
自学教程:C++ ASN1_MALLOC_ENCODE函数代码示例


本文整理汇总了C++中ASN1_MALLOC_ENCODE函数的典型用法代码示例。如果您正苦于以下问题:C++ ASN1_MALLOC_ENCODE函数的具体用法?C++ ASN1_MALLOC_ENCODE怎么用?C++ ASN1_MALLOC_ENCODE使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。

在下文中一共展示了ASN1_MALLOC_ENCODE函数的28个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的C++代码示例。

示例1: i2d_DHparams

/*
 * Serialise the p and g values of a DH key as a DER DHParameter.
 *
 * With pp == NULL only the encoded length is computed. Otherwise the
 * encoding is copied to *pp and *pp is advanced past it. Nothing in this
 * function knows how much room *pp has, so the caller must size the
 * destination first (a call with pp == NULL returns the length needed).
 *
 * Returns the encoded length, or -1 on failure.
 */
int
i2d_DHparams(DH *dh, unsigned char **pp)
{
    DHParameter params;
    size_t encoded_len = 0;
    size_t der_len;
    void *der;
    int ret;

    memset(&params, 0, sizeof(params));

    if (bn2heim_int(dh->p, &params.prime) ||
        bn2heim_int(dh->g, &params.base)) {
        free_DHParameter(&params);
        return -1;
    }

    if (pp == NULL) {
        /* Length query only: nothing is written anywhere. */
        encoded_len = length_DHParameter(&params);
        free_DHParameter(&params);
        return (int)encoded_len;
    }

    ASN1_MALLOC_ENCODE(DHParameter, der, der_len, &params, &encoded_len, ret);
    free_DHParameter(&params);
    if (ret)
        return -1;

    /* Allocated size and bytes written must agree; anything else is an
     * encoder bug and is treated as fatal. */
    if (der_len != encoded_len)
        abort();

    memcpy((char *)*pp, der, encoded_len);
    free(der);
    *pp += encoded_len;

    return (int)encoded_len;
}
开发者ID:aosm,项目名称:Heimdal,代码行数:39,


示例2: hx509_cms_wrap_ContentInfo

/*
 * Wrap a payload in a DER-encoded ContentInfo.
 *
 * oid - content type stored in the ContentInfo
 * buf - payload copied into the content field, or NULL for no content
 * res - zeroed on entry; on success holds the buffer and length produced
 *       by ASN1_MALLOC_ENCODE (presumably owned by the caller afterwards)
 *
 * Returns 0 on success, otherwise the error from der_copy_oid() or the
 * encoder, or ENOMEM when an allocation fails.
 */
int
hx509_cms_wrap_ContentInfo(const heim_oid *oid,
                           const heim_octet_string *buf,
                           heim_octet_string *res)
{
    ContentInfo wrapper;
    size_t written;
    int ret;

    memset(&wrapper, 0, sizeof(wrapper));
    memset(res, 0, sizeof(*res));

    ret = der_copy_oid(oid, &wrapper.contentType);
    if (ret != 0)
        return ret;

    if (buf != NULL) {
        ALLOC(wrapper.content, 1);
        if (wrapper.content == NULL) {
            free_ContentInfo(&wrapper);
            return ENOMEM;
        }

        /* NOTE(review): for buf->length == 0 malloc() is allowed to
         * return NULL, which this path reports as ENOMEM. */
        wrapper.content->data = malloc(buf->length);
        if (wrapper.content->data == NULL) {
            free_ContentInfo(&wrapper);
            return ENOMEM;
        }
        wrapper.content->length = buf->length;
        memcpy(wrapper.content->data, buf->data, buf->length);
    }

    ASN1_MALLOC_ENCODE(ContentInfo, res->data, res->length,
                       &wrapper, &written, ret);
    /* The temporary structure is released whether or not encoding worked. */
    free_ContentInfo(&wrapper);
    if (ret != 0)
        return ret;

    /* A mismatch between allocated and written size is an encoder bug. */
    if (written != res->length)
        _hx509_abort("internal ASN.1 encoder error");

    return 0;
}
开发者ID:InvLim,项目名称:heimdal,代码行数:39,


示例3: add_pkinit_acl

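/*
 * Build an HDB pkinit-acl extension from the given subject strings, DER
 * encode it and hand it to add_tl() as a KRB5_TL_EXTENSION entry on princ.
 *
 * A single empty string produces an extension with an empty ACL. Allocation
 * and encoding failures abort the process, which is how this function
 * already reported encoder errors.
 */
static void
add_pkinit_acl(krb5_context contextp, kadm5_principal_ent_rec *princ,
               struct getarg_strings *strings)
{
    krb5_error_code ret;
    HDB_extension ext;
    krb5_data buf;
    size_t size = 0;
    int i;

    memset(&ext, 0, sizeof(ext));
    ext.mandatory = FALSE;
    ext.data.element = choice_HDB_extension_data_pkinit_acl;
    /* NOTE(review): this stores into the aliases arm of the union although
     * the pkinit_acl arm is the one selected above; after the memset it
     * changes nothing, and the pkinit_acl members are assigned below. */
    ext.data.u.aliases.case_insensitive = 0;

    if (strings->num_strings == 1 && strings->strings[0][0] == '\0') {
        ext.data.u.pkinit_acl.val = NULL;
        ext.data.u.pkinit_acl.len = 0;
    } else {
        ext.data.u.pkinit_acl.val =
            calloc(strings->num_strings,
                   sizeof(ext.data.u.pkinit_acl.val[0]));
        /* The loop below writes through val, so a failed allocation must
         * stop here. calloc() may return NULL for a zero count, which is
         * harmless because the loop then never runs. */
        if (ext.data.u.pkinit_acl.val == NULL && strings->num_strings != 0)
            abort();
        ext.data.u.pkinit_acl.len = strings->num_strings;

        for (i = 0; i < strings->num_strings; i++) {
            ext.data.u.pkinit_acl.val[i].subject =
                estrdup(strings->strings[i]);
        }
    }

    ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length,
                       &ext, &size, ret);
    free_HDB_extension(&ext);
    if (ret)
        abort();
    /* Allocated size and bytes written must agree. */
    if (buf.length != size)
        abort();

    add_tl(princ, KRB5_TL_EXTENSION, &buf);
}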
开发者ID:InvLim,项目名称:heimdal,代码行数:39,


示例4: krb5_build_ap_req

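/*
 * Assemble and DER-encode an AP-REQ.
 *
 * The realm and server name come from cred->server, the encrypted part of
 * the ticket is taken from the encoded ticket in cred->ticket, and
 * authenticator is placed in the request as the (already encrypted)
 * authenticator. The encoding is returned in retdata; on failure retdata
 * is left empty.
 *
 * NOTE(review): ap.authenticator.cipher is a shallow copy of the caller's
 * authenticator and free_AP_REQ() runs on every path, so the authenticator
 * buffer is presumably released here -- callers should treat it as
 * consumed; confirm against free_AP_REQ().
 *
 * Returns 0 on success or the first error from the copy, decode or encode
 * steps.
 */
krb5_error_code KRB5_LIB_FUNCTION
krb5_build_ap_req (krb5_context context,
		   krb5_enctype enctype,
		   krb5_creds *cred,
		   krb5_flags ap_options,
		   krb5_data authenticator,
		   krb5_data *retdata)
{
  krb5_error_code ret = 0;
  AP_REQ ap;
  Ticket t;
  size_t len;

  /* Start from an all-zero request so that free_AP_REQ() at "out" only
   * ever sees members that are unset or were filled in below. */
  memset(&ap, 0, sizeof(ap));
  retdata->data = NULL;
  retdata->length = 0;

  /* Attach the authenticator first: the original released it through
   * free_AP_REQ() on every path, and the early exits must keep doing so. */
  ap.authenticator.etype = enctype;
  ap.authenticator.kvno  = NULL;
  ap.authenticator.cipher = authenticator;

  ap.pvno = 5;
  ap.msg_type = krb_ap_req;
  ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
  ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;

  ap.ticket.tkt_vno = 5;
  ret = copy_Realm(&cred->server->realm, &ap.ticket.realm);
  if (ret)
      goto out;
  ret = copy_PrincipalName(&cred->server->name, &ap.ticket.sname);
  if (ret)
      goto out;

  /* The stored ticket is decoded only to pick up its encrypted part. If
   * decoding fails, t holds nothing usable and must not be read. */
  ret = decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
  if (ret)
      goto out;
  ret = copy_EncryptedData(&t.enc_part, &ap.ticket.enc_part);
  free_Ticket(&t);
  if (ret)
      goto out;

  ASN1_MALLOC_ENCODE(AP_REQ, retdata->data, retdata->length,
		     &ap, &len, ret);
  /* Allocated size and bytes written must agree. */
  if(ret == 0 && retdata->length != len)
      krb5_abortx(context, "internal error in ASN.1 encoder");

out:
  free_AP_REQ(&ap);
  return ret;
}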
开发者ID:2014-class,项目名称:freerouter,代码行数:39,


示例5: i2d_RSAPublicKey

/*
 * Serialise the modulus and public exponent of an RSA key as a DER
 * RSAPublicKey.
 *
 * With pp == NULL only the encoded length is computed. Otherwise the
 * encoding is copied to *pp and *pp is advanced past it. The destination
 * size is not known here, so the caller must provide enough room (a call
 * with pp == NULL returns the length needed).
 *
 * Returns the encoded length, or -1 on failure.
 */
int
i2d_RSAPublicKey(RSA *rsa, unsigned char **pp)
{
    RSAPublicKey pub;
    size_t encoded_len;
    size_t der_len;
    void *der;
    int ret;

    memset(&pub, 0, sizeof(pub));

    if (_hc_BN_to_integer(rsa->n, &pub.modulus) ||
        _hc_BN_to_integer(rsa->e, &pub.publicExponent)) {
        free_RSAPublicKey(&pub);
        return -1;
    }

    if (pp == NULL) {
        /* Length query only: nothing is written anywhere. */
        encoded_len = length_RSAPublicKey(&pub);
        free_RSAPublicKey(&pub);
        return encoded_len;
    }

    ASN1_MALLOC_ENCODE(RSAPublicKey, der, der_len, &pub, &encoded_len, ret);
    free_RSAPublicKey(&pub);
    if (ret)
        return -1;

    /* Allocated size and bytes written must agree; a mismatch is an
     * encoder bug and is treated as fatal. */
    if (der_len != encoded_len)
        abort();

    memcpy(*pp, der, encoded_len);
    free(der);
    *pp += encoded_len;

    return encoded_len;
}
开发者ID:alfintatorkace,项目名称:osx-10.9-opensource,代码行数:38,


示例6: get_pa_etype_info

/*
 * Append a KRB5_PADATA_ETYPE_INFO element describing ckey to md.
 *
 * A one-entry ETYPE_INFO is filled in by make_etype_info_entry(), DER
 * encoded, and the encoding is stored in the slot that
 * realloc_method_data() adds at the end of md. The encoded buffer is then
 * referenced from md and is not freed here.
 *
 * Returns 0 on success, ENOMEM or the error of the failing step.
 */
static krb5_error_code
get_pa_etype_info(krb5_context context,
                  krb5_kdc_configuration *config,
                  METHOD_DATA *md, Key *ckey)
{
    krb5_error_code ret = 0;
    ETYPE_INFO info;
    unsigned char *der;
    size_t len;

    info.val = calloc(1, sizeof(info.val[0]));
    if (info.val == NULL)
        return ENOMEM;
    info.len = 1;

    ret = make_etype_info_entry(context, &info.val[0], ckey);
    if (ret == 0) {
        /* NOTE(review): len is passed both as the allocated-length output
         * and as the bytes-written output, so the "allocated == written"
         * check that other callers of this macro perform cannot be made
         * here. */
        ASN1_MALLOC_ENCODE(ETYPE_INFO, der, len, &info, &len, ret);
    }
    /* The temporary structure is released on success and failure alike. */
    free_ETYPE_INFO(&info);
    if (ret)
        return ret;

    ret = realloc_method_data(md);
    if (ret) {
        free(der);
        return ret;
    }

    /* Fill the last slot of md, the one just added. */
    md->val[md->len - 1].padata_value.data = der;
    md->val[md->len - 1].padata_value.length = len;
    md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO;
    return 0;
}
开发者ID:285858315,项目名称:samba,代码行数:36,


示例7: _kdc_encode_reply

krb5_error_code_kdc_encode_reply(krb5_context context,		  krb5_kdc_configuration *config,		  KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,		  krb5_enctype etype,		  int skvno, const EncryptionKey *skey,		  int ckvno, const EncryptionKey *reply_key,		  int rk_is_subkey,		  const char **e_text,		  krb5_data *reply){    unsigned char *buf;    size_t buf_size;    size_t len = 0;    krb5_error_code ret;    krb5_crypto crypto;    ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret);    if(ret) {	const char *msg = krb5_get_error_message(context, ret);	kdc_log(context, config, 0, "Failed to encode ticket: %s", msg);	krb5_free_error_message(context, msg);	return ret;    }    if(buf_size != len) {	free(buf);	kdc_log(context, config, 0, "Internal error in ASN.1 encoder");	*e_text = "KDC internal error";	return KRB5KRB_ERR_GENERIC;    }    ret = krb5_crypto_init(context, skey, etype, &crypto);    if (ret) {        const char *msg;	free(buf);	msg = krb5_get_error_message(context, ret);	kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);	krb5_free_error_message(context, msg);	return ret;    }    ret = krb5_encrypt_EncryptedData(context,				     crypto,				     KRB5_KU_TICKET,				     buf,				     len,				     skvno,				     &rep->ticket.enc_part);    free(buf);    krb5_crypto_destroy(context, crypto);    if(ret) {	const char *msg = krb5_get_error_message(context, ret);	kdc_log(context, config, 0, "Failed to encrypt data: %s", msg);	krb5_free_error_message(context, msg);	return ret;    }    if(rep->msg_type == krb_as_rep && !config->encode_as_rep_as_tgs_rep)	ASN1_MALLOC_ENCODE(EncASRepPart, buf, buf_size, ek, &len, ret);    else	ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret);    if(ret) {	const char *msg = krb5_get_error_message(context, ret);	kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg);	krb5_free_error_message(context, msg);	return ret;    }    if(buf_size != len) {	free(buf);	kdc_log(context, config, 0, 
"Internal error in ASN.1 encoder");	*e_text = "KDC internal error";	return KRB5KRB_ERR_GENERIC;    }    ret = krb5_crypto_init(context, reply_key, 0, &crypto);    if (ret) {	const char *msg = krb5_get_error_message(context, ret);	free(buf);	kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);	krb5_free_error_message(context, msg);	return ret;    }    if(rep->msg_type == krb_as_rep) {	krb5_encrypt_EncryptedData(context,				   crypto,				   KRB5_KU_AS_REP_ENC_PART,				   buf,				   len,				   ckvno,				   &rep->enc_part);	free(buf);	ASN1_MALLOC_ENCODE(AS_REP, buf, buf_size, rep, &len, ret);    } else {	krb5_encrypt_EncryptedData(context,				   crypto,				   rk_is_subkey ? KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : KRB5_KU_TGS_REP_ENC_PART_SESSION,				   buf,				   len,				   ckvno,				   &rep->enc_part);	free(buf);//.........这里部分代码省略.........
开发者ID:285858315,项目名称:samba,代码行数:101,


示例8: ca_sign

//.........这里部分代码省略.........	    goto out;	}    }    /* extensions      [3]  EXPLICIT Extensions OPTIONAL */    tbsc->extensions = calloc(1, sizeof(*tbsc->extensions));    if (tbsc->extensions == NULL) {	ret = ENOMEM;	hx509_set_error_string(context, 0, ret, "Out of memory");	goto out;    }    /* Add the text BMP string Domaincontroller to the cert */    if (tbs->flags.domaincontroller) {	data.data = rk_UNCONST("/x1e/x20/x00/x44/x00/x6f/x00/x6d"			       "/x00/x61/x00/x69/x00/x6e/x00/x43"			       "/x00/x6f/x00/x6e/x00/x74/x00/x72"			       "/x00/x6f/x00/x6c/x00/x6c/x00/x65"			       "/x00/x72");	data.length = 34;	ret = add_extension(context, tbsc, 0,			    &asn1_oid_id_ms_cert_enroll_domaincontroller,			    &data);	if (ret)	    goto out;    }    /* add KeyUsage */    {	KeyUsage ku;	ku = int2KeyUsage(key_usage);	ASN1_MALLOC_ENCODE(KeyUsage, data.data, data.length, &ku, &size, ret);	if (ret) {	    hx509_set_error_string(context, 0, ret, "Out of memory");	    goto out;	}	if (size != data.length)	    _hx509_abort("internal ASN.1 encoder error");	ret = add_extension(context, tbsc, 1,			    &asn1_oid_id_x509_ce_keyUsage, &data);	free(data.data);	if (ret)	    goto out;    }    /* add ExtendedKeyUsage */    if (tbs->eku.len > 0) {	ASN1_MALLOC_ENCODE(ExtKeyUsage, data.data, data.length,			   &tbs->eku, &size, ret);	if (ret) {	    hx509_set_error_string(context, 0, ret, "Out of memory");	    goto out;	}	if (size != data.length)	    _hx509_abort("internal ASN.1 encoder error");	ret = add_extension(context, tbsc, 0,			    &asn1_oid_id_x509_ce_extKeyUsage, &data);	free(data.data);	if (ret)	    goto out;    }    /* add Subject Alternative Name */    if (tbs->san.len > 0) {
开发者ID:Alexandr-Galko,项目名称:samba,代码行数:67,


示例9: hx509_ca_tbs_add_san_pkinit

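/*
 * Add a PK-INIT subject alternative name for a Kerberos principal to the
 * to-be-signed certificate.
 *
 * principal is parsed as name components separated by '/', followed by
 * '@' and the realm. The result is DER encoded as a KRB5PrincipalName and
 * passed to hx509_ca_tbs_add_san_otherName().
 *
 * The component array is sized by a first pass that honours backslash
 * escapes and stops at the first '@', while the split pass cuts at every
 * '/' up to the last '@'. The two can disagree (an escaped '/', or a '/'
 * between two '@'), so the split pass is bounded by the allocated count
 * and such names are rejected with HX509_PARSING_NAME_FAILED rather than
 * stored past the end of the array.
 *
 * Returns 0 on success, ENOMEM, HX509_PARSING_NAME_FAILED, or the error
 * from the encoder or hx509_ca_tbs_add_san_otherName().
 */
int
hx509_ca_tbs_add_san_pkinit(hx509_context context,
                            hx509_ca_tbs tbs,
                            const char *principal)
{
    heim_octet_string os;
    KRB5PrincipalName p;
    size_t size;
    int ret;
    char *s = NULL;

    memset(&p, 0, sizeof(p));

    /* parse principal */
    {
        const char *str;
        char *q;
        int n;
        int ncomp;

        /* count the components, skipping escaped characters */
        n = 1;
        for (str = principal; *str != '\0' && *str != '@'; str++) {
            if (*str == '\\') {
                if (str[1] == '\0' || str[1] == '@') {
                    ret = HX509_PARSING_NAME_FAILED;
                    hx509_set_error_string(context, 0, ret,
                                           "trailing \\ in principal name");
                    goto out;
                }
                str++;
            } else if (*str == '/')
                n++;
        }
        ncomp = n;

        p.principalName.name_string.val =
            calloc(ncomp, sizeof(*p.principalName.name_string.val));
        if (p.principalName.name_string.val == NULL) {
            ret = ENOMEM;
            hx509_set_error_string(context, 0, ret, "malloc: out of memory");
            goto out;
        }
        p.principalName.name_string.len = ncomp;

        p.principalName.name_type = KRB5_NT_PRINCIPAL;
        /* The components and the realm point into this private copy. */
        q = s = strdup(principal);
        if (q == NULL) {
            ret = ENOMEM;
            hx509_set_error_string(context, 0, ret, "malloc: out of memory");
            goto out;
        }
        p.realm = strrchr(q, '@');
        if (p.realm == NULL) {
            ret = HX509_PARSING_NAME_FAILED;
            hx509_set_error_string(context, 0, ret, "Missing @ in principal");
            goto out;
        }
        *p.realm++ = '\0';

        n = 0;
        while (q) {
            /* Never write more entries than were allocated above. */
            if (n >= ncomp) {
                ret = HX509_PARSING_NAME_FAILED;
                hx509_set_error_string(context, 0, ret,
                                       "principal name has more components "
                                       "than expected");
                goto out;
            }
            p.principalName.name_string.val[n++] = q;
            q = strchr(q, '/');
            if (q)
                *q++ = '\0';
        }
    }

    ASN1_MALLOC_ENCODE(KRB5PrincipalName, os.data, os.length, &p, &size, ret);
    if (ret) {
        hx509_set_error_string(context, 0, ret, "Out of memory");
        goto out;
    }
    /* Allocated size and bytes written must agree. */
    if (size != os.length)
        _hx509_abort("internal ASN.1 encoder error");

    ret = hx509_ca_tbs_add_san_otherName(context,
                                         tbs,
                                         &asn1_oid_id_pkinit_san,
                                         &os);
    free(os.data);
out:
    /* Only the array and the string copy are owned here; the entries of
     * the array point into s. free(NULL) is a no-op. */
    free(p.principalName.name_string.val);
    free(s);
    return ret;
}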
开发者ID:Alexandr-Galko,项目名称:samba,代码行数:86,


示例10: hx509_cms_create_signed

//.........这里部分代码省略.........     */    if ((flags & HX509_CMS_SIGNATURE_NO_CERTS) == 0) {	ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &sigctx.certs);	if (ret)	    return ret;    }    sigctx.anchors = anchors;    sigctx.pool = pool;    sigctx.sd.version = CMSVersion_v3;    der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType);    /**     * Use HX509_CMS_SIGNATURE_DETACHED to create detached signatures.     */    if ((flags & HX509_CMS_SIGNATURE_DETACHED) == 0) {	ALLOC(sigctx.sd.encapContentInfo.eContent, 1);	if (sigctx.sd.encapContentInfo.eContent == NULL) {	    hx509_clear_error_string(context);	    ret = ENOMEM;	    goto out;	}	sigctx.sd.encapContentInfo.eContent->data = malloc(length);	if (sigctx.sd.encapContentInfo.eContent->data == NULL) {	    hx509_clear_error_string(context);	    ret = ENOMEM;	    goto out;	}	memcpy(sigctx.sd.encapContentInfo.eContent->data, data, length);	sigctx.sd.encapContentInfo.eContent->length = length;    }    /**     * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no     * signatures).     */    if ((flags & HX509_CMS_SIGNATURE_NO_SIGNER) == 0) {	ret = hx509_certs_iter_f(context, certs, sig_process, &sigctx);	if (ret)	    goto out;    }    if (sigctx.sd.signerInfos.len) {	/*	 * For each signerInfo, collect all different digest types.	 
*/	for (i = 0; i < sigctx.sd.signerInfos.len; i++) {	    AlgorithmIdentifier *di =		&sigctx.sd.signerInfos.val[i].digestAlgorithm;	    for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++)		if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0)		    break;	    if (j == sigctx.sd.digestAlgorithms.len) {		ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di);		if (ret) {		    hx509_clear_error_string(context);		    goto out;		}	    }	}    }    /*     * Add certs we think are needed, build as part of sig_process     */    if (sigctx.certs) {	ALLOC(sigctx.sd.certificates, 1);	if (sigctx.sd.certificates == NULL) {	    hx509_clear_error_string(context);	    ret = ENOMEM;	    goto out;	}	ret = hx509_certs_iter_f(context, sigctx.certs, cert_process, &sigctx);	if (ret)	    goto out;    }    ASN1_MALLOC_ENCODE(SignedData,		       signed_data->data, signed_data->length,		       &sigctx.sd, &size, ret);    if (ret) {	hx509_clear_error_string(context);	goto out;    }    if (signed_data->length != size)	_hx509_abort("internal ASN.1 encoder error");out:    hx509_certs_free(&sigctx.certs);    free_SignedData(&sigctx.sd);    return ret;}
开发者ID:InvLim,项目名称:heimdal,代码行数:101,


示例11: krb5_mk_rep

/*
 * Build an AP-REP for the exchange held in auth_context.
 *
 * The encrypted part carries the client's ctime/cusec from the stored
 * authenticator, plus a subkey and a sequence number when the matching
 * auth-context flags are set. It is DER encoded, encrypted with the
 * auth-context keyblock, and the complete AP-REP encoding is returned in
 * outbuf.
 *
 * Returns 0 on success or the error of the failing step.
 */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_rep(krb5_context context,
            krb5_auth_context auth_context,
            krb5_data *outbuf)
{
    krb5_error_code ret;
    AP_REP ap;
    EncAPRepPart part;
    u_char *der = NULL;
    size_t der_size;
    size_t used = 0;
    krb5_crypto crypto;

    memset (&part, 0, sizeof(part));

    ap.pvno = 5;
    ap.msg_type = krb_ap_rep;

    part.ctime = auth_context->authenticator->ctime;
    part.cusec = auth_context->authenticator->cusec;

    if (!(auth_context->flags & KRB5_AUTH_CONTEXT_USE_SUBKEY)) {
        part.subkey = NULL;
    } else {
        /* Create the local subkey on first use, then send a copy of it. */
        if (auth_context->local_subkey == NULL) {
            ret = krb5_auth_con_generatelocalsubkey(context,
                                                    auth_context,
                                                    auth_context->keyblock);
            if (ret) {
                free_EncAPRepPart(&part);
                return ret;
            }
        }
        ret = krb5_copy_keyblock(context, auth_context->local_subkey,
                                 &part.subkey);
        if (ret) {
            free_EncAPRepPart(&part);
            return krb5_enomem(context);
        }
    }

    if (!(auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)) {
        part.seq_number = NULL;
    } else {
        /* NOTE(review): the result of krb5_generate_seq_number() is not
         * checked; whatever is in local_seqnumber afterwards is used. */
        if (auth_context->local_seqnumber == 0)
            krb5_generate_seq_number (context,
                                      auth_context->keyblock,
                                      &auth_context->local_seqnumber);
        ALLOC(part.seq_number, 1);
        if (part.seq_number == NULL) {
            free_EncAPRepPart(&part);
            return krb5_enomem(context);
        }
        *(part.seq_number) = auth_context->local_seqnumber;
    }

    ap.enc_part.kvno  = NULL;
    ap.enc_part.etype = auth_context->keyblock->keytype;

    ASN1_MALLOC_ENCODE(EncAPRepPart, der, der_size, &part, &used, ret);
    free_EncAPRepPart (&part);
    if (ret)
        return ret;
    /* Allocated size and bytes written must agree. */
    if (der_size != used)
        krb5_abortx(context, "internal error in ASN.1 encoder");

    ret = krb5_crypto_init(context, auth_context->keyblock,
                           0 /* ap.enc_part.etype */, &crypto);
    if (ret) {
        free (der);
        return ret;
    }

    /* Encrypt the last "used" bytes of the buffer. */
    ret = krb5_encrypt (context,
                        crypto,
                        KRB5_KU_AP_REQ_ENC_PART,
                        der + der_size - used,
                        used,
                        &ap.enc_part.cipher);
    krb5_crypto_destroy(context, crypto);
    /* NOTE(review): the plaintext encoding, which contains the subkey when
     * one was added, is freed without being cleared first. */
    free(der);
    if (ret)
        return ret;

    ASN1_MALLOC_ENCODE(AP_REP, outbuf->data, outbuf->length, &ap, &used, ret);
    if (ret == 0 && outbuf->length != used)
        krb5_abortx(context, "internal error in ASN.1 encoder");
    free_AP_REP (&ap);
    return ret;
}
开发者ID:DavidMulder,项目名称:heimdal,代码行数:84,


示例12: decode_NegotiationToken

//.........这里部分代码省略.........	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);	    free_NegotiationToken(&resp);	    gss_mg_collect_error(&mech, ret, minor);	    *minor_status = minor;	    return ret;	}	if (ret == GSS_S_COMPLETE) {	    ctx->open = 1;	}    } else if (*(resp.u.negTokenResp.negResult) == accept_completed) {	if (ctx->maybe_open)	    ctx->open = 1;    }    if (*(resp.u.negTokenResp.negResult) == request_mic) {	ctx->require_mic = 1;    }    if (ctx->open) {	/*	 * Verify the mechListMIC if one was provided or CFX was	 * used and a non-preferred mechanism was selected	 */	if (resp.u.negTokenResp.mechListMIC != NULL) {	    require_mic = 1;	} else {	    ret = _gss_spnego_require_mechlist_mic(minor_status, ctx,						   &require_mic);	    if (ret) {		HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);		free_NegotiationToken(&resp);		gss_release_buffer(&minor, &mech_output_token);		return ret;	    }	}    } else {	require_mic = 0;    }    if (require_mic) {	ASN1_MALLOC_ENCODE(MechTypeList, mech_buf.value, mech_buf.length,			   &ctx->initiator_mech_types, &buf_len, ret);	if (ret) {	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);	    free_NegotiationToken(&resp);	    gss_release_buffer(&minor, &mech_output_token);	    *minor_status = ret;	    return GSS_S_FAILURE;	}	if (mech_buf.length != buf_len)	    abort();	if (resp.u.negTokenResp.mechListMIC == NULL) {	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);	    free(mech_buf.value);	    free_NegotiationToken(&resp);	    *minor_status = 0;	    return GSS_S_DEFECTIVE_TOKEN;	}	mic_buf.length = resp.u.negTokenResp.mechListMIC->length;	mic_buf.value  = resp.u.negTokenResp.mechListMIC->data;	if (mech_output_token.length == 0) {	    ret = gss_verify_mic(minor_status,				 ctx->negotiated_ctx_id,				 &mech_buf,				 &mic_buf,				 NULL);	   if (ret) {		HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);		free(mech_buf.value);		gss_release_buffer(&minor, &mech_output_token);		free_NegotiationToken(&resp);		return GSS_S_DEFECTIVE_TOKEN;	    }	    
ctx->verified_mic = 1;	}    }    ret = spnego_reply_internal(minor_status, ctx,				require_mic ? &mech_buf : NULL,				&mech_output_token,				output_token);    if (mech_buf.value != NULL)	free(mech_buf.value);    free_NegotiationToken(&resp);    gss_release_buffer(&minor, &mech_output_token);    if (actual_mech_type)	*actual_mech_type = ctx->negotiated_mech_type;    if (ret_flags)	*ret_flags = ctx->mech_flags;    if (time_rec)	*time_rec = ctx->mech_time_rec;    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);    return ret;}
开发者ID:dariaphoebe,项目名称:heimdal,代码行数:101,


示例13: kadm5_s_get_principal

//.........这里部分代码省略.........				       &salt, out);	    if (ret)		goto out;	}	krb5_free_salt(context->context, salt);	assert( out->n_key_data == n_keys );    }    if(ret){	kadm5_free_principal_ent(context, out);	goto out;    }    if(mask & KADM5_TL_DATA) {	time_t last_pw_expire;	const HDB_Ext_PKINIT_acl *acl;	const HDB_Ext_Aliases *aliases;	ret = hdb_entry_get_pw_change_time(&ent.entry, &last_pw_expire);	if (ret == 0 && last_pw_expire) {	    unsigned char buf[4];	    _krb5_put_int(buf, last_pw_expire, sizeof(buf));	    ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf));	}	if(ret){	    kadm5_free_principal_ent(context, out);	    goto out;	}	/*	 * If the client was allowed to get key data, let it have the	 * password too.	 */	if(mask & KADM5_KEY_DATA) {	    heim_utf8_string pw;	    ret = hdb_entry_get_password(context->context,					 context->db, &ent.entry, &pw);	    if (ret == 0) {		ret = add_tl_data(out, KRB5_TL_PASSWORD, pw, strlen(pw) + 1);		free(pw);	    }	    krb5_clear_error_message(context->context);	}	ret = hdb_entry_get_pkinit_acl(&ent.entry, &acl);	if (ret == 0 && acl) {	    krb5_data buf;	    size_t len;	    ASN1_MALLOC_ENCODE(HDB_Ext_PKINIT_acl, buf.data, buf.length,				acl, &len, ret);	    if (ret) {		kadm5_free_principal_ent(context, out);		goto out;	    }	    if (len != buf.length)		krb5_abortx(context->context,			    "internal ASN.1 encoder error");	    ret = add_tl_data(out, KRB5_TL_PKINIT_ACL, buf.data, buf.length);	    free(buf.data);	    if (ret) {		kadm5_free_principal_ent(context, out);		goto out;	    }	}	if(ret){	    kadm5_free_principal_ent(context, out);	    goto out;	}	ret = hdb_entry_get_aliases(&ent.entry, &aliases);	if (ret == 0 && aliases) {	    krb5_data buf;	    size_t len;	    ASN1_MALLOC_ENCODE(HDB_Ext_Aliases, buf.data, buf.length,			       aliases, &len, ret);	    if (ret) {		kadm5_free_principal_ent(context, out);		goto out;	    }	    if (len != buf.length)		krb5_abortx(context->context,			    "internal ASN.1 
encoder error");	    ret = add_tl_data(out, KRB5_TL_ALIASES, buf.data, buf.length);	    free(buf.data);	    if (ret) {		kadm5_free_principal_ent(context, out);		goto out;	    }	}	if(ret){	    kadm5_free_principal_ent(context, out);	    goto out;	}    }out:    hdb_free_entry(context->context, &ent);    return _kadm5_error_code(ret);}
开发者ID:abartlet,项目名称:heimdal,代码行数:101,


示例14: tkt_referral_send

/*
 * Produce the next TGS-REQ of a referral chase.
 *
 * A fresh nonce is stored in ctx, a request for ctx->next using the TGT in
 * ctx->tgt is built by _krb5_init_tgs_req() and DER encoded into out.
 * *realm is set to the second name component of the TGT's server
 * principal, KRB5_TKT_STATE_CONTINUE is ORed into *flags and the state
 * machine is advanced to tkt_referral_recv.
 *
 * On failure ctx->error holds the error, ctx->state is cleared and the
 * error is returned. The "in" parameter is not used.
 */
static krb5_error_code
tkt_referral_send(krb5_context context,
                  krb5_tkt_creds_context ctx,
                  krb5_data *in,
                  krb5_data *out,
                  krb5_realm *realm,
                  unsigned int *flags)
{
    krb5_error_code ret;
    TGS_REQ tgs_req;
    size_t written;
    METHOD_DATA pa;

    pa.len = 0;
    pa.val = NULL;

    krb5_generate_random_block(&ctx->nonce, sizeof(ctx->nonce));
    ctx->nonce &= 0xffffffff;

    if (_krb5_have_debug(context, 10)) {
        char *sname, *tgtname;

        /* NOTE(review): neither krb5_unparse_name() result is checked, and
         * the two strings are not released in this function. */
        krb5_unparse_name(context, ctx->tgt.server, &tgtname);
        krb5_unparse_name(context, ctx->next.server, &sname);
        _krb5_debugx(context, 10, "sending TGS-REQ for %s using %s", sname, tgtname);
    }

    ret = _krb5_init_tgs_req(context,
                             ctx->ccache,
                             ctx->addreseses,
                             ctx->kdc_flags,
                             ctx->impersonate_principal,
                             NULL,
                             &ctx->next,
                             &ctx->tgt,
                             ctx->nonce,
                             &pa,
                             &ctx->subkey,
                             &tgs_req);
    if (ret != 0)
        goto fail;

    /* NOTE(review): when encoding fails, tgs_req is not freed before the
     * jump to the failure path. */
    ASN1_MALLOC_ENCODE(TGS_REQ, out->data, out->length, &tgs_req, &written, ret);
    if (ret != 0)
        goto fail;
    /* Allocated size and bytes written must agree. */
    if (out->length != written)
        krb5_abortx(context, "internal error in ASN.1 encoder");

    /* The address list is detached first so free_TGS_REQ() leaves it alone. */
    tgs_req.req_body.addresses = NULL;
    free_TGS_REQ(&tgs_req);

    /* NOTE(review): component [1] is read without checking that the TGT
     * server name has at least two components -- confirm the caller
     * guarantees this. */
    *realm = ctx->tgt.server->name.name_string.val[1];
    *flags |= KRB5_TKT_STATE_CONTINUE;

    ctx->state = tkt_referral_recv;
    ctx->error = 0;
    return 0;

fail:
    ctx->state = NULL;
    ctx->error = ret;
    return ret;
}
开发者ID:alfintatorkace,项目名称:osx-10.9-opensource,代码行数:65,


示例15: _krb5_init_tgs_req

krb5_error_code_krb5_init_tgs_req(krb5_context context,		   krb5_ccache ccache,		   krb5_addresses *addresses,		   krb5_kdc_flags flags,		   krb5_const_principal impersonate_principal,		   Ticket *second_ticket,		   krb5_creds *in_creds,		   krb5_creds *krbtgt,		   unsigned nonce,		   METHOD_DATA *padata,		   krb5_keyblock **subkey,		   TGS_REQ *t){    krb5_auth_context ac = NULL;    krb5_error_code ret = 0;        /* inherit the forwardable/proxyable flags from the krbtgt */    flags.b.forwardable = krbtgt->flags.b.forwardable;    flags.b.proxiable = krbtgt->flags.b.proxiable;    if (ccache->ops->tgt_req) {	KERB_TGS_REQ_OUT out;	KERB_TGS_REQ_IN in;		memset(&in, 0, sizeof(in));	memset(&out, 0, sizeof(out));	ret = ccache->ops->tgt_req(context, ccache, &in, &out);	if (ret)	    return ret;	free_KERB_TGS_REQ_OUT(&out);	return 0;    }    memset(t, 0, sizeof(*t));    if (impersonate_principal) {	krb5_crypto crypto;	PA_S4U2Self self;	krb5_data data;	void *buf;	size_t size, len;	self.name = impersonate_principal->name;	self.realm = impersonate_principal->realm;	self.auth = rk_UNCONST("Kerberos");		ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);	if (ret)	    goto fail;	ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto);	if (ret) {	    krb5_data_free(&data);	    goto fail;	}	ret = krb5_create_checksum(context,				   crypto,				   KRB5_KU_OTHER_CKSUM,				   0,				   data.data,				   data.length,				   &self.cksum);	krb5_crypto_destroy(context, crypto);	krb5_data_free(&data);	if (ret)	    goto fail;	ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret);	free_Checksum(&self.cksum);	if (ret)	    goto fail;	if (len != size)	    krb5_abortx(context, "internal asn1 error");		ret = krb5_padata_add(context, padata, KRB5_PADATA_FOR_USER, buf, len);	if (ret)	    goto fail;    }    t->pvno = 5;    t->msg_type = krb_tgs_req;    if (in_creds->session.keytype) {	ALLOC_SEQ(&t->req_body.etype, 1);	if(t->req_body.etype.val == NULL) {	    ret = ENOMEM;	    
krb5_set_error_message(context, ret,				   N_("malloc: out of memory", ""));	    goto fail;	}	t->req_body.etype.val[0] = in_creds->session.keytype;    } else {	ret = _krb5_init_etype(context,			       KRB5_PDU_TGS_REQUEST,			       &t->req_body.etype.len,			       &t->req_body.etype.val,//.........这里部分代码省略.........
开发者ID:alfintatorkace,项目名称:osx-10.9-opensource,代码行数:101,


示例16: pk_mk_pa_reply_dh

static krb5_error_codepk_mk_pa_reply_dh(krb5_context context,		  krb5_kdc_configuration *config,      		  pk_client_params *cp,		  ContentInfo *content_info,		  hx509_cert *kdc_cert){    KDCDHKeyInfo dh_info;    krb5_data signed_data, buf;    ContentInfo contentinfo;    krb5_error_code ret;    hx509_cert cert;    hx509_query *q;    size_t size = 0;    memset(&contentinfo, 0, sizeof(contentinfo));    memset(&dh_info, 0, sizeof(dh_info));    krb5_data_zero(&signed_data);    krb5_data_zero(&buf);    *kdc_cert = NULL;    if (cp->keyex == USE_DH) {	DH *kdc_dh = cp->u.dh.key;	heim_integer i;	ret = BN_to_integer(context, kdc_dh->pub_key, &i);	if (ret)	    return ret;	ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);	der_free_heim_integer(&i);	if (ret) {	    krb5_set_error_message(context, ret, "ASN.1 encoding of "				   "DHPublicKey failed (%d)", ret);	    return ret;	}	if (buf.length != size)	    krb5_abortx(context, "Internal ASN.1 encoder error");	dh_info.subjectPublicKey.length = buf.length * 8;	dh_info.subjectPublicKey.data = buf.data;	krb5_data_zero(&buf);    } else if (cp->keyex == USE_ECDH) {        unsigned char *p;        ret = _kdc_serialize_ecdh_key(context, cp->u.ecdh.key, &p,                                      &dh_info.subjectPublicKey.length);        dh_info.subjectPublicKey.data = p;        if (ret)            goto out;    } else	krb5_abortx(context, "no keyex selected ?");    dh_info.nonce = cp->nonce;    ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size,		       ret);    if (ret) {	krb5_set_error_message(context, ret, "ASN.1 encoding of "			       "KdcDHKeyInfo failed (%d)", ret);	goto out;    }    if (buf.length != size)	krb5_abortx(context, "Internal ASN.1 encoder error");    /*     * Create the SignedData structure and sign the KdcDHKeyInfo     * filled in above     */    ret = hx509_query_alloc(context->hx509ctx, &q);    if (ret)	goto out;    hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);    
if (config->pkinit_kdc_friendly_name)	hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);    ret = hx509_certs_find(context->hx509ctx,			   kdc_identity->certs,			   q,			   &cert);    hx509_query_free(context->hx509ctx, q);    if (ret)	goto out;    ret = hx509_cms_create_signed_1(context->hx509ctx,				    0,				    &asn1_oid_id_pkdhkeydata,				    buf.data,				    buf.length,				    NULL,				    cert,				    cp->peer,				    cp->client_anchors,				    kdc_identity->certpool,				    &signed_data);    if (ret) {	kdc_log(context, config, 0, "Failed signing the DH* reply: %d", ret);//.........这里部分代码省略.........
开发者ID:heimdal,项目名称:heimdal,代码行数:101,


示例17: pk_mk_pa_reply_enckey

static krb5_error_codepk_mk_pa_reply_enckey(krb5_context context,		      krb5_kdc_configuration *config,		      pk_client_params *cp,		      const KDC_REQ *req,		      const krb5_data *req_buffer,		      krb5_keyblock *reply_key,		      ContentInfo *content_info,		      hx509_cert *kdc_cert){    const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL;    krb5_error_code ret;    krb5_data buf, signed_data;    size_t size = 0;    int do_win2k = 0;    krb5_data_zero(&buf);    krb5_data_zero(&signed_data);    *kdc_cert = NULL;    /*     * If the message client is a win2k-type but it send pa data     * 09-binding it expects a IETF (checksum) reply so there can be     * no replay attacks.     */    switch (cp->type) {    case PKINIT_WIN2K: {	int i = 0;	if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL	    && config->pkinit_require_binding == 0)	{	    do_win2k = 1;	}	sdAlg = &asn1_oid_id_pkcs7_data;	evAlg = &asn1_oid_id_pkcs7_data;	envelopedAlg = &asn1_oid_id_rsadsi_des_ede3_cbc;	break;    }    case PKINIT_27:	sdAlg = &asn1_oid_id_pkrkeydata;	evAlg = &asn1_oid_id_pkcs7_signedData;	break;    default:	krb5_abortx(context, "internal pkinit error");    }    if (do_win2k) {	ReplyKeyPack_Win2k kp;	memset(&kp, 0, sizeof(kp));	ret = copy_EncryptionKey(reply_key, &kp.replyKey);	if (ret) {	    krb5_clear_error_message(context);	    goto out;	}	kp.nonce = cp->nonce;	ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k,			   buf.data, buf.length,			   &kp, &size,ret);	free_ReplyKeyPack_Win2k(&kp);    } else {	krb5_crypto ascrypto;	ReplyKeyPack kp;	memset(&kp, 0, sizeof(kp));	ret = copy_EncryptionKey(reply_key, &kp.replyKey);	if (ret) {	    krb5_clear_error_message(context);	    goto out;	}	ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);	if (ret) {	    krb5_clear_error_message(context);	    goto out;	}	ret = krb5_create_checksum(context, ascrypto, 6, 0,				   req_buffer->data, req_buffer->length,				   &kp.asChecksum);	if (ret) {	    
krb5_clear_error_message(context);	    goto out;	}	ret = krb5_crypto_destroy(context, ascrypto);	if (ret) {	    krb5_clear_error_message(context);	    goto out;	}	ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);	free_ReplyKeyPack(&kp);    }    if (ret) {	krb5_set_error_message(context, ret, "ASN.1 encoding of ReplyKeyPack "			       "failed (%d)", ret);	goto out;//.........这里部分代码省略.........
开发者ID:heimdal,项目名称:heimdal,代码行数:101,


示例18: _kdc_pk_mk_pa_reply

krb5_error_code_kdc_pk_mk_pa_reply(krb5_context context,		    krb5_kdc_configuration *config,		    pk_client_params *cp,		    const hdb_entry_ex *client,		    krb5_enctype sessionetype,		    const KDC_REQ *req,		    const krb5_data *req_buffer,		    krb5_keyblock *reply_key,		    krb5_keyblock *sessionkey,		    METHOD_DATA *md){    krb5_error_code ret;    void *buf = NULL;    size_t len = 0, size = 0;    krb5_enctype enctype;    int pa_type;    hx509_cert kdc_cert = NULL;    size_t i;    if (!config->enable_pkinit) {	krb5_clear_error_message(context);	return 0;    }    if (req->req_body.etype.len > 0) {	for (i = 0; i < req->req_body.etype.len; i++)	    if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)		break;	if (req->req_body.etype.len <= i) {	    ret = KRB5KRB_ERR_GENERIC;	    krb5_set_error_message(context, ret,				   "No valid enctype available from client");	    goto out;	}	enctype = req->req_body.etype.val[i];    } else	enctype = ETYPE_DES3_CBC_SHA1;    if (cp->type == PKINIT_27) {	PA_PK_AS_REP rep;	const char *type, *other = "";	memset(&rep, 0, sizeof(rep));	pa_type = KRB5_PADATA_PK_AS_REP;	if (cp->keyex == USE_RSA) {	    ContentInfo info;	    type = "enckey";	    rep.element = choice_PA_PK_AS_REP_encKeyPack;	    ret = krb5_generate_random_keyblock(context, enctype,						&cp->reply_key);	    if (ret) {		free_PA_PK_AS_REP(&rep);		goto out;	    }	    ret = pk_mk_pa_reply_enckey(context,					config,					cp,					req,					req_buffer,					&cp->reply_key,					&info,					&kdc_cert);	    if (ret) {		free_PA_PK_AS_REP(&rep);		goto out;	    }	    ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,			       rep.u.encKeyPack.length, &info, &size,			       ret);	    free_ContentInfo(&info);	    if (ret) {		krb5_set_error_message(context, ret, "encoding of Key ContentInfo "				       "failed %d", ret);		free_PA_PK_AS_REP(&rep);		goto out;	    }	    if (rep.u.encKeyPack.length != size)		krb5_abortx(context, "Internal ASN.1 encoder error");	    ret = 
krb5_generate_random_keyblock(context, sessionetype,						sessionkey);	    if (ret) {		free_PA_PK_AS_REP(&rep);		goto out;	    }	} else {	    ContentInfo info;	    switch (cp->keyex) {	    case USE_DH: type = "dh"; break;	    case USE_ECDH: type = "ecdh"; break;	    default: krb5_abortx(context, "unknown keyex"); break;	    }//.........这里部分代码省略.........
开发者ID:heimdal,项目名称:heimdal,代码行数:101,


示例19: hx509_cms_verify_signed

//.........这里部分代码省略.........		hx509_set_error_string(context, HX509_ERROR_APPEND, ret,				       "Failed to verify messageDigest");		goto next_sigature;	    }	    /*	     * Fetch content oid inside signedAttrs or set it to	     * id-pkcs7-data.	     */	    attr = find_attribute(&sa, &asn1_oid_id_pkcs9_contentType);	    if (attr == NULL) {		match_oid = &asn1_oid_id_pkcs7_data;	    } else {		if (attr->value.len != 1) {		    ret = HX509_CMS_DATA_OID_MISMATCH;		    hx509_set_error_string(context, 0, ret,					   "More then one oid in signedAttrs");		    goto next_sigature;		}		ret = decode_ContentType(attr->value.val[0].data,					 attr->value.val[0].length,					 &decode_oid,					 &size);		if (ret) {		    hx509_set_error_string(context, 0, ret,					   "Failed to decode "					   "oid in signedAttrs");		    goto next_sigature;		}		match_oid = &decode_oid;	    }	    ASN1_MALLOC_ENCODE(CMSAttributes,			       signed_data.data,			       signed_data.length,			       &sa,			       &size, ret);	    if (ret) {		if (match_oid == &decode_oid)		    der_free_oid(&decode_oid);		hx509_clear_error_string(context);		goto next_sigature;	    }	    if (size != signed_data.length)		_hx509_abort("internal ASN.1 encoder error");	} else {	    signed_data.data = content->data;	    signed_data.length = content->length;	    match_oid = &asn1_oid_id_pkcs7_data;	}	/**	 * If HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH, allow	 * encapContentInfo mismatch with the oid in signedAttributes	 * (or if no signedAttributes where use, pkcs7-data oid).	 * This is only needed to work with broken CMS implementations	 * that doesn't follow CMS signedAttributes rules.	 */	if (der_heim_oid_cmp(match_oid, &sd.encapContentInfo.eContentType) &&	    (flags & HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH) == 0) {	    ret = HX509_CMS_DATA_OID_MISMATCH;	    hx509_set_error_string(context, 0, ret,				   "Oid in message mismatch from the expected");
开发者ID:InvLim,项目名称:heimdal,代码行数:67,


示例20: sig_process

static intsig_process(hx509_context context, void *ctx, hx509_cert cert){    struct sigctx *sigctx = ctx;    heim_octet_string buf, sigdata = { 0, NULL };    SignerInfo *signer_info = NULL;    AlgorithmIdentifier digest;    size_t size;    void *ptr;    int ret;    SignedData *sd = &sigctx->sd;    hx509_path path;    memset(&digest, 0, sizeof(digest));    memset(&path, 0, sizeof(path));    if (_hx509_cert_private_key(cert) == NULL) {	hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING,			       "Private key missing for signing");	return HX509_PRIVATE_KEY_MISSING;    }    if (sigctx->digest_alg) {	ret = copy_AlgorithmIdentifier(sigctx->digest_alg, &digest);	if (ret)	    hx509_clear_error_string(context);    } else {	ret = hx509_crypto_select(context, HX509_SELECT_DIGEST,				  _hx509_cert_private_key(cert),				  sigctx->peer, &digest);    }    if (ret)	goto out;    /*     * Allocate on more signerInfo and do the signature processing     */    ptr = realloc(sd->signerInfos.val,		  (sd->signerInfos.len + 1) * sizeof(sd->signerInfos.val[0]));    if (ptr == NULL) {	ret = ENOMEM;	goto out;    }    sd->signerInfos.val = ptr;    signer_info = &sd->signerInfos.val[sd->signerInfos.len];    memset(signer_info, 0, sizeof(*signer_info));    signer_info->version = 1;    ret = fill_CMSIdentifier(cert, sigctx->cmsidflag, &signer_info->sid);    if (ret) {	hx509_clear_error_string(context);	goto out;    }    signer_info->signedAttrs = NULL;    signer_info->unsignedAttrs = NULL;    ret = copy_AlgorithmIdentifier(&digest, &signer_info->digestAlgorithm);    if (ret) {	hx509_clear_error_string(context);	goto out;    }    /*     * If it isn't pkcs7-data send signedAttributes     */    if (der_heim_oid_cmp(sigctx->eContentType, &asn1_oid_id_pkcs7_data) != 0) {	CMSAttributes sa;	heim_octet_string sig;	ALLOC(signer_info->signedAttrs, 1);	if (signer_info->signedAttrs == NULL) {	    ret = ENOMEM;	    goto out;	}	ret = _hx509_create_signature(context,				      NULL,				      &digest,			
	      &sigctx->content,				      NULL,				      &sig);	if (ret)	    goto out;	ASN1_MALLOC_ENCODE(MessageDigest,			   buf.data,			   buf.length,			   &sig,			   &size,			   ret);	der_free_octet_string(&sig);	if (ret) {	    hx509_clear_error_string(context);	    goto out;//.........这里部分代码省略.........
开发者ID:InvLim,项目名称:heimdal,代码行数:101,


示例21: _kdc_as_rep

//.........这里部分代码省略.........	ret = _kdc_find_etype(context,			      config->preauth_use_strongest_session_key, TRUE,			      client, b->etype.val, b->etype.len, NULL, &ckey);	if (ret == 0) {	    /*	     * RFC4120 requires:	     * - If the client only knows about old enctypes, then send	     *   both info replies (we send 'info' first in the list).	     * - If the client is 'modern', because it knows about 'new'	     *   enctype types, then only send the 'info2' reply.	     *	     * Before we send the full list of etype-info data, we pick	     * the client key we would have used anyway below, just pick	     * that instead.	     */	    if (older_enctype(ckey->key.keytype)) {		ret = get_pa_etype_info(context, config,					&method_data, ckey);		if (ret) {		    free_METHOD_DATA(&method_data);		    goto out;		}	    }	    ret = get_pa_etype_info2(context, config,				     &method_data, ckey);	    if (ret) {		free_METHOD_DATA(&method_data);		goto out;	    }	}	ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);	free_METHOD_DATA(&method_data);	e_data.data   = buf;	e_data.length = len;	e_text ="Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",	ret = KRB5KDC_ERR_PREAUTH_REQUIRED;	kdc_log(context, config, 0,		"No preauth found, returning PREAUTH-REQUIRED -- %s",		client_name);	goto out;    }    /*     * Verify flags after the user been required to prove its identity     * with in a preauth mech.     */    ret = _kdc_check_access(context, config, client, client_name,			    server, server_name,			    req, &e_data);    if(ret)	goto out;    if (clientdb->hdb_auth_status)	(clientdb->hdb_auth_status)(context, clientdb, client,				    HDB_AUTH_SUCCESS);    /*     * Selelct the best encryption type for the KDC with out regard to     * the client since the client never needs to read that data.
开发者ID:285858315,项目名称:samba,代码行数:67,


示例22: tgs_check_authenticator

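/*
 * Verify the checksum carried in the TGS-REQ authenticator against a
 * fresh DER encoding of the request body.
 *
 * context, config - library context and KDC configuration (used for logging)
 * ac              - auth context the authenticator is fetched from
 * b               - request body that the checksum must cover
 * e_text          - set to a static error string on an internal encoder error
 * key             - key used to initialise the checksum verification
 *
 * Returns 0 when the checksum verifies, otherwise a krb5 error code.
 * The authenticator copy obtained here is released on every path.
 */
static krb5_error_code
tgs_check_authenticator(krb5_context context,
                        krb5_kdc_configuration *config,
                        krb5_auth_context ac,
                        KDC_REQ_BODY *b,
                        const char **e_text,
                        krb5_keyblock *key)
{
    krb5_authenticator auth = NULL;
    size_t len;
    unsigned char *buf;
    size_t buf_size;
    krb5_error_code ret;
    krb5_crypto crypto;

    /*
     * The result of the fetch was previously ignored; on failure `auth`
     * stayed uninitialised and was dereferenced and freed below.
     */
    ret = krb5_auth_con_getauthenticator(context, ac, &auth);
    if (ret) {
        kdc_log(context, config, 0, "No authenticator in request");
        goto out;
    }
    if (auth == NULL || auth->cksum == NULL) {
        kdc_log(context, config, 0, "No authenticator in request");
        ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
        goto out;
    }

    /*
     * according to RFC1510 it doesn't need to be keyed,
     * but according to the latest draft it needs to.
     *
     * NOTE(review): the keyed-checksum test is compiled out by the
     * "#if 0" below, so an unkeyed but collision-proof checksum type
     * still passes this gate. Confirm whether policy should require a
     * keyed type here before relying on this check.
     */
    if (
#if 0
        !krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
        ||
#endif
        !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
        kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
                auth->cksum->cksumtype);
        ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
        goto out;
    }

    /* XXX should not re-encode this */
    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
    if (ret) {
        kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
                krb5_get_err_text(context, ret));
        goto out;
    }
    /* Allocated size and encoded size must agree; treat a mismatch as fatal
     * for this request instead of verifying over a partly filled buffer. */
    if (buf_size != len) {
        free(buf);
        kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
        *e_text = "KDC internal error";
        ret = KRB5KRB_ERR_GENERIC;
        goto out;
    }

    ret = krb5_crypto_init(context, key, 0, &crypto);
    if (ret) {
        free(buf);
        kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
                krb5_get_err_text(context, ret));
        goto out;
    }
    ret = krb5_verify_checksum(context,
                               crypto,
                               KRB5_KU_TGS_REQ_AUTH_CKSUM,
                               buf,
                               len,
                               auth->cksum);
    free(buf);
    krb5_crypto_destroy(context, crypto);
    if (ret) {
        kdc_log(context, config, 0,
                "Failed to verify authenticator checksum: %s",
                krb5_get_err_text(context, ret));
    }

out:
    /* auth is still NULL when the fetch itself failed. */
    if (auth != NULL) {
        free_Authenticator(auth);
        free(auth);
    }
    return ret;
}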
开发者ID:technosaurus,项目名称:samba4-GPL2,代码行数:76,


示例23: spnego_reply_internal

/* * Send a reply. Note that we only need to send a reply if we * need to send a MIC or a mechanism token. Otherwise, we can * return an empty buffer. * * The return value of this will be returned to the API, so it * must return GSS_S_CONTINUE_NEEDED if a token was generated. */static OM_uint32spnego_reply_internal(OM_uint32 *minor_status,		      gssspnego_ctx context_handle,		      const gss_buffer_t mech_buf,		      gss_buffer_t mech_token,		      gss_buffer_t output_token){    NegotiationToken nt;    gss_buffer_desc mic_buf;    OM_uint32 ret;    size_t size;    if (mech_buf == GSS_C_NO_BUFFER && mech_token->length == 0) {	output_token->length = 0;	output_token->value = NULL;	return context_handle->open ? GSS_S_COMPLETE : GSS_S_FAILURE;    }    memset(&nt, 0, sizeof(nt));    nt.element = choice_NegotiationToken_negTokenResp;    ALLOC(nt.u.negTokenResp.negResult, 1);    if (nt.u.negTokenResp.negResult == NULL) {	*minor_status = ENOMEM;	return GSS_S_FAILURE;    }    nt.u.negTokenResp.supportedMech = NULL;    output_token->length = 0;    output_token->value = NULL;    if (mech_token->length == 0) {	nt.u.negTokenResp.responseToken = NULL;	*(nt.u.negTokenResp.negResult)  = accept_completed;    } else {	ALLOC(nt.u.negTokenResp.responseToken, 1);	if (nt.u.negTokenResp.responseToken == NULL) {	    free_NegotiationToken(&nt);	    *minor_status = ENOMEM;	    return GSS_S_FAILURE;	}	nt.u.negTokenResp.responseToken->length = mech_token->length;	nt.u.negTokenResp.responseToken->data   = mech_token->value;	mech_token->length = 0;	mech_token->value  = NULL;	*(nt.u.negTokenResp.negResult)  = accept_incomplete;    }    if (mech_buf != GSS_C_NO_BUFFER) {	ret = gss_get_mic(minor_status,			  context_handle->negotiated_ctx_id,			  0,			  mech_buf,			  &mic_buf);	if (ret == GSS_S_COMPLETE) {	    ALLOC(nt.u.negTokenResp.mechListMIC, 1);	    if (nt.u.negTokenResp.mechListMIC == NULL) {		gss_release_buffer(minor_status, &mic_buf);		free_NegotiationToken(&nt);		*minor_status = ENOMEM;		
return GSS_S_FAILURE;	    }	    nt.u.negTokenResp.mechListMIC->length = mic_buf.length;	    nt.u.negTokenResp.mechListMIC->data   = mic_buf.value;	} else if (ret == GSS_S_UNAVAILABLE) {	    nt.u.negTokenResp.mechListMIC = NULL;	} if (ret) {	    free_NegotiationToken(&nt);	    *minor_status = ENOMEM;	    return GSS_S_FAILURE;	}    } else {	nt.u.negTokenResp.mechListMIC = NULL;    }    ASN1_MALLOC_ENCODE(NegotiationToken,		       output_token->value, output_token->length,		       &nt, &size, ret);    if (ret) {	free_NegotiationToken(&nt);	*minor_status = ret;	return GSS_S_FAILURE;    }    if (*(nt.u.negTokenResp.negResult) == accept_completed)	ret = GSS_S_COMPLETE;//.........这里部分代码省略.........
开发者ID:dariaphoebe,项目名称:heimdal,代码行数:101,


示例24: hx509_ca_tbs_add_crl_dp_uri

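/**
 * Add a CRL distribution point, named by a URI, to the to-be-signed
 * certificate template.
 *
 * @param context    hx509 context, used for error strings.
 * @param tbs        template whose crldp list receives the new entry.
 * @param uri        URI stored as the fullName of the distribution point;
 *                   it is only borrowed for the duration of the encode.
 * @param issuername must be NULL; a CRL issuer name is not supported and
 *                   yields EINVAL.
 *
 * @return 0 on success, otherwise an error code. The temporary
 *         DistributionPoint is released on every exit path.
 */
int
hx509_ca_tbs_add_crl_dp_uri(hx509_context context,
                            hx509_ca_tbs tbs,
                            const char *uri,
                            hx509_name issuername)
{
    DistributionPoint dp;
    int ret;

    memset(&dp, 0, sizeof(dp));

    /* The result is not checked here; presumably ecalloc() aborts on
     * allocation failure (confirm against its definition). */
    dp.distributionPoint = ecalloc(1, sizeof(*dp.distributionPoint));

    {
        DistributionPointName name;
        GeneralName gn;
        size_t size;

        name.element = choice_DistributionPointName_fullName;
        name.u.fullName.len = 1;
        name.u.fullName.val = &gn;

        gn.element = choice_GeneralName_uniformResourceIdentifier;
        gn.u.uniformResourceIdentifier.data = rk_UNCONST(uri);
        gn.u.uniformResourceIdentifier.length = strlen(uri);

        ASN1_MALLOC_ENCODE(DistributionPointName,
                           dp.distributionPoint->data,
                           dp.distributionPoint->length,
                           &name, &size, ret);
        if (ret) {
            hx509_set_error_string(context, 0, ret,
                                   "Failed to encoded DistributionPointName");
            goto out;
        }
        if (dp.distributionPoint->length != size)
            _hx509_abort("internal ASN.1 encoder error");
    }

    if (issuername) {
#if 1
        /**
         * issuername not supported
         */
        hx509_set_error_string(context, 0, EINVAL,
                               "CRLDistributionPoints.name.issuername not yet supported");
        /*
         * Leave through the cleanup label: dp already owns the encoded
         * DistributionPointName, which a direct return would leak.
         */
        ret = EINVAL;
        goto out;
#else
        /* Compiled out. If this branch is ever enabled, its early return
         * needs the same cleanup as above. */
        GeneralNames *crlissuer;
        GeneralName gn;
        Name n;

        crlissuer = calloc(1, sizeof(*crlissuer));
        if (crlissuer == NULL) {
            return ENOMEM;
        }
        memset(&gn, 0, sizeof(gn));

        gn.element = choice_GeneralName_directoryName;
        ret = hx509_name_to_Name(issuername, &n);
        if (ret) {
            hx509_set_error_string(context, 0, ret, "out of memory");
            goto out;
        }

        gn.u.directoryName.element = n.element;
        gn.u.directoryName.u.rdnSequence = n.u.rdnSequence;

        ret = add_GeneralNames(&crlissuer, &gn);
        free_Name(&n);
        if (ret) {
            hx509_set_error_string(context, 0, ret, "out of memory");
            goto out;
        }

        dp.cRLIssuer = &crlissuer;
#endif
    }

    ret = add_CRLDistributionPoints(&tbs->crldp, &dp);
    if (ret) {
        hx509_set_error_string(context, 0, ret, "out of memory");
        goto out;
    }

out:
    free_DistributionPoint(&dp);

    return ret;
}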
开发者ID:Alexandr-Galko,项目名称:samba,代码行数:90,


示例25: _kdc_add_KRB5SignedPath

/*
 * Compute a KRB5SignedPath over the ticket and the delegation list and
 * append it to the ticket's authorization data.
 *
 * When both `server` and `principals` are given, `server` is first added
 * to `principals`. The checksum is made with the krbtgt key of type
 * `enctype` and key usage KRB5_KU_KRB5SIGNEDPATH over the DER encoding of
 * { *tkt, principals }.
 *
 * Returns 0 on success or the first error reported by a callee.
 */
krb5_error_code
_kdc_add_KRB5SignedPath(krb5_context context,
                        krb5_kdc_configuration *config,
                        hdb_entry_ex *krbtgt,
                        krb5_enctype enctype,
                        krb5_const_principal server,
                        KRB5SignedPathPrincipals *principals,
                        EncTicketPart *tkt)
{
    KRB5SignedPathData path_data;
    KRB5SignedPath signed_path;
    krb5_crypto crypto = NULL;
    krb5_error_code ret;
    krb5_data encoded;
    size_t enc_len;
    Key *signing_key;

    if (server && principals) {
        ret = add_KRB5SignedPathPrincipals(principals, server);
        if (ret)
            return ret;
    }

    /* Step 1: DER-encode the data the checksum will cover. */
    path_data.encticket = *tkt;
    path_data.delegated = principals;

    ASN1_MALLOC_ENCODE(KRB5SignedPathData, encoded.data, encoded.length,
                       &path_data, &enc_len, ret);
    if (ret)
        return ret;
    if (encoded.length != enc_len)
        krb5_abortx(context, "internal asn.1 encoder error");

    /* Step 2: look up the krbtgt key and set up the crypto handle. */
    ret = hdb_enctype2key(context, &krbtgt->entry, enctype, &signing_key);
    if (ret == 0)
        ret = krb5_crypto_init(context, &signing_key->key, 0, &crypto);
    if (ret) {
        free(encoded.data);
        return ret;
    }

    /*
     * Fill in KRB5SignedPath
     */
    signed_path.etype = enctype;
    signed_path.delegated = principals;

    ret = krb5_create_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH, 0,
                               encoded.data, encoded.length,
                               &signed_path.cksum);
    /* The encoded input and the crypto handle are no longer needed,
     * whether or not the checksum succeeded. */
    krb5_crypto_destroy(context, crypto);
    free(encoded.data);
    if (ret)
        return ret;

    /* Step 3: encode the signed path itself, reusing `encoded`. */
    ASN1_MALLOC_ENCODE(KRB5SignedPath, encoded.data, encoded.length,
                       &signed_path, &enc_len, ret);
    free_Checksum(&signed_path.cksum);
    if (ret)
        return ret;
    if (encoded.length != enc_len)
        krb5_abortx(context, "internal asn.1 encoder error");

    /*
     * Add IF-RELEVANT(KRB5SignedPath) to the last slot in
     * authorization data field.
     */
    ret = _kdc_tkt_add_if_relevant_ad(context, tkt,
                                      KRB5_AUTHDATA_SIGNTICKET, &encoded);
    krb5_data_free(&encoded);

    return ret;
}
开发者ID:technosaurus,项目名称:samba4-GPL2,代码行数:79,


示例26: hx509_cms_envelope_1

//.........这里部分代码省略.........	if (ret) {	    hx509_set_error_string(context, 0, ret,				   "Failed to set crypto oid "				   "for EnvelopedData");	    goto out;	}	ALLOC(enc_alg->parameters, 1);	if (enc_alg->parameters == NULL) {	    ret = ENOMEM;	    hx509_set_error_string(context, 0, ret,				   "Failed to allocate crypto paramaters "				   "for EnvelopedData");	    goto out;	}	ret = hx509_crypto_get_params(context,				      crypto,				      &ivec,				      enc_alg->parameters);	if (ret) {	    goto out;	}    }    ALLOC_SEQ(&ed.recipientInfos, 1);    if (ed.recipientInfos.val == NULL) {	ret = ENOMEM;	hx509_set_error_string(context, 0, ret,			       "Failed to allocate recipients info "			       "for EnvelopedData");	goto out;    }    ri = &ed.recipientInfos.val[0];    if (flags & HX509_CMS_EV_ID_NAME) {	ri->version = 0;	cmsidflag = CMS_ID_NAME;    } else {	ri->version = 2;	cmsidflag = CMS_ID_SKI;    }    ret = fill_CMSIdentifier(cert, cmsidflag, &ri->rid);    if (ret) {	hx509_set_error_string(context, 0, ret,			       "Failed to set CMS identifier info "			       "for EnvelopedData");	goto out;    }    ret = hx509_cert_public_encrypt(context,				     &key, cert,				     &ri->keyEncryptionAlgorithm.algorithm,				     &ri->encryptedKey);    if (ret) {	hx509_set_error_string(context, HX509_ERROR_APPEND, ret,			       "Failed to encrypt transport key for "			       "EnvelopedData");	goto out;    }    /*     *     */    ed.version = 0;    ed.originatorInfo = NULL;    ret = der_copy_oid(contentType, &ed.encryptedContentInfo.contentType);    if (ret) {	hx509_set_error_string(context, 0, ret,			       "Failed to copy content oid for "			       "EnvelopedData");	goto out;    }    ed.unprotectedAttrs = NULL;    ASN1_MALLOC_ENCODE(EnvelopedData, content->data, content->length,		       &ed, &size, ret);    if (ret) {	hx509_set_error_string(context, 0, ret,			       "Failed to encode EnvelopedData");	goto out;    }    if (size != content->length)	_hx509_abort("internal ASN.1 
encoder error");out:    if (crypto)	hx509_crypto_destroy(crypto);    if (ret)	der_free_octet_string(content);    der_free_octet_string(&key);    der_free_octet_string(&ivec);    free_EnvelopedData(&ed);    return ret;}
开发者ID:InvLim,项目名称:heimdal,代码行数:101,


示例27: get_cred_kdc

static krb5_error_codeget_cred_kdc(krb5_context context,	     krb5_ccache id,	     krb5_kdc_flags flags,	     krb5_addresses *addresses,	     krb5_creds *in_creds,	     krb5_creds *krbtgt,	     krb5_principal impersonate_principal,	     Ticket *second_ticket,	     krb5_creds *out_creds){    TGS_REQ req;    krb5_data enc;    krb5_data resp;    krb5_kdc_rep rep;    KRB_ERROR error;    krb5_error_code ret;    unsigned nonce;    krb5_keyblock *subkey = NULL;    size_t len;    Ticket second_ticket_data;    METHOD_DATA padata;    krb5_data_zero(&resp);    krb5_data_zero(&enc);    padata.val = NULL;    padata.len = 0;    krb5_generate_random_block(&nonce, sizeof(nonce));    nonce &= 0xffffffff;    if(flags.b.enc_tkt_in_skey && second_ticket == NULL){	ret = decode_Ticket(in_creds->second_ticket.data,			    in_creds->second_ticket.length,			    &second_ticket_data, &len);	if(ret)	    return ret;	second_ticket = &second_ticket_data;    }    if (impersonate_principal) {	krb5_crypto crypto;	PA_S4U2Self self;	krb5_data data;	void *buf;	size_t size;	self.name = impersonate_principal->name;	self.realm = impersonate_principal->realm;	self.auth = estrdup("Kerberos");		ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);	if (ret) {	    free(self.auth);	    goto out;	}	ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto);	if (ret) {	    free(self.auth);	    krb5_data_free(&data);	    goto out;	}	ret = krb5_create_checksum(context,				   crypto,				   KRB5_KU_OTHER_CKSUM,				   0,				   data.data,				   data.length,				   &self.cksum);	krb5_crypto_destroy(context, crypto);	krb5_data_free(&data);	if (ret) {	    free(self.auth);	    goto out;	}	ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret);	free(self.auth);	free_Checksum(&self.cksum);	if (ret)	    goto out;	if (len != size)	    krb5_abortx(context, "internal asn1 error");		ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len);	if (ret)	    goto out;    }    ret = init_tgs_req (context,			
id,			addresses,			flags,			second_ticket,			in_creds,			krbtgt,			nonce,//.........这里部分代码省略.........
开发者ID:SimonWilkinson,项目名称:heimdal,代码行数:101,


示例28: check_KRB5SignedPath

/*
 * Locate and verify the KRB5SignedPath element in a ticket.
 *
 * The checksum is recomputed over the DER encoding of the ticket with its
 * last authorization-data entry (the signed path itself) left out, using
 * the krbtgt key of the enctype named in the signed path and key usage
 * KRB5_KU_KRB5SIGNEDPATH.
 *
 * On success *delegated holds a heap copy of the delegation list from the
 * signed path, or NULL when there is none; the caller presumably owns and
 * frees it (confirm at the call sites).
 *
 * Returns 0 when the path verifies, or when none is found and
 * require_signedpath is zero; KRB5KDC_ERR_BADOPTION when none is found
 * and it is required; otherwise the error from the failing step.
 */
static krb5_error_code
check_KRB5SignedPath(krb5_context context,
                     krb5_kdc_configuration *config,
                     hdb_entry_ex *krbtgt,
                     EncTicketPart *tkt,
                     KRB5SignedPathPrincipals **delegated,
                     int require_signedpath)
{
    KRB5SignedPathData signed_input;
    KRB5SignedPath path;
    AuthorizationData *authz;
    krb5_crypto crypto = NULL;
    krb5_error_code ret;
    krb5_data blob;
    size_t enc_len;
    Key *krbtgt_key;

    *delegated = NULL;

    ret = find_KRB5SignedPath(context, tkt->authorization_data, &blob);
    if (ret != 0)
        return require_signedpath ? KRB5KDC_ERR_BADOPTION : 0;

    ret = decode_KRB5SignedPath(blob.data, blob.length, &path, NULL);
    krb5_data_free(&blob);
    if (ret)
        return ret;

    signed_input.encticket = *tkt;

    /*
     * the KRB5SignedPath is the last entry
     *
     * The struct copy above is shallow, so `authz` is the ticket's own
     * AuthorizationData. Its length is reduced only for the encode and
     * restored right after it, before any error is acted on.
     */
    authz = signed_input.encticket.authorization_data;
    authz->len--;
    if (authz->len == 0)
        signed_input.encticket.authorization_data = NULL;
    signed_input.delegated = path.delegated;

    ASN1_MALLOC_ENCODE(KRB5SignedPathData, blob.data, blob.length,
                       &signed_input, &enc_len, ret);
    authz->len++;
    signed_input.encticket.authorization_data = authz;
    if (ret)
        goto out;
    if (blob.length != enc_len)
        krb5_abortx(context, "internal asn.1 encoder error");

    /* The key is selected by the enctype recorded in the signed path. */
    ret = hdb_enctype2key(context, &krbtgt->entry, path.etype, &krbtgt_key);
    if (ret == 0)
        ret = krb5_crypto_init(context, &krbtgt_key->key, 0, &crypto);
    if (ret) {
        free(blob.data);
        goto out;
    }

    ret = krb5_verify_checksum(context, crypto, KRB5_KU_KRB5SIGNEDPATH,
                               blob.data, blob.length,
                               &path.cksum);
    krb5_crypto_destroy(context, crypto);
    free(blob.data);
    if (ret)
        goto out;

    /* Hand the delegation list out only after the checksum has verified. */
    if (path.delegated) {
        *delegated = malloc(sizeof(*path.delegated));
        if (*delegated == NULL) {
            ret = ENOMEM;
            goto out;
        }

        ret = copy_KRB5SignedPathPrincipals(*delegated, path.delegated);
        if (ret) {
            free(*delegated);
            *delegated = NULL;
            goto out;
        }
    }

out:
    /* Every exit after a successful decode releases the decoded path. */
    free_KRB5SignedPath(&path);
    return ret;
}
开发者ID:technosaurus,项目名称:samba4-GPL2,代码行数:90,



注:本文中的ASN1_MALLOC_ENCODE函数示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。

