krb5 commit: Add SPAKE preauth support

Greg Hudson ghudson at mit.edu
Mon Mar 26 21:26:54 EDT 2018


https://github.com/krb5/krb5/commit/7447259401569c92b1fb2e31cb02edbbffd67d35
commit 7447259401569c92b1fb2e31cb02edbbffd67d35
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Sep 25 17:47:35 2015 -0400

    Add SPAKE preauth support
    
    This is an implementation of draft-ietf-kitten-krb-spake-preauth-05.
    SPAKE preauth authenticates using the client principal long-term key,
    but protects against offline dictionary attacks.
    
    SPAKE preauth negotiates a group for use by the SPAKE2 algorithm.  The
    edwards25519 group is implemented using code adapted from BoringSSL.
    The P-256, P-384, and P-521 groups are implemented against OpenSSL.
    edwards25519 is enabled by default on the client; no groups are
    enabled by default on the KDC.
    
    SPAKE preauth can also include a second factor.  Second factor support
    isn't included in this implementation; comments have been left to
    indicate what should change when it is added in.
    
    Integration tests (tests/t_spake.py) are included with good coverage
    of the negotiation scenarios.
    
    Test vectors from the draft are checked against the group's "result"
    operation.  The "keygen" operation is inherently random and is
    therefore not tested against the vectors, but is effectively exercised
    by the integration tests.
    
    KDC optimistic challenge is implemented.  In the future we should
    implement client optimistic SPAKE as well; this will require changes
    to the generic client preauth framework.
    
    In the future we should add per-realm configuration to deny encrypted
    timestamp and encrypted challenge on a per-realm basis.  This
    configuration should stick across client realm referrals.
    
    In the future we should avoid attempting encrypting timestamp or
    encrypted challenge if the KDC replies to a single-factor
    SPAKEResponse message with PREAUTH_FAILED.  This will require a change
    to the generic client preauth framework.
    
    In the future we should make SPAKE support apply to the Windows build,
    either by adding support for building plugin DLLs or by moving the
    edwards25519 and client code to libkrb5.
    
    [npmccallum at redhat.com: split up internal headers; split out group
    registry contents; implemented P-384 and P-521]
    
    ticket: 8647 (new)

 NOTICE                                          |   51 +
 doc/admin/conf_files/kdc_conf.rst               |   22 +-
 doc/admin/conf_files/krb5_conf.rst              |   15 +
 doc/admin/index.rst                             |    1 +
 doc/admin/spake.rst                             |   46 +
 doc/formats/cookie.rst                          |   37 +
 doc/notice.rst                                  |   47 +
 src/Makefile.in                                 |    2 +
 src/config/pre.in                               |    6 +
 src/configure.in                                |   20 +
 src/include/k5-int.h                            |    3 +
 src/include/krb5/krb5.hin                       |    2 +
 src/kdc/kdc_preauth.c                           |    2 +
 src/lib/krb5/krb/preauth2.c                     |    2 +
 src/lib/krb5/os/trace.c                         |    1 +
 src/plugins/preauth/spake/AUTHORS               |   16 +
 src/plugins/preauth/spake/Makefile.in           |   39 +
 src/plugins/preauth/spake/deps                  |   73 +
 src/plugins/preauth/spake/edwards25519.c        | 2651 ++++++++
 src/plugins/preauth/spake/edwards25519_tables.h | 7881 +++++++++++++++++++++++
 src/plugins/preauth/spake/groups.c              |  442 ++
 src/plugins/preauth/spake/groups.h              |  148 +
 src/plugins/preauth/spake/iana.c                |  108 +
 src/plugins/preauth/spake/iana.h                |   65 +
 src/plugins/preauth/spake/openssl.c             |  315 +
 src/plugins/preauth/spake/spake.exports         |    2 +
 src/plugins/preauth/spake/spake_client.c        |  363 ++
 src/plugins/preauth/spake/spake_kdc.c           |  590 ++
 src/plugins/preauth/spake/t_krb5.conf           |    2 +
 src/plugins/preauth/spake/t_vectors.c           |  476 ++
 src/plugins/preauth/spake/trace.h               |   74 +
 src/plugins/preauth/spake/util.c                |  211 +
 src/plugins/preauth/spake/util.h                |   56 +
 src/tests/Makefile.in                           |    1 +
 src/tests/t_spake.py                            |  151 +
 35 files changed, 13917 insertions(+), 4 deletions(-)

Diff larger than 5000 lines; suppressing.


More information about the cvs-krb5 mailing list