summaryrefslogtreecommitdiffstats
path: root/src/plugins/preauth
Commit message (Collapse)AuthorAgeFilesLines
* Simplify pkinit_server_verify_padata slightlyGreg Hudson2012-07-051-7/+2
| | | | | Eliminate the effectively unused variable tmp_as_req, and eliminate two unnecessary conditionals for freeing pointers.
* Simplify and fix pkinit_as_req_create cleanupGreg Hudson2012-07-051-11/+5
| | | | | | Avoid dereferencing a null auth_pack pointer if we run out of memory initializing info or auth_pack. Eliminate an unnecessary switch by just cleaning up all of the potentially allocated variables.
* Fix minor memory leaks in PKINIT codeGreg Hudson2012-07-051-0/+2
|
* Fix PKINIT verify_kdc_eku trace loggingGreg Hudson2012-07-051-1/+1
| | | | Test the value of the eku_accepted output parameter, not the pointer.
* Clean up const usage for supported_kdf_alg_idsBen Kaduk2012-07-032-2/+2
| | | | | The previous declaration had redundant consts and missed making the actual pointers stored in the array const.
* Handle PKINIT DH replies with no certsGreg Hudson2012-06-221-1/+8
| | | | | | | | | | | | | | | If a PKINIT Diffie-Hellman reply contains no certificates in the SignedData object, that may be because the signer certificate was a trust anchor as transmitted to the KDC. Heimdal's KDC, for instance, filters client trust anchors out of the returned set of certificates. Match against idctx->trustedCAs and idctx->intermediateCAs to handle this case. This fix only works with OpenSSL 1.0 or later; when built against OpenSSL 0.9.x, the client will still require a cert in the reply. Code changes suggested by nalin@redhat.com. ticket: 7183
* First pass at PKINIT client trace logsGreg Hudson2012-05-084-25/+156
| | | | | | Trace basic decisions about PKINIT client protocol processing. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25855 dc483132-0cff-0310-8789-dd5450dbe970
* Improve traced error messages from PKINIT clientGreg Hudson2012-05-082-2/+9
| | | | | | | | If we have no configured PKINIT client identity, or if we fail to create a certificate chain, set a reasonable error code (not EINVAL or ENOMEM) and a useful error message to appear in trace log output. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25854 dc483132-0cff-0310-8789-dd5450dbe970
* Make it easier to test SAM-2 client codeGreg Hudson2012-04-266-120/+407
| | | | | | | | | | | | | Add a method to the securid_sam2 plugin, built with alternate compile-time flags, which supplies a plain-text challenge to the client to be used as the OTP value. This lets us manually exercise the SAM-2 client code and a little bit of the KDC code. securid_make_sam_challenge_2_and_cksum is moved into the method- independent code and renamed. get_securid_edata_2 has its sc2b parameter removed as it was not used by the caller. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25832 dc483132-0cff-0310-8789-dd5450dbe970
* Minimize draft9 PKINIT code by removing dead codeGreg Hudson2012-02-118-156/+9
| | | | | | | | | | | | | | | | The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9, which is fortunate because it doesn't work (see issue #7072). Instead, it passes both kinds of PKINIT replies through decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack. So, remove the unused broken pa_pk_as_rep_draft9 decoder. For pa_pk_as_req_draft9, we only use two of the fields on encode and only one of those on decode. So, get rid of the unused fields and the krb5_trusted_ca structure, and reduce the encoder and decoder sequences to the minimum necessary fields. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
* Make dh_key_info encoder and decoder symmetricGreg Hudson2012-01-092-56/+7
| | | | | | | | | | | | The dh_key_info encoder expects subjectPublicKey to contain the contents of a bit string, but the decoder outputs the DER encoding of the bit string including tag. The PKINIT client code expects this, so everything works, but the encoder and decoder should be symmetric. Change the decoder to process the bit string (adding a bit string decoding primitive) and modify the PKINIT client code to expect only the bit string contents. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25626 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unneeded kdcRealm field in PKINIT structureGreg Hudson2012-01-081-3/+0
| | | | | | | | krb5_pk_authenticator_draft9 had a kdcRealm field which was set by the client code but never encoded or decoded. Remove it. Eliminating this field exposed a bug in auth_pack_draft9_optional; fix that. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25624 dc483132-0cff-0310-8789-dd5450dbe970
* Convert securid module edata methodGreg Hudson2012-01-071-4/+9
| | | | | | | | | | | | r25348 made modified the edata method of the kdcpreauth interface to be async-capable, but neglected to convert the securid_sam2 module's edata function. Do that now. ticket: 7060 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25621 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unneeded accessor fieldsGreg Hudson2012-01-072-13/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25620 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using krb5_typed_data structure typeGreg Hudson2011-12-214-17/+0
| | | | | | | | | | | | Use the krb5_pa_data structure type when encoding or decoding TYPED-DATA. Leave the krb5_typed_data structure definition in krb5.h with a comment saying not to use it. Remove krb5_free_typed_data (which was never declared in krb5.h). Remove some vestigial accessor stuff related to PKINIT encoding and decoding TYPED-DATA, which was unneeded since r25483. Bump the accessor structure version to 19 accordingly. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25601 dc483132-0cff-0310-8789-dd5450dbe970
* Stop using krb5_octet_dataGreg Hudson2011-12-219-130/+157
| | | | | | | | For consistency with the rest of the code base, make PKINIT use krb5_data as a pointer/length container. Leave krb5_octet_data and krb5_free_octet_data behind for API compatibility. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970
* ticket: newSam Hartman2011-11-232-38/+2
| | | | | | | | | | | | | | | | | subject: FAST PKINIT target_version: 1.10 tags: pullup Per RFC 6113 fast should use the inner request body for the pkinit checksum. We did that on the KDC; now do so on the client. Remove code that explicitly blocked pkinit under FAST. Also, use the reply key *before* the strengthen key is applied when verifying the PADATA_PKINIT_KX. Add FAST pkinit test. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25486 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up client-side preauth error data handlingGreg Hudson2011-11-211-61/+52
| | | | | | | | | | | | | | | | | | | | | | | | Change the clpreauth tryagain method to accept a list of pa-data, taken either from the FAST response or from decoding the e_data as either pa-data or typed-data. Also change the in_padata argument to contain just the type of the request padata rather than the whole element, since modules generally shouldn't care about the contents of their request padata (or they can remember it). In krb5int_fast_process_error, no longer re-encode FAST pa-data as typed-data for the inner error e_data, but decode traditional error e_data for all error types, and try both pa-data and typed-data encoding. In PKINIT, try all elements of the new pa-data list, since it may contain FAST elements as well as the actual PKINIT array. (Fixes an outstanding bug in FAST PKINIT.) ticket: 7023 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25483 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify and fix kdcpreauth request_body callbackGreg Hudson2011-11-141-12/+1
| | | | | | | | | | | | | | | | | | | Alter the contract for the kdcpreauth request_body callback so that it returns an alias to the encoded body instead of a fresh copy. At the beginning of AS request processing, save a copy of the encoded request body, or the encoded inner request body for FAST requests. Previously the request_body callback would re-encode the request structure, which in some cases has been modified by the AS request code. No kdcpreauth modules currently use the request_body callback, but PKINIT will need to start using it in order to handle FAST requests correctly. ticket: 7017 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
* Fix warnings and version check for NSS pkinitGreg Hudson2011-11-071-3/+3
| | | | | | | | | | From nalin@redhat.com. ticket: 6999 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25445 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of fake-installGreg Hudson2011-11-042-2/+2
| | | | | | | | | Instead, use $(BUILDTOP)/plugins as the plugin base for tests. For each real plugin module, create a link in the parent directory if we're doing a shared-library build--so built KDB modules can be found in plugins/kdb, preauth modules in plugins/preauth, etc.. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25436 dc483132-0cff-0310-8789-dd5450dbe970
* Make reindentTom Yu2011-10-174-329/+338
| | | | | | | Also fix pkinit_crypto_nss.c struct initializers and add parens to a ternary operator in do_as_req.c for better indentation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25362 dc483132-0cff-0310-8789-dd5450dbe970
* Hide gak_fct interface and arguments in clpreauthGreg Hudson2011-10-153-51/+13
| | | | | | | | | | | | | | | | | | | | | | Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To replace them, add two callbacks: one which gets the AS key using the previously selected etype-info2 information, and a second which lets the module replace the AS key with one it has computed. This changes limits module flexibility in a few ways. Modules cannot check whether the AS key was already obtained before asking for it, and they cannot use the etype-info2 salt and s2kparams for purposes other than getting the password-based AS key. It is believed that of existing preauth mechanisms, only SAM-2 preauth needs more flexibility than the new interfaces provide, and as an internal legacy mechanism it can cheat. Future mechanisms should be okay since the current IETF philosophy is that etype-info2 information should not be used for other purposes. ticket: 6976 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25351 dc483132-0cff-0310-8789-dd5450dbe970
* Make kdcpreauth edata method respond via callbackGreg Hudson2011-10-153-17/+30
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25348 dc483132-0cff-0310-8789-dd5450dbe970
* Add PKINIT NSS supportGreg Hudson2011-10-135-5/+5323
| | | | | | | | | Add an implementation of PKINIT using NSS instead of OpenSSL, from nalin@redhat.com. ticket: 6975 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25327 dc483132-0cff-0310-8789-dd5450dbe970
* Ditch fast_factor.h since it contains only stubsGreg Hudson2011-10-063-13/+5
| | | | | | | | Leave a comment behind where we called fast_set_kdc_verified(). Remove the call to fast_kdc_replace_reply_key() since it's wrong (encrypted challenge doesn't replace the reply key in that sense). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25317 dc483132-0cff-0310-8789-dd5450dbe970
* Use type-safe callbacks in preauth interfaceGreg Hudson2011-10-065-107/+50
| | | | | | | | | | | | | | | Replace the generic get_data functions in clpreauth and kdcpreauth with structures containing callback functions. Each structure has a minor version number to allow adding new callbacks. For simplicity, the new fast armor key callbacks return aliases, which is how we would supply the armor key as a function parameter. The new client keys callback is paired with a free_keys callback to reduce the amount of cleanup code needed in modules. ticket: 6971 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25315 dc483132-0cff-0310-8789-dd5450dbe970
* Remove edata code in sample preauth pluginsGreg Hudson2011-10-052-44/+3
| | | | | | | The code assumes unstructured edata and would be somewhat annoying to reframe in terms of pa-data. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25314 dc483132-0cff-0310-8789-dd5450dbe970
* From: Sam Hartman <hartmans@debian.org>Sam Hartman2011-10-051-0/+2
| | | | | | Pkinit: offer supported KDFs in client git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25308 dc483132-0cff-0310-8789-dd5450dbe970
* Add tests to pkinit_kdf_test to test SHA-256/AES and SHA-512/DES3Sam Hartman2011-10-051-14/+113
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25307 dc483132-0cff-0310-8789-dd5450dbe970
* Make alg agility KDF work properly when the hash length differs from the key ↵Sam Hartman2011-10-051-4/+10
| | | | | | | | length Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25306 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up unused constantsSam Hartman2011-10-051-3/+0
| | | | | | From: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25305 dc483132-0cff-0310-8789-dd5450dbe970
* Make pkinit fall back to octetstring2key() if there are not matching KDFsSam Hartman2011-10-051-7/+5
| | | | | | From: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25304 dc483132-0cff-0310-8789-dd5450dbe970
* Treat the client's list of supported KDFs as an unordered listSam Hartman2011-10-051-4/+5
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25303 dc483132-0cff-0310-8789-dd5450dbe970
* Make KDF work when length of random data differs from length of hashSam Hartman2011-10-051-16/+9
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25302 dc483132-0cff-0310-8789-dd5450dbe970
* Use an opaque handle in the kdcpreauth callbackGreg Hudson2011-10-057-123/+60
| | | | | | | | | | | | | | Instead of passing a request and entry to the kdcpreauth get_data callback, pass an opaque handle. Remove DB entry and key data parameters from kdcpreauth methods (but keep the request, since that's transparent). The SecurID plugin links against libkdb5 and needs access to the client DB entry. Rather than continue to pass a DB entry to kdcpreauth methods, add a get_data callback to get the client DB entry for the few plugins which might need it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
* Create e_data as pa_data in KDC interfacesGreg Hudson2011-10-045-97/+38
| | | | | | | | | | | | All current known uses of e_data are encoded as pa-data or typed-data. FAST requires that e_data be expressed as pa-data. Change the DAL and kdcpreauth interfaces so that e_data is returned as a sequence of pa-data elements. Add a preauth module flag to indicate that the sequence should be encoded as typed-data in non-FAST errors. ticket: 6969 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
* Make kdcpreauth verify respond via callbackGreg Hudson2011-10-034-63/+76
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25294 dc483132-0cff-0310-8789-dd5450dbe970
* Update dependenciesEzra Peisach2011-09-261-5/+25
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25235 dc483132-0cff-0310-8789-dd5450dbe970
* Move static function prototypes from header to individual file so headerEzra Peisach2011-09-262-132/+133
| | | | | | | can be used in other files without warning of function defined but never declared. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25234 dc483132-0cff-0310-8789-dd5450dbe970
* Remove variables set but not usedEzra Peisach2011-09-263-7/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25233 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the correct execuatble and object file on make cleanEzra Peisach2011-09-261-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25232 dc483132-0cff-0310-8789-dd5450dbe970
* Recast encrypted challenge as linked built-insGreg Hudson2011-09-234-458/+0
| | | | | | | | Since it has no external dependencies, split up encrypted preauth into clpreauth and kdcpreauth chunks and link them directly into the consumers. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25227 dc483132-0cff-0310-8789-dd5450dbe970
* fix pkinit warningsSam Hartman2011-09-212-7/+7
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25221 dc483132-0cff-0310-8789-dd5450dbe970
* Fix typo in pkinit_kdf_test error messageSam Hartman2011-09-211-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25220 dc483132-0cff-0310-8789-dd5450dbe970
* Add newlines to end of status messagesSam Hartman2011-09-211-2/+2
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25219 dc483132-0cff-0310-8789-dd5450dbe970
* If the client offers the alg agility KDF, use itSam Hartman2011-09-215-15/+152
| | | | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> pkinit: changes to call alg-agility KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25218 dc483132-0cff-0310-8789-dd5450dbe970
* Reordered pkinit_server_return_padata(), so that the alg-agilitySam Hartman2011-09-211-8/+20
| | | | | | | | KDF can be called after the reply is encoded, as it needs the encoded reply as one of its arguments. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25217 dc483132-0cff-0310-8789-dd5450dbe970
* Fix Openssl 1.0 function capitalization in pkinitSam Hartman2011-09-201-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25212 dc483132-0cff-0310-8789-dd5450dbe970
* Make pkinit_kdf_test.c compileGreg Hudson2011-09-191-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25210 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2026-01-04 17:35:49 +0000