| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19676 dc483132-0cff-0310-8789-dd5450dbe970
|
|
returns a different OID.
Fix a typo in the doc pointed out by Olga Kornievskaia
Add a comment about why SILLYDECRYPT is there.
Fix some formatting to prevent line-wrapping.
Encapsulate all the work-arounds for working against a
Longhorn server within #ifdef LONGHORN_BETA_COMPAT so they
are easily recognized and can be removed when the issues
are fixed in released versions of Longhorn.
Fix a memory leak in the server. (Change the client code
to copy OID values rather than returning pointers to static
memory so that no special cases are required when freeing
structures which reference them.)
Remove an fprintf() from the pkinit_matching code.
Change functino definitions in pkinit_lib.c to match the
coding style.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19610 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19581 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Fix copyright statement.
Add encode routine for an authorization data element so pkinit
authz data can be encoded and wrapped in if-relevant.
Add accessor for new encode function.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19579 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19578 dc483132-0cff-0310-8789-dd5450dbe970
|
|
kinit man-page
admin-guide: krb5.conf options
admin-guide: kdc.conf options
---
Add more functions to accessor structure.
---
Patch from Ken Raeburn, minus the README changes.
README needs major updating or should be removed.
Hopefully, it is now all captured in the doc changes.
Log:
r807@dh169: raeburn | 2007-05-30 19:23:15 -0400
dev
r810@dh169: raeburn | 2007-05-31 15:44:25 -0400
Add crypto lib check at top level, to make maintainer mode happier.
No comma at end of enum lists.
Remove extraneous ';'.
Fix uninitialized variable.
No variadic macros.
---
returning authorization data only for pa-type 16
---
return signed attributes only for pa-type 16
---
Don't segfault if we fail to decode the PKCS7 message in
cms_signeddata_verify().
---
append PIN warnings to PIN prompt
---
translate pkcs11 error codes to text
---
Change get_cert() and get_key() to return an error code so we can
give a better reason why they failed.
---
Fix more compiler warnings.
---
In crypto_cert_select_default(), enforce that there is exactly one
cert to choose from.
---
add (currently-hardcoded des3) supportedCMSTypes to pa-type 16 request
---
accept various oids in the envelopeddata for pa-type 15 request
---
fix ad_type for authorization data
---
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19577 dc483132-0cff-0310-8789-dd5450dbe970
|
|
src/lib/krb5/krb/preauth2.c
Add new file pkinit_matching.c which implements the ability
for an admin to configure things such that the "right" certificate
from several available ones will be used for pkinit.
Fix a couple of things the Solaris compiler doesn't like.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19562 dc483132-0cff-0310-8789-dd5450dbe970
|
|
parsing and processing code outside the crypto-spcecific code
into common code. Some of this came out of pkinit_lib.c and
some came out of pkinit_crypto_openssl.c.
- Move some corresponding #defines from pkinit_crypto_openssl.h
into pkinit.h.
- Moved some of the identity values out of the id_cryptoctx and
into the idopts. (Some are later duplicated into the id_cryptoctx.)
- Create "new" crypto functions, crypto_load_certs() and
crypto_load_cas_and_crls(). These are slight modifications of
the pre-existing functions.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19561 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19560 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19559 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19552 dc483132-0cff-0310-8789-dd5450dbe970
|
|
we are talking to a Longhorn KDC and allows the necessary
hacks to work with a Longhorn (beta 3) server
- Add pkcs12 support (required for gssmonger testing)
- Modify SAN and EKU processing so that it does not use
pa_type and so that it allows checking with certificates
containing more than one SAN
- add new configuration file option, "pkinit_eku_checking"
for the kdc, this can be specified as [kpClientAuth | scLogin | none]
for the client, this can be specified as [kpKDC | kpServerAuth | none]
- Restructure code to make DN and SAN matching possible.
Still need the actual matching code.
- Fix from Ken Renard re: using ENV: for identity processing
- Create new header, pkinit_crypto.h separating out the crypto
interface definition.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19549 dc483132-0cff-0310-8789-dd5450dbe970
|
|
- define two macros to deal with implicitly tagged
octet strings
- modified begin_choice() macro and removed
begin_explicit_choice()
- use the get_implicit_octet_string() and
opt_implicit_octet_string() macros to clean up
a lot of hand-coded stuff.
- remove (almost) all the "#if 0" stuff (see below)
- asn1_decode_trusted_ca() still needs testing and cleanup
of "#if 0" code!
[lib/krb5/asn.1/asn1_k_decode.h]
- add prototype for asn1_decode_sequence_of_algorithm_identifier
[lib/krb5/asn.1/asn1_k_encode.cs]
- Fix up some comments for our added macros
[pkinit directory changes]
- Move parsing of filesystem identity location into a separate function,
parse_fs_options(), like parse_pkcs11_options().
- Add the ability to specify ENV: as suggested by Doug Engert.
- Add the ability to specify alternatives to use for finding identity.
(This adds a pkinit_identity_alt config file option that specifies
alternative locations to try and find user identity information.
This config file option may be specified multiple times, and the
alternatives are tried in the order given in the config file.)
For example:
[libdefaults]
pkinit_identity_alt = ENV:X509_USER_IDENTITY
pkinit_identity_alt = ENV:X509_USER_PROXY
pkinit_identity_alt = PKCS11:opensc-pkcs11.so
If the user does not specify -X X509_user_identity on the command
line, then the code will check if the environment variable
X509_USER_IDENTITY is defined. If it is not defined, or does not
specify a valid identity, then envvar X509_USER_PROXY will be tried.
If that fails, then it will attempt PKCS11 with module opensc-pkcs11.so.
If all the alternatives fail, then pkinit preauth is not available
and password authentication is attempted.
- Many changes to clean up almost all compiler warnings
- Add config option, pkinit_win2k_hostname, to specify win2k
hostname(s) to be checked in the certificate.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19512 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19511 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19210 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Allow per-realm pkinit configuration.
- include/krb5/preauth_plugin.h
Add NULL-terminated realm name list to preauth_server_init_proc interface.
- kdc/kdc_preauth.c
Construct realm name list and pass it to preauth_server_init_proc
(and free it).
- plugins/preauth/pkinit/pkinit.h
Add realmname and name length to kdc (per-realm) plugin context.
Change interface to config/profile routines to pass the realm name.
- plugins/preauth/pkinit/pkinit_crypto_openssl.c
Restructure the init/fini functions a bit.
Make sure OBJ_cleanup() is only called once by using a refcount.
- plugins/preauth/pkinit/pkinit_profile.c
Change routines to pass in realm name rather than depending on
default_realm being set in the context.
- plugins/preauth/pkinit/pkinit_srv.c
Create a plugin context for each realm that should be supported.
Add function to find the correct realm context. Call it at the
beginning of each major preauth function (get_edata,
verify_padata, return_padata).
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19209 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19184 dc483132-0cff-0310-8789-dd5450dbe970
|
|
---
Ignore the mechanism list, always use CKM_RSA_PKCS and calculate the sha1
digest ourselves.
Works for Cryptoflex, Activcard, and (I think) CAC.
---
don't specify a usage when looking for a private key, it confuses
some cards (coolkey)
---
send invalid certificate instead of trusted certifiers for
the TD-INVALID-CERTIFICATE typed data
---
include the right oid for the draft9 reply
---
Remove all traces of krb5_get_init_creds_opt_set_pkinit()
---
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19164 dc483132-0cff-0310-8789-dd5450dbe970
|
|
The KDC may alter the original request after decoding it.
We need to do the checksum on the original request contents
from the client. Use the original packet data to calculate
the checksum.
-- client now sends the certificate chain in the request
-- added a debug message for when we fail to create a certificate
chain on the client and fail the request
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19058 dc483132-0cff-0310-8789-dd5450dbe970
|
|
- Remove saved code which had been previously #ifdef'd out.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19057 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19054 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Update pkinit code to include changes for separation of the
crypto interface.
pkinit also updated to use configuration files and command-line
options rather than environment variables.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@19053 dc483132-0cff-0310-8789-dd5450dbe970
|
|
just set the environment variable!
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@18938 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Pull in changes to add get_init_creds_opt_set_pa(),
get_init_creds_opt_get_pa(), and get_init_creds_opt_free_pa()
Change client interface to pass in the get_init_creds_opt structure
to the process and tryagain functions.
Pull in changes to kinit to pass preauth options entered with "-X"
Create typedefs for all the preauth plugin client and server
interface functions and use them. Eliminates mismatches
and enables better type checking of the interface paremeters.
Add *temporary* code to client side of pkinit to handle preauth options
and set the appropriate environment variables.
(Currently only X509_user_identity, X509_anchors, and
flag_RSA_PROTOCOL are handled.)
Add code to use krb5int_accessor to obtain pointers to internal functions
for ASN.1 encode/decode routines rather than exporting them from
libkrb5.
Various updates and improvements in the pkinit smartcard code.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@18937 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@18920 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Implements e-data and client_tryagain.
Implements reading of config/profile parameters.
Some smartcard improvements.
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@18917 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@18916 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@18874 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@18866 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@18861 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/pkinit@18860 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Change debugging messages so they print salt value correctly
and clean up warnings when compiling with DEBUG.
ticket: new
Tags: pullup
Target_Version: 1.6
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18859 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Call krb5_clear_error_message() to free any allocated error message
before freeing the context.
The condition that triggered this was a plugin library which fails to
load because of unresolved references. It appears dlopen() on Linux
leaks four bytes for each failing library in this situation.
ticket: new
Target_Version: 1.6
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18858 dc483132-0cff-0310-8789-dd5450dbe970
|
|
function to fetch ops vector given ccache prefix string.
(krb5_cc_new_unique): New function to generate a new unique
ccache of a given type.
* src/include/krb5/krb5.hin: Prototype for krb5_cc_new_unique().
* src/lib/krb5/libkrb5.exports:
* src/lib/krb5_32.def: Add krb5_cc_new_unique().
ticket: 3091
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18857 dc483132-0cff-0310-8789-dd5450dbe970
|
|
remove unintentionally committed code not meant for 1.4 branch
ticket: 4802
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18842 dc483132-0cff-0310-8789-dd5450dbe970
|
|
- when the krb5 prompter callback function is called,
set the focus to the first input field provided by
the caller.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18841 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5_get_init_creds_password:
if the master_kdc cannot be identified reset the use_master
flag. otherwise, the krb5_get_init_creds("kadmin/changepw")
call will attempt to communicate with the master_kdc that
cannot be reached.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18840 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18839 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ticket: 4799
Target_Version: 1.6
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18837 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Modify the keylength function to return both keybytes and keylength.
Change the name of the function and source file to reflect this.
Add a function, krb5_c_random_to_key() that takes random input data
of the right length (keybytes) and produce a valid key for a given
enctype.
ticket: new
Target_Version: 1.6
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18836 dc483132-0cff-0310-8789-dd5450dbe970
|
|
KfW 3.1 beta 4 (NetIDMgr 1.1.6.0)
nidmgr32.dll (1.1.6.0)
- Fix a race condition where the initialization process might be
flagged as complete even if the identity provider hasn't finished
initialization yet.
krb5cred.dll (1.1.6.0)
- When assigning the default credentials cache for each identity,
favor API and FILE caches over MSLSA if they exist.
- When renewing an identity which was the result of importing
credentials from the MSLSA cache, attempt to re-import the
credentials from MSLSA instead of renewing the imported credentials.
- Prevent possible crash if a Kerberos 5 context could not be obtained
during the renewal operation.
- Prevent memory leak in the credentials destroy handler due to the
failure to free a Kerberos 5 context.
- Properly match principals and realms when importing credentials from
the MSLSA cache.
- Determine the correct credentials cache to place imported
credentials in by checking the configuration for preferred cache
name.
- Keep track of identities where credentials imports have occurred.
- When setting the default identity, ignore the KRB5CCNAME environment
variable.
- Do not re-compute the credentials cache and timestamps when updating
an identity. The cache and timestamp information is computed when
listing credentials and do not change between listing and identity
update.
- When refreshing the default identity, also handle the case where the
default credentials cache does not contain a principal, but the name
of the cache can be used to infer the principal name.
- Invoke a listing of credentials after a successful import.
- Do not free a Kerberos 5 context prematurely during plug-in
initialization.
netidmgr.exe (1.1.6.0)
- Fix the UI context logic to handle layouts which aren't based around
identities.
- Don't try to show a property sheet when there are no property pages
supplied for the corresponding UI context.
- Use consistent context menus.
- Bring a modal dialog box to the foreground when it should be active.
- Do not accept action triggers when the application is not ready to
process actions yet.
- Do not force the new credentials dialog to the top if there's
already a modal dialog box showing.
- Change the default per-identity layout to also group by location.
ticket: new
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18828 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Fixed krb5_stdccv3_generate_new so it no longer returns a NULL ccache.
ticket: new
target_version: 1.6
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18820 dc483132-0cff-0310-8789-dd5450dbe970
|
|
(krb5_rd_req_decoded_opt): Include more info in error text for AP_WRONG_PRINC
and NOPERM_ETYPE errors.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18817 dc483132-0cff-0310-8789-dd5450dbe970
|
|
* locate_kdc.c (krb5int_locate_server): Store an error message for
REALM_CANT_RESOLVE error that lists the realm.
ticket: new
target_version: 1.6
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18816 dc483132-0cff-0310-8789-dd5450dbe970
|
|
* krb5/krb/vfy_increds.c (krb5_verify_init_creds): If krb5_cc_gen_new fails,
don't both close and destroy the template ccache.
* gssapi/krb5/accept_sec_context.c (rd_and_store_for_creds): Likewise.
ticket: new
target_version: 1.6
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18815 dc483132-0cff-0310-8789-dd5450dbe970
|
|
* preauth_plugin.h (enum krb5plugin_preauth_client_request_type): Omit trailing
comma.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18814 dc483132-0cff-0310-8789-dd5450dbe970
|
|
* libkdb_ldap/ldap_realm.c (ignore_duplicates, compare): Unused functions deleted.
(krb5_ldap_modify_realm, krb5_ldap_read_realm_params): Conditionalize declarations of
automatic variables that are only used for eDirectory.
* libkdb_ldap/ldap_service_stash.c (tohex): Use one sprintf call instead of two.
(dec_password): Use an unsigned type to fetch values with %x.
* libkdb_ldap/ldap_realm.h (ldap_filter_correct): Declare.
* libkdb_dlap/ldap_misc.c (my_strndup): Only define if HAVE_LDAP_STR2DN.
(populate_krb5_db_entry): Remove unused automatic variable.
* ldap_util/kdb5_ldap_util.c (cmd_table): Fix typo in preprocessing conditional.
* ldap_util/kdb5_ldap_realm.c (get_ticket_policy): Declarations first, then code.
* ldap_util/kdb5_ldap_services.c (kdb5_ldap_stash_service_password): On error, increment
exit_status; don't return a value.
* ldap_util/kdb5_ldap_services.h (kdb5_ldap_stash_service_password): Update decl.
ticket: new
target_version: 1.6
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18813 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Patch from 13 November from Savitha R:
> Fix for delpol deleting ticket policies
> Removed references to old schema
> Moved some unused code under #ifdef HAVE_EDIRECTORY
ticket: new
target_version: 1.6
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18812 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Added KRB5INT_KRB4_DEPRECATED and KRB5INT_DES_DEPRECATED.
ticket: new
target_version: 1.6
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18811 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Update copyrights and acknowledgments for 1.6.
ticket: new
target_version: 1.6
component: krb5-doc
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18805 dc483132-0cff-0310-8789-dd5450dbe970
|
