Commits on Dec 28, 2009
  1. make reindent

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23526 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 28, 2009
Commits on Dec 23, 2009
  1. Declare functions in this header inline to avoid warnings for unused code.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23518 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  2. Implement server side of PA_PKINIT_KX for anonymous draft.

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23517 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  3. Always supply a padata item to the return callback in a preauth plugin so that callback can determine what type of padata it is requested to return. If there is no item in the request, synthesize an empty one.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23516 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  4. Move symbols needed by pkinit pa_pkinit_kx to k5-int-pkinit.h

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23515 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  5. Client side of PA_PKINIT_KX

    The anonymous draft specifies the use of PA_PKINIT_KX to confirm that
    both the client and KDC contributed to the session key and to confirm
    the session key is fresh.  Implement client support for this item.
    
    * krb5.hin: define padata and key usage constants
    * get_in_tkt.c: New function verify_anonymous to perform verification
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23514 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  6. Fix prototype

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23513 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  7. Add support for kadmin -n

    Add support for the -n option to kadmin to support anonymous
    
    * kadm5_init_anonymous: new API
    * kadmin.c: use it
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23512 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  8. Change kinit -n logic to support an interface for both fully and

    partially anonymous principals.
    
    * New API krb5_get_init_creds_opt_set_anonymous
    * In krb5_get_init_creds_init, map @REALM to WELLKNOWN/ANONYMOUS@REALM
    * Change logic for what canonicalization is acceptable to support realm-exposed anonymous principals too
    * Use the above in kinit
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23511 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  9. kadmin: Support canonicalization of client name by KDC

    For fully anonymous kadmin, the KDC will change the realm to the
    anonymous realm.
    
    * kadm5_init_creds_iter: let get_init_creds store the credentials
    * krb5_setup_gss: If we obtained creds (instead of getting them passed in) then use the default client name
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23510 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  10. Per discussion with Greg and Luke, hold an alias to the out_ccache.

    There is some ambiguity in whether it is appropriate for
    get_init_creds_opts to hold an alias.  However if it is going to copy
    the ccache, we all believe that a duplicate routine in ccfns.c is
    preferred.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23509 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  11. Use global constant for string components of anonymous and wellknown

    names.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23508 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  12. Ignore transited realm checking for anonymous realm

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23507 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  13. Add kinit -n for anonymous

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23506 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  14. Permit the realm to be canonicalized from any realm to the anonymous

    realm when anonymous is requested even when the principal is not a TGS
    principal.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23505 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  15. Subject: pkinit authentication only works for TGT

    ticket: 6605
    Pkinit's verification of the KDC SAN requires that the certificate
    have a SAN for the server principal.  That's not correct according to
    RFC 4556.  The KDC should have a SAN for the TGS principal; that's
    independent of whether the TGS principal is actually the server.
    
    Fix to build the TGS principal explicitly.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23504 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  16. Implement support for the anonymous name type in GSS-API

    * Import GSS_C_NT_ANONYMOUS as WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
    * the display text of the anonymous name is the krb5 principal, but the nametype is set to GSS_C_NT_ANONYMOUS
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23503 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  17. Anonymous client side support.

    * Permit realm canonicalization for anonymous principals
    * If we are requesting anonymous tickets, set the KDC option and name type
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23502 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  18. Change krb5_get_ap_tag macro to remove warnings.

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23501 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  19. KDC policy handling for anonymous tickets:

    * In TGS, set the anonymous flag if the anonymous flag is set in the AS
    * Only authdata systems that support anonymous are called for anonymous tickets
    * Currently we copy authdata from request and TGT but nothing else
    
    Note that if we support anonymous TGS requests in the future, copying
    authdata from the TGT would be the wrong thing to do in that case.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23500 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  20. Also update principal in reply

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23499 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  21. Correct logic in client plugin

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23498 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  22. Set anonymous ticket flag

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23497 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  23. Update flag values for anonymous kdc option and ticket flag

    per discussion with Tom
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23496 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  24. Only check for anonymous if pkinit_identity is given a principal; the KDC does not pass in a principal
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23495 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  25. Because there is only one realm field in the kdc request, the KDC

    remaps WELLKNOWN/ANONYMOUS@realm to
    WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS.
    
    In the client pkinit plugin, do not require that the anonymous realm be used for the anonymous principal.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23494 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  26. Implement support for unsigned pkinit messages.

    * cms_signeddata_verify will take a ContentInfo as well as SignedData and returns an indication of whether a message is signed
    * Accept unsigned authpacks in the anonymous case.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23493 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  27. Subject: ad-initial-verified-cas logic broken

    ticket: 6587
    status: open
    
    In the initial pkinit implementation, the server plugin generates an
    incorrect encoding for ad-initial-verified-cas.  In particular, it
    assumes that ad-if-relevant takes a single authorization data element
    not a sequence of authorization data elements.  Nothing looked at the
    authorization data in 1.6.3 so this was not noticed.  However in 1.7,
    the FAST implementation looks for authorization data.  In 1.8 several
    more parts of the KDC examine authorization data.  The net result is
    that the KDC fails to process the TGT it issues.
    
    However on top of this bug, there is a spec problem.  For many of its intended uses, ad-initial-verified-cas needs to be integrity protected by the KDC in order to prevent a client from injecting it.  So, it should be contained in kdc-issued not ad-if-relevant.
    
    For now we're simply removing the generation of this AD element until the spec is clarified.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23492 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  28. Revert "In case of anonymous client principal, use the realm of the server"
    
    This reverts commit 34d2748e9052debc6a061911c2c786b46507b531.  As the
    entire working group has apparently forgotten, the KDC-REQ body only
    has one realm field.  That's used in an AS REQ for both the server and
    client realm.  So, in the anonymous pkinit case, I think we want to
    send using a client of WELLKNOWN/ANONYMOUS@REAL_REALM.  Waiting to
    hear back from the WG on this.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23491 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  29. In case of anonymous client principal, use the realm of the server

    principal or if not specified the default realm for determining what
    KDC to contact.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23490 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  30. If the anonymous principal is used, then do not initialize the

    identity context.
    
    # Please enter the commit message for your changes. Lines starting
    # with '#' will be ignored, and an empty message aborts the commit.
    # On branch anonymous
    # Your branch is ahead of 'krb5/trunk' by 3 commits.
    #
    # Changes to be committed:
    #   (use "git reset HEAD <file>..." to unstage)
    #
    #       modified:   ../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
    #       modified:   ../src/plugins/preauth/pkinit/pkinit_identity.c
    #
    # Untracked files:
    #   (use "git add <file>..." to include in what will be committed)
    #
    #       ./
    #       ../src/include/autoconf.stmp
    #       ../static/
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23489 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  31. Add cms_contentinfo_create to create the pkinit content info; this is

    sent directly for anonymous pkinit and is signed as part of normal
    pkinit.
    
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23488 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  32. signed vs unsigned fixes

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23487 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  33. Add anonymous principal and name type

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23486 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009
  34. anonymous branch

    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23485 dc483132-0cff-0310-8789-dd5450dbe970
    hartmans committed Dec 23, 2009