diff options
| author | Greg Hudson <ghudson@mit.edu> | 2014-06-06 22:48:04 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2014-06-12 13:16:24 -0400 |
| commit | cd06659844f9671d6ca9955fa6d3ee6e0806c7f1 (patch) | |
| tree | a8063e90ebfab8cbd5de1766566e5d66c62423cd | |
| parent | 677c7753923e5efa078074611d4474fbcc10f6a1 (diff) | |
| download | krb5-cd06659844f9671d6ca9955fa6d3ee6e0806c7f1.tar.gz krb5-cd06659844f9671d6ca9955fa6d3ee6e0806c7f1.tar.xz krb5-cd06659844f9671d6ca9955fa6d3ee6e0806c7f1.zip | |
Remove PKINIT longhorn compatibility option
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable. It is not required to
interoperate with any released version of Windows.
ticket: 7934 (new)
| -rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 3 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit.h | 15 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 70 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 199 |
4 files changed, 45 insertions, 242 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 387da6062..c6ded33d1 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -1055,9 +1055,6 @@ PKINIT krb5.conf options times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). -**pkinit_longhorn** - If this flag is set to true, we are talking to the Longhorn KDC. - **pkinit_pool** Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h index 328dee5b7..e21fc81be 100644 --- a/src/plugins/preauth/pkinit/pkinit.h +++ b/src/plugins/preauth/pkinit/pkinit.h @@ -40,20 +40,6 @@ #include "pkinit_accessor.h" #include "pkinit_trace.h" -/* - * It is anticipated that all the special checks currently - * required when talking to a Longhorn server will go away - * by the time it is officially released and all references - * to the longhorn global can be removed and any code - * #ifdef'd with LONGHORN_BETA_COMPAT can be removed. - * And this #define! - */ -#define LONGHORN_BETA_COMPAT 1 -#ifdef LONGHORN_BETA_COMPAT -extern int longhorn; /* XXX Talking to a Longhorn server? */ -#endif - - #ifndef WITHOUT_PKCS11 #include "pkcs11.h" @@ -88,7 +74,6 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */ #define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity" #define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname" #define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp" -#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn" #define KRB5_CONF_PKINIT_POOL "pkinit_pool" #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking" #define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke" diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index b1c92dd02..742564b27 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -43,19 +43,6 @@ #include "pkinit.h" #include "k5-json.h" -/* - * It is anticipated that all the special checks currently - * required when talking to a Longhorn server will go away - * by the time it is officially released and all references - * to the longhorn global can be removed and any code - * #ifdef'd with LONGHORN_BETA_COMPAT can be removed. - * - * Current testing (20070620) is against a patched Beta 3 - * version of Longhorn. Most, if not all, problems should - * be fixed in SP1 of Longhorn. - */ -int longhorn = 0; /* Talking to a Longhorn server? */ - /** * Return true if we should use ContentInfo rather than SignedData. This * happens if we are talking to what might be an old (pre-6112) MIT KDC and @@ -192,8 +179,8 @@ pa_pkinit_gen_req(krb5_context context, * in order to get the Checksum rather than a Nonce in the reply. * This can be removed when LH SP1 is released. */ - if ((return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD - && reqctx->opts->win2k_require_cksum) || (longhorn == 1)) { + if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD && + reqctx->opts->win2k_require_cksum) { return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval); if (return_pa_data[1] == NULL) goto cleanup; @@ -829,34 +816,24 @@ pkinit_as_rep_parse(krb5_context context, if ((retval = k5int_decode_krb5_reply_key_pack(&k5data, &key_pack)) != 0) { pkiDebug("failed to decode reply_key_pack\n"); -#ifdef LONGHORN_BETA_COMPAT - /* - * LH Beta 3 requires the extra pa-data, even for RFC requests, - * in order to get the Checksum rather than a Nonce in the reply. - * This can be removed when LH SP1 is released. - */ - if (pa_type == KRB5_PADATA_PK_AS_REP && longhorn == 0) -#else - if (pa_type == KRB5_PADATA_PK_AS_REP) -#endif - goto cleanup; - else { - if ((retval = - k5int_decode_krb5_reply_key_pack_draft9(&k5data, - &key_pack9)) != 0) { - pkiDebug("failed to decode reply_key_pack_draft9\n"); - goto cleanup; - } - pkiDebug("decode reply_key_pack_draft9\n"); - if (key_pack9->nonce != request->nonce) { - pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n", key_pack9->nonce, request->nonce); - retval = -1; - goto cleanup; - } - krb5_copy_keyblock_contents(context, &key_pack9->replyKey, - key_block); - break; - } + if (pa_type == KRB5_PADATA_PK_AS_REP) + goto cleanup; + retval = k5int_decode_krb5_reply_key_pack_draft9(&k5data, + &key_pack9); + if (retval) { + pkiDebug("failed to decode reply_key_pack_draft9\n"); + goto cleanup; + } + pkiDebug("decode reply_key_pack_draft9\n"); + if (key_pack9->nonce != request->nonce) { + pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n", + key_pack9->nonce, request->nonce); + retval = -1; + goto cleanup; + } + krb5_copy_keyblock_contents(context, &key_pack9->replyKey, + key_block); + break; } /* * This is hack but Windows sends back SHA1 checksum @@ -986,13 +963,6 @@ pkinit_client_profile(krb5_context context, } free(eku_string); } -#ifdef LONGHORN_BETA_COMPAT - /* Temporarily just set global flag from config file */ - pkinit_libdefault_boolean(context, realm, - KRB5_CONF_PKINIT_LONGHORN, - 0, - &longhorn); -#endif /* Only process anchors here if they were not specified on command line */ if (reqctx->idopts->anchors == NULL) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 1d6b0cd7a..08fdc24ff 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -155,16 +155,9 @@ create_krb5_invalidCertificates(krb5_context context, static krb5_error_code create_identifiers_from_stack(STACK_OF(X509) *sk, krb5_external_principal_identifier *** ids); -#ifdef LONGHORN_BETA_COMPAT -static int -wrap_signeddata(unsigned char *data, unsigned int data_len, - unsigned char **out, unsigned int *out_len, - int is_longhorn_server); -#else static int wrap_signeddata(unsigned char *data, unsigned int data_len, unsigned char **out, unsigned int *out_len); -#endif static char * pkinit_pkcs11_code_to_text(int err); @@ -1953,29 +1946,6 @@ cms_envelopeddata_verify(krb5_context context, * For draft9-compatible, we don't do anything because it * is already wrapped. */ -#ifdef LONGHORN_BETA_COMPAT - /* - * The Longhorn server returns the expected RFC-style data, but - * it is missing the sequence tag and length, so it requires - * special processing when wrapping. - * This will hopefully be fixed before the final release and - * this can all be removed. - */ - if (msg_type == CMS_ENVEL_SERVER || longhorn == 1) { - retval = wrap_signeddata(tmp_buf, tmp_buf_len, - &tmp_buf2, &tmp_buf2_len, longhorn); - if (retval) { - pkiDebug("failed to encode signeddata\n"); - goto cleanup; - } - vfy_buf = tmp_buf2; - vfy_buf_len = tmp_buf2_len; - - } else { - vfy_buf = tmp_buf; - vfy_buf_len = tmp_buf_len; - } -#else if (msg_type == CMS_ENVEL_SERVER) { retval = wrap_signeddata(tmp_buf, tmp_buf_len, &tmp_buf2, &tmp_buf2_len); @@ -1990,7 +1960,6 @@ cms_envelopeddata_verify(krb5_context context, vfy_buf = tmp_buf; vfy_buf_len = tmp_buf_len; } -#endif #ifdef DEBUG_ASN1 print_buffer_bin(vfy_buf, vfy_buf_len, "/tmp/client_enc_keypack2"); @@ -3458,112 +3427,6 @@ pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type) } -#ifdef LONGHORN_BETA_COMPAT -#if 0 -/* - * This is a version that worked with Longhorn Beta 3. - */ -static int -wrap_signeddata(unsigned char *data, unsigned int data_len, - unsigned char **out, unsigned int *out_len, - int is_longhorn_server) -{ - - unsigned int orig_len = 0, oid_len = 0, tot_len = 0; - ASN1_OBJECT *oid = NULL; - unsigned char *p = NULL; - - pkiDebug("%s: This is the Longhorn version and is_longhorn_server = %d\n", - __FUNCTION__, is_longhorn_server); - - /* Get length to wrap the original data with SEQUENCE tag */ - tot_len = orig_len = ASN1_object_size(1, (int)data_len, V_ASN1_SEQUENCE); - - if (is_longhorn_server == 0) { - /* Add the signedData OID and adjust lengths */ - oid = OBJ_nid2obj(NID_pkcs7_signed); - oid_len = i2d_ASN1_OBJECT(oid, NULL); - - tot_len = ASN1_object_size(1, (int)(orig_len+oid_len), V_ASN1_SEQUENCE); - } - - p = *out = malloc(tot_len); - if (p == NULL) return -1; - - if (is_longhorn_server == 0) { - ASN1_put_object(&p, 1, (int)(orig_len+oid_len), - V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); - - i2d_ASN1_OBJECT(oid, &p); - - ASN1_put_object(&p, 1, (int)data_len, 0, V_ASN1_CONTEXT_SPECIFIC); - } else { - ASN1_put_object(&p, 1, (int)data_len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); - } - memcpy(p, data, data_len); - - *out_len = tot_len; - - return 0; -} -#else -/* - * This is a version that works with a patched Longhorn KDC. - * (Which should match SP1 ??). - */ -static int -wrap_signeddata(unsigned char *data, unsigned int data_len, - unsigned char **out, unsigned int *out_len, - int is_longhorn_server) -{ - - unsigned int oid_len = 0, tot_len = 0, wrap_len = 0, tag_len = 0; - ASN1_OBJECT *oid = NULL; - unsigned char *p = NULL; - - pkiDebug("%s: This is the Longhorn version and is_longhorn_server = %d\n", - __FUNCTION__, is_longhorn_server); - - /* New longhorn is missing another sequence */ - if (is_longhorn_server == 1) - wrap_len = ASN1_object_size(1, (int)(data_len), V_ASN1_SEQUENCE); - else - wrap_len = data_len; - - /* Get length to wrap the original data with SEQUENCE tag */ - tag_len = ASN1_object_size(1, (int)wrap_len, V_ASN1_SEQUENCE); - - /* Always add oid */ - oid = OBJ_nid2obj(NID_pkcs7_signed); - oid_len = i2d_ASN1_OBJECT(oid, NULL); - oid_len += tag_len; - - tot_len = ASN1_object_size(1, (int)(oid_len), V_ASN1_SEQUENCE); - - p = *out = malloc(tot_len); - if (p == NULL) - return -1; - - ASN1_put_object(&p, 1, (int)(oid_len), - V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); - - i2d_ASN1_OBJECT(oid, &p); - - ASN1_put_object(&p, 1, (int)wrap_len, 0, V_ASN1_CONTEXT_SPECIFIC); - - /* Wrap in extra seq tag */ - if (is_longhorn_server == 1) { - ASN1_put_object(&p, 1, (int)data_len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); - } - memcpy(p, data, data_len); - - *out_len = tot_len; - - return 0; -} - -#endif -#else static int wrap_signeddata(unsigned char *data, unsigned int data_len, unsigned char **out, unsigned int *out_len) @@ -3597,7 +3460,6 @@ wrap_signeddata(unsigned char *data, unsigned int data_len, return 0; } -#endif static int prepare_enc_data(unsigned char *indata, @@ -5643,50 +5505,39 @@ create_identifiers_from_stack(STACK_OF(X509) *sk, krb5_cas[i]->issuerAndSerialNumber.magic = 0; krb5_cas[i]->issuerAndSerialNumber.data = NULL; -#ifdef LONGHORN_BETA_COMPAT - if (longhorn == 0) { /* XXX Longhorn doesn't like this */ -#endif - is = PKCS7_ISSUER_AND_SERIAL_new(); - X509_NAME_set(&is->issuer, X509_get_issuer_name(x)); - M_ASN1_INTEGER_free(is->serial); - is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x)); - len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL); - if ((p = malloc((size_t) len)) == NULL) - goto cleanup; - krb5_cas[i]->issuerAndSerialNumber.data = (char *)p; - i2d_PKCS7_ISSUER_AND_SERIAL(is, &p); - krb5_cas[i]->issuerAndSerialNumber.length = len; -#ifdef LONGHORN_BETA_COMPAT - } -#endif + is = PKCS7_ISSUER_AND_SERIAL_new(); + X509_NAME_set(&is->issuer, X509_get_issuer_name(x)); + M_ASN1_INTEGER_free(is->serial); + is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x)); + len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL); + p = malloc(len); + if (p == NULL) + goto cleanup; + krb5_cas[i]->issuerAndSerialNumber.data = (char *)p; + i2d_PKCS7_ISSUER_AND_SERIAL(is, &p); + krb5_cas[i]->issuerAndSerialNumber.length = len; /* fill-in subjectKeyIdentifier */ krb5_cas[i]->subjectKeyIdentifier.length = 0; krb5_cas[i]->subjectKeyIdentifier.magic = 0; krb5_cas[i]->subjectKeyIdentifier.data = NULL; - -#ifdef LONGHORN_BETA_COMPAT - if (longhorn == 0) { /* XXX Longhorn doesn't like this */ -#endif - if (X509_get_ext_by_NID(x, NID_subject_key_identifier, -1) >= 0) { - ASN1_OCTET_STRING *ikeyid = NULL; - - if ((ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, - NULL))) { - len = i2d_ASN1_OCTET_STRING(ikeyid, NULL); - if ((p = malloc((size_t) len)) == NULL) - goto cleanup; - krb5_cas[i]->subjectKeyIdentifier.data = (char *)p; - i2d_ASN1_OCTET_STRING(ikeyid, &p); - krb5_cas[i]->subjectKeyIdentifier.length = len; - } - if (ikeyid != NULL) - ASN1_OCTET_STRING_free(ikeyid); + if (X509_get_ext_by_NID(x, NID_subject_key_identifier, -1) >= 0) { + ASN1_OCTET_STRING *ikeyid; + + ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, + NULL); + if (ikeyid != NULL) { + len = i2d_ASN1_OCTET_STRING(ikeyid, NULL); + p = malloc(len); + if (p == NULL) + goto cleanup; + krb5_cas[i]->subjectKeyIdentifier.data = (char *)p; + i2d_ASN1_OCTET_STRING(ikeyid, &p); + krb5_cas[i]->subjectKeyIdentifier.length = len; + ASN1_OCTET_STRING_free(ikeyid); } -#ifdef LONGHORN_BETA_COMPAT } -#endif if (is != NULL) { if (is->issuer != NULL) X509_NAME_free(is->issuer); |