summaryrefslogtreecommitdiffstats
path: root/src/plugins/preauth/pkinit
Commit message (Collapse)AuthorAgeFilesLines
...
* Make kdcpreauth verify respond via callbackGreg Hudson2011-10-031-24/+22
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25294 dc483132-0cff-0310-8789-dd5450dbe970
* Update dependenciesEzra Peisach2011-09-261-5/+25
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25235 dc483132-0cff-0310-8789-dd5450dbe970
* Move static function prototypes from header to individual file so headerEzra Peisach2011-09-262-132/+133
| | | | | | | can be used in other files without warning of function defined but never declared. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25234 dc483132-0cff-0310-8789-dd5450dbe970
* Remove variables set but not usedEzra Peisach2011-09-263-7/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25233 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the correct execuatble and object file on make cleanEzra Peisach2011-09-261-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25232 dc483132-0cff-0310-8789-dd5450dbe970
* fix pkinit warningsSam Hartman2011-09-212-7/+7
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25221 dc483132-0cff-0310-8789-dd5450dbe970
* Fix typo in pkinit_kdf_test error messageSam Hartman2011-09-211-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25220 dc483132-0cff-0310-8789-dd5450dbe970
* Add newlines to end of status messagesSam Hartman2011-09-211-2/+2
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25219 dc483132-0cff-0310-8789-dd5450dbe970
* If the client offers the alg agility KDF, use itSam Hartman2011-09-215-15/+152
| | | | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> pkinit: changes to call alg-agility KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25218 dc483132-0cff-0310-8789-dd5450dbe970
* Reordered pkinit_server_return_padata(), so that the alg-agilitySam Hartman2011-09-211-8/+20
| | | | | | | | KDF can be called after the reply is encoded, as it needs the encoded reply as one of its arguments. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25217 dc483132-0cff-0310-8789-dd5450dbe970
* Fix Openssl 1.0 function capitalization in pkinitSam Hartman2011-09-201-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25212 dc483132-0cff-0310-8789-dd5450dbe970
* Make pkinit_kdf_test.c compileGreg Hudson2011-09-191-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25210 dc483132-0cff-0310-8789-dd5450dbe970
* Formatting fixesGreg Hudson2011-09-197-44/+37
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25209 dc483132-0cff-0310-8789-dd5450dbe970
* reindentSam Hartman2011-09-193-71/+71
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25208 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the ticket from the pkinit-alg-agility KDF function, to matchSam Hartman2011-09-193-47/+28
| | | | | | | | | agreed changes to the IETF specification. Includes removing a parameter from the KDF function, removing the ticket from the ASN.1 encoder, and updating the test code. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25197 dc483132-0cff-0310-8789-dd5450dbe970
* Implement encoding and decoding for supportedKDFs and kdfIDSam Hartman2011-09-191-1/+3
| | | | | | pkinit: ASN.1 encoders and decoders for new KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25195 dc483132-0cff-0310-8789-dd5450dbe970
* * Extend auth_packSam Hartman2011-09-191-0/+9
| | | | | | | | | | * extend dh_rep * add krb5_free_octet_data * extend pkinit free functions pkinit: add supportedKDFs and kdfID to structures git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25194 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor to use oid instead of algorithm_id in KDF interfaceSam Hartman2011-09-193-12/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25193 dc483132-0cff-0310-8789-dd5450dbe970
* pkinit_crypto_openssl: fix signed vs unsigned comparisonSam Hartman2011-09-191-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25192 dc483132-0cff-0310-8789-dd5450dbe970
* implementation of new function and test program for pkinit agility.Sam Hartman2011-09-195-3/+475
| | | | | | | | | | | Implementation of pkinit_alg_agility_kdf() function to implement the key derivation function defined in draft-ietf-krb-wg-pkinit-alg-agility-04, and implementation of pkinit_kdf_test program to test the new KDF against the test vector in the draft. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25191 dc483132-0cff-0310-8789-dd5450dbe970
* In pkinit_crypto_openssl.c, modified pkinit_octetstring2key() toSam Hartman2011-09-191-4/+4
| | | | | | | | | | | | eliminate a possible memory leak in the error path, where the key_block->length was set to zero but the key_block->contents were not freed. Also, changed calloc() call to a malloc() call to avoid allocating up to 8 times as much buffer space as needed. In keyblocks.c, modified kr5_free_keyblock_contents() to set the key->length to zero after the key->contents have been freed. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25189 dc483132-0cff-0310-8789-dd5450dbe970
* pkinit: client: Use SignedData for anonymousSam Hartman2011-09-193-207/+234
| | | | | | | | | Per RFc 6112 use SignedData not ContentInfo for anonymous when the KDC offers support for PKINIT_KX padata. ticket: 6962 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25186 dc483132-0cff-0310-8789-dd5450dbe970
* Fix pkinit warningsSam Hartman2011-09-193-5/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25185 dc483132-0cff-0310-8789-dd5450dbe970
* Support pkinit: SignedData with no signers (KDC)Sam Hartman2011-09-192-187/+209
| | | | | | | | | For anonymous, MIT 1.9 sends ContentInfo rather than SignedData. This violates RFc 6112. This patch accepts the RFC 6112 style encoding. ticket: 6961 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25184 dc483132-0cff-0310-8789-dd5450dbe970
* Silence various "may be used uninitialized" warnings from GCC causedKen Raeburn2011-09-051-1/+1
| | | | | | | | | by it not figuring out the control flow (initialization and use both tied to some other variable). DB2 code not included. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25146 dc483132-0cff-0310-8789-dd5450dbe970
* Change output type of pkinit_init_kdc_req_context so as not to requireKen Raeburn2011-09-051-3/+3
| | | | | | gratuitous casting. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25145 dc483132-0cff-0310-8789-dd5450dbe970
* Reindent per krb5-batch-reindent.el.Ken Raeburn2011-09-041-1/+1
| | | | | | | Some minor reformatting added in places to avoid exceeding 80 columns. Used Emacs 22.1 built-in C mode. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25144 dc483132-0cff-0310-8789-dd5450dbe970
* make dependEzra Peisach2011-07-011-20/+26
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25007 dc483132-0cff-0310-8789-dd5450dbe970
* Convert preauth_plugin.h to new plugin frameworkGreg Hudson2011-06-173-123/+129
| | | | | | | | | | | | | | | | | | | | | | | | The preauth plugin interface was introduced in 1.6 but was never made a public API. In preparation for making it public in 1.10, convert it to use the new plugin framework. This will require changes to any existing preauth plugins. A number of symbols were renamed for namespace cleanliness, and abstract types were introduced for module data and module per-request data for better type safety. On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty rough conversion. Eventually we should create proper consumer APIs with module handles, and the flat lists of preauth types should hold pointers to module handles rather than copies of the vtables. The built-in preauth type handlers should then be converted to built-in module providers linked into the consumer code (as should encrypted challenge, since it has no external dependencies). None of this will impact the provider API for preauth plugins, so it can wait. ticket: 6921 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-104-18/+24
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyrightGreg Hudson2011-03-091-1/+1
| | | | | | and license comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2011-02-251-9/+8
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24662 dc483132-0cff-0310-8789-dd5450dbe970
* When building PKINIT against OpenSSL 1.0 or later, use the CMS APIs forGreg Hudson2011-01-261-46/+93
| | | | | | | | better interoperability. From nalin@redhat.com. ticket: 6851 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24605 dc483132-0cff-0310-8789-dd5450dbe970
* SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)Greg Hudson2010-11-301-10/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix multiple checksum handling bugs, as described in: CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021 * Return the correct (keyed) checksums as the mandatory checksum type for DES enctypes. * Restrict simplified-profile checksums to their corresponding etypes. * Add internal checks to reduce the risk of stream ciphers being used with simplified-profile key derivation or other algorithms relying on the block encryption primitive. * Use the mandatory checksum type for the PKINIT KDC signature, instead of the first-listed keyed checksum. * Use the mandatory checksum type when sending KRB-SAFE messages by default, instead of the first-listed keyed checksum. * Use the mandatory checksum type for the t_kperf test program. * Use the mandatory checksum type (without additional logic) for the FAST request checksum. * Preserve the existing checksum choices (unkeyed checksums for DES enctypes) for the authenticator checksum, using explicit logic. * Ensure that SAM checksums received from the KDC are keyed. * Ensure that PAC checksums are keyed. ticket: 6827 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24538 dc483132-0cff-0310-8789-dd5450dbe970
* Use for loops for recursion in the Windows build, cutting down on theGreg Hudson2010-11-281-1/+1
| | | | | | | | | verbiage in Makefile.in files. For correctness of output, every Makefile.in mydir= definition is changed to use $(S) instead of /. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24536 dc483132-0cff-0310-8789-dd5450dbe970
* In the PKINIT OpenSSL crypto code, use a signed int to hold the resultGreg Hudson2010-09-151-3/+3
| | | | | | | | | of X509_get_ext_by_NID so we can detect negative return values. Reported by nalin@redhat.com. ticket: 6774 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24323 dc483132-0cff-0310-8789-dd5450dbe970
* In the PKINIT OpenSSL code, ensure that appropriate cerficiate fieldsGreg Hudson2010-09-151-0/+2
| | | | | | | | have been set before using ku_reject. Patch from nalin@redhat.com. ticket: 6775 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24313 dc483132-0cff-0310-8789-dd5450dbe970
* Use correct CRL stack macros in pkinit OpenSSL code. Patch from OlafGreg Hudson2010-09-151-3/+3
| | | | | | | | Flebbe. ticket: 6776 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24312 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2010-09-081-6/+7
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24298 dc483132-0cff-0310-8789-dd5450dbe970
* X509_verify_cert can return without setting cert_ctx.current_cert. IfGreg Hudson2010-09-081-2/+5
| | | | | | | it does, don't dereference a null pointer when creating the pkiDebug message. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24296 dc483132-0cff-0310-8789-dd5450dbe970
* In PKINIT, notice if DH_compute_key() returns a value less than theGreg Hudson2010-06-141-2/+18
| | | | | | | | | | buffer size, and pad it on the left if so. ticket: 6738 target_version: 1.8.3 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24137 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust the PKINIT DH debugging code:Greg Hudson2010-06-141-7/+8
| | | | | | | | | | * Use %p and void * for pointers instead of %x and int * Don't call the computed symmetric key the "secret key" since that's easily confused with the private key g^x. * Print the private key when printing DH parameters, instead of the q value (not even sure what they is). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24136 dc483132-0cff-0310-8789-dd5450dbe970
* make dependGreg Hudson2010-06-071-9/+10
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24119 dc483132-0cff-0310-8789-dd5450dbe970
* Other changes in this ticket guarantee that the padata argument toSam Hartman2010-01-041-1/+1
| | | | | | | | return callbacks is non-null; don't check for null in pkinit_srv.c. ticket: 6607 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23582 dc483132-0cff-0310-8789-dd5450dbe970
* NetBSD 5.0.1 uses an OpenSSL snapshot that describes itself as 0.9.9,Ken Raeburn2009-12-311-1/+1
| | | | | | | and has the EVP_PKEY_decrypt API change that was already being worked around for OpenSSL 1.0.0. Work around it for 0.9.9 too. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23553 dc483132-0cff-0310-8789-dd5450dbe970
* Remove an inoperable error check in return_pkinit_kxGreg Hudson2009-12-291-2/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23536 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace fixes for new anonymous supportGreg Hudson2009-12-285-68/+90
| | | | | | ticket: 6607 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970
* Anonymous support for KerberosSam Hartman2009-12-286-190/+354
| | | | | | | | | | | | | | | | | | | | | | This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication. * Introduce kinit -n * Introduce kadmin -n * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache * No longer generate ad-initial-verified-cas in pkinit * Fix pkinit interactions with non-TGT authentication Merge remote branch 'anonymous' into trunk Conflicts: src/lib/krb5/krb/gic_opt.c ticket: 6607 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
* Mark and reindent the pkinit plugin code, except for the header filesGreg Hudson2009-11-258-4813/+4815
| | | | | | which are kind of difficult. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23354 dc483132-0cff-0310-8789-dd5450dbe970
* Consolidate Makefile variables now that we have only a single globalGreg Hudson2009-11-222-39/+38
| | | | | | | | | | | | | configure script: $(SRCTOP) --> $(top_srcdir) $(srcdir)/$(thisconfigdir) --> $(top_srcdir) $(thisconfigdir) --> $(BUILDTOP) $(myfulldir) --> $(mydir) ticket: 6583 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23308 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-10-02 15:06:02 +0000