summaryrefslogtreecommitdiffstats
path: root/src/plugins
Commit message (Collapse)AuthorAgeFilesLines
...
* Simplify and fix kdcpreauth request_body callbackGreg Hudson2011-11-141-12/+1
| | | | | | | | | | | | | | | | | | | Alter the contract for the kdcpreauth request_body callback so that it returns an alias to the encoded body instead of a fresh copy. At the beginning of AS request processing, save a copy of the encoded request body, or the encoded inner request body for FAST requests. Previously the request_body callback would re-encode the request structure, which in some cases has been modified by the AS request code. No kdcpreauth modules currently use the request_body callback, but PKINIT will need to start using it in order to handle FAST requests correctly. ticket: 7017 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
* Fix warnings and version check for NSS pkinitGreg Hudson2011-11-071-3/+3
| | | | | | | | | | From nalin@redhat.com. ticket: 6999 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25445 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up more stuff in make cleanGreg Hudson2011-11-041-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25437 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of fake-installGreg Hudson2011-11-0410-10/+10
| | | | | | | | | Instead, use $(BUILDTOP)/plugins as the plugin base for tests. For each real plugin module, create a link in the parent directory if we're doing a shared-library build--so built KDB modules can be found in plugins/kdb, preauth modules in plugins/preauth, etc.. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25436 dc483132-0cff-0310-8789-dd5450dbe970
* Make krb5_find_authdata publicGreg Hudson2011-10-252-15/+5
| | | | | | | | | | Rename krb5int_find_authdata to krb5_find_authdata and make it public. ticket: 6992 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25414 dc483132-0cff-0310-8789-dd5450dbe970
* SA-2011-006 KDC denial of service [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]Tom Yu2011-10-183-2/+25
| | | | | | | | | | | Fix null pointer dereference and assertion failure conditions that could cause a denial of service. ticket: 6981 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25368 dc483132-0cff-0310-8789-dd5450dbe970
* Make reindentTom Yu2011-10-174-329/+338
| | | | | | | Also fix pkinit_crypto_nss.c struct initializers and add parens to a ternary operator in do_as_req.c for better indentation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25362 dc483132-0cff-0310-8789-dd5450dbe970
* Hide gak_fct interface and arguments in clpreauthGreg Hudson2011-10-153-51/+13
| | | | | | | | | | | | | | | | | | | | | | Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To replace them, add two callbacks: one which gets the AS key using the previously selected etype-info2 information, and a second which lets the module replace the AS key with one it has computed. This changes limits module flexibility in a few ways. Modules cannot check whether the AS key was already obtained before asking for it, and they cannot use the etype-info2 salt and s2kparams for purposes other than getting the password-based AS key. It is believed that of existing preauth mechanisms, only SAM-2 preauth needs more flexibility than the new interfaces provide, and as an internal legacy mechanism it can cheat. Future mechanisms should be okay since the current IETF philosophy is that etype-info2 information should not be used for other purposes. ticket: 6976 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25351 dc483132-0cff-0310-8789-dd5450dbe970
* Make kdcpreauth edata method respond via callbackGreg Hudson2011-10-153-17/+30
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25348 dc483132-0cff-0310-8789-dd5450dbe970
* Add PKINIT NSS supportGreg Hudson2011-10-135-5/+5323
| | | | | | | | | Add an implementation of PKINIT using NSS instead of OpenSSL, from nalin@redhat.com. ticket: 6975 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25327 dc483132-0cff-0310-8789-dd5450dbe970
* Ditch fast_factor.h since it contains only stubsGreg Hudson2011-10-063-13/+5
| | | | | | | | Leave a comment behind where we called fast_set_kdc_verified(). Remove the call to fast_kdc_replace_reply_key() since it's wrong (encrypted challenge doesn't replace the reply key in that sense). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25317 dc483132-0cff-0310-8789-dd5450dbe970
* Use type-safe callbacks in preauth interfaceGreg Hudson2011-10-065-107/+50
| | | | | | | | | | | | | | | Replace the generic get_data functions in clpreauth and kdcpreauth with structures containing callback functions. Each structure has a minor version number to allow adding new callbacks. For simplicity, the new fast armor key callbacks return aliases, which is how we would supply the armor key as a function parameter. The new client keys callback is paired with a free_keys callback to reduce the amount of cleanup code needed in modules. ticket: 6971 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25315 dc483132-0cff-0310-8789-dd5450dbe970
* Remove edata code in sample preauth pluginsGreg Hudson2011-10-052-44/+3
| | | | | | | The code assumes unstructured edata and would be somewhat annoying to reframe in terms of pa-data. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25314 dc483132-0cff-0310-8789-dd5450dbe970
* From: Sam Hartman <hartmans@debian.org>Sam Hartman2011-10-051-0/+2
| | | | | | Pkinit: offer supported KDFs in client git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25308 dc483132-0cff-0310-8789-dd5450dbe970
* Add tests to pkinit_kdf_test to test SHA-256/AES and SHA-512/DES3Sam Hartman2011-10-051-14/+113
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25307 dc483132-0cff-0310-8789-dd5450dbe970
* Make alg agility KDF work properly when the hash length differs from the key ↵Sam Hartman2011-10-051-4/+10
| | | | | | | | length Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25306 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up unused constantsSam Hartman2011-10-051-3/+0
| | | | | | From: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25305 dc483132-0cff-0310-8789-dd5450dbe970
* Make pkinit fall back to octetstring2key() if there are not matching KDFsSam Hartman2011-10-051-7/+5
| | | | | | From: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25304 dc483132-0cff-0310-8789-dd5450dbe970
* Treat the client's list of supported KDFs as an unordered listSam Hartman2011-10-051-4/+5
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25303 dc483132-0cff-0310-8789-dd5450dbe970
* Make KDF work when length of random data differs from length of hashSam Hartman2011-10-051-16/+9
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25302 dc483132-0cff-0310-8789-dd5450dbe970
* Use an opaque handle in the kdcpreauth callbackGreg Hudson2011-10-057-123/+60
| | | | | | | | | | | | | | Instead of passing a request and entry to the kdcpreauth get_data callback, pass an opaque handle. Remove DB entry and key data parameters from kdcpreauth methods (but keep the request, since that's transparent). The SecurID plugin links against libkdb5 and needs access to the client DB entry. Rather than continue to pass a DB entry to kdcpreauth methods, add a get_data callback to get the client DB entry for the few plugins which might need it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
* Create e_data as pa_data in KDC interfacesGreg Hudson2011-10-0411-105/+54
| | | | | | | | | | | | All current known uses of e_data are encoded as pa-data or typed-data. FAST requires that e_data be expressed as pa-data. Change the DAL and kdcpreauth interfaces so that e_data is returned as a sequence of pa-data elements. Add a preauth module flag to indicate that the sequence should be encoded as typed-data in non-FAST errors. ticket: 6969 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
* Make kdcpreauth verify respond via callbackGreg Hudson2011-10-034-63/+76
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25294 dc483132-0cff-0310-8789-dd5450dbe970
* Update dependenciesEzra Peisach2011-09-261-5/+25
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25235 dc483132-0cff-0310-8789-dd5450dbe970
* Move static function prototypes from header to individual file so headerEzra Peisach2011-09-262-132/+133
| | | | | | | can be used in other files without warning of function defined but never declared. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25234 dc483132-0cff-0310-8789-dd5450dbe970
* Remove variables set but not usedEzra Peisach2011-09-263-7/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25233 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the correct execuatble and object file on make cleanEzra Peisach2011-09-261-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25232 dc483132-0cff-0310-8789-dd5450dbe970
* Recast encrypted challenge as linked built-insGreg Hudson2011-09-234-458/+0
| | | | | | | | Since it has no external dependencies, split up encrypted preauth into clpreauth and kdcpreauth chunks and link them directly into the consumers. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25227 dc483132-0cff-0310-8789-dd5450dbe970
* fix pkinit warningsSam Hartman2011-09-212-7/+7
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25221 dc483132-0cff-0310-8789-dd5450dbe970
* Fix typo in pkinit_kdf_test error messageSam Hartman2011-09-211-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25220 dc483132-0cff-0310-8789-dd5450dbe970
* Add newlines to end of status messagesSam Hartman2011-09-211-2/+2
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25219 dc483132-0cff-0310-8789-dd5450dbe970
* If the client offers the alg agility KDF, use itSam Hartman2011-09-215-15/+152
| | | | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> pkinit: changes to call alg-agility KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25218 dc483132-0cff-0310-8789-dd5450dbe970
* Reordered pkinit_server_return_padata(), so that the alg-agilitySam Hartman2011-09-211-8/+20
| | | | | | | | KDF can be called after the reply is encoded, as it needs the encoded reply as one of its arguments. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25217 dc483132-0cff-0310-8789-dd5450dbe970
* Fix Openssl 1.0 function capitalization in pkinitSam Hartman2011-09-201-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25212 dc483132-0cff-0310-8789-dd5450dbe970
* Make pkinit_kdf_test.c compileGreg Hudson2011-09-191-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25210 dc483132-0cff-0310-8789-dd5450dbe970
* Formatting fixesGreg Hudson2011-09-197-44/+37
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25209 dc483132-0cff-0310-8789-dd5450dbe970
* reindentSam Hartman2011-09-193-71/+71
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25208 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the ticket from the pkinit-alg-agility KDF function, to matchSam Hartman2011-09-193-47/+28
| | | | | | | | | agreed changes to the IETF specification. Includes removing a parameter from the KDF function, removing the ticket from the ASN.1 encoder, and updating the test code. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25197 dc483132-0cff-0310-8789-dd5450dbe970
* Implement encoding and decoding for supportedKDFs and kdfIDSam Hartman2011-09-191-1/+3
| | | | | | pkinit: ASN.1 encoders and decoders for new KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25195 dc483132-0cff-0310-8789-dd5450dbe970
* * Extend auth_packSam Hartman2011-09-191-0/+9
| | | | | | | | | | * extend dh_rep * add krb5_free_octet_data * extend pkinit free functions pkinit: add supportedKDFs and kdfID to structures git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25194 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor to use oid instead of algorithm_id in KDF interfaceSam Hartman2011-09-193-12/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25193 dc483132-0cff-0310-8789-dd5450dbe970
* pkinit_crypto_openssl: fix signed vs unsigned comparisonSam Hartman2011-09-191-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25192 dc483132-0cff-0310-8789-dd5450dbe970
* implementation of new function and test program for pkinit agility.Sam Hartman2011-09-195-3/+475
| | | | | | | | | | | Implementation of pkinit_alg_agility_kdf() function to implement the key derivation function defined in draft-ietf-krb-wg-pkinit-alg-agility-04, and implementation of pkinit_kdf_test program to test the new KDF against the test vector in the draft. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25191 dc483132-0cff-0310-8789-dd5450dbe970
* In pkinit_crypto_openssl.c, modified pkinit_octetstring2key() toSam Hartman2011-09-191-4/+4
| | | | | | | | | | | | eliminate a possible memory leak in the error path, where the key_block->length was set to zero but the key_block->contents were not freed. Also, changed calloc() call to a malloc() call to avoid allocating up to 8 times as much buffer space as needed. In keyblocks.c, modified kr5_free_keyblock_contents() to set the key->length to zero after the key->contents have been freed. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25189 dc483132-0cff-0310-8789-dd5450dbe970
* pkinit: client: Use SignedData for anonymousSam Hartman2011-09-193-207/+234
| | | | | | | | | Per RFc 6112 use SignedData not ContentInfo for anonymous when the KDC offers support for PKINIT_KX padata. ticket: 6962 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25186 dc483132-0cff-0310-8789-dd5450dbe970
* Fix pkinit warningsSam Hartman2011-09-193-5/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25185 dc483132-0cff-0310-8789-dd5450dbe970
* Support pkinit: SignedData with no signers (KDC)Sam Hartman2011-09-192-187/+209
| | | | | | | | | For anonymous, MIT 1.9 sends ContentInfo rather than SignedData. This violates RFc 6112. This patch accepts the RFC 6112 style encoding. ticket: 6961 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25184 dc483132-0cff-0310-8789-dd5450dbe970
* Initialize some more variablesKen Raeburn2011-09-051-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25151 dc483132-0cff-0310-8789-dd5450dbe970
* Fix "may be used uninitialized" warnings in db2 code, even though allKen Raeburn2011-09-056-9/+11
| | | | | | | such cases appear to be safe. This will permit making uninitialized-variable messages fatal. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25147 dc483132-0cff-0310-8789-dd5450dbe970
* Silence various "may be used uninitialized" warnings from GCC causedKen Raeburn2011-09-051-1/+1
| | | | | | | | | by it not figuring out the control flow (initialization and use both tied to some other variable). DB2 code not included. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25146 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-09-28 04:51:35 +0000