Commit Graph

1941 Commits

Author SHA1 Message Date
Ed Maste
8ef0071d96 Remove duplicate symbols from libhx509 version-script.map
Commit 7758a5d0 (r21331) added semiprivate function
_hx509_request_to_pkcs10 twice.
2016-07-21 14:39:37 -04:00
Viktor Dukhovni
1017a594ef Use OpenSSL include path as needed
For consistency make "-I" part of the macro value set by autoconf.

For now, don't attempt to handle OpenSSL rpath in cf/crypto.m4.
That's much easier by just setting LDFLAGS when running configure.
Otherwise too many Makefiles to edit and libtool and automake do
their best to undo the rpath.
2016-05-07 05:29:12 -04:00
Viktor Dukhovni
131c8dd30e Export new ASN1 oid symbols and fix build
We added some new OID symbols in libasn1, make them public.

When an older Heimdal is already installed and its libraries don't
have some newly created symbols we run into build or test problems,
if libtool decides to use installed rather than just-built libraries.
This was happening with a few of test programs in libhx509.  Fixed.
2016-05-06 21:09:03 -04:00
Viktor Dukhovni
8078e089f1 Add support for ECDSA w/ SHA-2 signature algs 2016-04-15 10:32:50 -05:00
Nicolas Williams
490337f4f9 Make OpenSSL an hcrypto backend proper
This adds a new backend for libhcrypto: the OpenSSL backend.

Now libhcrypto has these backends:

 - hcrypto itself (i.e., the algorithms coded in lib/hcrypto)
 - Common Crypto (OS X)
 - PKCS#11 (specifically for Solaris, but not Solaris-specific)
 - Windows CNG (Windows)
 - OpenSSL (generic)

The ./configure --with-openssl=... option no longer disables the use of
hcrypto.  Instead it enables the use of OpenSSL as a (and the default)
backend in libhcrypto.  The libhcrypto framework is now always used.

OpenSSL should no longer be used directly within Heimdal, except in the
OpenSSL hcrypto backend itself, and files where elliptic curve (EC)
crypto is needed.

Because libhcrypto's EC support is incomplete, we can only use OpenSSL
for EC.  Currently that means separating all EC-using code so that it
does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has
been moved out of the files it used to be in.
2016-04-15 00:16:17 -05:00
Nicolas Williams
9df88205ba Fix double-free in lib/hx509/crypto.c 2016-04-15 00:16:16 -05:00
Nicolas Williams
97425a44a2 hx509/crypto.c: fix invalid pointer deref 2016-02-29 19:13:11 -06:00
Luke Howard
f789d8403e hx509: explicitly include ref/pkcs11.h
review comment from Nico Williams: explicitly include ref/pkcs11.h to
avoid any conflict with system PKCS#11 header
2015-12-09 11:03:48 +11:00
Luke Howard
ed3e748c75 hx509: update to newer PKCS#11 header
newer PKCS#11 reference header file, sourced from SoftHSM
2015-12-09 10:59:08 +11:00
Timothy Pearson
042b1ee7cb Do not crash if private key not found 2015-09-24 15:48:14 -05:00
Timothy Pearson
1d07f08351 Add ability to specifiy PKCS#11 slot number when using hx509
Example usage: kinit -C PKCS11:/usr/lib/opensc-pkcs11.so,slot=3 foo@BAR.TLD
2015-09-24 15:34:51 -05:00
HenryJacques
5a4e9d1539 Fix typo 2015-07-20 10:45:06 +02:00
HenryJacques
35a569bd83 Allow to use more than one token
This is needed if the first is not usable
2015-07-20 10:14:38 +02:00
HenryJacques
1639697c97 add error codes related to User PIN 2015-07-20 10:12:50 +02:00
HenryJacques
75a304c452 Fix typo 2015-07-20 10:08:57 +02:00
HenryJacques
5cf302def7 Add new error codes related to PIN
Not all error codes have been added, only the most common ones.
2015-07-20 10:07:08 +02:00
Love Hörnquist Åstrand
a26007cebc (keychain_init): free ctx on error 2015-04-18 17:08:09 -07:00
Viktor Dukhovni
745eeb1252 Ensure DER form of hxtool ca random serial numbers 2015-03-05 03:57:30 -05:00
Viktor Dukhovni
b7ca6bbc7a Revert "make sure that serial number is valid DER when done ..."
A simpler fix will be the next commit.

This reverts commit 35add96d37.
2015-03-05 03:56:04 -05:00
Love Hörnquist Åstrand
35add96d37 make sure that serial number is valid DER when done (found by Viktor Dukhovni) 2015-03-05 00:26:03 -08:00
Viktor Dukhovni
ba39f42b81 TBS vs Certificate sigalg consistency for RSA 2015-03-04 19:51:11 -05:00
Love Hörnquist Åstrand
30768c75bb make quiet 2014-08-22 21:25:01 -07:00
Love Hörnquist Åstrand
37afa01be3 rename roken base64, fixes #107 2014-08-22 20:57:24 -07:00
Jelmer Vernooij
70e43e9808 Fix some typos. 2014-04-25 02:42:17 +02:00
Jelmer Vernooij
c5e8e049cb Fix some typos. 2014-04-23 03:05:23 +02:00
Jelmer Vernooij
cc495fd78d Avoid breaking symbol names for all previously present functions.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
2014-03-24 22:45:13 -05:00
Viktor Dukhovni
46e0bd3c68 Use P-256 for EC tests
Fedora/RedHat OpenSSL supports only P-256, P-384 and P-521.

The new mkcert.sh script can create updated certs when these
expire on Jan 17th 2038.
2014-03-12 21:18:03 -04:00
Jeffrey Altman
f3d9d4119e export hx509_ca_tbs_set_signature_algorithm
hx509_ca_tbs_set_signature_algorithm was added by commit
c69c4634ad.  It must be exported
for use by hxtool on Windows.

Change-Id: I14b927abde96814ae2e0a90f232ab00915a9f29e
2014-02-16 21:01:57 -05:00
Love Hörnquist Åstrand
dbf523a15d clean files 2014-02-16 11:52:22 -08:00
Love Hörnquist Åstrand
762a72d650 use noinst_HEADERS for hx509-private.h 2014-02-16 09:15:48 -08:00
Love Hörnquist Åstrand
cae2e6f168 include hx509-private.h 2014-02-16 09:15:39 -08:00
Love Hörnquist Åstrand
c69c4634ad allow setting signature algorithm 2014-02-12 09:46:02 -08:00
Jelmer Vernooij
906922b990 Include heimbase.h in hx509.h; required for heim_err_t.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2013-11-20 00:42:26 +00:00
Love Hornquist Astrand
7439cb7c54 check the EE if its a proxy certificate and fail up front 2013-10-21 08:43:24 -07:00
Nicolas Williams
704a8a1d37 Don't use %zu
Eventually we'll need to make sure that a) libroken's stdint.h defines
the max integer types, b) the libroken *printf()s can handle all the
standard length and conversion specifiers.
2013-10-04 18:58:31 -04:00
Love Hornquist Astrand
dba64ce7f5 Increment array when comparing, from Harald Barth 2013-09-30 21:15:35 -07:00
Jeffrey Altman
ab72ccbab3 Export missing asn1 and hx509 functions on Windows
der_copy_unsigned64
der_free_unsigned64
der_get_integer64
encode_KDCFastCookie
encode_KDCFastState
free_KDCFastCookie
free_KDCFastState
hx509_revoke_print

Change-Id: I29d96705d1ac811109719b6358dc0932c72e8df8
2013-06-22 21:17:16 -04:00
Love Hornquist Astrand
4e44171a28 cast away enum warnings 2013-06-03 22:05:09 -07:00
Love Hornquist Astrand
80fe143874 remove deprected warnings until we can move to non deprecated api 2013-06-03 22:03:20 -07:00
Love Hornquist Astrand
ebe9b82b8d Fix warning (from Victor) 2013-06-03 21:56:34 -07:00
Love Hornquist Astrand
060474df16 quel 64bit warnings, fixup implicit encoding for template, fix spelling 2013-06-03 21:46:20 -07:00
Patrik Lundin
0ff637618e add version print 2013-05-01 13:46:35 -07:00
Love Hornquist Astrand
bcbd477a20 support parsing PEM CRL files and printing revoke contexts 2013-04-27 12:42:12 -07:00
Roland C. Dowdeswell
1b5b82183c In lib/hx509/cert.c, fix cases where errors are returned as certs.
In both hx509_cert_init() and hx509_cert_init_data(), there is an
output parameter for the error code but there are cases where the
error is used as a return value instead of the specified hx509_cert.
We fix these issues.  We also check if error is non-NULL and only
set the error in this case, allowing the functions to be called
with error == NULL without segfault.
2012-12-03 14:12:52 +08:00
Love Hornquist Astrand
353ac10863 fix use after free 2012-11-27 21:58:04 -08:00
Love Hornquist Astrand
029de6cfa4 pass back an heim_error from hx509_cert_init 2012-10-07 06:33:13 -07:00
Love Hornquist Astrand
846f6e0e7b always produce a signature that is the size of the modulus 2012-09-11 20:45:43 -07:00
Philip Boulain
12f7c3248b dd include flags for test cases.
When building with OpenSSL at a custom prefix, some test cases will fail
 to compile due to missing include path compiler options. This patch adds
 them, as well as defining CPPFLAGS and LDADD for test_expr.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2012-09-10 08:39:42 -07:00
Roland C. Dowdeswell
be5afdbf7f Make concurrent builds work.
To stop the errors when building concurrently, we make a number of
changes:

        1.  stop including generated files in *_SOURCES,

        2.  make *-protos.h and *-private.h depend on the *_SOURCES,

        3.  make all objects depend on *-{protos,private}.h,

        4.  in a few places change dir/header.h to $(srcdir)/dir/header.h,

This appears to work for me with make -j16 on a 4-way box.
2012-08-08 00:04:04 +01:00
Roland C. Dowdeswell
13a6ac59ad Fix memory leak in hx509_context_init().
OpenSSL_add_all_algorithms() should only be run once per application
or it will cause data structures to expand.  It's not a classic
memory leak as all of the memory will be free(3)d when EVP_cleanup()
is called but as we are a library we cannot call this.  We provide
a short term fix here which is using heim_base_once_f() to ensure
that we only call it once.

But the long term fix should be to stop using OpenSSL_add_all_algorithms()
entirely because it both has side effects outside our library and
the caller may destroy our OpenSSL global variables by calling
EVP_cleanup() on his own.  It is suboptimal to have potential
interactions between our library and other code in this way.
2012-07-17 19:38:46 +01:00