svn rev #22385: branches/krb5-1-7/src/plugins/preauth/pkinit/

tlyu@MIT.EDU tlyu at MIT.EDU
Tue May 26 03:58:28 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22385
Commit By: tlyu
Log Message:
ticket: 6501
version_fixed: 1.7

pull up r22381 from trunk
 ------------------------------------------------------------------------
 r22381 | ghudson | 2009-05-25 18:40:00 +0200 (Mon, 25 May 2009) | 10 lines

 ticket: 6501
 subject: Temporarily disable FAST PKINIT for 1.7 release
 tags: pullup
 target_version: 1.7

 There are protocol issues and implementation defects surrounding the
 combination of FAST and PKINIT currently.  To avoid impacting the 1.7
 schedule and to avoid creating interoperability problems later,
 disable the combination until the problems are resolved.


Changed Files:
U   branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c
U   branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c
Modified: branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c
===================================================================
--- branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c	2009-05-25 21:48:49 UTC (rev 22384)
+++ branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c	2009-05-26 07:58:28 UTC (rev 22385)
@@ -40,6 +40,9 @@
 
 #include "pkinit.h"
 
+/* Remove when FAST PKINIT is settled. */
+#include "../fast_factor.h"
+
 #ifdef LONGHORN_BETA_COMPAT
 /*
  * It is anticipated that all the special checks currently
@@ -1027,10 +1030,19 @@
     int processing_request = 0;
     pkinit_context plgctx = (pkinit_context)plugin_context;
     pkinit_req_context reqctx = (pkinit_req_context)request_context;
+    krb5_keyblock *armor_key = NULL;
 
     pkiDebug("pkinit_client_process %p %p %p %p\n",
 	     context, plgctx, reqctx, request);
 
+    /* Remove (along with armor_key) when FAST PKINIT is settled. */
+    retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);
+    if (retval == 0 && armor_key != NULL) {
+	/* Don't use PKINIT if also using FAST. */
+	krb5_free_keyblock(context, armor_key);
+	return EINVAL;
+    }
+
     if (plgctx == NULL || reqctx == NULL)
 	return EINVAL;
 
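Review bot: On the added `retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);` line, a nonzero return is not handled: retval keeps the lookup's error code and execution falls through into the normal PKINIT path, so if any later return path in pkinit_client_process hands back retval without reassigning it, the armor-key lookup's error would be reported instead of the real result. Storing the result in its own local, e.g. `krb5_error_code fast_ret = fast_get_armor_key(context, get_data_proc, rock, &armor_key);` and testing `fast_ret == 0 && armor_key != NULL`, or resetting `retval = 0;` after the check, avoids the question. Continuing on a failed lookup also means PKINIT stays enabled when the presence of FAST could not be determined; this may be intended, but a one-line comment stating that a lookup failure is treated as "no FAST" would make the choice explicit. The same pattern appears in the pkinit_server_get_edata and pkinit_verify_padata hunks of pkinit_srv.c. pkinit_client_process starts and ends outside this hunk.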

Modified: branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================
--- branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c	2009-05-25 21:48:49 UTC (rev 22384)
+++ branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c	2009-05-26 07:58:28 UTC (rev 22385)
@@ -35,6 +35,9 @@
 
 #include "pkinit.h"
 
+/* Remove when FAST PKINIT is settled. */
+#include "../fast_factor.h"
+
 static krb5_error_code
 pkinit_server_get_edata(krb5_context context,
 			krb5_kdc_req * request,
@@ -146,9 +149,19 @@
 {
     krb5_error_code retval = 0;
     pkinit_kdc_context plgctx = NULL;
+    krb5_keyblock *armor_key = NULL;
 
     pkiDebug("pkinit_server_get_edata: entered!\n");
 
+    /* Remove (along with armor_key) when FAST PKINIT is settled. */
+    retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
+				    client, &armor_key);
+    if (retval == 0 && armor_key != NULL) {
+	/* Don't advertise PKINIT if the client used FAST. */
+	krb5_free_keyblock(context, armor_key);
+	return EINVAL;
+    }
+
     /*
      * If we don't have a realm context for the given realm,
      * don't tell the client that we support pkinit! 
@@ -344,11 +357,21 @@
     krb5_authdata **my_authz_data = NULL, *pkinit_authz_data = NULL;
     krb5_kdc_req *tmp_as_req = NULL;
     krb5_data k5data;
+    krb5_keyblock *armor_key;
 
     pkiDebug("pkinit_verify_padata: entered!\n");
     if (data == NULL || data->length <= 0 || data->contents == NULL)
 	return 0;
 
+    /* Remove (along with armor_key) when FAST PKINIT is settled. */
+    retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
+				    client, &armor_key);
+    if (retval == 0 && armor_key != NULL) {
+	/* Don't allow PKINIT if the client used FAST. */
+	krb5_free_keyblock(context, armor_key);
+	return EINVAL;
+    }
+
     if (pa_plugin_context == NULL || e_data == NULL)
 	return EINVAL;
 
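Review bot: The added `krb5_keyblock *armor_key;` in pkinit_verify_padata is the only one of the three new declarations without an initializer; the sibling sites in pkinit_client_process and pkinit_server_get_edata both use `krb5_keyblock *armor_key = NULL;`. Correctness here currently depends on `retval == 0 &&` short-circuiting before armor_key is read, which is a fragile thing to rely on if the condition is ever reordered or the callee fails without writing the out-parameter. Initializing it to NULL as in the other two hunks removes the dependency and keeps the three temporary checks identical, which matters for code marked to be removed together later. pkinit_verify_padata starts and ends outside this hunk.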



