| Commit message (Collapse) | Author | Age | Files | Lines |
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.
[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
|
Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.
Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.
Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.
ticket: 7680
|
Split part of pkinit_identity_initialize() into a second piece named
pkinit_identity_prompt(). Have each piece pass a new boolean flag to
crypto_load_certs() to indicate if it should defer prompting for a
password/PIN for client identities that require one. If the flag isn't
set, then crypto_load_certs() should attempt to use a responder-supplied
value, or call the prompter if there isn't one.
ticket: 7680
|
Replace numeric value '132' by the macro KRB5_PADATA_AS_CHECKSUM
in preauth plugin.
|
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
ticket: 7488
|
PA_PSEUDO only has meaning for kdcpreauth modules. Don't use it in
the flags method of the pkinit clpreauth module.
|
* Keep track of the names of client identities when we load them.
* Store the client identity we just used when we create or retry a
client request.
* If we read a client identity from the configuration, treat it like the
KDC does: pick the "this is it, there is no other" logic branch.
|
Avoid dereferencing a null auth_pack pointer if we run out of memory
initializing info or auth_pack. Eliminate an unnecessary switch by
just cleaning up all of the potentially allocated variables.
|
Test the value of the eku_accepted output parameter, not the pointer.
|
Trace basic decisions about PKINIT client protocol processing.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25855 dc483132-0cff-0310-8789-dd5450dbe970
|
The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9,
which is fortunate because it doesn't work (see issue #7072).
Instead, it passes both kinds of PKINIT replies through
decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in
alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack.
So, remove the unused broken pa_pk_as_rep_draft9 decoder.
For pa_pk_as_req_draft9, we only use two of the fields on encode and
only one of those on decode. So, get rid of the unused fields and
the krb5_trusted_ca structure, and reduce the encoder and decoder
sequences to the minimum necessary fields.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
|
krb5_pk_authenticator_draft9 had a kdcRealm field which was set by the
client code but never encoded or decoded. Remove it. Eliminating this
field exposed a bug in auth_pack_draft9_optional; fix that.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25624 dc483132-0cff-0310-8789-dd5450dbe970
|
For consistency with the rest of the code base, make PKINIT use
krb5_data as a pointer/length container. Leave krb5_octet_data and
krb5_free_octet_data behind for API compatibility.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970
|
subject: FAST PKINIT
target_version: 1.10
tags: pullup
Per RFC 6113 fast should use the inner request body for the pkinit
checksum. We did that on the KDC; now do so on the client. Remove
code that explicitly blocked pkinit under FAST.
Also, use the reply key *before* the strengthen key is applied when
verifying the PADATA_PKINIT_KX.
Add FAST pkinit test.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25486 dc483132-0cff-0310-8789-dd5450dbe970
|
Change the clpreauth tryagain method to accept a list of pa-data,
taken either from the FAST response or from decoding the e_data as
either pa-data or typed-data. Also change the in_padata argument to
contain just the type of the request padata rather than the whole
element, since modules generally shouldn't care about the contents of
their request padata (or they can remember it).
In krb5int_fast_process_error, no longer re-encode FAST pa-data as
typed-data for the inner error e_data, but decode traditional error
e_data for all error types, and try both pa-data and typed-data
encoding.
In PKINIT, try all elements of the new pa-data list, since it may
contain FAST elements as well as the actual PKINIT array. (Fixes an
outstanding bug in FAST PKINIT.)
ticket: 7023
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25483 dc483132-0cff-0310-8789-dd5450dbe970
|
Also fix pkinit_crypto_nss.c struct initializers and add parens to a
ternary operator in do_as_req.c for better indentation.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25362 dc483132-0cff-0310-8789-dd5450dbe970
|
Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments
of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To
replace them, add two callbacks: one which gets the AS key using the
previously selected etype-info2 information, and a second which lets
the module replace the AS key with one it has computed.
This change limits module flexibility in a few ways. Modules cannot
check whether the AS key was already obtained before asking for it,
and they cannot use the etype-info2 salt and s2kparams for purposes
other than getting the password-based AS key. It is believed that
of existing preauth mechanisms, only SAM-2 preauth needs more
flexibility than the new interfaces provide, and as an internal legacy
mechanism it can cheat. Future mechanisms should be okay since the
current IETF philosophy is that etype-info2 information should not be
used for other purposes.
ticket: 6976
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25351 dc483132-0cff-0310-8789-dd5450dbe970
|
Leave a comment behind where we called fast_set_kdc_verified().
Remove the call to fast_kdc_replace_reply_key() since it's wrong
(encrypted challenge doesn't replace the reply key in that sense).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25317 dc483132-0cff-0310-8789-dd5450dbe970
|
Replace the generic get_data functions in clpreauth and kdcpreauth
with structures containing callback functions. Each structure has a
minor version number to allow adding new callbacks.
For simplicity, the new fast armor key callbacks return aliases, which
is how we would supply the armor key as a function parameter. The new
client keys callback is paired with a free_keys callback to reduce the
amount of cleanup code needed in modules.
ticket: 6971
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25315 dc483132-0cff-0310-8789-dd5450dbe970
|
Pkinit: offer supported KDFs in client
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25308 dc483132-0cff-0310-8789-dd5450dbe970
|
Instead of passing a request and entry to the kdcpreauth get_data
callback, pass an opaque handle. Remove DB entry and key data
parameters from kdcpreauth methods (but keep the request, since that's
transparent).
The SecurID plugin links against libkdb5 and needs access to the client
DB entry. Rather than continue to pass a DB entry to kdcpreauth
methods, add a get_data callback to get the client DB entry for the few
plugins which might need it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
|
Signed-off-by: Margaret Wasserman <mrw@painless-security.com>
pkinit: changes to call alg-agility KDF
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25218 dc483132-0cff-0310-8789-dd5450dbe970
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25209 dc483132-0cff-0310-8789-dd5450dbe970
|
Per RFC 6112 use SignedData not ContentInfo for anonymous when the KDC
offers support for PKINIT_KX padata.
ticket: 6962
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25186 dc483132-0cff-0310-8789-dd5450dbe970
|
The preauth plugin interface was introduced in 1.6 but was never made
a public API. In preparation for making it public in 1.10, convert it
to use the new plugin framework. This will require changes to any
existing preauth plugins.
A number of symbols were renamed for namespace cleanliness, and
abstract types were introduced for module data and module per-request
data for better type safety.
On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty
rough conversion. Eventually we should create proper consumer APIs
with module handles, and the flat lists of preauth types should hold
pointers to module handles rather than copies of the vtables. The
built-in preauth type handlers should then be converted to built-in
module providers linked into the consumer code (as should encrypted
challenge, since it has no external dependencies). None of this will
impact the provider API for preauth plugins, so it can wait.
ticket: 6921
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
|
ticket: 6607
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970
|
This ticket implements Project/Anonymous pkinit from k5wiki. Provides
support for completely anonymous principals and untested client
support for realm-exposed anonymous authentication.
* Introduce kinit -n
* Introduce kadmin -n
* krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
* No longer generate ad-initial-verified-cas in pkinit
* Fix pkinit interactions with non-TGT authentication
Merge remote branch 'anonymous' into trunk
Conflicts:
src/lib/krb5/krb/gic_opt.c
ticket: 6607
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
|
which are kind of difficult.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23354 dc483132-0cff-0310-8789-dd5450dbe970
|
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
|
invocations. No functional changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22534 dc483132-0cff-0310-8789-dd5450dbe970
|
instead of the whole request.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22515 dc483132-0cff-0310-8789-dd5450dbe970
|
pkinit_srv.c, only declare static functions when necessary for forward
references (as is consistent with the other pkinit sources). Remove
the empty functions pkinit_init_client_profile and
pkinit_fini_client_profile.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22514 dc483132-0cff-0310-8789-dd5450dbe970
|
Add enough static linking support to run the test suite without shared
libraries, to facilitate gcov and other kinds of instrumentation. The
necessary changes include:
* Undo some of the changes which removed static linking support,
and cannibalize the defunct krb5_force_static conditional block
in aclocal.m4.
* Add --enable-static-only configure option.
* For plugins, use a different symbol name for static and dynamic
builds, via a macro in k5plugin.h.
* Add build machinery for building static libraries for plugins
(somewhat grotty due to the difference in names).
* Move plugin subdirs earlier in SUBDIRS in src/Makefile.in.
* Make the in-tree KDB5 plugins dependencies of libkdb5 in a static
build (aclocal.m4 has to know what they are).
* In kdb5.c, cannibalize the broken _KDB5_STATIC_LINK support to
allow "loading" of statically linked plugin libraries.
Preauth, authdata, locate, and GSSAPI plugins are not handled by this
change, as they are not currently necessary to the test suite.
Supporting GSSAPI plugins may be a bit tricky but the others should be
straightforward if they become needed.
$(STLIBEXT) changes from .a-nobuild to .a in a normal shared build as
a result of these changes (except on AIX where aclocal.m4 changes it).
This does not seem to be important as we avoid selecting the static
library for building via other means.
ticket: 6510
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22406 dc483132-0cff-0310-8789-dd5450dbe970
|
There are protocol issues and implementation defects surrounding the
combination of FAST and PKINIT currently. To avoid impacting the 1.7
schedule and to avoid creating interoperability problems later,
disable the combination until the problems are resolved.
ticket: 6501
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22381 dc483132-0cff-0310-8789-dd5450dbe970
|
Instead, move the pkinit-specific KRB5_CONF macros to pkinit.h, and
add duplicate definitions of the non-pkinit-specific macros used by
the pkinit code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22113 dc483132-0cff-0310-8789-dd5450dbe970
|
the KRB5_CONFIG symbols now used by those files.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21880 dc483132-0cff-0310-8789-dd5450dbe970
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21879 dc483132-0cff-0310-8789-dd5450dbe970
|
Pull up PKINIT support onto the trunk.
Changes from the version in branch users/coffman/pkinit are:
- Update the preauth plugin interface version to avoid
conflict with any existing plugins.
- Add a pkcs11.h locally to the pkinit code rather than
depending on opensc being installed.
ticket: new
Target_Version: 1.6.3
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19745 dc483132-0cff-0310-8789-dd5450dbe970
|