Current File : //usr/share/doc/pkinit-nss-0.7.6/ChangeLog
commit f346647f10773a4e9a07c4ea0bb1c44f7d72a4b2
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Fri Aug 22 15:56:24 2008 -0400

    - fix distdir
    - add a LINGUAS file
    - update the .pot file

M	Makefile.am
A	po/LINGUAS
M	po/pkinit-nss.pot

commit 88cc292a69b644cb29921850b4b24bec1eddc43c
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Fri Aug 22 15:51:17 2008 -0400

    fix tag name generation

M	Makefile.am

commit c26afaeedde2aa22cf5ef81c7e7a62ecf3be1534
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Fri Aug 22 15:46:44 2008 -0400

    - try to get the tagging/release targets to work right now that we've moved to
      git as the SCM

M	Makefile.am

commit 66227fc86891cebe49e419c0f49fe44492ff10a1
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Fri Aug 22 15:42:09 2008 -0400

    - accept and parse a set of whitespace-separated rules for "pkinit_cert_match"

M	doc/CONFIGURATION
M	src/certs.c

commit 54c3c05bad1ef922956caa279fbd183a2492811a
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Fri Aug 22 15:14:08 2008 -0400

    - warn if no rules match

M	src/certs.c

commit 11585520a307192e01174834f685f2e92405612e
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Fri Aug 22 14:47:24 2008 -0400

    - change the order of things so that we search for matches for all rules in a
      particular slot or bag before moving on to another slot or bag, instead of
      searching all slots and bags for the first rule before searching all slots
      and bags for the second rule

M	src/certs.c

commit 5387a2d103f38eb0f03f2c516f32c204e466437e
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Fri Aug 22 14:38:51 2008 -0400

    - start on support for handling lists of matching rules

M	src/certs.c

commit 908805648540ac2b1fe696334e0ee106c385dd7e
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Fri Aug 22 12:30:15 2008 -0400

    - add more detail about when things match or don't match matching rules

M	src/certs.c

commit bd2560642efc3c6d56e5a22514f4b4f51afd4dea
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Thu Aug 21 20:13:48 2008 -0400

    - free extension values when we finish examining them
    - free rules retrieved from appdefaults when we finish parsing them

M	src/certs.c

commit 81592c1841a372ed93bfcb6a5eb5d2a30f776e2f
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Thu Aug 21 20:10:15 2008 -0400

    - also free the draft PA-PK-AS-REQ, and both when retrying

M	src/pkinit.c

commit abeaf0ae351393a44f8c079cd22869e7b52e5fe4
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Thu Aug 21 20:07:25 2008 -0400

    - free preauth arguments when we're finished with them
    - don't leak our local copies of configuration settings
    - free the PA-PK-AS-REQ after we've copied it into the preauth structure

M	src/pkinit.c

commit d9c3de79c2316a703fc881d6bc85ab9c40ccaf82
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Thu Aug 21 20:06:51 2008 -0400

    - free the keys in the list of keys

M	src/aabag.c

commit c5f4855fdb10b6c90035f09dd41e74edbb267e8e
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Thu Aug 21 20:06:25 2008 -0400

    - move the value of a signature from the heap into a pool so that we don't leak

M	src/bcmst.c

commit eaee97a7d6f34c47f7058d8408187445fb640c3b
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Wed Aug 20 18:11:30 2008 -0400

    - doc updates on fixes and new additions

M	NEWS
M	configure.ac
M	doc/CONFIGURATION
M	doc/README

commit 70665e622f6c55e67898b2faacbd4909821090e2
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Wed Aug 20 18:11:05 2008 -0400

    - stop reversing subject names

M	doc/openssl/make-certs.sh

commit 1f91effea75db74bdcba6e05c69f51cea5ea9b27
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Wed Aug 20 17:37:01 2008 -0400

    - tweak some debugging log messages

M	src/certs.c

commit b7e3dc53ab5cf998aef20ea3a4bc96a4521093c7
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Wed Aug 20 17:27:59 2008 -0400

    - change certificate selection so that we look for acceptable certificates in
      * the preferred slot
      * the bag
      * each logged-in slot
      * each not-logged-in slot
      and if we find exactly one right certificate in any of these places, we use it

M	src/certs.c

commit bc2b033c79d069f6659987cd1568ba730d7c8dc0
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Wed Aug 20 17:27:36 2008 -0400

    - try to avoid holding more than one copy of a given key or certificate

M	src/aabag.c

commit eb294d2d8c9884a775f1762bbd7774ada3fceda8
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Wed Aug 20 17:26:58 2008 -0400

    - heed a request for a minimum DH prime size more than a preferred group number

M	src/oakley.c
M	src/oakley.h
M	src/pkinitt.c

commit 95573e8271763181cdc9855579e181e819731d2b
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Tue Aug 19 18:52:11 2008 -0400

    - add logic for certificate matching using "pkinit_cert_match"

M	src/certs.c

commit 09e6b9e7c5c5e7f66600880769880c5ff8303d74
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Tue Aug 19 18:51:09 2008 -0400

    - provide a flag to change matching behavior to match the configuration (so
      that we don't make the KDC start matching based on client-only preferences)

M	src/certs.h
M	src/pkinit.c

commit 62722299b1ed63f8f166055fdd3d0bedba07ea76
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Tue Aug 19 16:19:21 2008 -0400

    - add cert_eku_matches_text, for checking if a certificate contains any subset
      of
         pkinit
         msScLogin
         clientAuth
         emailProtection
    - add cert_ku_matches_text, for checking if a certificate contains any subset of
         digitalSignature
         keyEncipherment

M	src/certs.c

commit 365cba328277153e9ab90350e6730baeb4a2e9c5
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Tue Aug 19 15:17:38 2008 -0400

    - accept "pkinit_kdc_hostname" as an alias for "trusted_hosts", as a way to
      specify an acceptable DNS name in a KDC's certificate's SAN list or subject
      name
    - support "pkinit_eku_checking" in combination with "pkinit_kdc_hostname"

M	src/certs.c

commit 29bd5a6182c55306671641924981ccebf7a962e6
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Tue Aug 19 15:15:46 2008 -0400

    - accept "pkinit_require_ocsp_checking" as an alias for "ocsp_checking", to
      more closely mimic the "pkinit_require_crl_checking" option
    - accept "pkinit_dh_min_bits" as an alias for "minimum_dh_prime_size"

M	src/pkinit.c

commit 2186f7616938cf938c99bc0224547474ef57b274
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Mon Aug 18 19:28:03 2008 -0400

    - update copyright date

M	src/bcmst.c

commit 161fd438aa4f7767ba66784b51f1d44f623281c6
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Mon Aug 18 19:23:16 2008 -0400

    - decode server_dh_nonce correctly
    - add rsa-with-sha256/384/512 signature types to what we advertise being
      able to cope with
    - add rsa as a public encryption type we advertise supporting
    - add aes/des/rc2 as symmetric encryption types we advertise supporting
    - handle encapsulated signed-data wrapped in ANY rather than OctetString

M	src/pkinitt.c

commit 10052c429bb95380f0f76f86910e0abc068b5823
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Mon Aug 18 19:22:47 2008 -0400

    - generate signed-data items with version=3 rather than version=1, which
      WS2008 seems to prefer

M	src/bcmst.c

commit 2d7c3188e16b10ad810e2431f4b7d8d136a52e9f
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Thu Aug 14 17:30:00 2008 -0400

    - up the default key size
    - generate an ocsp signing cert
    - allow keyusage "all"
    - mark keyusage and ca extensions as critical

M	doc/openssl/make-certs.sh

commit 919f4acc7560e5ade3c7a9cf8272ed756ba7f755
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Thu Aug 14 17:28:28 2008 -0400

    - accept either "pkinit-rkey-data" or "data" as signed payload when we're
      expecting reply data

M	src/pkinitt.c

commit bf391d429ea6033e42f5743d4dc14876f00bddba
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Wed Aug 13 19:03:02 2008 -0400

    - handle cases where the signed data in an enveloped data item is encoded as
      an ANY rather than as an OctetString, which is what we'd expected, by
      rewrapping data ourselves and attempting to parse it as a ContentInfo
      before falling back on our previous behavior

M	src/pkinitt.c

commit 5e2a037b2b1dafcd0a65e7f6ffe3159933e1e595
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Tue Jul 29 17:56:17 2008 -0400

    - add certificate policies

M	doc/openssl/make-certs.sh

commit 256ae33c6afd34fd7b8a058c1ec45ae997c23ff6
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Tue Jul 29 17:35:35 2008 -0400

    - advertise that we know about sha256/384/512

M	src/pkinitt.c

commit 0e251eb25dc5437f5b065209f274c5df55bc953e
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Tue Jul 29 17:35:15 2008 -0400

    - add the LINGUAS file

M	po/Makefile.in.in

commit 31f2cf0278ceb14077a5a653104fa2fb00aba68f
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Tue Jul 29 17:33:10 2008 -0400

    - build the CA cert after we've parsed arguments for ocsp and crl locations
    - generate an empty crl whenever we run

M	doc/openssl/make-certs.sh

commit ffba4dea43dd901aa9497e27c9d622ff9eede574
Author: Nalin Dahyabhai <nalin.dahyabhai@pobox.com>
Date:   Thu Jul 24 14:42:37 2008 -0400

    - fix an error decoding a kdc request

M	src/pkinitt.c

commit 2f8ffb6a16e9d8d145601ebc2d4fe1aa6eb11f07
Author: Peter Sulyok <peti@sulyok.hu>
Date:   Wed Apr 30 05:15:28 2008 +0000

    2008-04-30  Peter Sulyok <peti@sulyok.hu> (via peti@fedoraproject.org)
    
      * po/hu.po: Initial Hungarian translation

A	po/hu.po

commit a852f5ff42394e3298517f7fce7ae8cee2988acf
Author: Miloš Komarčević <kmilos@gmail.com>
Date:   Fri Apr 4 09:06:00 2008 +0000

    2008-04-04  Miloš Komarčević <kmilos@gmail.com> (via kmilos@fedoraproject.org)
    
      * po/sr@latin.po: Initial commit of Serbian Latin translation

A	po/sr@latin.po

commit 5fd4f24cfd2e35e64671f241bec4dfe7725badcd
Author: Miloš Komarčević <kmilos@gmail.com>
Date:   Fri Apr 4 09:03:58 2008 +0000

    2008-04-04  Miloš Komarčević <kmilos@gmail.com> (via kmilos@fedoraproject.org)
    
      * po/sr.po: Initial commit of Serbian translation

A	po/sr.po

commit a7da3416a361f2ac1794414569a090913746800d
Author: Diego Búrigo Zacarão <diegobz@gmail.com>
Date:   Sat Mar 22 18:30:06 2008 +0000

    2008-03-22  Diego Búrigo Zacarão <diegobz@gmail.com> (via
    diegobz@fedoraproject.org)
    
      * po/pt_BR.po: Added initial pt_BR translation

A	po/pt_BR.po

commit dfa948a997884986f4745d21d84d83595cdae756
Author: Rondeau Matt <rondeau.matthieu.r@gmail.com>
Date:   Fri Mar 21 14:44:02 2008 +0000

    2008-03-21  Rondeau Matt <rondeau.matthieu.r@gmail.com> (via
    mattr@fedoraproject.org)
    
      * po/fr.po: Updated French translation

A	po/fr.po

commit 2a1b6b09807086fd08a3e69713bf9d807761ab59
Author: Francesco Tombolini <tombo@adamantio.net>
Date:   Fri Mar 21 02:05:54 2008 +0000

    2008-03-21  Francesco Tombolini <tombo@adamantio.net> (via
    tombo@fedoraproject.org)
    
      * po/it.po: first it trans

A	po/it.po

commit 9ddda0794efc38c9d05077be25f4423d8dfd51f8
Author: Mostafa Daneshvar <mostafa@daneshvar.org.uk>
Date:   Thu Mar 20 10:42:38 2008 +0000

    2008-03-20  Mostafa Daneshvar <mostafa@daneshvar.org.uk> (via
    lashar@fedoraproject.org)
    
      * po/bal.po: Balochi

A	po/bal.po

commit ab94c971380d746885773323050ff5e6e35a27d0
Author: Alexander Todorov <atodorov@redhat.com>
Date:   Thu Mar 20 09:49:17 2008 +0000

    2008-03-20  Alexander Todorov <atodorov@redhat.com> (via
    atodorov@fedoraproject.org)
    
      * po/bg.po: Added Bulgarian translation

A	po/bg.po

commit e8d4e98b86599c6a92277c8d3efb5bfd0a8901e6
Author: Piotr Drąg <piotrdrag@gmail.com>
Date:   Wed Mar 19 17:51:10 2008 +0000

    2008-03-19  Piotr Drąg <piotrdrag@gmail.com> (via raven@fedoraproject.org)
    
      * po/pl.po: Initial Polish translation

A	po/pl.po

commit 73f25bb51e75f487fa5fdf126faae57ffff10899
Author: Fabian Affolter <fabian@bernewireless.net>
Date:   Tue Mar 18 00:07:23 2008 +0000

    2008-03-18  Fabian Affolter <fabian@bernewireless.net> (via
    fab@fedoraproject.org)
    
      * po/de.po: Initial German version

A	po/de.po

commit cbf8bfa18032e5211605ab5604d10344515f58a4
Author: Miloslav Trmac <mitr@redhat.com>
Date:   Mon Mar 17 21:23:17 2008 +0000

    2008-03-17  Miloslav Trmac <mitr@redhat.com> (via mitr@fedoraproject.org)
    
      * po/cs.po: Add Czech translation.

A	po/cs.po

commit c92d317ba378aeee4b1b95e6c700fabc384479c7
Author: nalin <nalin>
Date:   Tue Oct 23 21:03:02 2007 +0000

    update NEWS

M	NEWS

commit 89f903534f1b518be6a2c1f5542e76ab57e86137
Author: nalin <nalin>
Date:   Tue Oct 23 20:58:56 2007 +0000

    - whoops, add a missing header file to the tarball

M	Makefile.am
M	po/pkinit-nss.pot

2007-10-22 nalin
	* configure.ac: check for 1.6.3.
	* backport-1.6.3: add.

2007-07-11 nalin
	* src/pkinit.c: initialize "name" to avoid displaying a garbage pointer
	when using software certs (#247889)
	* configure.ac: bump version to 0.7.3, tag

2007-06-21 nalin
	* configure.ac: bump version to 0.7.2, tag

2007-06-21 nalin
	* src/pkinit.c: don't leak appdefault strings.

2007-06-21 nalin
	* src/pkinit.c(struct module_context): add locations to store typed
	data which we get back from the KDC during try-again processing.  A
	KDC is only expected to hand back one type of data per error, but in
	case we get multiple errors back (for example, unacceptable DH
	parameters AND unverifiable certificates), we need to keep track of
	things it's told us before.
	* src/pkinit.c(client_gic_opts,client_try_again): note which
	parameters we currently ignore.
	* src/pkinit.c(client_process): let "minimum_dh_prime_size" be
	specified on the command line as well.
	* src/pkinit.c(client_try_again): store typed-data which we get as
	edata for possible use in future iterations.

2007-06-20 nalin
	* src/pkinit.c: learn to spew debug at stdout, and to pick up debug
	settings from the command line

2007-06-20 nalin
	* src/aabag.c: rework caching of encrypted items so that we don't
	spew confusing error messages, and so that we prompt using the
	filename.

2007-06-20 nalin
	* src/aabag.c(aa_item_copy,aa_item_in_list): add, to avoid attempts
	to decrypt any given chunk of encrypted data more than once.

2007-06-08 nalin
	* src/pkinit.c: un-"const" a couple of initialization data lists,
	to quiet some compiler warnings which showed up when they were made
	const.

2007-06-08 nalin
	* src/pkinit.c: add CMS enctypes to our requests to be helpful.

2007-06-08 nalin
	* src/pkinitt.c(pkinit_create_auth_pack): pass a NULL item in as the
	algorithm parameters for the supportedCMStypes algorithmInfo list for
	SEC_OID_CMS_3DES_KEY_WRAP and SEC_OID_MD5, instead of just omitting
	them as we had been doing.

2007-06-08 nalin
	* src/bcmst.c,src/certs.c: move find_key_for_cert to certs and make
	it non-static.
	* src/certs.c(cert_ku_matches_mask): remove; should have just been
	using CERT_CheckCertUsage(), which does the same thing.
	* src/certs.c(cert_validate_kdc_certificate,
	cert_validate_client_certificate): call out
	SEC_ERROR_INADEQUATE_CERT_TYPE as a known error, log a debug message
	when we reject a certificate because it can't be used for signing.
	* src/certs.c(cert_have_key_for_cert): add.
	* src/certs.c(cert_verify_cert_for_encryption): don't leak a ref
	to the cert when the certificate passes the check.

2007-06-08 nalin
	* doc/openssl/make-certs.sh: be able to make DSA certs, even if we
	mightn't support them just yet.

2007-06-05 nalin
	* configure.ac: bump version to 0.7.1, tag

2007-05-31 nalin
	* src/get-pkinit-san.c(pkinit_from_other_names): expand the list of
	returned values correctly.

2007-05-31 nalin
	* src/aabag.c(PKINIT_CA_TRUST_FLAGS): add CERTDB_VALID_PEER to the
	list of flags we add to CA certificates.

2007-05-30 nalin
	* src/certs.c(cert_find_preferred_cert_using_slot_or_bag): don't barf
	on empty certificate lists.

2007-05-30 nalin
	* src/pkinit.c(server_verify): load text certs and keys before
	verifying the client's request, not before generating our response
	when it might be too late for the client.

2007-05-30 nalin
	* src/bcmst.c: handle the should-never-happen list-with-nothing-in-it
	case.

2007-05-30 nalin
	* src/aacat.c: handle the should-never-happen list-with-nothing-in-it
	case.

2007-05-30 nalin
	* src/aabag.c(aa_bag_find_cert_by_subject): don't barf on empty lists.

2007-05-30 nalin
	* configure.ac: bump version to 0.7.0, tag.

2007-05-30 nalin
	* src/pkinit.c(pkinit_init): read locations of cert and key files
	from the configuration.
	* src/pkinit.c(client_gic_opt): add, for scanning options.
	* src/pkinit.c(client_process): override locations of cert and key
	files from options, load up the bag.
	* src/pkinit.c(server_get_edata,server_return): load up the bag.

2007-05-30 nalin
	* src/certs.c(cert_find_cert_issuer): search the bag, too.
	* src/certs.c(cert_find_preferred_cert_using_slot_or_bag): rename
	from cert_find_preferred_cert_using_slot, search the bag if there's
	no slot provided.
	* src/certs.c(cert_find_preferred_cert): search bags, too.

2007-05-30 nalin
	* src/bcmsutil.c: prescreen certificates.  Use the right list of
	directories for loading CA certificates.

2007-05-30 nalin
	* src/bcmst.c: dump trust values when we walk the certifying chain.

2007-05-30 nalin
	* src/aabag.c: don't use glob(), which doesn't pick up symlinks.  Fix
	reference counting of keys and certificates.  Fix trust flags given to
	certificates we read.

2007-05-30 nalin
	* src/get-pkinit-san.c: add.

2007-05-30 nalin
	* doc/openssl/make-certs.sh: add dataEncipherment when encryption
	is requested.

2007-05-30 nalin
	* configure.ac: fix checking for working --as-needed flag, avoid
	pulling in libkrb5 more than once when checking if certain functions
	are provided.

2007-05-29 nalin
	* doc/openssl/make-certs.sh: always create a ca.client.crt file,

2007-05-28 nalin
	* doc/openssl/make-certs.sh: move subordinate CAs into subdirectories,
	add nsComment to the top-level CA, create certificate chain files.

2007-05-28 nalin
	* autogen: pick up $CFLAGS from the environment, too

2007-05-28 nalin
	* src/pkinit.c: create bags.

2007-05-28 nalin
	* src/pkinitt.c: update for API changes elsewhere.

2007-05-28 nalin
	* src/bcmsutil.c: use bags.

2007-05-28 nalin
	* src/bcmst.c: update for API changes elsewhere.

2007-05-28 nalin
	* src/certs.c(cert_find_cert_issuer): add, wrapping up the internal
	NSS database with a bag.
	* src/certs.c(cert_find_preferred_cert,cert_validate_client_cert,
	cert_validate_kdc_cert): take a searchable bag.

2007-05-28 nalin
	* src/aabag.c,src/aacat.c: redesign the whole thing so that I don't
	end up having to cart multiple bags around later.

	* src/aacat.c: load non-directories as we would files.

2007-05-25 nalin
	* src/aacat.c(main): clean up the certificate and key lists before
	shutting down NSS.

2007-05-23 nalin
	* src/bcmsutil.c(main),src/aacat.c(main): fix "bag" being uninitialized.

2007-05-23 nalin
	* src/fragment/openp12.c,src/fragment/openmod.c: correct a couple of
	compiler warnings.

2007-05-22 nalin
	* src/pkinit.c: update for api changes elsewhere.

2007-05-22 nalin
	* src/bcmsutil.c: open a bag if we're told to open one.

2007-05-22 nalin
	* src/pkinitt.c(pkinit_create_draft_pa_pk_as_req,
	pkinit_create_pa_pk_as_req,pkinit_build_reply_key_pack,
	pkinit_build_dh_key_info,pkinit_create_pa_pk_as_rep,
	pkinit_verify_enc_key_pack_common,pkinit_verify_draft_pa_pk_as_rep,
	pkinit_process_enc_key_pack,pkinit_verify_pa_pk_as_rep): pass in a
	bag and password callback.

2007-05-22 nalin
	* src/bcmst.c(find_key_for_cert): search the usual locations for the
	private key which corresponds to a cert, and then search a passed-in
	bag.
	* src/bcmst.c(bcms_add_signer_to_signed_data,bcms_create_signed_data,
	bcms_recover_enveloped_data_key,bcms_extract_enveloped_data): take a
	certdb, a bag, and a password callback.

2007-05-22 nalin
	* src/certs.c(cert_find_preferred_cert): add a debug message when
	we determine that we need to log into a device.

2007-05-22 nalin
	* src/commont.c: add a comment to the location of the definition of
	an AES IV. Remove unused variables.

2007-05-22 nalin
	* src/certhash.c: read a certificate, and produce a hash of its
	subject.

2007-05-22 nalin
	* src/aacat.c: exercise the aabag APIs.

2007-05-22 nalin
	* src/aabag.c: add a container for holding temporary certs and keys
	read from flat files.

2007-05-22 nalin
	* src/bpk5.c(bpk5_pbkdf1): add pkcs5 password-based key derivation.

2007-05-17 nalin
	* tag 0.6.1

2007-05-17 nalin
	* src/pkinit.c(server_get_flags): if "is_hw" is true, advertise that
	we can do hardware preauthentication to the KDC.

2007-05-04 nalin
	* tag 0.6.0
	* Makefile.am: define %{dist} to %{nil} before querying for the
	release number from the .spec file
	* NEWS: add.

2007-04-25 nalin
	* src/bcmst.c: add definition/template/encoder/decoder for
	EncryptedData.

2007-04-25 nalin
	* src/pkinitt.c: remove a few unused variables, remove an unnecessary
	typecast.

2007-04-25 nalin
	* configure.ac,src/pkinit.c: handle cases where preauth_plugin.h
	requires the krb5_gic_opt_pa_data data type and krb5.h didn't provide
	it, even as a stub, yet.

2007-04-25 nalin
	* src/pkinit.c: fix argument order for the client_process() function,
	from Jacob Berkman.  Fix arguments for client_tryagain().

2007-04-25 nalin
	* backport-1.6.1: actually commit the new files.

2007-04-24 nalin
	* configure.ac: define PKINIT_CLIENT_MISSING_GIC_OPTS instead of
	PKINIT_DONT_USE_GIC_OPTS.
	* src/pkinit.c: key off of PKINIT_CLIENT_MISSING_GIC_OPTS instead
	of PKINIT_DONT_USE_GIC_OPTS.

2007-04-24 nalin
	* Makefile.am,backport-1.6.1: add headers from 1.6.1.
	* configure.ac: check for 1.5/1.6/1.6.1.  Provide a --with-krb5-version
	option to override autodetection.  Define PKINIT_USE_PAL_BACKPORT
	and PKINIT_DONT_USE_GIC_OPTS instead of the more not namespaced
	USE_PAL_BACKPORT and DONT_USE_GIC_OPTS defines.
	* src/pkinit.c(client_gic_opts): add a stub.
	* src/pkinit.c(client_process): expect an "opts" argument if
	PKINIT_CLIENT_PROCESS_MISSING_OPT isn't defined.
	* src/pkinit.c(preauthentication_client_0): point to client_gic_opts
	if PKINIT_DONT_USE_GIC_OPTS isn't defined.

2007-04-24 nalin
	* autogen: drop --enable-debugging -- we're always debuggable now.

2007-04-24 nalin
	* src/bcmst.c(compare_issuer_and_sn,find_cert_by_issuer_and_sn): add.
	From Jacob Berkman.
	* src/bcmst.c(find_cert_from_rid): use find_cert_by_issuer_and_sn()
	instead of CERT_FindCertByIssuerAndSN().  From Jacob Berkman.

2007-04-23 nalin
	* ChangeLog: er, 2007, not 2006.
	* src/pkinitt.c: add routines specifically for decoding typed_data.

2007-04-23 nalin
	* src/pkinit.c(client_process): accept host names in various places.
	Rename authorization_data variables to indicate that they're really
	typed_data.

2007-04-23 nalin
	* src/certs.c(cert_get_oid_pkinit_rkey_data_oid,
	cert_get_oid_pkinit_auth_data_oid): add.
	* src/certs.c(check_item_in_list): factor out a routine for checking
	for a value in a list.
	* src/certs.c(cert_san_matches_dns_for_realm): add a check to see if
	the certificate in question contains a commonName in its subject or a
	dnsName subjectAltName with a value which matches the realm's
	"trusted_servers" setting.
	* src/certs.c(cert_is_preferred): check for a matching DNS name.
	* src/certs.c(cert_validate_kdc_certificate): check for a matching
	DNS name for the KDC in combination with SSL ServerAuth or KDC key
	EKU values.
	* doc/CONFIGURATION: note "trusted_servers"

2007-02-06 nalin
	* src/bcmst.c(external_principal_identifier_template): mark the
	subject_key_identifier as explicit, even though it's not, so that
	NSS will add and strip the octet-string wrapper for us, making it
	easier to use and compare values in CERTCertificate structures.

2007-02-06 nalin
	* src/commont.c(common_generate_content_encryption_key_aes): Add.
	* src/bcmst.c(bcms_extract_enveloped_data): Learn to parse AES
	parameters (an IV).
	* src/bcmsutil.c(main): add options for specifying use of
	AES128/AES256 keys for bulk encrypting the enveloped data.
	* src/bcmsutil.c(usage): document the new AES options, plus the old
	DES and RC2 options.
	* src/certs.c(cert_is_preferred): debug log when we find a banned cert
	or one which chains up to a trusted certifiers.
	* src/pkinit.c(client_try_again): debug log how many trusted
	certifiers or invalid certificates the KDC told us about.
	* src/pkinitt.c,src/bcmst.c: debug log key sizes when handling
	enveloped data.

2007-02-06 nalin
	* src/certs.c(bcms_extract_enveloped_data): note what the unsupported
	encryption algorithm is, for troubleshooting.
	* src/pkinitt.c(pkinit_create_trusted_certifiers_edata): fix encoding
	of trusted-certifiers.

2007-02-06 nalin
	* src/bcmst.c(bcms_add_signer_to_signed_data): insert the signing time
	into the list so that the encoding comes out with the items sorted, as
	required by CMS.
	* src/certs.c(cert_validate_{client,kdc}_certificate): add a specific
	log for unknown-issuer errors.
	* src/certs.c(cert_validate_client_certificate): catch and add e-data
	for revoked-certificate errors.  Return KDC_ERR_CLIENT_NAME_MISMATCH
	instead of KDC_ERR_CERTIFICATE_MISMATCH in the event of a name mismatch.

2007-02-05 nalin
	* src/certs.c,src/pkinit.c: certificate nicknames can be NULL; guard
	against that.
	* src/pkinitt.c(pkinit_encode_authorization_data): use the right
	template, correctly pass the array to the encoder.
	* src/pkinitt.c(pkinit_create_typed_datum): return a datum structure,
	which the caller will have an easier time processing.
	* src/pkinitt.c(pkinit_create_invalid_certificates_edata,
	pkinit_create_trusted_certifiers_edata,
	pkinit_create_dh_parameters_edata): encode the error data correctly.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_req): fix checking of the DH
	prime length.
	* src/pkinit.c(client_try_again): fix parsing of error data from the
	KDC: it's a sequence of typed-data, not just one.
	* src/certs.c(cert_validate_kdc_certificate): directly interpret some
	of the more expected errors for the log.
	* src/certs.c(cert_validate_client_certificate): directly interpret
	some of the more expected errors for the log.  Report invalid cert
	with e_data for revoked certificates.
	* src/bcmst.c: use the subjectName, not the possibly-NULL nickname, in
	a debug message.
	* src/commont.c: take care that integers are encoded so that they come
	out unsigned.

2007-02-05 nalin
	* src/pkinit.c: make the location of the client and server
	key/cert/token database configurable.

2007-02-05 nalin
	* configure.ac: check for 1.7-specific gic_opts callback functions.
	* configure.ac: bump version to 0.5.0.

2007-02-05 nalin
	* configure.ac: fixup logic so that we can tell the difference between
	1.5 without preauth_plugin.h (where the backport forces changes in the
	symbol names for safety's sake) and 1.6 without preauth_plugin.h.
	* src/bcmst.c: fix naming of sequence_of_algorithm_identifier.
	* src/bcmst.c(bcms_decode_sequence_of_algorithm_identifier): Add.
	* src/bcmst.c(bcms_get_trusted_{client_,kdc_,}certifier_list): Add.
	* src/certs.c(cert_matches_epi): factor this out, because it's getting
	too large for repeated code.
	* src/certs.c(cert_is_preferred): also provide an option to specify a
	list of banned external_principal_identifier structures, for cases
	where the KDC sends back info that one had an invalid signature.
	* src/certs.c(cert_validate_{client,kdc}_certificate): use the verify
	function which gives us a log, and log the failure entries.  Also
	return the SEC_ERROR_BAD_SIGNATURE certs if we're returning a
	KDC_ERR_INVALID_CERTIFICATE error.
	* src/commont.c(common_decode_sequence_of_algorithm_identifier): Add.
	* src/map-file.c: log when we encounter errors opening/reading the file.
	* src/oakley.c(oakley_parse_group): factor this out.
	* src/oakley.c(oakley_get_groups): Add, for retrieving all parameters
	with prime at least a certain size.
	* src/oakley.c: return a domain_parameters structure instead of the
	NSS DHParamaters and an extra q, because it's less work.
	* src/pkinit.c: add a "minimum_dh_prime_size" option.  Set the
	prompt callback before we attempt to open the database.
	* src/pkinit.c(client_try_again): add, decoding the error data and
	using it to guide attempts to find another certificate and generate
	an auth_pack.
	* src/pkinitt.c(pkinit_get_trusted_{client,kdc}_certifier_list): Retire.
	* src/pkinitt.c(pkinit_create_dh_parameters_edata): Add, for sending
	along with KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED errors.
	* src/pkinitt.c(pkinit_create_client_public_value): Allow a prescribed
	list of acceptable parameters from the KDC and a locally-specified
	minimum size.
	* src/pkinitt.c(pkinit_create_{draft_,}auth_pack): handle cases where
	pkinit_create_client_public_value() can't give us anything.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_req): set e_data for
	KDC_ERR_CANT_VERIFY_CERTIFICATE, KDC_ERR_INVALID_CERTIFICATE, and
	KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED.

2007-01-26 nalin
	* src/pkinitt.c(pkinit_time_from_signing_time): try to parse the raw
	timestamp (without the type and length) as a timestamp.
	* src/pkinitt.c(pkinit_time_from_utc_time): fix scanning of the time.
	* src/pkinitt.c(pkinit_create_trusted_certifiers_edata): add.
	* src/pkinitt.c(pkinit_create_invalid_certificates_edata): add.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_req): reuse code to build the
	list of trusted CAs to clean this area up a bit.
	* src/certs.c(cert_find_preferred_cert): take the list of restricted
	CAs as an external_principal_identifier list instead of an array of
	DER-encoded certificates.

2007-01-26 nalin
	* src/pkinitt.c(pkinit_signing_time_from_time): add function to
	convert to encoded signing time to time_t, using UTC time or
	generalized time, as appropriate.
	* src/pkinitt.c(pkinit_utctime_from_time): add function to
	convert to raw UTC time to time_t.
	* src/pkinitt.c(pkinit_generalizedtime_from_time): rename, make public
	function to convert to raw generalized time to time_t.
	* src/pkinitt.c(pkinit_time_from_signing_time): add function to
	convert from encoded signing time to time_t.
	* src/pkinitt.c(pkinit_from_utctime_time): add function to
	convert from raw UTC time to time_t.
	* src/pkinitt.c(pkinit_from_generalizedtime_time): rename, make public
	function to convert from raw generalized time to time_t.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_req): if the client included a
	signing time attribute as part of its request, check that date for
	clock skew as well.
	* src/commont.c: add encoder/decoder pairs for UTCTime and
	GeneralizedTime items.
	* src/bcmst.c(bcms_verify_signed_data): provide a way to stash the
	signing time as a time_t for the caller.
	* src/bcmst.c(bcms_make_external_principal_identifier_list): add.
	* src/bcmsutil.c: add a -v (verbosity) option to crank up debug
	logging.

2007-01-25 nalin
	- make pkinit_debug() take a module_context and a debug priority level
	- thread module_context pointers through many, many functions

2007-01-22 nalin
	* src/bcmst.c(bcms_make_certificate_list): take a deep copy of the
	certificate, in case the current origin gets pulled out from under
	us before we go to encode this list.
	* src/commont.c(common_make_algorithm_identifier_list): take a deep
	copy of the parameters field, in case the one we're using gets pulled
	out from under us before we go to encode this list.

2007-01-19 nalin
	* src/bcmst.c, src/certs.c: use CERT_DestroyCertArray() instead of
	a home-grown function which actually leaks the array pointer (oops).
	* src/certs.c(cert_validate_kdc_certificate,
	cert_validate_client_certificate): provide a way to pass in a
	certificate pool when we're verifying certificates, and import that
	pool into the temporary database to help us fill in the gaps in
	certificate chains.
	* src/pkinitt.c(pkinit_validate_kdc_certificate): provide a way to
	pass in the pool of certs which may include intermediate CAs.

2007-01-12 nalin
	* src/bcmst.c, src/certs.c: give destroy_array_of_certs() an
	upper-bound on the array size.

2007-01-12 nalin
	* backport: update to base off of the final 1.6 sources.

2007-01-12 nalin
	* src/pkinit.c: release slots and certificates when they're no longer
	going to be used. Note if NSS shutdown fails.

2007-01-12 nalin
	* doc/CONFIGURATION: note which Oakley groups we know about already.

2007-01-12 nalin
	* src/show-cert-guid.c: note if NSS shutdown fails.

2007-01-12 nalin
	* src/pkinitt.c: release keys, certificates, contexts, and slots.

2007-01-12 nalin
	* src/certs.c: release certificates when they're no longer going to be
	used.

2007-01-12 nalin
	* src/bcmsutil.c: add a -t option to allow forcing a token login.
	* src/bcmst.c: release keys, certificates, contexts, and slots.

2007-01-12 nalin
	* src/oakley.c, src/prime2sub: add q values for the rest of the DH
	parameter sets.

2007-01-08 nalin
	* src/bcmst.c(bcms_add_cert_chain_to_signed_data): walk the chain
	correctly (#221917).

2006-12-21 nalin
	* src/map-file.c: add a mapping-file module.  Hopefully at some point
	we'll be able to just call out to something smarter, but for now this
	may have to do.
	* src/show-cert-guid.c: rename an unused parameter so that it is easy
	to tell that we knew it would be unused.
	* src/bcmst.c: rename an unused parameter so that it is easy
	to tell that we knew it would be unused.
	* src/pkinitt.c: take a flag indicating whether or not we should trust
	SAN values for cases where we have to find the cert by ourselves.
	Change create_rep to take the cert instead of searching directly.
	* src/certs.c: support the passing-in of additional acceptable
	subject DN values when we need to find a certificate.
	* src/pkinit.c: support mappings files, and being told to not trust
	SAN values.

2006-12-20 nalin
	* src/pkinit.c: add an "is_hw" flag to control whether or not we
	consider ourselves hardware preauth.
	* src/certs.c: make cert_certificate_is_preferred() module-local.
	Provide a way to require that the cert being checked is issued (at
	some point) by one of some provided DER certs.

2006-12-20 nalin
	* src/certs.c(cert_verify_cert_for_encryption): add, to check if the
	client's key is allowed to be used to encrypt enc-key-pack replies.
	* src/pkinit.c(server_return): ensure that we either have DH params or
	a client cert which can be used for encryption before building the
	reply.

2006-12-20 nalin
	* src/certs.c(cert_validate_kdc_certificate,
	cert_validate_client_certificate,cert_is_preferred): don't barf if we
	can't find the certificate's issuer.
	* src/certs.c(cert_certificate_get_is_ca): make the message about not
	having basicConstraints less emphatic.
	* src/pkinit.c,backport/: update backport to 1.6 branch, rev. 18998

2006-12-19 nalin
	* src/bcmst.c(bcms_add_cert_chain_to_signed_data): use
	CERT_FindCertIssuer() to walk the certifying chain because it's
	simpler and seems to work better.
	* src/pkinit.c(server_verify): initialize some pointers we didn't
	used to clear.
	* src/pkinitt.c(pkinit_kdc_dh_key_info_template): the nonce isn't
	optional.  Set it correctly, too.

2006-12-18 nalin
	* src/pkinit.c: don't use the non-existent appdefault_integer() call,
	use our own.
	* src/commont.c: provide an alternate integer decoder.

2006-12-18 nalin
	* po: refresh
	* src/pkinitt.c: remove redundant validation calls, since we do the
	same in the cert...() functions we call
	* src/bcmst.c: change things so that we expect constructed data as
	the content in content-info structures, but continue to decode both.
	Generate signed-attributes by default; handle signed-attributes when
	verifying signed messages.
	* src/bcmsutil.c: update for bcmst changes.
	* src/commont.c: update for bcmst changes.  Encode the
	private_value_length field of DH parameters, if it's there, likewise
	for the validation_parms field of domain parameters.
	* src/pkinit.c: rework module init/cleanup to use the hooks provided
	by newer versions of the plugin layer, properly shut down NSS when
	we were the ones who initialized it.  Pick up "try_dh" and
	"preferred_group" options to affect how the client tries to get creds
	from the KDC.  (Note: the default modulus file distributed with Heimdal
	is group 2.)
	* src/certs.c: fail validation of either client or server certs if we
	can't build a chain from the cert to a "root" certificate.  Assume that
	such a certificate is unsuitable for our use, too.
	* src/oakley.c: track subprime values for groups for which they are
	defined, and provide a way for the caller to get them, too.
	* src/pkinitt.c: encode the parts of a PA-PK-AS-REQ as octet strings,
	not structures, per the spec.

2006-11-01 nalin
	* src/pkinit.c: don't try to free that duplicate cert
	* tag 0.2.1

2006-11-01 nalin
	* tag 0.2.0

2006-11-01 nalin
	* src/certs.c: remove no-longer-used certdb parameter from
	find_preferred_cert.  Clean up use of SAN matching flags.  Use
	CERT_DupCertificate instead of malloc to save the certificate.

2006-10-31  Jeff Moyer  <jmoyer@redhat.com>
	* src/certs.c, src/pkinit.c: It turns out that using
	CERT_FindCertByNickname is not a reliable method for listing
	certificates.  Instead, get a list of slots, and a list of
	certificates for each slot.  This fixes a problem with pkinit not
	allowing one to renew credentials after a kdestroy or expiry.

2006-10-30 nalin
	* src/certs.c: if the certificate we get back from
	CERT_FindCertByNickname() isn't the one we wanted, log a debug message.
	From Jeff Moyer.
	* backport/krb5-1.5.1-pal-18695.patch: remove
	* backport/krb5-1.5.1-pal-18750.patch: add updated
	* backport/krb5-trunk-edata.patch: add proposal for e-data changes
	* backport/krb5-trunk-free_plugin_dir_data.patch: add to fix a memleak
	* backport/krb5-trunk-module-global.patch: add to make module contexts
	shared across preauth systems.  Placeholder until Kevin's rework is
	ready.
	* backport/krb5-trunk-preauth-sort.patch: add to fix a crasher.
	* doc/openssl/make-certs.sh: add, for generating test certs without
	a full-blown CA installation.
	* src/certs.c: don't bail if we don't match the Kerberos name if we're
	also going to try to match a UPN.
	* src/pkinit.c: use a single call to find the KDC's certificate.

2006-10-30 nalin
	* src/certs.c: use the principal name templates from pkinitt, and not
	the local out-of-date-and-wrong ones, so that we properly recognize
	the value in a certificate.
	* src/pkinit.c: disable ocsp in the client by default, leaving it
	enabled by default in the KDC.  Only search for a certificate once.
	This means that we'll prefer a UPN cert over a KPN(?) cert if we
	see it first, but it cuts down on the number of prompts.
	* src/pkinitt.c: export only the one ASN.1 template.

2006-10-26 jmoyer
	* src/pkinit.c: report the error when NSS_Init() fails.

2006-10-26 nalin
	* doc/TODO: updates
	* src/bcmst.c: make the members of external_principal_identifier
	real OctetStrings and not pointers to Any.  Provide a way for
	code which creates enveloped_data to specify which bulk encryption
	algorithm we should use.
	* src/bcmsutil.c: provide -D and -R, to select the enveloped-data
	cipher.
	* src/commont.c: learn to generate/encode/use 3DES parameters (the IV).
	* src/pkinit.c: learn how to add auth_data to the list in the ticket
	provided by the KDC.
	* src/pkinitt.c: learn to encode the initial-verified authorization
	data.  Encode the authorization data when we verify a client's request,
	passing in items between the client and the end of its chain.  Get the
	bit- vs. byte-length stuff sorted out for DH keys.
	* src/oakley.c: add Oakley groups 1, 2, 5, 14, 15, 16.
	* src/pkinitt.c: default to using Oakley group 14.

2006-10-23 nalin
	* src/pkinit.c: track the client DH public key and nonce in the
	request context as well.
	* src/pkinitt.c: save the client DH public key and nonce from
	create_client_public_value.  Break KDC certificate validation into
	a shared subroutine.  Move enc-key-pack processing into a single
	function, and call it from the AS-REP verification function.  Try
	to get the client processing of a DH AS reply going.
	* src/certs.c: add OID information for dhPublicNumber and dhKeyAgreement
	* src/commont.c: add encoders/decoders for dhParameters, which might
	be what Windows expects.
	* src/pkinitt.c: follow examples more closely in calling the secret
	derivation functions.  Interpret the results of SECITEM_ItemsAreEqual
	properly, because it looks like yes, I am that dumb.
	* src/pkinit.c: be more careful about the request context pointer.
	* src/pkinitt.c: be more careful about assuming that we have access
	to the right client state.
	* src/pkinit.c: assume the module context is truly global, and use
	that so that we can access DH keying information for non-draft requests.
	* src/commont.c: add dump functions.  Add encoders/decoders for
	bit strings and integers.
	* src/pkinit.c: print the error message which goes with the return code.
	Encode the client's public value as an integer before passing it in
	for encoding as a bit string.  Catch errors decoding DH parameters
	sent by the client.  Encode the server's public value as an integer
	before passing it in for encoding as a bit string.  Return the server
	nonce iff we have a client nonce, not the other way around.  Decode
	the server's reply before using it as a public value.

2006-10-19 nalin
	* src/pkinit.c: track the client's private DH keying info in the client
	context.
	* src/pkinitt.c: add first pass at having the client supply DH
	parameters and keying data to the KDC.
	* src/commont.c: fix the template for the subject_public_key so that
	we encode it correctly.
	* src/pkinit.c: debug log when we save DH-related information in the
	server verify callback.
	* src/pkinitt.c: make the client's public key info in the auth_pack
	structures opaque at this level.  Forcibly disable DH in the draft
	version -- Windows either doesn't like it at all, or just this
	implementation.  Use CKM_DH_PKCS_KEY_PAIR_GEN instead of
	CKM_X9_42_DH_KEY_PAIR_GEN for generating DH keying data.  Call
	PK11_ExtractKeyValue before PK11_GetKeyData so that we actually
	get the keying data back.
	* src/pkinitt.c: catch a problem in my implementation.

2006-10-18 nalin
	* backport/backport-errors.h: wrap definitions of errors in #ifndef
	* src/commont.c: remove duplicate "j" reference in the template for
	domain parameters.  Add encode/decode function for domain_parameter
	structures.  Add common_make_random_item() for generating DH nonces.
	* src/pkinitt.c: correct the offset of client_public_value in the
	template for auth_pack.  Change client_dh_nonce in auth_pack to a
	pointer.  Change server_dh_nonce in dh_rep_info to a pointer.  Move
	create_auth_pack and create_draft_auth_pack to the right namespace.
	Teach pkinit_octet_string_to_aeskey() about the client and server
	nonces.  Flesh out pkinit_build_dh_key_info() implementation.

2006-10-16 nalin
	* src/pkinit.c(server_return): don't crash if the client didn't provide
	subject_public_key_info.

2006-10-16 nalin
	* src/pkinitt.c(kerberos_time_from_time): factor this out.

2006-10-16 nalin
	* src/bcmst.c(bcms_create_signed_data): the encapsulated content OID
	can be const.
	* src/commont.c: add encode/decode functions for subject_public_key_info
	* src/pkinit.c: store the pkauthenticator nonce, a re-encoded copy of
	the client's DH subject_public_key_info, and the DH nonce in the server-
	side context.
	* src/pkinitt.c: add encode/decode functions for kdc_dh_key_info.  Save
	the nonces and DH info when verifying a client AS_REQ, and if we have
	them when we go to create an AS_REQ, try to use DH first, failing
	miserably (for now).

2006-10-16 nalin
	* configure.ac: adjust status output to note that support != 1 header.
	* doc/README: don't use me as an example
	* src/certs.c(oid_pkinit_dhkey_data,oid_pkinit_dhkey,
	cert_get_oid_pkinit_dhkey_data): add.
	* commont.c: add templates and definitions for validation_parms and
	domain_parameters
	* pkinitt.c: add templates and definitions for kdc_dh_key_info.  The
	server_dh_nonce isn't ANY, it's an OctetString.  Add an AES-specific
	pkinit_octet_string_to_aeskey() for converting a DH key to an AES key.

2006-10-13 nalin
	* backport/krb5-1.5.1-pal-18687.patch: remove.
	* backport/krb5-1.5.1-pal-18695.patch: add.
	* src/pkinit.c: update for changes in trunk version of module interface.
	* backport/krb5/preauth_plugin.h: update to latest from trunk.
	* Makefile.am: add backport/backport-errors.h to dist files.
	* src/pkinit.c: use the right symbol names for backports.

2006-10-12 nalin
	* backport/backport-errors.h: add.
	* src/certs.c(cert_ku_matches_mask): add.
	* src/certs.c(cert_validate_kdc_certificate): return a Kerberos error
	code.
	* src/certs.c(cert_validate_client_certificate): return a Kerberos
	error code.
	* src/pkinitt.c(pkinit_verify_pa_pk_as_rep_shared): use routines in
	certs for validating the response again.

2006-09-26 nalin
	* src/pkinit.c: flag that we replace the key on reply

2006-09-21 nalin
	* src/pkinit.c: turn on OCSP checking everywhere.

2006-09-20 nalin
	* src/bcms.c, src/pkinit.c: prototype updates for current rev of the
	pal patch, which is hopefully stable now

2006-09-15 nalin
	* configure.ac,Makefile.am,po/: add the beginnings of translation
	support for our one user-visible string.
	* src/pkinit.c: pull up the maximum allowed time skew by abusing the
	get-entry-data interface.
	* doc/krb5-1.5.1-pal.patch: add a means of querying for the maximum
	clock skew -- it's not per-entry, but the get-entry-data interface
	will do fine.  Unload plugins at KDC shutdown.  Skip over client
	modules which provide a NULL client_process() callback.

2006-09-14 nalin
	* doc/README.CVS: add
	* doc/Makefile.am: add README.CVS
	* doc/krb5-1.5.1-pal.patch: remove PA_VIRTUAL -- it's way more invasive
	to get it working right in the KDC.
	Client: skip preauth modules we've used more than once, and add sorting
	of the options the server presents, subject to the
	"preferred_preauth_types" setting.  Document "preferred_preauth_types"
	in the krb5.conf man page.  Fixup definitions of PADATA_PK_AS_REP_OLD,
	PADATA_PK_AS_REQ_OLD, and their not-old counterparts to match RFC 4120.
	Add a bunch of other preauth type definitions to krb5.h.
	* configure.ac: bump to 0.0.4
	* src/pkinit.c: use symbolic names for the preauth types.  Advertise
	PADATA_PK_AS_REQ from the server, not PADATA_PK_AS_REP.  In the client,
	treat PADATA_PK_AS_REQ as an invitation to do PKINIT, and
	PADATA_PK_AS_REP as the server response.  Now that we can sort out
	the preauth type order, don't rely on claiming to be both a PA_INFO
	and a PA_REAL module to get to run first.

2006-09-13 nalin
	* src/certs.c: don't leak the user's unparsed name
	* src/pkinit.c: debug-log whether or not we got a cert value from the
	realm database

2006-09-13 nalin
	* (all files) initial check-in
