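/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * COPYRIGHT (C) 2007
 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
 * ALL RIGHTS RESERVED
 *
 * Permission is granted to use, copy, create derivative works
 * and redistribute this software and such derivative works
 * for any purpose, so long as the name of The University of
 * Michigan is not used in any advertising or publicity
 * pertaining to the use of distribution of this software
 * without specific, written prior authorization.  If the
 * above copyright notice or any other identification of the
 * University of Michigan is included in any copy of any
 * portion of this software, then the disclaimer below must
 * also be included.
 *
 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGES.
 */

/*
 * Taken from a gcov listing (Source: pkinit_identity.c, Runs: 291,
 * Programs: 1).  The per-line execution counts are not reproduced; where
 * the listing shows a security-relevant function as never executed, the
 * function's header comment says so.
 */

/*
 * NOTE(review): the listing lost the header names on these seven #include
 * lines; they are restored here from the upstream file -- confirm against
 * the tree.  LONG_MIN/LONG_MAX-style limits are presumably reachable
 * through pkinit.h.
 */
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>
#include <unistd.h>
#include <dirent.h>

#include "pkinit.h"

/*
 * Release a NULL-terminated array of heap strings and the array itself.
 * A NULL list is accepted and ignored.
 */
static void
free_list(char **list)
{
    char **p;

    if (list == NULL)
        return;

    for (p = list; *p != NULL; p++)
        free(*p);
    free(list);
}

/*
 * Deep-copy the NULL-terminated string array src into *dst.
 *
 * Returns EINVAL if dst is NULL, ENOMEM on allocation failure, 0 otherwise.
 * *dst is set to NULL first, and stays NULL when src is NULL or when the
 * copy fails.
 */
static krb5_error_code
copy_list(char ***dst, char **src)
{
    size_t count, i;
    char **newlist;

    if (dst == NULL)
        return EINVAL;
    *dst = NULL;

    if (src == NULL)
        return 0;

    for (count = 0; src[count] != NULL; count++)
        ;

    /*
     * calloc(n, size) checks the count * size multiplication itself, and the
     * zero fill keeps the array NULL-terminated at every point of the loop
     * below, so free_list() is safe on a partially filled copy.
     */
    newlist = calloc(count + 1, sizeof(*newlist));
    if (newlist == NULL)
        return ENOMEM;

    for (i = 0; i < count; i++) {
        newlist[i] = strdup(src[i]);
        if (newlist[i] == NULL) {
            free_list(newlist);
            return ENOMEM;
        }
    }

    *dst = newlist;
    return 0;
}

/*
 * Store a private copy of value in *slot, releasing the string that was
 * there before.  On allocation failure *slot is left untouched and ENOMEM
 * is returned, so a failed update never leaves a dangling or leaked field.
 */
static krb5_error_code
set_string(char **slot, const char *value)
{
    char *copy = strdup(value);

    if (copy == NULL)
        return ENOMEM;
    free(*slot);
    *slot = copy;
    return 0;
}

/*
 * Map an IDTYPE_* constant to its printable name; "INVALID" for anything
 * else.  The returned string is a literal and must not be modified or freed.
 */
char *
idtype2string(int idtype)
{
    switch (idtype) {
    case IDTYPE_FILE: return "FILE";
    case IDTYPE_DIR: return "DIR";
    case IDTYPE_PKCS11: return "PKCS11";
    case IDTYPE_PKCS12: return "PKCS12";
    case IDTYPE_ENVVAR: return "ENV";
#ifdef PKINIT_CRYPTO_IMPL_NSS
    case IDTYPE_NSS: return "NSS";
#endif
    default: return "INVALID";
    }
}

/*
 * Map a CATYPE_* constant to its printable name; "INVALID" for anything
 * else.  The returned string is a literal and must not be modified or freed.
 */
char *
catype2string(int catype)
{
    switch (catype) {
    case CATYPE_ANCHORS: return "ANCHORS";
    case CATYPE_INTERMEDIATES: return "INTERMEDIATES";
    case CATYPE_CRLS: return "CRLS";
    default: return "INVALID";
    }
}

/*
 * Allocate an empty identity-options structure and hand it back in *idopts.
 *
 * Returns ENOMEM (with *idopts == NULL) if the allocation fails, 0 otherwise.
 * The structure comes from calloc(), so members that are not assigned
 * explicitly below (identity_alt, idtype) start out zero-filled.
 */
krb5_error_code
pkinit_init_identity_opts(pkinit_identity_opts **idopts)
{
    pkinit_identity_opts *opts;

    *idopts = NULL;
    opts = calloc(1, sizeof(*opts));
    if (opts == NULL)
        return ENOMEM;

    opts->identity = NULL;
    opts->anchors = NULL;
    opts->intermediates = NULL;
    opts->crls = NULL;
    opts->ocsp = NULL;
    opts->dn_mapping_file = NULL;

    opts->cert_filename = NULL;
    opts->key_filename = NULL;
#ifndef WITHOUT_PKCS11
    opts->p11_module_name = NULL;
    opts->slotid = PK_NOSLOT;
    opts->token_label = NULL;
    opts->cert_id_string = NULL;
    opts->cert_label = NULL;
#endif

    *idopts = opts;
    return 0;
}

/*
 * Create an independent copy of src_opts in *dest_opts.
 *
 * Copied: identity, anchors, intermediates, crls, ocsp, cert_filename,
 * key_filename and, unless WITHOUT_PKCS11, the PKCS#11 selectors.
 * Not copied by this function: identity_alt, dn_mapping_file and idtype
 * (NOTE(review): presumably deliberate -- confirm with the callers).
 *
 * Returns 0 on success; on any failure *dest_opts is NULL and a non-zero
 * error code is returned.
 */
krb5_error_code
pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
                         pkinit_identity_opts **dest_opts)
{
    pkinit_identity_opts *newopts;
    krb5_error_code retval;

    *dest_opts = NULL;
    retval = pkinit_init_identity_opts(&newopts);
    if (retval)
        return retval;

    retval = ENOMEM;

    if (src_opts->identity != NULL) {
        newopts->identity = strdup(src_opts->identity);
        if (newopts->identity == NULL)
            goto cleanup;
    }

    retval = copy_list(&newopts->anchors, src_opts->anchors);
    if (retval)
        goto cleanup;

    retval = copy_list(&newopts->intermediates, src_opts->intermediates);
    if (retval)
        goto cleanup;

    retval = copy_list(&newopts->crls, src_opts->crls);
    if (retval)
        goto cleanup;

    /*
     * copy_list() left retval at 0.  Re-arm it: every strdup() failure below
     * jumps to cleanup, and returning 0 there would report success to the
     * caller while *dest_opts is still NULL.
     */
    retval = ENOMEM;

    if (src_opts->ocsp != NULL) {
        newopts->ocsp = strdup(src_opts->ocsp);
        if (newopts->ocsp == NULL)
            goto cleanup;
    }

    if (src_opts->cert_filename != NULL) {
        newopts->cert_filename = strdup(src_opts->cert_filename);
        if (newopts->cert_filename == NULL)
            goto cleanup;
    }

    if (src_opts->key_filename != NULL) {
        newopts->key_filename = strdup(src_opts->key_filename);
        if (newopts->key_filename == NULL)
            goto cleanup;
    }

#ifndef WITHOUT_PKCS11
    if (src_opts->p11_module_name != NULL) {
        newopts->p11_module_name = strdup(src_opts->p11_module_name);
        if (newopts->p11_module_name == NULL)
            goto cleanup;
    }

    newopts->slotid = src_opts->slotid;

    if (src_opts->token_label != NULL) {
        newopts->token_label = strdup(src_opts->token_label);
        if (newopts->token_label == NULL)
            goto cleanup;
    }

    if (src_opts->cert_id_string != NULL) {
        newopts->cert_id_string = strdup(src_opts->cert_id_string);
        if (newopts->cert_id_string == NULL)
            goto cleanup;
    }

    if (src_opts->cert_label != NULL) {
        newopts->cert_label = strdup(src_opts->cert_label);
        if (newopts->cert_label == NULL)
            goto cleanup;
    }
#endif

    *dest_opts = newopts;
    return 0;

cleanup:
    pkinit_fini_identity_opts(newopts);
    return retval;
}

/*
 * Release an identity-options structure and the strings and lists it owns.
 * A NULL argument is accepted and ignored.
 *
 * NOTE(review): ocsp (which pkinit_dup_identity_opts() fills with strdup())
 * and dn_mapping_file are not released here.  If nothing else frees them,
 * each duplicated structure leaks its ocsp string; confirm ownership in the
 * callers before adding the free() calls.
 */
void
pkinit_fini_identity_opts(pkinit_identity_opts *idopts)
{
    if (idopts == NULL)
        return;

    free(idopts->identity);
    free_list(idopts->anchors);
    free_list(idopts->intermediates);
    free_list(idopts->crls);
    free_list(idopts->identity_alt);

    free(idopts->cert_filename);
    free(idopts->key_filename);
#ifndef WITHOUT_PKCS11
    free(idopts->p11_module_name);
    free(idopts->token_label);
    free(idopts->cert_id_string);
    free(idopts->cert_label);
#endif
    free(idopts);
}

#ifndef WITHOUT_PKCS11
/*
 * Parse the part of a "PKCS11:" identity after the type prefix.
 *
 * residual is a ':'-separated list.  An element without '=' is taken as the
 * PKCS#11 module name; otherwise the recognised attributes are module_name,
 * slotid, token, certid and certlabel.  Unrecognised attributes are ignored.
 * A NULL or empty residual is accepted and changes nothing.
 *
 * Returns 0 on success, ENOMEM on allocation failure, and EINVAL when
 * slotid is not a complete decimal number that fits in an int.
 *
 * The gcov listing this file came from recorded no executions of this
 * function in its 291 runs, so none of these paths were covered by tests.
 */
static krb5_error_code
parse_pkcs11_options(krb5_context context,
                     pkinit_identity_opts *idopts,
                     const char *residual)
{
    char *s, *cp, *vp, *save, *end;
    krb5_error_code retval = 0;

    if (residual == NULL || residual[0] == '\0')
        return 0;

    /* Split a private copy into attr=value substrings. */
    s = strdup(residual);
    if (s == NULL)
        return ENOMEM;

    for (cp = strtok_r(s, ":", &save); cp != NULL;
         cp = strtok_r(NULL, ":", &save)) {
        vp = strchr(cp, '=');

        /* If there is no "=", this is a pkcs11 module name. */
        if (vp == NULL) {
            retval = set_string(&idopts->p11_module_name, cp);
            if (retval)
                goto cleanup;
            continue;
        }

        *vp++ = '\0';
        if (strcmp(cp, "module_name") == 0) {
            retval = set_string(&idopts->p11_module_name, vp);
        } else if (strcmp(cp, "slotid") == 0) {
            long slotid;

            /*
             * strtol() reports overflow only through errno, so it has to be
             * cleared first.  The end pointer rejects empty and non-numeric
             * values, which would otherwise be read silently as slot 0 and
             * select a token the administrator did not name.
             */
            errno = 0;
            slotid = strtol(vp, &end, 10);
            if (errno != 0 || end == vp || *end != '\0' ||
                (long) (int) slotid != slotid) {
                retval = EINVAL;
                goto cleanup;
            }
            idopts->slotid = slotid;
        } else if (strcmp(cp, "token") == 0) {
            retval = set_string(&idopts->token_label, vp);
        } else if (strcmp(cp, "certid") == 0) {
            retval = set_string(&idopts->cert_id_string, vp);
        } else if (strcmp(cp, "certlabel") == 0) {
            retval = set_string(&idopts->cert_label, vp);
        }
        if (retval)
            goto cleanup;
    }

cleanup:
    free(s);
    return retval;
}
#endif

/*
 * Parse the part of a "FILE:" identity after the type prefix:
 * "certfile[,keyfile]".  Without a key file name the certificate file name
 * is used for both.  A NULL or empty residual is accepted and changes
 * nothing.
 *
 * Returns 0 on success, EINVAL when the certificate name is empty, ENOMEM
 * on allocation failure.  idopts is modified only on success.
 */
static krb5_error_code
parse_fs_options(krb5_context context,
                 pkinit_identity_opts *idopts,
                 const char *residual)
{
    char *copy, *certname, *keyname, *save;
    char *cert_filename = NULL, *key_filename = NULL;
    krb5_error_code retval = ENOMEM;

    if (residual == NULL || residual[0] == '\0')
        return 0;

    /*
     * strtok_r() skips leading delimiters.  With a leading ',' its first
     * token would not start at the beginning of the buffer (or, for a
     * string of commas only, would be NULL), so reject the empty
     * certificate name up front.
     */
    if (residual[0] == ',')
        return EINVAL;

    copy = strdup(residual);
    if (copy == NULL)
        return ENOMEM;

    /*
     * Keep the allocation in its own variable: the token pointer is not
     * guaranteed to equal the pointer that has to be passed to free().
     */
    certname = strtok_r(copy, ",", &save);
    if (certname == NULL) {
        retval = EINVAL;
        goto cleanup;
    }
    keyname = strtok_r(NULL, ",", &save);

    cert_filename = strdup(certname);
    if (cert_filename == NULL)
        goto cleanup;

    key_filename = strdup(keyname ? keyname : certname);
    if (key_filename == NULL)
        goto cleanup;

    /* Both copies exist; replace the old values without leaking them. */
    free(idopts->cert_filename);
    idopts->cert_filename = cert_filename;
    free(idopts->key_filename);
    idopts->key_filename = key_filename;
    cert_filename = key_filename = NULL;
    retval = 0;

cleanup:
    free(cert_filename);
    free(key_filename);
    free(copy);
    return retval;
}

/*
 * Parse the part of a "PKCS12:" identity after the type prefix.  The single
 * file name is stored as both the certificate and the key file name.  A
 * NULL or empty residual is accepted and changes nothing.
 *
 * Returns 0 on success, ENOMEM on allocation failure.  idopts is modified
 * only on success.
 *
 * The gcov listing this file came from recorded no executions of this
 * function in its 291 runs.
 */
static krb5_error_code
parse_pkcs12_options(krb5_context context,
                     pkinit_identity_opts *idopts,
                     const char *residual)
{
    char *cert_filename, *key_filename;

    if (residual == NULL || residual[0] == '\0')
        return 0;

    cert_filename = strdup(residual);
    key_filename = strdup(residual);
    if (cert_filename == NULL || key_filename == NULL) {
        free(cert_filename);
        free(key_filename);
        return ENOMEM;
    }

    /* Replace the old values without leaking them. */
    free(idopts->cert_filename);
    idopts->cert_filename = cert_filename;
    free(idopts->key_filename);
    idopts->key_filename = key_filename;

    pkiDebug("%s: cert_filename '%s' key_filename '%s'\n",
             __FUNCTION__, idopts->cert_filename,
             idopts->key_filename);
    return 0;
}

/*
 * Interpret one identity specification of the form "TYPE:residual" and
 * record the result in idopts.  A value without ':' is treated as a FILE
 * identity.
 *
 * Returns EINVAL for a NULL value, KRB5_PREAUTH_FAILED (with an error
 * message set on context) for an unknown type prefix, otherwise the result
 * of the type-specific parser.
 *
 * NOTE(review): "ENV:NAME" re-enters this function with getenv(NAME).  An
 * unset variable ends in EINVAL through the NULL check, but a variable whose
 * value names itself (directly or through a cycle) recurses without bound.
 * The environment is supplied by whoever starts the process, so a hop limit
 * is worth adding if this can run in a more privileged process than the one
 * that set the variable.  The listing shows the ENV branch was never
 * executed in its 291 runs.
 */
static krb5_error_code
process_option_identity(krb5_context context,
                        pkinit_plg_crypto_context plg_cryptoctx,
                        pkinit_req_crypto_context req_cryptoctx,
                        pkinit_identity_opts *idopts,
                        pkinit_identity_crypto_context id_cryptoctx,
                        const char *value)
{
    const char *residual;
    int idtype;
    krb5_error_code retval = 0;

    pkiDebug("%s: processing value '%s'\n",
             __FUNCTION__, value ? value : "NULL");
    if (value == NULL)
        return EINVAL;

    residual = strchr(value, ':');
    if (residual != NULL) {
        unsigned int typelen;

        residual++; /* skip past colon */
        /*
         * typelen includes the colon, so each strncmp() below matches only
         * when value starts with exactly that type name followed by ':'.
         */
        typelen = residual - value;
        if (strncmp(value, "FILE:", typelen) == 0) {
            idtype = IDTYPE_FILE;
#ifndef WITHOUT_PKCS11
        } else if (strncmp(value, "PKCS11:", typelen) == 0) {
            idtype = IDTYPE_PKCS11;
#endif
        } else if (strncmp(value, "PKCS12:", typelen) == 0) {
            idtype = IDTYPE_PKCS12;
        } else if (strncmp(value, "DIR:", typelen) == 0) {
            idtype = IDTYPE_DIR;
        } else if (strncmp(value, "ENV:", typelen) == 0) {
            idtype = IDTYPE_ENVVAR;
#ifdef PKINIT_CRYPTO_IMPL_NSS
        } else if (strncmp(value, "NSS:", typelen) == 0) {
            idtype = IDTYPE_NSS;
#endif
        } else {
            pkiDebug("%s: Unsupported type while processing '%s'\n",
                     __FUNCTION__, value);
            krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
                                   _("Unsupported type while processing "
                                     "'%s'\n"), value);
            return KRB5_PREAUTH_FAILED;
        }
    } else {
        idtype = IDTYPE_FILE;
        residual = value;
    }

    idopts->idtype = idtype;
    pkiDebug("%s: idtype is %s\n", __FUNCTION__, idtype2string(idopts->idtype));
    switch (idtype) {
    case IDTYPE_ENVVAR:
        return process_option_identity(context, plg_cryptoctx, req_cryptoctx,
                                       idopts, id_cryptoctx, getenv(residual));
    case IDTYPE_FILE:
        retval = parse_fs_options(context, idopts, residual);
        break;
    case IDTYPE_PKCS12:
        retval = parse_pkcs12_options(context, idopts, residual);
        break;
#ifndef WITHOUT_PKCS11
    case IDTYPE_PKCS11:
        retval = parse_pkcs11_options(context, idopts, residual);
        break;
#endif
    case IDTYPE_DIR:
        /* set_string() releases any earlier cert_filename. */
        retval = set_string(&idopts->cert_filename, residual);
        break;
#ifdef PKINIT_CRYPTO_IMPL_NSS
    case IDTYPE_NSS:
        retval = set_string(&idopts->cert_filename, residual);
        break;
#endif
    default:
        krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
                               _("Internal error parsing "
                                 "X509_user_identity\n"));
        retval = EINVAL;
        break;
    }
    return retval;
}

/*
 * Load one anchor, intermediate or CRL source.  value must have the form
 * "FILE:path" or "DIR:path" (or "NSS:..." when built with
 * PKINIT_CRYPTO_IMPL_NSS); catype says which trust store it feeds.
 *
 * Returns EINVAL when value is NULL or has no type prefix, ENOTSUP for an
 * unknown prefix, otherwise the result of crypto_load_cas_and_crls().
 */
static krb5_error_code
process_option_ca_crl(krb5_context context,
                      pkinit_plg_crypto_context plg_cryptoctx,
                      pkinit_req_crypto_context req_cryptoctx,
                      pkinit_identity_opts *idopts,
                      pkinit_identity_crypto_context id_cryptoctx,
                      const char *value,
                      int catype)
{
    char *residual;
    unsigned int typelen;
    int idtype;

    /* value is passed to "%s" and to strchr() below; neither accepts NULL. */
    if (value == NULL)
        return EINVAL;

    pkiDebug("%s: processing catype %s, value '%s'\n",
             __FUNCTION__, catype2string(catype), value);
    residual = strchr(value, ':');
    if (residual == NULL) {
        pkiDebug("No type given for '%s'\n", value);
        return EINVAL;
    }
    residual++; /* skip past colon */
    typelen = residual - value;
    if (strncmp(value, "FILE:", typelen) == 0) {
        idtype = IDTYPE_FILE;
    } else if (strncmp(value, "DIR:", typelen) == 0) {
        idtype = IDTYPE_DIR;
#ifdef PKINIT_CRYPTO_IMPL_NSS
    } else if (strncmp(value, "NSS:", typelen) == 0) {
        idtype = IDTYPE_NSS;
#endif
    } else {
        return ENOTSUP;
    }
    return crypto_load_cas_and_crls(context,
                                    plg_cryptoctx,
                                    req_cryptoctx,
                                    idopts, id_cryptoctx,
                                    idtype, catype, residual);
}
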
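/*
 * Load the identity (certificate and key) and the trust material named in
 * idopts into id_cryptoctx.
 *
 * Unless princ is the anonymous principal, an identity is required: either
 * idopts->identity, or the first entry of idopts->identity_alt that parses
 * successfully.  The certificates are then loaded and one is chosen, by
 * matching rules when do_matching is non-zero and by the crypto layer's
 * default otherwise.
 *
 * For every principal, each entry of idopts->anchors, ->intermediates and
 * ->crls is then loaded; the first failure aborts.  A configured
 * idopts->ocsp yields ENOTSUP.
 *
 * Returns 0 on success.  retval starts as EINVAL and is returned unchanged
 * when idopts is NULL, when no identity option is set for a non-anonymous
 * principal, and when an anonymous principal has no anchors, intermediates
 * or CRLs configured.
 */
krb5_error_code
pkinit_identity_initialize(krb5_context context,
                           pkinit_plg_crypto_context plg_cryptoctx,
                           pkinit_req_crypto_context req_cryptoctx,
                           pkinit_identity_opts *idopts,
                           pkinit_identity_crypto_context id_cryptoctx,
                           int do_matching,
                           krb5_principal princ)
{
    krb5_error_code retval = EINVAL;
    int i;

    pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);

    /*
     * idopts is dereferenced by the trust-material loops below on every
     * path, including the anonymous one that skips the identity checks.
     */
    if (idopts == NULL)
        goto errout;

    if (!(princ &&
          krb5_principal_compare_any_realm(context, princ,
                                           krb5_anonymous_principal()))) {
        if (id_cryptoctx == NULL)
            goto errout;

        /*
         * If identity was specified, use that.  (For the kdc, this
         * is specified as pkinit_identity in the kdc.conf.  For users,
         * this is specified on the command line via X509_user_identity.)
         * If a user did not specify identity on the command line,
         * then we will try alternatives which may have been specified
         * in the config file.
         */
        if (idopts->identity != NULL) {
            retval = process_option_identity(context, plg_cryptoctx,
                                             req_cryptoctx, idopts,
                                             id_cryptoctx, idopts->identity);
        } else if (idopts->identity_alt != NULL) {
            /* Stop at the first alternative that parses (retval == 0). */
            for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) {
                retval = process_option_identity(context, plg_cryptoctx,
                                                 req_cryptoctx, idopts,
                                                 id_cryptoctx,
                                                 idopts->identity_alt[i]);
            }
        } else {
            pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
            goto errout;
        }
        if (retval)
            goto errout;

        retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
                                   idopts, id_cryptoctx, princ);
        if (retval)
            goto errout;

        if (do_matching) {
            retval = pkinit_cert_matching(context, plg_cryptoctx,
                                          req_cryptoctx, id_cryptoctx, princ);
            if (retval) {
                pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
                crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
                                      id_cryptoctx);
                goto errout;
            }
        } else {
            /* Tell crypto code to use the "default" */
            retval = crypto_cert_select_default(context, plg_cryptoctx,
                                                req_cryptoctx, id_cryptoctx);
            if (retval) {
                pkiDebug("%s: Failed while selecting default certificate\n",
                         __FUNCTION__);
                crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
                                      id_cryptoctx);
                goto errout;
            }
        }

        retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
                                       id_cryptoctx);
        if (retval)
            goto errout;
    } /* Not anonymous principal */

    for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
        retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
                                       idopts, id_cryptoctx,
                                       idopts->anchors[i], CATYPE_ANCHORS);
        if (retval)
            goto errout;
    }
    for (i = 0; idopts->intermediates != NULL
             && idopts->intermediates[i] != NULL; i++) {
        retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
                                       idopts, id_cryptoctx,
                                       idopts->intermediates[i],
                                       CATYPE_INTERMEDIATES);
        if (retval)
            goto errout;
    }
    for (i = 0; idopts->crls != NULL && idopts->crls[i] != NULL; i++) {
        retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
                                       idopts, id_cryptoctx, idopts->crls[i],
                                       CATYPE_CRLS);
        if (retval)
            goto errout;
    }
    /* OCSP checking is not implemented; fail rather than skip it silently. */
    if (idopts->ocsp != NULL) {
        retval = ENOTSUP;
        goto errout;
    }

errout:
    return retval;
}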