Print this page
6429 SMB domain join doesn't work with libreSSL
Reviewed by: Yuri Pankov <yuripv@gmx.com>
Reviewed by: Vitaliy Gusev <vgusev@racktopsystems.com>
*** 29,38 ****
--- 29,39 ----
*/
/*
* Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved.
+ * Copyright 2015 RackTop Systems.
*/
#include <errno.h>
#include <string.h>
#include <stdio.h>
*** 367,380 ****
0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,
0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};
- /* Solaris Kerberos */
- static k5_mutex_t oids_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
- static int pkinit_oids_refs = 0;
-
krb5_error_code
pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) {
krb5_error_code retval = ENOMEM;
pkinit_plg_crypto_context ctx = NULL;
--- 368,377 ----
*** 505,581 ****
}
static krb5_error_code
pkinit_init_pkinit_oids(pkinit_plg_crypto_context ctx)
{
! krb5_error_code retval = ENOMEM;
! int nid = 0;
! /*
! * If OpenSSL already knows about the OID, use the
! * existing definition. Otherwise, create an OID object.
! */
! #define CREATE_OBJ_IF_NEEDED(oid, vn, sn, ln) \
! nid = OBJ_txt2nid(oid); \
! if (nid == NID_undef) { \
! nid = OBJ_create(oid, sn, ln); \
! if (nid == NID_undef) { \
! pkiDebug("Error creating oid object for '%s'\n", oid); \
! goto out; \
! } \
! } \
! ctx->vn = OBJ_nid2obj(nid);
! /* Solaris Kerberos */
! retval = k5_mutex_lock(&oids_mutex);
! if (retval != 0)
! goto out;
! CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.2", id_pkinit_san,
! "id-pkinit-san", "KRB5PrincipalName");
! CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.1", id_pkinit_authData,
! "id-pkinit-authdata", "PKINIT signedAuthPack");
! CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.2", id_pkinit_DHKeyData,
! "id-pkinit-DHKeyData", "PKINIT dhSignedData");
! CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.3", id_pkinit_rkeyData,
! "id-pkinit-rkeyData", "PKINIT encKeyPack");
! CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.4", id_pkinit_KPClientAuth,
! "id-pkinit-KPClientAuth", "PKINIT Client EKU");
! CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.5", id_pkinit_KPKdc,
! "id-pkinit-KPKdc", "KDC EKU");
! #if 0
! CREATE_OBJ_IF_NEEDED("1.2.840.113549.1.7.1", id_pkinit_authData9,
! "id-pkcs7-data", "PKCS7 data");
! #else
! /* See note in pkinit_pkcs7type2oid() */
! ctx->id_pkinit_authData9 = NULL;
! #endif
!
! CREATE_OBJ_IF_NEEDED("1.3.6.1.4.1.311.20.2.2", id_ms_kp_sc_logon,
! "id-ms-kp-sc-logon EKU", "Microsoft SmartCard Login EKU");
!
! CREATE_OBJ_IF_NEEDED("1.3.6.1.4.1.311.20.2.3", id_ms_san_upn,
! "id-ms-san-upn", "Microsoft Universal Principal Name");
!
! CREATE_OBJ_IF_NEEDED("1.3.6.1.5.5.7.3.1", id_kp_serverAuth,
! "id-kp-serverAuth EKU", "Server Authentication EKU");
!
! /* Success */
! retval = 0;
!
! pkinit_oids_refs++;
! /* Solaris Kerberos */
! k5_mutex_unlock(&oids_mutex);
!
! out:
! return retval;
}
static krb5_error_code
get_cert(char *filename, X509 **retcert)
{
--- 502,548 ----
}
static krb5_error_code
pkinit_init_pkinit_oids(pkinit_plg_crypto_context ctx)
{
! ctx->id_pkinit_san = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
! if (ctx->id_pkinit_san == NULL)
! return ENOMEM;
! ctx->id_pkinit_authData = OBJ_txt2obj("1.3.6.1.5.2.3.1", 1);
! if (ctx->id_pkinit_authData == NULL)
! return ENOMEM;
! ctx->id_pkinit_DHKeyData = OBJ_txt2obj("1.3.6.1.5.2.3.2", 1);
! if (ctx->id_pkinit_DHKeyData == NULL)
! return ENOMEM;
! ctx->id_pkinit_rkeyData = OBJ_txt2obj("1.3.6.1.5.2.3.3", 1);
! if (ctx->id_pkinit_rkeyData == NULL)
! return ENOMEM;
! ctx->id_pkinit_KPClientAuth = OBJ_txt2obj("1.3.6.1.5.2.3.4", 1);
! if (ctx->id_pkinit_KPClientAuth == NULL)
! return ENOMEM;
! ctx->id_pkinit_KPKdc = OBJ_txt2obj("1.3.6.1.5.2.3.5", 1);
! if (ctx->id_pkinit_KPKdc == NULL)
! return ENOMEM;
! ctx->id_ms_kp_sc_logon = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.2", 1);
! if (ctx->id_ms_kp_sc_logon == NULL)
! return ENOMEM;
! ctx->id_ms_san_upn = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1);
! if (ctx->id_ms_san_upn == NULL)
! return ENOMEM;
! ctx->id_kp_serverAuth = OBJ_txt2obj("1.3.6.1.5.5.7.3.1", 1);
! if (ctx->id_kp_serverAuth == NULL)
! return ENOMEM;
! return 0;
}
static krb5_error_code
get_cert(char *filename, X509 **retcert)
{
*** 650,666 ****
static void
pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx)
{
if (ctx == NULL)
return;
!
! /* Only call OBJ_cleanup once! */
! /* Solaris Kerberos: locking */
! k5_mutex_lock(&oids_mutex);
! if (--pkinit_oids_refs == 0)
! OBJ_cleanup();
! k5_mutex_unlock(&oids_mutex);
}
static krb5_error_code
pkinit_init_dh_params(pkinit_plg_crypto_context plgctx)
{
--- 617,635 ----
static void
pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx)
{
if (ctx == NULL)
return;
! ASN1_OBJECT_free(ctx->id_pkinit_san);
! ASN1_OBJECT_free(ctx->id_pkinit_authData);
! ASN1_OBJECT_free(ctx->id_pkinit_DHKeyData);
! ASN1_OBJECT_free(ctx->id_pkinit_rkeyData);
! ASN1_OBJECT_free(ctx->id_pkinit_KPClientAuth);
! ASN1_OBJECT_free(ctx->id_pkinit_KPKdc);
! ASN1_OBJECT_free(ctx->id_ms_kp_sc_logon);
! ASN1_OBJECT_free(ctx->id_ms_san_upn);
! ASN1_OBJECT_free(ctx->id_kp_serverAuth);
}
static krb5_error_code
pkinit_init_dh_params(pkinit_plg_crypto_context plgctx)
{
*** 869,879 ****
X509_ALGOR *alg = NULL;
ASN1_OCTET_STRING *digest = NULL;
unsigned int alg_len = 0, digest_len = 0;
unsigned char *y = NULL, *alg_buf = NULL, *digest_buf = NULL;
X509 *cert = NULL;
! ASN1_OBJECT *oid = NULL;
/* Solaris Kerberos */
if (signed_data == NULL)
return EINVAL;
--- 838,848 ----
X509_ALGOR *alg = NULL;
ASN1_OCTET_STRING *digest = NULL;
unsigned int alg_len = 0, digest_len = 0;
unsigned char *y = NULL, *alg_buf = NULL, *digest_buf = NULL;
X509 *cert = NULL;
! ASN1_OBJECT *oid = NULL, *oid_copy;
/* Solaris Kerberos */
if (signed_data == NULL)
return EINVAL;
*** 994,1005 ****
ASN1_OCTET_STRING_set(digest_attr, md_data, (int)md_len);
PKCS7_add_signed_attribute(p7si, NID_pkcs9_messageDigest,
V_ASN1_OCTET_STRING, (char *) digest_attr);
/* create a content-type attr */
PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType,
! V_ASN1_OBJECT, oid);
/* create the signature over signed attributes. get DER encoded value */
/* This is the place where smartcard signature needs to be calculated */
sk = p7si->auth_attr;
alen = ASN1_item_i2d((ASN1_VALUE *) sk, &abuf,
--- 963,977 ----
ASN1_OCTET_STRING_set(digest_attr, md_data, (int)md_len);
PKCS7_add_signed_attribute(p7si, NID_pkcs9_messageDigest,
V_ASN1_OCTET_STRING, (char *) digest_attr);
/* create a content-type attr */
+ oid_copy = OBJ_dup(oid);
+ if (oid_copy == NULL)
+ goto cleanup2;
PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType,
! V_ASN1_OBJECT, oid_copy);
/* create the signature over signed attributes. get DER encoded value */
/* This is the place where smartcard signature needs to be calculated */
sk = p7si->auth_attr;
alen = ASN1_item_i2d((ASN1_VALUE *) sk, &abuf,
*** 3125,3159 ****
}
static ASN1_OBJECT *
pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type)
{
- int nid;
-
switch (pkcs7_type) {
case CMS_SIGN_CLIENT:
return cryptoctx->id_pkinit_authData;
case CMS_SIGN_DRAFT9:
! /*
! * Delay creating this OID until we know we need it.
! * It shadows an existing OpenSSL oid. If it
! * is created too early, it breaks things like
! * the use of pkcs12 (which uses pkcs7 structures).
! * We need this shadow version because our code
! * depends on the "other" type to be unknown to the
! * OpenSSL code.
! */
! if (cryptoctx->id_pkinit_authData9 == NULL) {
! pkiDebug("%s: Creating shadow instance of pkcs7-data oid\n",
! __FUNCTION__);
! nid = OBJ_create("1.2.840.113549.1.7.1", "id-pkcs7-data",
! "PKCS7 data");
! if (nid == NID_undef)
! return NULL;
! cryptoctx->id_pkinit_authData9 = OBJ_nid2obj(nid);
! }
! return cryptoctx->id_pkinit_authData9;
case CMS_SIGN_SERVER:
return cryptoctx->id_pkinit_DHKeyData;
case CMS_ENVEL_SERVER:
return cryptoctx->id_pkinit_rkeyData;
default:
--- 3097,3111 ----
}
static ASN1_OBJECT *
pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type)
{
switch (pkcs7_type) {
case CMS_SIGN_CLIENT:
return cryptoctx->id_pkinit_authData;
case CMS_SIGN_DRAFT9:
! return OBJ_nid2obj(NID_pkcs7_data);
case CMS_SIGN_SERVER:
return cryptoctx->id_pkinit_DHKeyData;
case CMS_ENVEL_SERVER:
return cryptoctx->id_pkinit_rkeyData;
default: