summaryrefslogtreecommitdiffstats
path: root/src/plugins/preauth
Commit message (Collapse)AuthorAgeFilesLines
...
* Use type-safe callbacks in preauth interfaceGreg Hudson2011-10-065-107/+50
| | | | | | | | | | | | | | | Replace the generic get_data functions in clpreauth and kdcpreauth with structures containing callback functions. Each structure has a minor version number to allow adding new callbacks. For simplicity, the new fast armor key callbacks return aliases, which is how we would supply the armor key as a function parameter. The new client keys callback is paired with a free_keys callback to reduce the amount of cleanup code needed in modules. ticket: 6971 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25315 dc483132-0cff-0310-8789-dd5450dbe970
* Remove edata code in sample preauth pluginsGreg Hudson2011-10-052-44/+3
| | | | | | | The code assumes unstructured edata and would be somewhat annoying to reframe in terms of pa-data. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25314 dc483132-0cff-0310-8789-dd5450dbe970
* From: Sam Hartman <hartmans@debian.org>Sam Hartman2011-10-051-0/+2
| | | | | | Pkinit: offer supported KDFs in client git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25308 dc483132-0cff-0310-8789-dd5450dbe970
* Add tests to pkinit_kdf_test to test SHA-256/AES and SHA-512/DES3Sam Hartman2011-10-051-14/+113
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25307 dc483132-0cff-0310-8789-dd5450dbe970
* Make alg agility KDF work properly when the hash length differs from the key ↵Sam Hartman2011-10-051-4/+10
| | | | | | | | length Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25306 dc483132-0cff-0310-8789-dd5450dbe970
* Clean up unused constantsSam Hartman2011-10-051-3/+0
| | | | | | From: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25305 dc483132-0cff-0310-8789-dd5450dbe970
* Make pkinit fall back to octetstring2key() if there are not matching KDFsSam Hartman2011-10-051-7/+5
| | | | | | From: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25304 dc483132-0cff-0310-8789-dd5450dbe970
* Treat the client's list of supported KDFs as an unordered listSam Hartman2011-10-051-4/+5
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25303 dc483132-0cff-0310-8789-dd5450dbe970
* Make KDF work when length of random data differs from length of hashSam Hartman2011-10-051-16/+9
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25302 dc483132-0cff-0310-8789-dd5450dbe970
* Use an opaque handle in the kdcpreauth callbackGreg Hudson2011-10-057-123/+60
| | | | | | | | | | | | | | Instead of passing a request and entry to the kdcpreauth get_data callback, pass an opaque handle. Remove DB entry and key data parameters from kdcpreauth methods (but keep the request, since that's transparent). The SecurID plugin links against libkdb5 and needs access to the client DB entry. Rather than continue to pass a DB entry to kdcpreauth methods, add a get_data callback to get the client DB entry for the few plugins which might need it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
* Create e_data as pa_data in KDC interfacesGreg Hudson2011-10-045-97/+38
| | | | | | | | | | | | All current known uses of e_data are encoded as pa-data or typed-data. FAST requires that e_data be expressed as pa-data. Change the DAL and kdcpreauth interfaces so that e_data is returned as a sequence of pa-data elements. Add a preauth module flag to indicate that the sequence should be encoded as typed-data in non-FAST errors. ticket: 6969 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
* Make kdcpreauth verify respond via callbackGreg Hudson2011-10-034-63/+76
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25294 dc483132-0cff-0310-8789-dd5450dbe970
* Update dependenciesEzra Peisach2011-09-261-5/+25
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25235 dc483132-0cff-0310-8789-dd5450dbe970
* Move static function prototypes from header to individual file so headerEzra Peisach2011-09-262-132/+133
| | | | | | | can be used in other files without warning of function defined but never declared. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25234 dc483132-0cff-0310-8789-dd5450dbe970
* Remove variables set but not usedEzra Peisach2011-09-263-7/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25233 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the correct execuatble and object file on make cleanEzra Peisach2011-09-261-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25232 dc483132-0cff-0310-8789-dd5450dbe970
* Recast encrypted challenge as linked built-insGreg Hudson2011-09-234-458/+0
| | | | | | | | Since it has no external dependencies, split up encrypted preauth into clpreauth and kdcpreauth chunks and link them directly into the consumers. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25227 dc483132-0cff-0310-8789-dd5450dbe970
* fix pkinit warningsSam Hartman2011-09-212-7/+7
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25221 dc483132-0cff-0310-8789-dd5450dbe970
* Fix typo in pkinit_kdf_test error messageSam Hartman2011-09-211-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25220 dc483132-0cff-0310-8789-dd5450dbe970
* Add newlines to end of status messagesSam Hartman2011-09-211-2/+2
| | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25219 dc483132-0cff-0310-8789-dd5450dbe970
* If the client offers the alg agility KDF, use itSam Hartman2011-09-215-15/+152
| | | | | | | | Signed-off-by: Margaret Wasserman <mrw@painless-security.com> pkinit: changes to call alg-agility KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25218 dc483132-0cff-0310-8789-dd5450dbe970
* Reordered pkinit_server_return_padata(), so that the alg-agilitySam Hartman2011-09-211-8/+20
| | | | | | | | KDF can be called after the reply is encoded, as it needs the encoded reply as one of its arguments. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25217 dc483132-0cff-0310-8789-dd5450dbe970
* Fix Openssl 1.0 function capitalization in pkinitSam Hartman2011-09-201-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25212 dc483132-0cff-0310-8789-dd5450dbe970
* Make pkinit_kdf_test.c compileGreg Hudson2011-09-191-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25210 dc483132-0cff-0310-8789-dd5450dbe970
* Formatting fixesGreg Hudson2011-09-197-44/+37
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25209 dc483132-0cff-0310-8789-dd5450dbe970
* reindentSam Hartman2011-09-193-71/+71
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25208 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the ticket from the pkinit-alg-agility KDF function, to matchSam Hartman2011-09-193-47/+28
| | | | | | | | | agreed changes to the IETF specification. Includes removing a parameter from the KDF function, removing the ticket from the ASN.1 encoder, and updating the test code. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25197 dc483132-0cff-0310-8789-dd5450dbe970
* Implement encoding and decoding for supportedKDFs and kdfIDSam Hartman2011-09-191-1/+3
| | | | | | pkinit: ASN.1 encoders and decoders for new KDF git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25195 dc483132-0cff-0310-8789-dd5450dbe970
* * Extend auth_packSam Hartman2011-09-191-0/+9
| | | | | | | | | | * extend dh_rep * add krb5_free_octet_data * extend pkinit free functions pkinit: add supportedKDFs and kdfID to structures git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25194 dc483132-0cff-0310-8789-dd5450dbe970
* Refactor to use oid instead of algorithm_id in KDF interfaceSam Hartman2011-09-193-12/+16
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25193 dc483132-0cff-0310-8789-dd5450dbe970
* pkinit_crypto_openssl: fix signed vs unsigned comparisonSam Hartman2011-09-191-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25192 dc483132-0cff-0310-8789-dd5450dbe970
* implementation of new function and test program for pkinit agility.Sam Hartman2011-09-195-3/+475
| | | | | | | | | | | Implementation of pkinit_alg_agility_kdf() function to implement the key derivation function defined in draft-ietf-krb-wg-pkinit-alg-agility-04, and implementation of pkinit_kdf_test program to test the new KDF against the test vector in the draft. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25191 dc483132-0cff-0310-8789-dd5450dbe970
* In pkinit_crypto_openssl.c, modified pkinit_octetstring2key() toSam Hartman2011-09-191-4/+4
| | | | | | | | | | | | eliminate a possible memory leak in the error path, where the key_block->length was set to zero but the key_block->contents were not freed. Also, changed calloc() call to a malloc() call to avoid allocating up to 8 times as much buffer space as needed. In keyblocks.c, modified kr5_free_keyblock_contents() to set the key->length to zero after the key->contents have been freed. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25189 dc483132-0cff-0310-8789-dd5450dbe970
* pkinit: client: Use SignedData for anonymousSam Hartman2011-09-193-207/+234
| | | | | | | | | Per RFc 6112 use SignedData not ContentInfo for anonymous when the KDC offers support for PKINIT_KX padata. ticket: 6962 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25186 dc483132-0cff-0310-8789-dd5450dbe970
* Fix pkinit warningsSam Hartman2011-09-193-5/+5
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25185 dc483132-0cff-0310-8789-dd5450dbe970
* Support pkinit: SignedData with no signers (KDC)Sam Hartman2011-09-192-187/+209
| | | | | | | | | For anonymous, MIT 1.9 sends ContentInfo rather than SignedData. This violates RFc 6112. This patch accepts the RFC 6112 style encoding. ticket: 6961 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25184 dc483132-0cff-0310-8789-dd5450dbe970
* Silence various "may be used uninitialized" warnings from GCC causedKen Raeburn2011-09-051-1/+1
| | | | | | | | | by it not figuring out the control flow (initialization and use both tied to some other variable). DB2 code not included. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25146 dc483132-0cff-0310-8789-dd5450dbe970
* Change output type of pkinit_init_kdc_req_context so as not to requireKen Raeburn2011-09-051-3/+3
| | | | | | gratuitous casting. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25145 dc483132-0cff-0310-8789-dd5450dbe970
* Reindent per krb5-batch-reindent.el.Ken Raeburn2011-09-043-57/+59
| | | | | | | Some minor reformatting added in places to avoid exceeding 80 columns. Used Emacs 22.1 built-in C mode. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25144 dc483132-0cff-0310-8789-dd5450dbe970
* make dependEzra Peisach2011-07-011-20/+26
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25007 dc483132-0cff-0310-8789-dd5450dbe970
* Convert preauth_plugin.h to new plugin frameworkGreg Hudson2011-06-1711-328/+389
| | | | | | | | | | | | | | | | | | | | | | | | The preauth plugin interface was introduced in 1.6 but was never made a public API. In preparation for making it public in 1.10, convert it to use the new plugin framework. This will require changes to any existing preauth plugins. A number of symbols were renamed for namespace cleanliness, and abstract types were introduced for module data and module per-request data for better type safety. On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty rough conversion. Eventually we should create proper consumer APIs with module handles, and the flat lists of preauth types should hold pointers to module handles rather than copies of the vtables. The built-in preauth type handlers should then be converted to built-in module providers linked into the consumer code (as should encrypted challenge, since it has no external dependencies). None of this will impact the provider API for preauth plugins, so it can wait. ticket: 6921 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-104-18/+24
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust most C source files to match the new standards for copyrightGreg Hudson2011-03-095-17/+15
| | | | | | and license comments. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2011-02-252-13/+11
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24662 dc483132-0cff-0310-8789-dd5450dbe970
* When building PKINIT against OpenSSL 1.0 or later, use the CMS APIs forGreg Hudson2011-01-261-46/+93
| | | | | | | | better interoperability. From nalin@redhat.com. ticket: 6851 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24605 dc483132-0cff-0310-8789-dd5450dbe970
* SA-2010-007 Checksum vulnerabilities (CVE-2010-1324 and others)Greg Hudson2010-11-301-10/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix multiple checksum handling bugs, as described in: CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021 * Return the correct (keyed) checksums as the mandatory checksum type for DES enctypes. * Restrict simplified-profile checksums to their corresponding etypes. * Add internal checks to reduce the risk of stream ciphers being used with simplified-profile key derivation or other algorithms relying on the block encryption primitive. * Use the mandatory checksum type for the PKINIT KDC signature, instead of the first-listed keyed checksum. * Use the mandatory checksum type when sending KRB-SAFE messages by default, instead of the first-listed keyed checksum. * Use the mandatory checksum type for the t_kperf test program. * Use the mandatory checksum type (without additional logic) for the FAST request checksum. * Preserve the existing checksum choices (unkeyed checksums for DES enctypes) for the authenticator checksum, using explicit logic. * Ensure that SAM checksums received from the KDC are keyed. * Ensure that PAC checksums are keyed. ticket: 6827 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24538 dc483132-0cff-0310-8789-dd5450dbe970
* Use for loops for recursion in the Windows build, cutting down on theGreg Hudson2010-11-285-5/+5
| | | | | | | | | verbiage in Makefile.in files. For correctness of output, every Makefile.in mydir= definition is changed to use $(S) instead of /. ticket: 6826 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24536 dc483132-0cff-0310-8789-dd5450dbe970
* WhitespaceGreg Hudson2010-10-243-68/+57
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24478 dc483132-0cff-0310-8789-dd5450dbe970
* SecurID build supportSam Hartman2010-10-192-2/+19
| | | | | | | | | | | Integrate SecurID into the build if libaceclnt is found. Add a README file with an example of how to build it. ticket: 6807 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24467 dc483132-0cff-0310-8789-dd5450dbe970
* securID error handling fixSam Hartman2010-10-192-29/+29
| | | | | | | | | | | In porting forward, I incorrectly used krb5_set_error_message instead of com_err. This commit reverts that change. ticket: 6806 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24466 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2025-10-02 14:49:58 +0000