krb5.git/src/plugins/preauth, branch master-mechdconf Unnamed repository; edit this file 'description' to name the repository. Use anonymous OIDs in pkinit_crypto_openssl.c 2014-03-25T21:53:00+00:00 Greg Hudson ghudson@mit.edu 2014-03-25T02:42:02+00:00 6b9e570a7e98470b806a26c5119e53b2145e2586 Stop adding OIDs to the global OpenSSL table. It isn't thread-safe (even with locking callbacks registered), and calling OBJ_cleanup could break other uses of OpenSSL. Instead, use anonymous OIDs created with OBJ_txt2oid. Anonymous OIDs need to be managed more careful to avoid double-freeing, so create a copy before calling PKCS7_add_signed_attribute, and don't free the result of pkinit_pkcs7type2oid in cms_contentinfo_create. ticket: 7889 
Stop adding OIDs to the global OpenSSL table.  It isn't thread-safe
(even with locking callbacks registered), and calling OBJ_cleanup
could break other uses of OpenSSL.  Instead, use anonymous OIDs
created with OBJ_txt2oid.  Anonymous OIDs need to be managed more
careful to avoid double-freeing, so create a copy before calling
PKCS7_add_signed_attribute, and don't free the result of
pkinit_pkcs7type2oid in cms_contentinfo_create.

ticket: 7889
Stop shadowing id-pkcs7-data OID 2014-03-25T21:52:59+00:00 Greg Hudson ghudson@mit.edu 2014-03-24T22:26:50+00:00 8ee1790ba6e3468d7ed53ed46123dc9545a4216f pkinit_crypto_openssl.c currently creates a shadow entry for id-pkcs7-data so that OpenSSL will expect to see the corresponding octet string in d.other instead than d.data. This shadowing is very unfriendly to other uses of OpenSSL and we should stop. Eliminate the shadowing and rewrite create_contentinfo so that it sets up the PKCS7 object correctly if the OID is id-pkcs7-data. ticket: 7889 
pkinit_crypto_openssl.c currently creates a shadow entry for
id-pkcs7-data so that OpenSSL will expect to see the corresponding
octet string in d.other instead than d.data.  This shadowing is very
unfriendly to other uses of OpenSSL and we should stop.  Eliminate the
shadowing and rewrite create_contentinfo so that it sets up the PKCS7
object correctly if the OID is id-pkcs7-data.

ticket: 7889
Improve PKINIT client memory management 2014-03-18T17:01:13+00:00 Greg Hudson ghudson@mit.edu 2014-03-14T16:53:50+00:00 3c14324baffdc1848f75924deaf69e43f30e6621 In pkinit_as_req_create, create and encode stack-allocated auth-pack structures containing only alias pointers, instead of heap-allocated structures containing a mix of alias pointers, owner pointers, and appropriated caller memory. Keep everything we temporarily allocate in separate local variables and free them through those variables. In pa_pkinit_gen_req, use safer memory practices to avoid problems like issue #7878. Free the checksum since pkinit_as_req_create no longer takes ownership it. Remove a broken overly defensive check after calling pkinit_as_req_create. Remove init_krb5_auth_pack and init_krb5_auth_pack_draft9 as they are no longer required. 
In pkinit_as_req_create, create and encode stack-allocated auth-pack
structures containing only alias pointers, instead of heap-allocated
structures containing a mix of alias pointers, owner pointers, and
appropriated caller memory.  Keep everything we temporarily allocate
in separate local variables and free them through those variables.

In pa_pkinit_gen_req, use safer memory practices to avoid problems
like issue #7878.  Free the checksum since pkinit_as_req_create no
longer takes ownership it.  Remove a broken overly defensive check
after calling pkinit_as_req_create.

Remove init_krb5_auth_pack and init_krb5_auth_pack_draft9 as they are
no longer required.
Fix unlikely double free in PKINIT client code 2014-03-18T17:01:13+00:00 Greg Hudson ghudson@mit.edu 2014-03-13T22:34:22+00:00 cc002d6c1ccfc08356d01ba83e72a46855d0302c In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero retval and non-null out_data, out_data is freed, then dereferenced, then freed again. This can only happen if one of the small fixed-size malloc requests fails after pkinit_as_req_create succeeds, so it is unlikely to occur in practice. ticket: 7878 (new) target_version: 1.12.2 tags: pullup 
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again.  This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.

ticket: 7878 (new)
target_version: 1.12.2
tags: pullup
Move OTP sockets to KDC_RUN_DIR 2014-02-06T21:17:27+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-02-05T15:59:46+00:00 1e4bdcfed2c7bda94d5c135cc32a5993ca032501 Some system configurations expect Unix-domain sockets to live under /run or /var/run, and not other parts of /var where persistent application state lives. Define a new directory KDC_RUN_DIR using $runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run if it's not set) and use that for the default socket path. [ghudson@mit.edu: commit message, otp.rst formatting fix] ticket: 7859 (new) 
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives.  Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.

[ghudson@mit.edu: commit message, otp.rst formatting fix]

ticket: 7859 (new)
make depend 2013-12-11T03:24:03+00:00 Tom Yu tlyu@mit.edu 2013-12-11T03:24:03+00:00 88bc9cfb9bcbdb0daffe02db5bdb8e22d14b6853 






Use protocol error for PKINIT cert expiry
2013-10-17T18:13:02+00:00

Greg Hudson
ghudson@mit.edu

2013-10-14T21:02:31+00:00

cd59782cb32b79e4001a86b0fe47af8b6275ef0c

If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't.  This is also more
consistent with other error clauses in the same function.

ticket: 7718 (new)
target_version: 1.12
tags: pullup





If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't.  This is also more
consistent with other error clauses in the same function.

ticket: 7718 (new)
target_version: 1.12
tags: pullup







Use constant-time comparisons for checksums
2013-10-03T19:26:00+00:00

Greg Hudson
ghudson@mit.edu

2013-10-02T21:58:06+00:00

07d68eec2788bfe80686608813f644838707c168












Don't ask empty responder questions in PKINIT
2013-07-22T16:25:31+00:00

Nalin Dahyabhai
nalin@dahyabhai.net

2013-07-19T15:33:20+00:00

b37a0be87e5146d730b89abd1378a3043d5015b2

When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.

[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]





When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.

[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]







Add the error to some PKINIT NSS debug messages
2013-07-17T18:57:13+00:00

Nalin Dahyabhai
nalin@dahyabhai.net

2013-07-03T21:11:09+00:00

bb051a93f31c274cec6c9788558911a0c6b5ddc8