krb5.git/src/plugins/preauth/pkinit, branch master

make depend

2014-07-08T23:36:32+00:00

Include autoconf.h before system headers

2014-07-08T23:19:24+00:00

Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace.  Where include order was changed, eliminate some
redundant or unnecessary includes.

ticket: 7961

Fix error checking in PKINIT authdata creation

2014-06-20T18:42:25+00:00

In create_identifiers_from_stack: check for allocation errors from
PKCS7_ISSUER_AND_SERIAL_new and M_ASN1_INTEGER_dup.  Use
PKCS7_ISSUER_AND_SERIAL_free to more concisely clean up the OpenSSL
issuer variable, and make sure that any partially processed value is
cleaned up on error.  Use calloc to allocate krb5_cas so that all of
its pointers are initially nulled, so that
free_krb5_external_principal_identifier can operate on it safely in
case of error.  Eliminate the retval variable as it was not used
safely.  Rename the error label from "cleanup" to "oom" and separate
it from the successful return path (which has nothing to clean up).

ticket: 7943 (new)
target_version: 1.12.2
tags: pullup

Remove pkinit_win2k_require_binding option

2014-06-13T04:31:27+00:00

When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.

For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.

ticket: 7933

Remove PKINIT longhorn compatibility option

2014-06-12T17:16:24+00:00

Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable.  It is not required to
interoperate with any released version of Windows.

ticket: 7934 (new)

Remove stub pkinit_win2k code

2014-06-11T20:38:38+00:00

As contributed, the PKINIT module contained code to read the
pkinit_win2k variable, but never used it.  Get rid of the structure
field and the code to populate it.

Remove stub pkinit_mapping_file code

2014-06-03T16:08:36+00:00

As contributed, the PKINIT code contained code to read a mapping
filename, but never used the resulting structure variable.  Get rid of
the structure field and the code to populate it.

Properly handle PKCS11 label in PKINIT

2014-05-25T02:28:54+00:00

The CK_TOKEN_INFO label field is defined to be zero-filled, but it may
not be zero-terminated if all bytes of the field are used.  Use only
length-counted operations to process it.  Also avoid underrunning the
buffer pointer if the label is empty or contains only whitespace.

ticket: 7917
target_version: 1.12.2
tags: pullup

Don't blindly use PKCS11 slot IDs in PKINIT

2014-05-24T15:18:30+00:00

Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash.  If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.

ticket: 7916
target_version: 1.12.2
tags: pullup

Use case insensitive DNS SAN matching in PKINIT

2014-05-19T17:45:15+00:00

Matching Subject Alternative Name from certificate with
pkinit_kdc_hostname value from krb5.conf should disregard case.

ticket: 7913 (new)