<feed xmlns='http://www.w3.org/2005/Atom'>
<title>krb5.git/src/plugins/preauth, branch keyring</title>
<subtitle>MIT Kerberos patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/'/>
<entry>
<title>Use protocol error for PKINIT cert expiry</title>
<updated>2013-10-17T18:13:02+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-10-14T21:02:31+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=cd59782cb32b79e4001a86b0fe47af8b6275ef0c'/>
<id>cd59782cb32b79e4001a86b0fe47af8b6275ef0c</id>
<content type='text'>
If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't.  This is also more
consistent with other error clauses in the same function.

ticket: 7718 (new)
target_version: 1.12
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If we fail to create a cert chain in cms_signeddata_create(), return
KRB5KDC_ERR_PREAUTH_FAILED, which corresponds to a protocol code,
rather than KRB5_PREAUTH_FAILED, which doesn't.  This is also more
consistent with other error clauses in the same function.

ticket: 7718 (new)
target_version: 1.12
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Use constant-time comparisons for checksums</title>
<updated>2013-10-03T19:26:00+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-10-02T21:58:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=07d68eec2788bfe80686608813f644838707c168'/>
<id>07d68eec2788bfe80686608813f644838707c168</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
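Added example for the entry above (whose commit message body is empty in this feed): a Python demonstration, not code from krb5, of why an early-exit byte comparison of a checksum leaks and what a constant-time comparison changes. The 16-byte sample checksum, the function names and the "bytes examined" counter are constructed for illustration; the counter stands in for the response time an attacker would measure.

```python
"""Early-exit vs. constant-time checksum comparison (added example).

A compare that returns on the first mismatching byte does a
data-dependent amount of work, so an attacker who can submit guesses
and time the response learns where the first mismatch is and can
recover the expected checksum one byte at a time.  The constant-time
version examines every byte and folds all differences into one
accumulator before deciding.  Sample data below is constructed.
"""
import hmac

GOOD = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015")  # constructed 16-byte checksum
FIRST_BYTE_WRONG = bytes([GOOD[0] ^ 0xFF]) + GOOD[1:]
LAST_BYTE_WRONG = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])


def naive_equal(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Early-exit compare.  Returns (equal, bytes examined).

    The second value is the leak: it depends on where the first
    mismatch is, so response time does too.
    """
    if len(expected) != len(received):
        return False, 0
    examined = 0
    for x, y in zip(expected, received):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Compare all bytes regardless of where they differ.

    Differences are OR-ed into one accumulator, so control flow does
    not depend on the secret.  Length is still checked up front:
    checksum lengths are fixed per enctype and public, so that branch
    reveals nothing useful.
    """
    if len(expected) != len(received):
        return False, 0
    acc = 0
    examined = 0
    for x, y in zip(expected, received):
        examined += 1
        acc |= x ^ y
    return acc == 0, examined


def stdlib_equal(expected: bytes, received: bytes) -> bool:
    """What production Python code should call instead of rolling its own."""
    return hmac.compare_digest(expected, received)


def work_profile(compare, secret: bytes) -> list[int]:
    """For each position i, flip byte i of the secret and record how many
    bytes compare() examined before answering.  A profile that varies
    with the mismatch position is the side channel."""
    profile = []
    for i in range(len(secret)):
        guess = secret[:i] + bytes([secret[i] ^ 0xFF]) + secret[i + 1:]
        profile.append(compare(secret, guess)[1])
    return profile


if __name__ == "__main__":
    print("early-exit :", work_profile(naive_equal, GOOD))
    print("constant   :", work_profile(constant_time_equal, GOOD))
```

The early-exit profile climbs from 1 to 16 with the position of the flipped byte; the constant-time profile is flat at 16. The interpreter gives no hard timing guarantee, so real Python code should use hmac.compare_digest; in C, where the krb5 change lives, the same accumulate-over-the-full-length loop is the pattern to look for when reviewing checksum and MAC verification.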
<entry>
<title>Don't ask empty responder questions in PKINIT</title>
<updated>2013-07-22T16:25:31+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-07-19T15:33:20+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=b37a0be87e5146d730b89abd1378a3043d5015b2'/>
<id>b37a0be87e5146d730b89abd1378a3043d5015b2</id>
<content type='text'>
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.

[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When putting together the set of identity prompts for a responder
challenge, if we don't need a PIN or password of some kind, don't ask
an empty question.

[ghudson@mit.edu: squashed commits, modified commit message, merged
PKCS11 test with current Python script]
</pre>
</div>
</content>
</entry>
<entry>
<title>Add the error to some PKINIT NSS debug messages</title>
<updated>2013-07-17T18:57:13+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-07-03T21:11:09+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=bb051a93f31c274cec6c9788558911a0c6b5ddc8'/>
<id>bb051a93f31c274cec6c9788558911a0c6b5ddc8</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Support PKINIT OpenSSL deferred identity prompting</title>
<updated>2013-07-17T18:57:12+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@redhat.com</email>
</author>
<published>2013-06-28T21:12:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=a3abb0bf5fade0009c9899624d4b996a4e12a49f'/>
<id>a3abb0bf5fade0009c9899624d4b996a4e12a49f</id>
<content type='text'>
Add a password to the set of things that we can pass to a PEM password
callback and the function we use for loading PKCS12 bundles.  If we're
meant to defer identity prompts, just store the name of the identity
which we're loading.  Otherwise, if we're passed a password, use it.
Otherwise, use the prompter callback.

Add a password to the set of things that we can pass to the function
that we use for logging in to PKCS11 tokens, too, but if we're deferring
identity prompts, just return the identity name without doing anything
else.  If not, and we're passed a password, use that.  Otherwise, try to
use the prompter callback to get one.

ticket: 7680
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a password to the set of things that we can pass to a PEM password
callback and the function we use for loading PKCS12 bundles.  If we're
meant to defer identity prompts, just store the name of the identity
which we're loading.  Otherwise, if we're passed a password, use it.
Otherwise, use the prompter callback.

Add a password to the set of things that we can pass to the function
that we use for logging in to PKCS11 tokens, too, but if we're deferring
identity prompts, just return the identity name without doing anything
else.  If not, and we're passed a password, use that.  Otherwise, try to
use the prompter callback to get one.

ticket: 7680
</pre>
</div>
</content>
</entry>
<entry>
<title>Support PKINIT NSS deferred identity prompting</title>
<updated>2013-07-17T18:57:11+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-07-08T20:49:16+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=c5bf0caa8abf2b931f5ad258463d706d3cfd5f5b'/>
<id>c5bf0caa8abf2b931f5ad258463d706d3cfd5f5b</id>
<content type='text'>
The password callback which we usually supply to NSS already gets a
pointer to the pkinit_identity_crypto_context structure, but it needs to
be passed the name of the identity for which it's being called.

If it gets a name, and it's deferring prompting, just add the identity
to the list of deferred identity prompts (the password callback wouldn't
have been called if its result wasn't needed), and either return NULL
(as an indication that we couldn't get a password) or an empty string (a
value which we know is invalid) if that's handier.

Otherwise, check for a password that's been stashed for its use for that
identity, and return a copy of it if one's found.  If none of that
works, try to use the prompter callback to ask for the password.

ticket: 7680
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The password callback which we usually supply to NSS already gets a
pointer to the pkinit_identity_crypto_context structure, but it needs to
be passed the name of the identity for which it's being called.

If it gets a name, and it's deferring prompting, just add the identity
to the list of deferred identity prompts (the password callback wouldn't
have been called if its result wasn't needed), and either return NULL
(as an indication that we couldn't get a password) or an empty string (a
value which we know is invalid) if that's handier.

Otherwise, check for a password that's been stashed for its use for that
identity, and return a copy of it if one's found.  If none of that
works, try to use the prompter callback to ask for the password.

ticket: 7680
</pre>
</div>
</content>
</entry>
<entry>
<title>Pass PKINIT identity prompts to the responder cb</title>
<updated>2013-07-17T18:57:11+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-07-15T17:11:00+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=e8b63198029c632d097822104d6e17c9a67ef1a5'/>
<id>e8b63198029c632d097822104d6e17c9a67ef1a5</id>
<content type='text'>
Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.

Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.

Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.

ticket: 7680
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.

Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.

Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.

ticket: 7680
</pre>
</div>
</content>
</entry>
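Added example covering the deferred-prompting flow described in the entries above ("Pass PKINIT identity prompts to the responder cb", "Support PKINIT deferring identity prompts", and "Don't ask empty responder questions in PKINIT"). This is a Python model written here, not krb5 code: initialization records protected identities instead of prompting, the deferred list becomes one responder question, the responder's answers are stashed per identity before the identities are loaded, initialization runs once per request even if questions are prepared several times, and no question is asked when nothing needs a PIN. The Python function names are hypothetical stand-ins for pkinit_identity_initialize(), pkinit_client_prep_questions() and pkinit_identity_prompt(); the JSON shape of the "pkinit" question (identity name to token flags, answered with identity name to PIN) is an assumption about krb5's public responder API, not something the commit messages state; identity names and flags are constructed.

```python
"""Deferred PKINIT identity prompting through a responder question (added example).

Not krb5 code.  Function names below are stand-ins for the pkinit
functions named in the commit messages; the "pkinit" question and
answer encoding is assumed, and the sample identities are constructed.
"""
import json
from dataclasses import dataclass, field

QUESTION_PKINIT = "pkinit"  # assumed responder question name


@dataclass
class Identity:
    name: str             # e.g. "PKCS11:token=smartcard"
    protected: bool       # needs a PIN or password before it can be loaded
    token_flags: int = 0  # hints for the responder (PIN count low, locked, ...)


@dataclass
class PkinitRequest:
    """Per-request state; initialization must happen only once."""
    identities: list
    initialized: bool = False
    deferred: dict = field(default_factory=dict)        # name: token_flags
    stashed_secrets: dict = field(default_factory=dict) # name: PIN/password
    loaded: list = field(default_factory=list)


def identity_initialize(req: PkinitRequest) -> None:
    """Stand-in for pkinit_identity_initialize(): defer instead of prompting."""
    if req.initialized:
        return  # prep_questions may run repeatedly; scan identities once
    req.initialized = True
    for ident in req.identities:
        if ident.protected:
            req.deferred[ident.name] = ident.token_flags


def prep_questions(req: PkinitRequest) -> dict:
    """Stand-in for pkinit_client_prep_questions(): build responder questions."""
    identity_initialize(req)
    if not req.deferred:
        return {}  # nothing needs a PIN: do not ask an empty question
    return {QUESTION_PKINIT: json.dumps(req.deferred, sort_keys=True)}


def stash_answers(req: PkinitRequest, answer_json) -> None:
    """Keep responder-supplied secrets keyed by identity for the load step."""
    if not answer_json:
        return
    for name, secret in json.loads(answer_json).items():
        if name in req.deferred and isinstance(secret, str):
            req.stashed_secrets[name] = secret


def identity_prompt(req: PkinitRequest, prompter=None) -> list:
    """Stand-in for pkinit_identity_prompt(): stashed secret, else prompter."""
    for ident in req.identities:
        if not ident.protected:
            req.loaded.append(ident.name)
            continue
        secret = req.stashed_secrets.get(ident.name)
        if secret is None and prompter is not None:
            secret = prompter(ident.name, ident.token_flags)
        if not secret:
            raise RuntimeError("no PIN or password for " + ident.name)
        req.loaded.append(ident.name)
    return list(req.loaded)


def run_with_responder(identities, responder):
    """End-to-end without an interactive prompter; returns (loaded, questions)."""
    req = PkinitRequest(identities)
    questions = prep_questions(req)
    prep_questions(req)  # second call: no re-initialization, same questions
    answers = {name: responder(name, payload) for name, payload in questions.items()}
    stash_answers(req, answers.get(QUESTION_PKINIT))
    return identity_prompt(req), questions


def run_or_none(identities, responder):
    """Like run_with_responder, but None when a protected identity stays unanswered."""
    try:
        return run_with_responder(identities, responder)[0]
    except RuntimeError:
        return None


SAMPLE_IDENTITIES = [  # constructed
    Identity("FILE:/etc/pki/user.pem,/etc/pki/user.key", protected=False),
    Identity("PKCS11:token=smartcard", protected=True, token_flags=1),
]


def demo_responder(name, payload):
    """Answers every identity in the question with a constructed PIN."""
    return json.dumps({ident: "1234" for ident in json.loads(payload)})


def silent_responder(name, payload):
    """A responder that declines to answer."""
    return None
```

With the sample identities only the token identity appears in the question; a request made up of unprotected file identities produces no question at all, and a responder that declines leaves the protected identity without a secret, so loading fails instead of silently proceeding.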
<entry>
<title>Make the PKINIT NSS path also check for NULL certs</title>
<updated>2013-07-17T16:24:21+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-07-09T18:13:16+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=8899397ab78ea09b8d7dbb20347dd12c93eb15ee'/>
<id>8899397ab78ea09b8d7dbb20347dd12c93eb15ee</id>
<content type='text'>
When called to free identity information, do what the OpenSSL-based
version does, and error out if the identity information is NULL.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When called to free identity information, do what the OpenSSL-based
version does, and error out if the identity information is NULL.
</pre>
</div>
</content>
</entry>
<entry>
<title>Use PKCS11_MODNAME for NSS PKINIT by default</title>
<updated>2013-07-17T16:24:21+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@dahyabhai.net</email>
</author>
<published>2013-06-28T21:12:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=fc975f6608015c61afc7fcba728344663b015996'/>
<id>fc975f6608015c61afc7fcba728344663b015996</id>
<content type='text'>
Do what the OpenSSL-using code paths do, and load PKCS11_MODNAME if no
module is specified when we're told to use a PKCS11 identity.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Do what the OpenSSL-using code paths do, and load PKCS11_MODNAME if no
module is specified when we're told to use a PKCS11 identity.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add support for PKINIT deferring identity prompts</title>
<updated>2013-07-17T16:24:20+00:00</updated>
<author>
<name>Nalin Dahyabhai</name>
<email>nalin@redhat.com</email>
</author>
<published>2013-06-28T21:12:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=805cd6078b5970750b979bd97b4b9f6147e1fd0d'/>
<id>805cd6078b5970750b979bd97b4b9f6147e1fd0d</id>
<content type='text'>
Learn to manage a list of deferred identities, for which we want to
prompt for passwords or PINs, in pkinit_identity_crypto_context
structures, along with their associated token flags.  These are opaque
outside of pkinit_crypto_openssl and pkinit_crypto_nss, so both
implementations need to provide wrapper functions that can be called
from elsewhere in the module to populate and query the lists.

ticket: 7680
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Learn to manage a list of deferred identities, for which we want to
prompt for passwords or PINs, in pkinit_identity_crypto_context
structures, along with their associated token flags.  These are opaque
outside of pkinit_crypto_openssl and pkinit_crypto_nss, so both
implementations need to provide wrapper functions that can be called
from elsewhere in the module to populate and query the lists.

ticket: 7680
</pre>
</div>
</content>
</entry>
</feed>
