| author | Sam Hartman <hartmans@mit.edu> | 2011-11-23 01:00:27 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2011-11-23 01:00:27 +0000 |
| commit | adfcfdce396468f93dce5fb56c7509d138a11e5c (patch) | |
| tree | 74daa40bd00c461da828adfef8fcf9ed28399eea /src/plugins | |
| parent | 01bd1cedd0fb24b7578b3c4b563f065dd113e3d7 (diff) | |
ticket: new
subject: FAST PKINIT
target_version: 1.10
tags: pullup
Per RFC 6113, FAST should use the inner request body for the PKINIT
checksum. We did that on the KDC; now do so on the client. Remove
code that explicitly blocked PKINIT under FAST.
Also, use the reply key *before* the strengthen key is applied when
verifying the PADATA_PKINIT_KX.
Add FAST pkinit test.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25486 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 6 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 34 |
2 files changed, 2 insertions, 38 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index ad354cf0bd..e574c3c8f9 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -1029,15 +1029,11 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata, int processing_request = 0; pkinit_context plgctx = (pkinit_context)moddata; pkinit_req_context reqctx = (pkinit_req_context)modreq; - krb5_keyblock *armor_key = cb->fast_armor(context, rock), as_key; + krb5_keyblock as_key; pkiDebug("pkinit_client_process %p %p %p %p\n", context, plgctx, reqctx, request); - /* Remove (along with armor_key) when FAST PKINIT is settled. */ - /* Don't use PKINIT if also using FAST. */ - if (armor_key != NULL) - return EINVAL; if (plgctx == NULL || reqctx == NULL) return EINVAL; diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 44e310cf98..3322310bf5 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -107,16 +107,9 @@ pkinit_server_get_edata(krb5_context context, { krb5_error_code retval = 0; pkinit_kdc_context plgctx = NULL; - krb5_keyblock *armor_key = cb->fast_armor(context, rock); pkiDebug("pkinit_server_get_edata: entered!\n"); - /* Remove (along with armor_key) when FAST PKINIT is settled. */ - /* Don't advertise PKINIT if the client used FAST. */ - if (armor_key != NULL) { - (*respond)(arg, EINVAL, NULL); - return; - } /* * If we don't have a realm context for the given realm, @@ -309,7 +302,6 @@ pkinit_server_verify_padata(krb5_context context, krb5_kdc_req *tmp_as_req = NULL; krb5_data k5data; int is_signed = 1; - krb5_keyblock *armor_key = cb->fast_armor(context, rock); krb5_pa_data **e_data = NULL; krb5_kdcpreauth_modreq modreq = NULL; 
@@ -319,12 +311,6 @@ pkinit_server_verify_padata(krb5_context context, return; } - /* Remove (along with armor_key) when FAST PKINIT is settled. */ - /* Don't allow PKINIT if the client used FAST. */ - if (armor_key != NULL) { - (*respond)(arg, EINVAL, NULL, NULL, NULL); - return; - } if (moddata == NULL) { (*respond)(arg, EINVAL, NULL, NULL, NULL); @@ -462,23 +448,7 @@ pkinit_server_verify_padata(krb5_context context, "value not supported.")); goto cleanup; } - /* - * The KDC may have modified the request after decoding it. - * We need to compute the checksum on the data that - * came from the client. Therefore, we use the original - * packet contents. - */ - retval = k5int_decode_krb5_as_req(req_pkt, &tmp_as_req); - if (retval) { - pkiDebug("decode_krb5_as_req returned %d\n", (int)retval); - goto cleanup; - } - - retval = k5int_encode_krb5_kdc_req_body(tmp_as_req, &der_req); - if (retval) { - pkiDebug("encode_krb5_kdc_req_body returned %d\n", (int) retval); - goto cleanup; - } + der_req = cb->request_body(context, rock); retval = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0, der_req, &cksum); if (retval) { @@ -566,8 +536,6 @@ cleanup: case KRB5_PADATA_PK_AS_REQ: free_krb5_pa_pk_as_req(&reqp); free(cksum.contents); - if (der_req != NULL) - krb5_free_data(context, der_req); break; case KRB5_PADATA_PK_AS_REP_OLD: case KRB5_PADATA_PK_AS_REQ_OLD: |
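Review bot: In the `@@ -462` hunk of pkinit_srv.c, the result of `der_req = cb->request_body(context, rock);` goes straight into `krb5_c_make_checksum` with no check, whereas the decode/encode path it replaces jumped to `cleanup` on failure. If the callback can ever return NULL (its contract is not visible here), the KDC would dereference it while processing a request that is not yet authenticated, so a guard such as `if (der_req == NULL) { retval = EINVAL; goto cleanup; }` is worth adding. The removed comment explained which bytes the checksum covers and nothing replaces it; I would add `/* Borrowed from the KDC (inner body under FAST, RFC 6113); do not free. */` above the assignment, which also documents why the `@@ -566` hunk drops the `krb5_free_data` call. `tmp_as_req`, still declared in the `@@ -309` context, seems to lose its only visible use and may now be dead. The body of pkinit_server_verify_padata continues outside these hunks, so the last two points need checking against the full function.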
