->opt_private->pk_init_ctx->id->cert = NULL;
2434 
2435     if ((flags & 2) == 0) {
2436 	hx509_context hx509ctx = context->hx509ctx;
2437 	hx509_cert cert = opt->opt_private->pk_init_ctx->id->cert;
2438 
2439 	opt->opt_private->pk_init_ctx->keyex = USE_DH;
2440 
2441 	/*
2442 	 * If its a ECDSA certs, lets select ECDSA as the keyex algorithm.
2443 	 */
2444 	if (cert) {
2445 	    AlgorithmIdentifier alg;
2446 
2447 	    ret = hx509_cert_get_SPKI_AlgorithmIdentifier(hx509ctx, cert, &alg);
2448 	    if (ret == 0) {
2449 		if (der_heim_oid_cmp(&alg.algorithm, &asn1_oid_id_ecPublicKey) == 0)
2450 		    opt->opt_private->pk_init_ctx->keyex = USE_ECDH;
2451 		free_AlgorithmIdentifier(&alg);
2452 	    }
2453 	}
2454 
2455     } else {
2456 	opt->opt_private->pk_init_ctx->keyex = USE_RSA;
2457 
2458 	if (opt->opt_private->pk_init_ctx->id->certs == NULL) {
2459 	    krb5_set_error_message(context, EINVAL,
2460 				   N_("No anonymous pkinit support in RSA mode", ""));
2461 	    return EINVAL;
2462 	}
2463     }
2464 
2465     return 0;
2466 #else
2467     krb5_set_error_message(context, EINVAL,
2468 			   N_("no support for PKINIT compiled in", ""));
2469     return EINVAL;
2470 #endif
2471 }
2472 
2473 krb5_error_code KRB5_LIB_FUNCTION
2474 krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context,
2475 					      krb5_get_init_creds_opt *opt,
2476 					      struct hx509_certs_data *certs)
2477 {
2478 #ifdef PKINIT
2479     if (opt->opt_private == NULL) {
2480 	krb5_set_error_message(context, EINVAL,
2481 			       N_("PKINIT: on non extendable opt", ""));
2482 	return EINVAL;
2483     }
2484     if (opt->opt_private->pk_init_ctx == NULL) {
2485 	krb5_set_error_message(context, EINVAL,
2486 			       N_("PKINIT: on pkinit context", ""));
2487 	return EINVAL;
2488     }
2489 
2490     _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
2491 
2492     return 0;
2493 #else
2494     krb5_set_error_message(context, EINVAL,
2495 			   N_("no support for PKINIT compiled in", ""));
2496     return EINVAL;
2497 #endif
2498 }
2499 
2500 #ifdef PKINIT
2501 
2502 static int
2503 get_ms_san(hx509_context context, hx509_cert cert, char **upn)
2504 {
2505     hx509_octet_string_list list;
2506     int ret;
2507 
2508     *upn = NULL;
2509 
2510     ret = hx509_cert_find_subjectAltName_otherName(context,
2511 						   cert,
2512 						   &asn1_oid_id_pkinit_ms_san,
2513 						   &list);
2514     if (ret)
2515 	return 0;
2516 
2517     if (list.len > 0 && list.val[0].length > 0)
2518 	ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length,
2519 				upn, NULL);
2520     else
2521 	ret = 1;
2522     hx509_free_octet_string_list(&list);
2523 
2524     return ret;
2525 }
2526 
2527 static int
2528 find_ms_san(hx509_context context, hx509_cert cert, void *ctx)
2529 {
2530     char *upn;
2531     int ret;
2532 
2533     ret = get_ms_san(context, cert, &upn);
2534     if (ret == 0)
2535 	free(upn);
2536     return ret;
2537 }
2538 
2539 
2540 
2541 #endif
2542 
2543 /*
2544  * Private since it need to be redesigned using krb5_get_init_creds()
2545  */
2546 
2547 KRB5_LIB_FUNCTION krb5_error_code  KRB5_LIB_CALL
2548 krb5_pk_enterprise_cert(krb5_context context,
2549 			const char *user_id,
2550 			krb5_const_realm realm,
2551 			krb5_principal *principal,
2552 			struct hx509_certs_data **res)
2553 {
2554 #ifdef PKINIT
2555     krb5_error_code ret;
2556     hx509_certs certs, result;
2557     hx509_cert cert = NULL;
2558     hx509_query *q;
2559     char *name;
2560 
2561     *principal = NULL;
2562     if (res)
2563 	*res = NULL;
2564 
2565     if (user_id == NULL) {
2566 	krb5_set_error_message(context, ENOENT, "no user id");
2567 	return ENOENT;
2568     }
2569 
2570     ret = hx509_certs_init(context->hx509ctx, user_id, 0, NULL, &certs);
2571     if (ret) {
2572 	pk_copy_error(context, context->hx509ctx, ret,
2573 		      "Failed to init cert certs");
2574 	goto out;
2575     }
2576 
2577     ret = hx509_query_alloc(context->hx509ctx, &q);
2578     if (ret) {
2579 	krb5_set_error_message(context, ret, "out of memory");
2580 	hx509_certs_free(&certs);
2581 	goto out;
2582     }
2583 
2584     hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
2585     hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
2586     hx509_query_match_eku(q, &asn1_oid_id_pkinit_ms_eku);
2587     hx509_query_match_cmp_func(q, find_ms_san, NULL);
2588 
2589     ret = hx509_certs_filter(context->hx509ctx, certs, q, &result);
2590     hx509_query_free(context->hx509ctx, q);
2591     hx509_certs_free(&certs);
2592     if (ret) {
2593 	pk_copy_error(context, context->hx509ctx, ret,
2594 		      "Failed to find PKINIT certificate");
2595 	return ret;
2596     }
2597 
2598     ret = hx509_get_one_cert(context->hx509ctx, result, &cert);
2599     hx509_certs_free(&result);
2600     if (ret) {
2601 	pk_copy_error(context, context->hx509ctx, ret,
2602 		      "Failed to get one cert");
2603 	goto out;
2604     }
2605 
2606     ret = get_ms_san(context->hx509ctx, cert, &name);
2607     if (ret) {
2608 	pk_copy_error(context, context->hx509ctx, ret,
2609 		      "Failed to get MS SAN");
2610 	goto out;
2611     }
2612 
2613     ret = krb5_make_principal(context, principal, realm, name, NULL);
2614     free(name);
2615     if (ret)
2616 	goto out;
2617 
2618     krb5_principal_set_type(context, *principal, KRB5_NT_ENTERPRISE_PRINCIPAL);
2619 
2620     if (res) {
2621 	ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res);
2622 	if (ret)
2623 	    goto out;
2624 
2625 	ret = hx509_certs_add(context->hx509ctx, *res, cert);
2626 	if (ret) {
2627 	    hx509_certs_free(res);
2628 	    goto out;
2629 	}
2630     }
2631 
2632  out:
2633     hx509_cert_free(cert);
2634 
2635     return ret;
2636 #else
2637     krb5_set_error_message(context, EINVAL,
2638 			   N_("no support for PKINIT compiled in", ""));
2639     return EINVAL;
2640 #endif
2641 }
2642