krb5.git/src/plugins/preauth, branch proxymech

Simplify pkinit_server_verify_padata slightly

2012-07-05T09:05:13+00:00

Eliminate the effectively unused variable tmp_as_req, and eliminate
two unnecessary conditionals for freeing pointers.

Simplify and fix pkinit_as_req_create cleanup

2012-07-05T09:02:38+00:00

Avoid dereferencing a null auth_pack pointer if we run out of memory
initializing info or auth_pack.  Eliminate an unnecessary switch by
just cleaning up all of the potentially allocated variables.

Fix minor memory leaks in PKINIT code

2012-07-05T08:54:03+00:00

Fix PKINIT verify_kdc_eku trace logging

2012-07-05T08:50:59+00:00

Test the value of the eku_accepted output parameter, not the pointer.

Clean up const usage for supported_kdf_alg_ids

2012-07-03T04:43:45+00:00

The previous declaration had redundant consts and missed making
the actual pointers stored in the array const.

Handle PKINIT DH replies with no certs

2012-06-22T15:44:17+00:00

If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC.  Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case.  This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.

Code changes suggested by nalin@redhat.com.

ticket: 7183

First pass at PKINIT client trace logs

2012-05-08T03:04:22+00:00

Trace basic decisions about PKINIT client protocol processing.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25855 dc483132-0cff-0310-8789-dd5450dbe970

Improve traced error messages from PKINIT client

2012-05-08T03:04:15+00:00

If we have no configured PKINIT client identity, or if we fail to
create a certificate chain, set a reasonable error code (not EINVAL or
ENOMEM) and a useful error message to appear in trace log output.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970

Make it easier to test SAM-2 client code

2012-04-26T21:47:05+00:00

Add a method to the securid_sam2 plugin, built with alternate
compile-time flags, which supplies a plain-text challenge to the
client to be used as the OTP value.  This lets us manually exercise
the SAM-2 client code and a little bit of the KDC code.

securid_make_sam_challenge_2_and_cksum is moved into the method-
independent code and renamed.  get_securid_edata_2 has its sc2b
parameter removed as it was not used by the caller.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25832 dc483132-0cff-0310-8789-dd5450dbe970

Minimize draft9 PKINIT code by removing dead code

2012-02-11T23:25:12+00:00

The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9,
which is fortunate because it doesn't work (see issue #7072).
Instead, it passes both kinds of PKINIT replies through
decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in
alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack.
So, remove the unused broken pa_pk_as_rep_draft9 decoder.

For pa_pk_as_req_draft9, we only use two of the fields on encode and
only one of those on decode.  So, get rid of the unused fields and
the krb5_trusted_ca structure, and reduce the encoder and decoder
sequences to the minimum necessary fields.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970