krb5.git/src/plugins/preauth/pkinit, branch proxymech Unnamed repository; edit this file 'description' to name the repository. Simplify pkinit_server_verify_padata slightly 2012-07-05T09:05:13+00:00 Greg Hudson ghudson@mit.edu 2012-07-05T09:05:13+00:00 0d6d2ab3b229f1ddddc60ea01429ae2768f85a34 Eliminate the effectively unused variable tmp_as_req, and eliminate two unnecessary conditionals for freeing pointers. 
Eliminate the effectively unused variable tmp_as_req, and eliminate
two unnecessary conditionals for freeing pointers.
Simplify and fix pkinit_as_req_create cleanup 2012-07-05T09:02:38+00:00 Greg Hudson ghudson@mit.edu 2012-07-05T09:02:38+00:00 174a452878ef5356f5baa3865a2e219a0dad01a0 Avoid dereferencing a null auth_pack pointer if we run out of memory initializing info or auth_pack. Eliminate an unnecessary switch by just cleaning up all of the potentially allocated variables. 
Avoid dereferencing a null auth_pack pointer if we run out of memory
initializing info or auth_pack.  Eliminate an unnecessary switch by
just cleaning up all of the potentially allocated variables.
Fix minor memory leaks in PKINIT code 2012-07-05T08:54:03+00:00 Greg Hudson ghudson@mit.edu 2012-07-05T08:52:39+00:00 7f7fa930f7ca9c06b1afaaa453394755dbddb352 






Fix PKINIT verify_kdc_eku trace logging
2012-07-05T08:50:59+00:00

Greg Hudson
ghudson@mit.edu

2012-07-05T08:50:59+00:00

8af8d5177397d1e0c3f21b9583e63853b921743d

Test the value of the eku_accepted output parameter, not the pointer.





Test the value of the eku_accepted output parameter, not the pointer.







Clean up const usage for supported_kdf_alg_ids
2012-07-03T04:43:45+00:00

Ben Kaduk
kaduk@mit.edu

2012-06-27T21:02:01+00:00

9a586c7e0f4f54eb63c53fccb0988dda4c9bc6b8

The previous declaration had redundant consts and missed making
the actual pointers stored in the array const.





The previous declaration had redundant consts and missed making
the actual pointers stored in the array const.







Handle PKINIT DH replies with no certs
2012-06-22T15:44:17+00:00

Greg Hudson
ghudson@mit.edu

2012-06-21T21:20:29+00:00

db83abc7dcfe369bd4467c78eebb7028ba0c0e0d

If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC.  Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case.  This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.

Code changes suggested by nalin@redhat.com.

ticket: 7183





If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC.  Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case.  This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.

Code changes suggested by nalin@redhat.com.

ticket: 7183







First pass at PKINIT client trace logs
2012-05-08T03:04:22+00:00

Greg Hudson
ghudson@mit.edu

2012-05-08T03:04:22+00:00

e785e6e2204c2cf1e262c92549fa6aea1c020ead

Trace basic decisions about PKINIT client protocol processing.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25855 dc483132-0cff-0310-8789-dd5450dbe970





Trace basic decisions about PKINIT client protocol processing.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25855 dc483132-0cff-0310-8789-dd5450dbe970







Improve traced error messages from PKINIT client
2012-05-08T03:04:15+00:00

Greg Hudson
ghudson@mit.edu

2012-05-08T03:04:15+00:00

6d19259c7eb9277c12a7f2eec9aa80563b4c5acc

If we have no configured PKINIT client identity, or if we fail to
create a certificate chain, set a reasonable error code (not EINVAL or
ENOMEM) and a useful error message to appear in trace log output.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970





If we have no configured PKINIT client identity, or if we fail to
create a certificate chain, set a reasonable error code (not EINVAL or
ENOMEM) and a useful error message to appear in trace log output.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970







Minimize draft9 PKINIT code by removing dead code
2012-02-11T23:25:12+00:00

Greg Hudson
ghudson@mit.edu

2012-02-11T23:25:12+00:00

beb36f85c88fab20e95c4a0d8f109c3d0ab942f5

The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9,
which is fortunate because it doesn't work (see issue #7072).
Instead, it passes both kinds of PKINIT replies through
decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in
alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack.
So, remove the unused broken pa_pk_as_rep_draft9 decoder.

For pa_pk_as_req_draft9, we only use two of the fields on encode and
only one of those on decode.  So, get rid of the unused fields and
the krb5_trusted_ca structure, and reduce the encoder and decoder
sequences to the minimum necessary fields.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970





The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9,
which is fortunate because it doesn't work (see issue #7072).
Instead, it passes both kinds of PKINIT replies through
decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in
alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack.
So, remove the unused broken pa_pk_as_rep_draft9 decoder.

For pa_pk_as_req_draft9, we only use two of the fields on encode and
only one of those on decode.  So, get rid of the unused fields and
the krb5_trusted_ca structure, and reduce the encoder and decoder
sequences to the minimum necessary fields.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970







Make dh_key_info encoder and decoder symmetric
2012-01-09T21:03:58+00:00

Greg Hudson
ghudson@mit.edu

2012-01-09T21:03:58+00:00

2be4076efedd845c04db91d7cbbf57cd86353465

The dh_key_info encoder expects subjectPublicKey to contain the
contents of a bit string, but the decoder outputs the DER encoding of
the bit string including tag.  The PKINIT client code expects this, so
everything works, but the encoder and decoder should be symmetric.
Change the decoder to process the bit string (adding a bit string
decoding primitive) and modify the PKINIT client code to expect only
the bit string contents.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25626 dc483132-0cff-0310-8789-dd5450dbe970





The dh_key_info encoder expects subjectPublicKey to contain the
contents of a bit string, but the decoder outputs the DER encoding of
the bit string including tag.  The PKINIT client code expects this, so
everything works, but the encoder and decoder should be symmetric.
Change the decoder to process the bit string (adding a bit string
decoding primitive) and modify the PKINIT client code to expect only
the bit string contents.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25626 dc483132-0cff-0310-8789-dd5450dbe970