authorGreg Hudson <ghudson@mit.edu>2014-06-06 23:24:00 -0400
committerGreg Hudson <ghudson@mit.edu>2014-06-13 00:31:27 -0400
commit823bad7f3f314647feb14284bc36fa231c9c7875 (patch)
tree0fd73dec5eed3de3e60af83fb1939d0a046fc5ef
parentcd06659844f9671d6ca9955fa6d3ee6e0806c7f1 (diff)
Remove pkinit_win2k_require_binding option
When constructing a draft9 PKINIT request, always include KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack. Do not accept a draft9 ReplyKeyPack in the KDC response. For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC support for generating a draft9 ReplyKeyPack when a draft9 PKINIT request does not contain KRB5_PADATA_AS_CHECKSUM. ticket: 7933
-rw-r--r--doc/admin/conf_files/krb5_conf.rst5
-rw-r--r--src/plugins/preauth/pkinit/pkinit.h2
-rw-r--r--src/plugins/preauth/pkinit/pkinit_clnt.c38
-rw-r--r--src/plugins/preauth/pkinit/pkinit_lib.c1
4 files changed, 4 insertions, 42 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index c6ded33d1..008ca4ce8 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1083,11 +1083,6 @@ PKINIT krb5.conf options
of the KDC certificate presented. This option may be specified
multiple times.
-**pkinit_win2k_require_binding**
- If this flag is set to true, it expects that the target KDC is
- patched to return a reply with a checksum rather than a nonce.
- The default is false.
-
.. _parameter_expansion:
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index e21fc81be..3ed43c052 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -77,7 +77,6 @@
#define KRB5_CONF_PKINIT_POOL "pkinit_pool"
#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"
-#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding"
/* Make pkiDebug(fmt,...) print, or not. */
#ifdef DEBUG
@@ -162,7 +161,6 @@ typedef struct _pkinit_req_opts {
int require_crl_checking;
int dh_size; /* initial request DH modulus size (default=1024) */
int require_hostname_match;
- int win2k_require_cksum;
} pkinit_req_opts;
/*
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 742564b27..6c2316298 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -174,13 +174,7 @@ pa_pkinit_gen_req(krb5_context context,
return_pa_data[0]->contents = (krb5_octet *) out_data->data;
*out_data = empty_data();
- /*
- * LH Beta 3 requires the extra pa-data, even for RFC requests,
- * in order to get the Checksum rather than a Nonce in the reply.
- * This can be removed when LH SP1 is released.
- */
- if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD &&
- reqctx->opts->win2k_require_cksum) {
+ if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD) {
return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval);
if (return_pa_data[1] == NULL)
goto cleanup;
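Review bot: The new `if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD)` branch is left without any comment once the "LH Beta 3" rationale is deleted, so a reader no longer sees why a second pa-data element is appended only for draft9 requests, or that this is what makes the client refuse the nonce-only draft9 ReplyKeyPack on the reply side. Suggest restoring a short why-comment above the condition, e.g. `/* For draft9 (PK_AS_REP_OLD) requests, also send KRB5_PADATA_AS_CHECKSUM so the KDC returns an RFC 4556 ReplyKeyPack bound to the request by checksum; a draft9 nonce-only ReplyKeyPack is no longer accepted. */`. The pa_type assigned to return_pa_data[1] is not visible in this hunk, so the comment should be checked against the code that follows. pa_pkinit_gen_req's body starts and ends outside the hunk.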
@@ -650,7 +644,6 @@ pkinit_as_rep_parse(krb5_context context,
krb5_pa_pk_as_rep *kdc_reply = NULL;
krb5_kdc_dh_key_info *kdc_dh = NULL;
krb5_reply_key_pack *key_pack = NULL;
- krb5_reply_key_pack_draft9 *key_pack9 = NULL;
krb5_data dh_data = { 0, 0, NULL };
unsigned char *client_key = NULL, *kdc_hostname = NULL;
unsigned int client_key_len = 0;
@@ -813,27 +806,10 @@ pkinit_as_rep_parse(krb5_context context,
print_buffer_bin(dh_data.data, dh_data.length,
"/tmp/client_key_pack");
#endif
- if ((retval = k5int_decode_krb5_reply_key_pack(&k5data,
- &key_pack)) != 0) {
+ retval = k5int_decode_krb5_reply_key_pack(&k5data, &key_pack);
+ if (retval) {
pkiDebug("failed to decode reply_key_pack\n");
- if (pa_type == KRB5_PADATA_PK_AS_REP)
- goto cleanup;
- retval = k5int_decode_krb5_reply_key_pack_draft9(&k5data,
- &key_pack9);
- if (retval) {
- pkiDebug("failed to decode reply_key_pack_draft9\n");
- goto cleanup;
- }
- pkiDebug("decode reply_key_pack_draft9\n");
- if (key_pack9->nonce != request->nonce) {
- pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n",
- key_pack9->nonce, request->nonce);
- retval = -1;
- goto cleanup;
- }
- krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
- key_block);
- break;
+ goto cleanup;
}
/*
* This is hack but Windows sends back SHA1 checksum
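Review bot: With the draft9 fallback removed, a KDC that answers a draft9 request with a nonce-only ReplyKeyPack now fails at the `k5int_decode_krb5_reply_key_pack` call with a bare ASN.1 decode error and a pkiDebug line only, so the rejection path gives an operator no hint that the KDC is unpatched rather than that the reply is corrupt. Suggest a comment at the decode stating the intent, e.g. `/* Only the RFC 4556 ReplyKeyPack (checksum-bound to the AS-REQ) is accepted; a draft9 nonce-only ReplyKeyPack fails to decode here and is rejected deliberately. */`, and, if this file already reports errors through the context's error-message mechanism, attaching an explanatory message on the `if (retval)` failure path before `goto cleanup`. This is a diagnosability point, not a correctness objection to the stricter acceptance. pkinit_as_rep_parse's body starts and ends outside the hunk.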
@@ -901,8 +877,6 @@ cleanup:
free_krb5_reply_key_pack(&key_pack);
free(cksum.contents);
}
- if (key_pack9 != NULL)
- free_krb5_reply_key_pack_draft9(&key_pack9);
free(kdc_hostname);
@@ -926,10 +900,6 @@ pkinit_client_profile(krb5_context context,
context, plgctx, reqctx, realm);
pkinit_libdefault_boolean(context, realm,
- KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING,
- reqctx->opts->win2k_require_cksum,
- &reqctx->opts->win2k_require_cksum);
- pkinit_libdefault_boolean(context, realm,
KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
reqctx->opts->require_crl_checking,
&reqctx->opts->require_crl_checking);
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index 1cbbed7f0..077080afe 100644
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -63,7 +63,6 @@ pkinit_init_req_opts(pkinit_req_opts **reqopts)
opts->dh_or_rsa = DH_PROTOCOL;
opts->require_crl_checking = 0;
opts->dh_size = PKINIT_DEFAULT_DH_MIN_BITS;
- opts->win2k_require_cksum = 0;
*reqopts = opts;