svn rev #23654: branches/krb5-1-7/src/plugins/preauth/pkinit/

Tue Jan 12 18:04:32 EST 2010

http://src.mit.edu/fisheye/changelog/krb5/?cs=23654
Commit By: tlyu
Log Message:
ticket: 6587
version_fixed: 1.7.1
status: resolved

Pull up r23492 from branches/anonymous.

 ------------------------------------------------------------------------
 r23492 | hartmans | 2009-12-23 16:09:50 -0500 (Wed, 23 Dec 2009) | 17 lines

 Subject: ad-initial-verified-cas logic broken
 ticket: 6587
 status: open

 In the initial pkinit implementation, the server plugin generates an
 incorrect encoding for ad-initial-verified-cas.  In particular, it
 assumes that ad-if-relevant takes a single authorization data element
 not a sequence of authorization data elements.  Nothing looked at the
 authorization data in 1.6.3 so this was not noticed.  However in 1.7,
 the FAST implementation looks for authorization data.  In 1.8 several
 more parts of the KDC examine authorization data.  The net result is
 that the KDC fails to process the TGT it issues.

 However on top of this bug, there is a spec problem.  For many of its
 intended uses, ad-initial-verified-cas needs to be integrity
 protected by the KDC in order to prevent a client from injecting it.
 So, it should be contained in kdc-issued not ad-if-relevant.

 For now we're simply removing the generation of this AD element until
 the spec is clarified.

------------------------------------------------------------------------


Changed Files:
U   branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c
Modified: branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================

--- branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c	2010-01-12 23:03:56 UTC (rev 23653)
+++ branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c	2010-01-12 23:04:32 UTC (rev 23654)
@@ -579,66 +579,13 @@
 
     /* return authorization data to be included in the ticket */
     switch ((int)data->pa_type) {
-	case KRB5_PADATA_PK_AS_REQ:
-	    my_authz_data = malloc(2 * sizeof(*my_authz_data));
-	    if (my_authz_data == NULL) {
-		retval = ENOMEM;
-		pkiDebug("Couldn't allocate krb5_authdata ptr array\n");
-		goto cleanup;
-	    }
-	    my_authz_data[1] = NULL;
-	    my_authz_data[0] = malloc(sizeof(krb5_authdata));
-	    if (my_authz_data[0] == NULL) {
-		retval = ENOMEM;
-		pkiDebug("Couldn't allocate krb5_authdata\n");
-		free(my_authz_data);
-		goto cleanup;
-	    }
-	    /* AD-INITIAL-VERIFIED-CAS must be wrapped in AD-IF-RELEVANT */
-	    my_authz_data[0]->magic = KV5M_AUTHDATA;
-	    my_authz_data[0]->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
-
-	    /* create an internal AD-INITIAL-VERIFIED-CAS data */
-	    pkinit_authz_data = malloc(sizeof(krb5_authdata));
-	    if (pkinit_authz_data == NULL) {
-		retval = ENOMEM;
-		pkiDebug("Couldn't allocate krb5_authdata\n");
-		free(my_authz_data[0]);
-		free(my_authz_data);
-		goto cleanup;
-	    }
-	    pkinit_authz_data->ad_type = KRB5_AUTHDATA_INITIAL_VERIFIED_CAS;
-	    /* content of this ad-type contains the certification
-	       path with which the client certificate was validated
-	     */
-	    pkinit_authz_data->contents = krb5_authz.data;
-	    pkinit_authz_data->length = krb5_authz.length;
-	    retval = k5int_encode_krb5_authdata_elt(pkinit_authz_data, 
-			    &encoded_pkinit_authz_data);
-#ifdef DEBUG_ASN1
-	    print_buffer_bin((unsigned char *)encoded_pkinit_authz_data->data,
-			     encoded_pkinit_authz_data->length,
-			     "/tmp/kdc_pkinit_authz_data");
-#endif
-	    free(pkinit_authz_data);
-	    if (retval) {
-		pkiDebug("k5int_encode_krb5_authdata_elt failed\n");
-		free(my_authz_data[0]);
-		free(my_authz_data);
-		goto cleanup;
-	    }
-
-	    my_authz_data[0]->contents =
-			    (krb5_octet *) encoded_pkinit_authz_data->data;
-	    my_authz_data[0]->length = encoded_pkinit_authz_data->length;
-	    *authz_data = my_authz_data;
-	    pkiDebug("Returning %d bytes of authorization data\n", 
-		     krb5_authz.length);
-	    encoded_pkinit_authz_data->data = NULL; /* Don't free during cleanup*/
-	    free(encoded_pkinit_authz_data);
-	    break;
-	default: 
-	    *authz_data = NULL;
+	/*
+	 * This code used to generate ad-initial-verified-cas authorization data.
+	 * However that has been removed until the ad-kdc-issued discussion can happen
+	 * in the working group.  Dec 2009
+	 */
+    default:
+	*authz_data = NULL;
     }
     /* remember to set the PREAUTH flag in the reply */
     enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;


