svn rev #25830: trunk/src/ include/ kadmin/cli/ kdc/ lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Thu Apr 26 17:46:57 EDT 2012
http://src.mit.edu/fisheye/changelog/krb5/?cs=25830
Commit By: ghudson
Log Message:
Remove orphaned Apple PKINIT support
Changed Files:
D trunk/src/include/pkinit_apple_utils.h
D trunk/src/include/pkinit_asn1.h
D trunk/src/include/pkinit_cert_store.h
D trunk/src/include/pkinit_client.h
D trunk/src/include/pkinit_cms.h
U trunk/src/kadmin/cli/kadmin.c
U trunk/src/kdc/do_as_req.c
U trunk/src/kdc/kdc_preauth.c
D trunk/src/kdc/pkinit_apple_server.c
D trunk/src/kdc/pkinit_server.h
U trunk/src/lib/krb5/krb/get_in_tkt.c
D trunk/src/lib/krb5/krb/pkinit_apple_asn1.c
D trunk/src/lib/krb5/krb/pkinit_apple_cert_store.c
D trunk/src/lib/krb5/krb/pkinit_apple_client.c
D trunk/src/lib/krb5/krb/pkinit_apple_cms.c
D trunk/src/lib/krb5/krb/pkinit_apple_utils.c
U trunk/src/lib/krb5/krb/preauth2.c
U trunk/src/lib/krb5/krb/str_conv.c
Modified: trunk/src/kadmin/cli/kadmin.c
===================================================================
--- trunk/src/kadmin/cli/kadmin.c 2012-04-26 13:11:09 UTC (rev 25829)
+++ trunk/src/kadmin/cli/kadmin.c 2012-04-26 21:46:57 UTC (rev 25830)
@@ -943,9 +943,6 @@
kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
long *mask, char **pass, krb5_boolean *randkey,
krb5_key_salt_tuple **ks_tuple, int *n_ks_tuple,
-#if APPLE_PKINIT
- char **cert_hash,
-#endif /* APPLE_PKINIT */
char *caller)
{
int i, attrib_set;
@@ -958,9 +955,6 @@
*pass = NULL;
*n_ks_tuple = 0;
*ks_tuple = NULL;
-#if APPLE_PKINIT
- *cert_hash = NULL;
-#endif /* APPLE_PKINIT */
time(&now);
*randkey = FALSE;
for (i = 1; i < argc - 1; i++) {
@@ -1069,16 +1063,6 @@
*randkey = TRUE;
continue;
}
-#if APPLE_PKINIT
- if (strlen(argv[i]) == 9 && !strcmp("-certhash", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- *cert_hash = argv[i];
- continue;
- }
- }
-#endif /* APPLE_PKINIT */
if (strlen(argv[i]) == 7 && !strcmp("-unlock", argv[i])) {
unlock_princ(oprinc, mask, caller);
continue;
@@ -1211,32 +1195,17 @@
krb5_error_code retval;
char newpw[1024], dummybuf[256];
static char prompt1[1024], prompt2[1024];
-#if APPLE_PKINIT
- char *cert_hash = NULL;
-#endif /* APPLE_PKINIT */
/* Zero all fields in request structure */
memset(&princ, 0, sizeof(princ));
princ.attributes = 0;
if (kadmin_parse_princ_args(argc, argv, &princ, &mask, &pass, &randkey,
- &ks_tuple, &n_ks_tuple,
-#if APPLE_PKINIT
- &cert_hash,
-#endif /* APPLE_PKINIT */
- "add_principal")) {
+ &ks_tuple, &n_ks_tuple, "add_principal")) {
kadmin_addprinc_usage();
goto cleanup;
}
-#if APPLE_PKINIT
- if(cert_hash != NULL) {
- fprintf(stderr,
- "add_principal: -certhash not allowed; use modify_principal\n");
- goto cleanup;
- }
-#endif /* APPLE_PKINIT */
-
retval = krb5_unparse_name(context, princ.principal, &canon);
if (retval) {
com_err("add_principal", retval, _("while canonicalizing principal"));
@@ -1334,9 +1303,6 @@
krb5_boolean randkey = FALSE;
int n_ks_tuple = 0;
krb5_key_salt_tuple *ks_tuple = NULL;
-#if APPLE_PKINIT
- char *cert_hash = NULL;
-#endif /* APPLE_PKINIT */
if (argc < 2) {
kadmin_modprinc_usage();
@@ -1369,41 +1335,11 @@
&princ, &mask,
&pass, &randkey,
&ks_tuple, &n_ks_tuple,
-#if APPLE_PKINIT
- &cert_hash,
-#endif /* APPLE_PKINIT */
"modify_principal");
if (retval || ks_tuple != NULL || randkey || pass) {
kadmin_modprinc_usage();
goto cleanup;
}
-#if APPLE_PKINIT
- if (cert_hash) {
- /*
- * Use something other than the 1st preferred enctype here for fallback
- * to pwd authentication
- */
- krb5_key_salt_tuple key_salt = {ENCTYPE_ARCFOUR_HMAC, KRB5_KDB_SALTTYPE_CERTHASH};
- krb5_keyblock keyblock;
- kadm5_ret_t kadmin_rtn;
-
- keyblock.magic = KV5M_KEYBLOCK;
- keyblock.enctype = ENCTYPE_ARCFOUR_HMAC;
- keyblock.length = strlen(cert_hash);
- keyblock.contents = (krb5_octet *)cert_hash;
- kadmin_rtn = kadm5_setkey_principal_3(handle, kprinc,
- TRUE, /* keepold - we're appending */
- 1, &key_salt,
- &keyblock, 1);
- if (kadmin_rtn) {
- com_err("modify_principal", kadmin_rtn,
- "while adding certhash for \"%s\".", canon);
- printf("realm %s data %s\n", (char *)kprinc->realm.data, (char *)kprinc->data->data);
- goto cleanup;
- }
- retval = 0;
- }
-#endif /* APPLE_PKINIT */
if (mask) {
/* Skip this if all we're doing is setting certhash. */
retval = kadm5_modify_principal(handle, &princ, mask);
Modified: trunk/src/kdc/do_as_req.c
===================================================================
--- trunk/src/kdc/do_as_req.c 2012-04-26 13:11:09 UTC (rev 25829)
+++ trunk/src/kdc/do_as_req.c 2012-04-26 21:46:57 UTC (rev 25830)
@@ -73,15 +73,6 @@
#include "adm_proto.h"
#include "extern.h"
-#if APPLE_PKINIT
-#define AS_REQ_DEBUG 0
-#if AS_REQ_DEBUG
-#define asReqDebug(args...) printf(args)
-#else
-#define asReqDebug(args...)
-#endif
-#endif /* APPLE_PKINIT */
-
static krb5_error_code
prepare_error_as(struct kdc_request_state *, krb5_kdc_req *,
int, krb5_pa_data **, krb5_boolean, krb5_principal,
@@ -254,13 +245,6 @@
goto egress;
}
-#if APPLE_PKINIT
- asReqDebug("process_as_req reply realm %s name %s\n",
- reply.client->realm.data, reply.client->data->data);
-#endif /* APPLE_PKINIT */
-
-
-
errcode = handle_authdata(kdc_context,
state->c_flags,
state->client,
@@ -475,11 +459,6 @@
state->req_pkt = req_pkt;
state->from = from;
-#if APPLE_PKINIT
- asReqDebug("process_as_req top realm %s name %s\n",
- request->client->realm.data, request->client->data->data);
-#endif /* APPLE_PKINIT */
-
if (state->request->msg_type != KRB5_AS_REQ) {
state->status = "msg_type mismatch";
errcode = KRB5_BADMSGTYPE;
Modified: trunk/src/kdc/kdc_preauth.c
===================================================================
--- trunk/src/kdc/kdc_preauth.c 2012-04-26 13:11:09 UTC (rev 25829)
+++ trunk/src/kdc/kdc_preauth.c 2012-04-26 21:46:57 UTC (rev 25830)
@@ -81,10 +81,6 @@
#include "extern.h"
#include <stdio.h>
#include "adm_proto.h"
-#if APPLE_PKINIT
-#include "pkinit_server.h"
-#include "pkinit_cert_store.h"
-#endif /* APPLE_PKINIT */
#include <syslog.h>
@@ -149,59 +145,9 @@
krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq);
-#if APPLE_PKINIT
-/* PKINIT preauth support */
-static krb5_error_code get_pkinit_edata(
- krb5_context context,
- krb5_kdc_req *request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- krb5_pa_data *pa_data);
-static krb5_error_code verify_pkinit_request(
- krb5_context context,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data);
-static krb5_error_code return_pkinit_response(
- krb5_context context,
- krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc get_entry_data,
- void *pa_module_context,
- void **pa_request_context);
-#endif /* APPLE_PKINIT */
static preauth_system static_preauth_systems[] = {
-#if APPLE_PKINIT
{
- "pkinit",
- KRB5_PADATA_PK_AS_REQ,
- PA_SUFFICIENT,
- NULL, /* pa_sys_context */
- NULL, /* init */
- NULL, /* fini */
- get_pkinit_edata,
- verify_pkinit_request,
- return_pkinit_response,
- NULL /* free_modreq */
- },
-#endif /* APPLE_PKINIT */
- {
"FAST",
KRB5_PADATA_FX_FAST,
PA_HARDWARE,
@@ -1646,458 +1592,7 @@
return retval;
}
-
-
-#if APPLE_PKINIT
-/* PKINIT preauth support */
-#define PKINIT_DEBUG 0
-#if PKINIT_DEBUG
-#define kdcPkinitDebug(args...) printf(args)
-#else
-#define kdcPkinitDebug(args...)
-#endif
-
/*
- * get_edata() - our only job is to determine whether this KDC is capable of
- * performing PKINIT. We infer that from the presence or absence of any
- * KDC signing cert.
- */
-static krb5_error_code get_pkinit_edata(
- krb5_context context,
- krb5_kdc_req *request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- preauth_get_entry_data_proc pkinit_get_entry_data,
- void *pa_module_context,
- krb5_pa_data *pa_data)
-{
- krb5_pkinit_signing_cert_t cert = NULL;
- krb5_error_code err = krb5_pkinit_get_kdc_cert(0, NULL, NULL, &cert);
-
- kdcPkinitDebug("get_pkinit_edata: kdc cert %s\n", err ? "NOT FOUND" : "FOUND");
- if(cert) {
- krb5_pkinit_release_cert(cert);
- }
- return err;
-}
-
-/*
- * This is 0 only for testing until the KDC DB contains
- * the hash of the client cert
- */
-#define REQUIRE_CLIENT_CERT_MATCH 1
-
-static krb5_error_code verify_pkinit_request(
- krb5_context context,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- preauth_get_entry_data_proc pkinit_get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data)
-{
- krb5_error_code krtn;
- krb5_data pa_data;
- krb5_data *der_req = NULL;
- krb5_boolean valid_cksum;
- char *cert_hash = NULL;
- unsigned cert_hash_len;
- unsigned key_dex;
- unsigned cert_match = 0;
- krb5_keyblock decrypted_key, *mkey_ptr;
-
- /* the data we get from the AS-REQ */
- krb5_timestamp client_ctime = 0;
- krb5_ui_4 client_cusec = 0;
- krb5_timestamp kdc_ctime = 0;
- krb5_int32 kdc_cusec = 0;
- krb5_ui_4 nonce = 0;
- krb5_checksum pa_cksum;
- krb5int_cert_sig_status cert_sig_status;
- krb5_data client_cert = {0, 0, NULL};
-
- krb5_kdc_req *tmp_as_req = NULL;
-
- kdcPkinitDebug("verify_pkinit_request\n");
-
- decrypted_key.contents = NULL;
- pa_data.data = (char *)data->contents;
- pa_data.length = data->length;
- krtn = krb5int_pkinit_as_req_parse(context, &pa_data,
- &client_ctime, &client_cusec,
- &nonce, &pa_cksum,
- &cert_sig_status,
- NULL, NULL,/* num_cms_types, cms_types */
- &client_cert, /* signer_cert */
- /* remaining fields unused (for now) */
- NULL, NULL,/* num_all_certs, all_certs */
- NULL, NULL,/* num_trusted_CAs, trusted_CAs */
- NULL); /* kdc_cert */
- if(krtn) {
- kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n",
- (int)krtn);
- return krtn;
- }
-#if PKINIT_DEBUG
- if(cert_sig_status != pki_cs_good) {
- kdcPkinitDebug("verify_pkinit_request: cert_sig_status %d\n",
- (int)cert_sig_status);
- }
-#endif /* PKINIT_DEBUG */
-
- /*
- * Verify signature and cert.
- * FIXME: The spec calls for an e-data with error-specific type to be
- * returned on error here. TD_TRUSTED_CERTIFIERS
- * to be returned to the client here. There is no way for a preauth
- * module to pass back e-data to process_as_req at this time. We
- * might want to add such capability via an out param to check_padata
- * and to its callees.
- */
- switch(cert_sig_status) {
- case pki_cs_good:
- break;
- case pki_cs_sig_verify_fail:
- /* no e-data */
- krtn = KDC_ERR_INVALID_SIG;
- goto cleanup;
- case pki_cs_no_root:
- case pki_cs_unknown_root:
- case pki_cs_untrusted:
- /*
- * Can't verify to known root.
- * e-data TD_TRUSTED_CERTIFIERS
- */
- kdcPkinitDebug("verify_pkinit_request: KDC_ERR_CANT_VERIFY_CERTIFICATE\n");
- krtn = KDC_ERR_CANT_VERIFY_CERTIFICATE;
- goto cleanup;
- case pki_cs_bad_leaf:
- case pki_cs_expired:
- case pki_cs_not_valid_yet:
- /*
- * Problems with client cert itself.
- * e-data type TD_INVALID_CERTIFICATES
- */
- krtn = KDC_ERR_INVALID_CERTIFICATE;
- goto cleanup;
- case pki_cs_revoked:
- /* e-data type TD-INVALID-CERTIFICATES */
- krtn = KDC_ERR_REVOKED_CERTIFICATE;
- goto cleanup;
- case pki_bad_key_use:
- krtn = KDC_ERR_INCONSISTENT_KEY_PURPOSE;
- /* no e-data */
- goto cleanup;
- case pki_bad_digest:
- /* undefined (explicitly!) e-data */
- krtn = KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
- goto cleanup;
- case pki_bad_cms:
- case pki_cs_other_err:
- default:
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto cleanup;
- }
-
- krtn = krb5_us_timeofday(context, &kdc_ctime, &kdc_cusec);
- if(krtn) {
- goto cleanup;
- }
- if (labs(kdc_ctime - client_ctime) > context->clockskew) {
- kdcPkinitDebug("verify_pkinit_request: clock skew violation client %d svr %d\n",
- (int)client_ctime, (int)kdc_ctime);
- krtn = KRB5KRB_AP_ERR_SKEW;
- goto cleanup;
- }
-
- /*
- * The KDC may have modified the request after decoding it.
- * We need to compute the checksum on the data that
- * came from the client. Therefore, we use the original
- * packet contents.
- */
- krtn = decode_krb5_as_req(req_pkt, &tmp_as_req);
- if(krtn) {
- kdcPkinitDebug("decode_krb5_as_req returned %d\n", (int)krtn);
- goto cleanup;
- }
-
- /* calculate and compare checksum */
- krtn = encode_krb5_kdc_req_body(tmp_as_req, &der_req);
- if(krtn) {
- kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn);
- goto cleanup;
- }
- krtn = krb5_c_verify_checksum(context, NULL, 0, der_req,
- &pa_cksum, &valid_cksum);
- if(krtn) {
- kdcPkinitDebug("krb5_c_verify_checksum returned %d\n", (int)krtn);
- goto cleanup;
- }
- if(!valid_cksum) {
- kdcPkinitDebug("verify_pkinit_request: checksum error\n");
- krtn = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- goto cleanup;
- }
-
-#if REQUIRE_CLIENT_CERT_MATCH
- /* look up in the KDB to ensure correct client/cert binding */
- cert_hash = krb5_pkinit_cert_hash_str(&client_cert);
- if(cert_hash == NULL) {
- krtn = ENOMEM;
- goto cleanup;
- }
- cert_hash_len = strlen(cert_hash);
- for(key_dex=0; key_dex<client->n_key_data; key_dex++) {
- krb5_key_data *key_data = &client->key_data[key_dex];
- kdcPkinitDebug("--- key %u type[0] %u length[0] %u type[1] %u length[1] %u\n",
- key_dex,
- key_data->key_data_type[0], key_data->key_data_length[0],
- key_data->key_data_type[1], key_data->key_data_length[1]);
- if(key_data->key_data_type[1] != KRB5_KDB_SALTTYPE_CERTHASH) {
- continue;
- }
-
- /*
- * Unfortunately this key is stored encrypted even though it's
- * not sensitive...
- */
- krtn = krb5_dbe_decrypt_key_data(context, NULL, key_data,
- &decrypted_key, NULL);
- if(krtn) {
- kdcPkinitDebug("verify_pkinit_request: error decrypting cert hash block\n");
- break;
- }
- if((decrypted_key.contents != NULL) &&
- (cert_hash_len == decrypted_key.length) &&
- !memcmp(decrypted_key.contents, cert_hash, cert_hash_len)) {
- cert_match = 1;
- break;
- }
- }
- if(decrypted_key.contents) {
- krb5_free_keyblock_contents(context, &decrypted_key);
- }
- if(!cert_match) {
- kdcPkinitDebug("verify_pkinit_request: client cert does not match\n");
- krtn = KDC_ERR_CLIENT_NOT_TRUSTED;
- goto cleanup;
- }
-#endif /* REQUIRE_CLIENT_CERT_MATCH */
- krtn = 0;
- setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH);
-
-cleanup:
- if(pa_cksum.contents) {
- free(pa_cksum.contents);
- }
- if (tmp_as_req) {
- krb5_free_kdc_req(context, tmp_as_req);
- }
- if (der_req) {
- krb5_free_data(context, der_req);
- }
- if(cert_hash) {
- free(cert_hash);
- }
- if(client_cert.data) {
- free(client_cert.data);
- }
- kdcPkinitDebug("verify_pkinit_request: returning %d\n", (int)krtn);
- return krtn;
-}
-
-static krb5_error_code return_pkinit_response(
- krb5_context context,
- krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc pkinit_get_entry_data,
- void *pa_module_context,
- void **pa_request_context)
-{
- krb5_error_code krtn;
- krb5_data pa_data;
- krb5_pkinit_signing_cert_t signing_cert = NULL;
- krb5_checksum as_req_checksum = {0};
- krb5_data *encoded_as_req = NULL;
- krb5int_algorithm_id *cms_types = NULL;
- krb5_ui_4 num_cms_types = 0;
-
- /* the data we get from the AS-REQ */
- krb5_ui_4 nonce = 0;
- krb5_data client_cert = {0};
-
- /*
- * Trusted CA list and specific KC cert optionally obtained via
- * krb5int_pkinit_as_req_parse(). All are DER-encoded
- * issuerAndSerialNumbers.
- */
- krb5_data *trusted_CAs = NULL;
- krb5_ui_4 num_trusted_CAs;
- krb5_data kdc_cert = {0};
-
- if (padata == NULL) {
- /* Client has to send us something */
- return 0;
- }
-
- kdcPkinitDebug("return_pkinit_response\n");
- pa_data.data = (char *)padata->contents;
- pa_data.length = padata->length;
-
- /*
- * We've already verified; just obtain the fields we need to create a response
- */
- krtn = krb5int_pkinit_as_req_parse(context,
- &pa_data,
- NULL, NULL, &nonce, /* ctime, cusec, nonce */
- NULL, NULL, /* pa_cksum, cert_status */
- &num_cms_types, &cms_types,
- &client_cert, /* signer_cert: we encrypt for this */
- /* remaining fields unused (for now) */
- NULL, NULL, /* num_all_certs, all_certs */
- &num_trusted_CAs, &trusted_CAs,
- &kdc_cert);
- if(krtn) {
- kdcPkinitDebug("pa_pk_as_req_parse returned %d; PKINIT aborting.\n",
- (int)krtn);
- goto cleanup;
- }
- if(client_cert.data == NULL) {
- kdcPkinitDebug("pa_pk_as_req_parse failed to give a client_cert; aborting.\n");
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto cleanup;
- }
-
- if(krb5_pkinit_get_kdc_cert(num_trusted_CAs, trusted_CAs,
- (kdc_cert.data ? &kdc_cert : NULL),
- &signing_cert)) {
- /*
- * Since get_pkinit_edata was able to obtain *some* KDC cert,
- * this means that we can't satisfy the client's requirement.
- * FIXME - particular error status for this?
- */
- kdcPkinitDebug("return_pkinit_response: NO appropriate signing cert!\n");
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto cleanup;
- }
-
- /*
- * Cook up keyblock for caller and for outgoing AS-REP.
- * FIXME how much is known to be valid about encrypting_key?
- * Will encrypting_key->enctype always be valid here? Seems that
- * if we allow for clients without a shared secret (i.e. preauth
- * by PKINIT only) there won't be a valid encrypting_key set up
- * here for us.
- */
- krb5_free_keyblock_contents(context, encrypting_key);
- krb5_c_make_random_key(context, encrypting_key->enctype, encrypting_key);
-
- /* calculate checksum of incoming AS-REQ */
- krtn = encode_krb5_as_req(request, &encoded_as_req);
- if(krtn) {
- kdcPkinitDebug("encode_krb5_as_req returned %d; PKINIT aborting.\n", (int)krtn);
- goto cleanup;
- }
- krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype,
- encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- encoded_as_req, &as_req_checksum);
- if(krtn) {
- goto cleanup;
- }
-
- /*
- * FIXME: here we assume that the client has one cert - the one that
- * signed the AuthPack in the request (and that we therefore obtained from
- * krb5int_pkinit_as_req_parse()), and the one we're using to encrypt the
- * ReplyKeyPack with here. This may need rethinking.
- */
- krtn = krb5int_pkinit_as_rep_create(context,
- encrypting_key, &as_req_checksum,
- signing_cert, TRUE,
- &client_cert,
- num_cms_types, cms_types,
- num_trusted_CAs, trusted_CAs,
- (kdc_cert.data ? &kdc_cert : NULL),
- &pa_data);
- if(krtn) {
- kdcPkinitDebug("pa_pk_as_rep_create returned %d; PKINIT aborting.\n",
- (int)krtn);
- goto cleanup;
- }
-
- *send_pa = (krb5_pa_data *)malloc(sizeof(krb5_pa_data));
- if(*send_pa == NULL) {
- krtn = ENOMEM;
- free(pa_data.data);
- goto cleanup;
- }
- (*send_pa)->magic = KV5M_PA_DATA;
- (*send_pa)->pa_type = KRB5_PADATA_PK_AS_REP;
- (*send_pa)->length = pa_data.length;
- (*send_pa)->contents = (krb5_octet *)pa_data.data;
- krtn = 0;
-
-#if PKINIT_DEBUG
- fprintf(stderr, "return_pkinit_response: SUCCESS\n");
- fprintf(stderr, "nonce 0x%x enctype %d keydata %02x %02x %02x %02x...\n",
- (int)nonce, (int)encrypting_key->enctype,
- encrypting_key->contents[0], encrypting_key->contents[1],
- encrypting_key->contents[2], encrypting_key->contents[3]);
-#endif
-
-cleanup:
- /* all of this was allocd by krb5int_pkinit_as_req_parse() */
- if(signing_cert) {
- krb5_pkinit_release_cert(signing_cert);
- }
- if(cms_types) {
- unsigned dex;
- krb5int_algorithm_id *alg_id;
-
- for(dex=0; dex<num_cms_types; dex++) {
- alg_id = &cms_types[dex];
- if(alg_id->algorithm.data) {
- free(alg_id->algorithm.data);
- }
- if(alg_id->parameters.data) {
- free(alg_id->parameters.data);
- }
- }
- free(cms_types);
- }
- if(trusted_CAs) {
- unsigned dex;
- for(dex=0; dex<num_trusted_CAs; dex++) {
- free(trusted_CAs[dex].data);
- }
- free(trusted_CAs);
- }
- if(kdc_cert.data) {
- free(kdc_cert.data);
- }
- if(client_cert.data) {
- free(client_cert.data);
- }
- if(encoded_as_req) {
- krb5_free_data(context, encoded_as_req);
- }
- return krtn;
-}
-
-#endif /* APPLE_PKINIT */
-
-/*
* Returns TRUE if the PAC should be included
*/
krb5_boolean
Modified: trunk/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/get_in_tkt.c 2012-04-26 13:11:09 UTC (rev 25829)
+++ trunk/src/lib/krb5/krb/get_in_tkt.c 2012-04-26 21:46:57 UTC (rev 25830)
@@ -32,15 +32,6 @@
#include "fast.h"
#include "init_creds_ctx.h"
-#if APPLE_PKINIT
-#define IN_TKT_DEBUG 0
-#if IN_TKT_DEBUG
-#define inTktDebug(args...) printf(args)
-#else
-#define inTktDebug(args...)
-#endif
-#endif /* APPLE_PKINIT */
-
/* some typedef's for the function args to make things look a bit cleaner */
static krb5_error_code make_preauth_list (krb5_context,
@@ -202,17 +193,6 @@
(request->till != 0) &&
(as_reply->enc_part2->times.renew_till > request->till))
) {
-#if APPLE_PKINIT
- inTktDebug("verify_as_reply: KDCREP_MODIFIED\n");
-#if IN_TKT_DEBUG
- if(request->client->realm.length && request->client->data->length)
- inTktDebug("request: name %s realm %s\n",
- request->client->realm.data, request->client->data->data);
- if(as_reply->client->realm.length && as_reply->client->data->length)
- inTktDebug("reply : name %s realm %s\n",
- as_reply->client->realm.data, as_reply->client->data->data);
-#endif
-#endif /* APPLE_PKINIT */
return KRB5_KDCREP_MODIFIED;
}
Modified: trunk/src/lib/krb5/krb/preauth2.c
===================================================================
--- trunk/src/lib/krb5/krb/preauth2.c 2012-04-26 13:11:09 UTC (rev 25829)
+++ trunk/src/lib/krb5/krb/preauth2.c 2012-04-26 21:46:57 UTC (rev 25830)
@@ -31,10 +31,6 @@
*/
#include "k5-int.h"
-#if APPLE_PKINIT
-#include "pkinit_client.h"
-#include "pkinit_cert_store.h"
-#endif /* APPLE_PKINIT */
#include "osconf.h"
#include <krb5/preauth_plugin.h>
#include "int-proto.h"
@@ -604,320 +600,6 @@
return 0;
}
-#if APPLE_PKINIT
-/*
- * PKINIT. One function to generate AS-REQ, one to parse AS-REP
- */
-#define PKINIT_DEBUG 0
-#if PKINIT_DEBUG
-#define kdcPkinitDebug(args...) printf(args)
-#else
-#define kdcPkinitDebug(args...)
-#endif
-
-static krb5_error_code
-pa_pkinit_gen_req(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data)
-{
- krb5_error_code krtn;
- krb5_data out_data = {0, 0, NULL};
- krb5_timestamp kctime = 0;
- krb5_int32 cusec = 0;
- krb5_ui_4 nonce = 0;
- krb5_checksum cksum;
- krb5_pkinit_signing_cert_t client_cert;
- krb5_data *der_req = NULL;
- char *client_principal = NULL;
- char *server_principal = NULL;
- unsigned char nonce_bytes[4];
- krb5_data nonce_data = {0, 4, (char *)nonce_bytes};
- int dex;
-
- /*
- * Trusted CA list and specific KC cert optionally obtained via
- * krb5_pkinit_get_server_certs(). All are DER-encoded certs.
- */
- krb5_data *trusted_CAs = NULL;
- krb5_ui_4 num_trusted_CAs;
- krb5_data kdc_cert = {0};
-
- kdcPkinitDebug("pa_pkinit_gen_req\n");
-
- /* If we don't have a client cert, we're done */
- if(request->client == NULL) {
- kdcPkinitDebug("No request->client; aborting PKINIT\n");
- return KRB5KDC_ERR_PREAUTH_FAILED;
- }
- krtn = krb5_unparse_name(context, request->client, &client_principal);
- if(krtn) {
- return krtn;
- }
- krtn = krb5_pkinit_get_client_cert(client_principal, &client_cert);
- free(client_principal);
- if(krtn) {
- kdcPkinitDebug("No client cert; aborting PKINIT\n");
- return krtn;
- }
-
- /* optional platform-dependent CA list and KDC cert */
- krtn = krb5_unparse_name(context, request->server, &server_principal);
- if(krtn) {
- goto cleanup;
- }
- krtn = krb5_pkinit_get_server_certs(client_principal, server_principal,
- &trusted_CAs, &num_trusted_CAs, &kdc_cert);
- if(krtn) {
- goto cleanup;
- }
-
- /* checksum of the encoded KDC-REQ-BODY */
- krtn = encode_krb5_kdc_req_body(request, &der_req);
- if(krtn) {
- kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn);
- goto cleanup;
- }
- krtn = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0, der_req, &cksum);
- if(krtn) {
- goto cleanup;
- }
-
- krtn = krb5_us_timeofday(context, &kctime, &cusec);
- if(krtn) {
- goto cleanup;
- }
-
- /* cook up a random 4-byte nonce */
- krtn = krb5_c_random_make_octets(context, &nonce_data);
- if(krtn) {
- goto cleanup;
- }
- for(dex=0; dex<4; dex++) {
- nonce <<= 8;
- nonce |= nonce_bytes[dex];
- }
-
- krtn = krb5int_pkinit_as_req_create(context,
- kctime, cusec, nonce, &cksum,
- client_cert,
- trusted_CAs, num_trusted_CAs,
- (kdc_cert.data ? &kdc_cert : NULL),
- &out_data);
- if(krtn) {
- kdcPkinitDebug("error %d on pkinit_as_req_create; aborting PKINIT\n", (int)krtn);
- goto cleanup;
- }
- *out_padata = (krb5_pa_data *)malloc(sizeof(krb5_pa_data));
- if(*out_padata == NULL) {
- krtn = ENOMEM;
- free(out_data.data);
- goto cleanup;
- }
- (*out_padata)->magic = KV5M_PA_DATA;
- (*out_padata)->pa_type = KRB5_PADATA_PK_AS_REQ;
- (*out_padata)->length = out_data.length;
- (*out_padata)->contents = (krb5_octet *)out_data.data;
- krtn = 0;
-cleanup:
- if(client_cert) {
- krb5_pkinit_release_cert(client_cert);
- }
- if(cksum.contents) {
- free(cksum.contents);
- }
- if (der_req) {
- krb5_free_data(context, der_req);
- }
- if(server_principal) {
- free(server_principal);
- }
- /* free data mallocd by krb5_pkinit_get_server_certs() */
- if(trusted_CAs) {
- unsigned udex;
- for(udex=0; udex<num_trusted_CAs; udex++) {
- free(trusted_CAs[udex].data);
- }
- free(trusted_CAs);
- }
- if(kdc_cert.data) {
- free(kdc_cert.data);
- }
- return krtn;
-
-}
-
-/* If and only if the realm is that of a Local KDC, accept
- * the KDC certificate as valid if its hash matches the
- * realm.
- */
-static krb5_boolean
-local_kdc_cert_match(krb5_context context,
- krb5_data *signer_cert,
- krb5_principal client)
-{
- static const char lkdcprefix[] = "LKDC:SHA1.";
- krb5_boolean match = FALSE;
- size_t cert_hash_len;
- char *cert_hash;
- const char *realm_hash;
- size_t realm_hash_len;
-
- if (client->realm.length <= sizeof(lkdcprefix) ||
- 0 != memcmp(lkdcprefix, client->realm.data, sizeof(lkdcprefix)-1))
- return match;
- realm_hash = &client->realm.data[sizeof(lkdcprefix)-1];
- realm_hash_len = client->realm.length - sizeof(lkdcprefix) + 1;
- kdcPkinitDebug("checking realm versus certificate hash\n");
- if (NULL != (cert_hash = krb5_pkinit_cert_hash_str(signer_cert))) {
- kdcPkinitDebug("hash = %s\n", cert_hash);
- cert_hash_len = strlen(cert_hash);
- if (cert_hash_len == realm_hash_len &&
- 0 == memcmp(cert_hash, realm_hash, cert_hash_len))
- match = TRUE;
- free(cert_hash);
- }
- kdcPkinitDebug("result: %s\n", match ? "matches" : "does not match");
- return match;
-}
-
-static krb5_error_code
-pa_pkinit_parse_rep(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data)
-{
- krb5int_cert_sig_status sig_status = (krb5int_cert_sig_status)-999;
- krb5_error_code krtn;
- krb5_data asRep;
- krb5_keyblock local_key = {0};
- krb5_pkinit_signing_cert_t client_cert;
- char *princ_name = NULL;
- krb5_checksum as_req_checksum_rcd = {0}; /* received checksum */
- krb5_checksum as_req_checksum_gen = {0}; /* calculated checksum */
- krb5_data *encoded_as_req = NULL;
- krb5_data signer_cert = {0};
-
- *out_padata = NULL;
- kdcPkinitDebug("pa_pkinit_parse_rep\n");
- if((in_padata == NULL) || (in_padata->length== 0)) {
- kdcPkinitDebug("pa_pkinit_parse_rep: no in_padata\n");
- return KRB5KDC_ERR_PREAUTH_FAILED;
- }
-
- /* If we don't have a client cert, we're done */
- if(request->client == NULL) {
- kdcPkinitDebug("No request->client; aborting PKINIT\n");
- return KRB5KDC_ERR_PREAUTH_FAILED;
- }
- krtn = krb5_unparse_name(context, request->client, &princ_name);
- if(krtn) {
- return krtn;
- }
- krtn = krb5_pkinit_get_client_cert(princ_name, &client_cert);
- free(princ_name);
- if(krtn) {
- kdcPkinitDebug("No client cert; aborting PKINIT\n");
- return krtn;
- }
-
- memset(&local_key, 0, sizeof(local_key));
- asRep.data = (char *)in_padata->contents;
- asRep.length = in_padata->length;
- krtn = krb5int_pkinit_as_rep_parse(context, &asRep, client_cert,
- &local_key, &as_req_checksum_rcd, &sig_status,
- &signer_cert, NULL, NULL);
- if(krtn) {
- kdcPkinitDebug("pkinit_as_rep_parse returned %d\n", (int)krtn);
- return krtn;
- }
- switch(sig_status) {
- case pki_cs_good:
- break;
- case pki_cs_unknown_root:
- if (local_kdc_cert_match(context, &signer_cert, request->client))
- break;
- /* FALLTHROUGH */
- default:
- kdcPkinitDebug("pa_pkinit_parse_rep: bad cert/sig status %d\n",
- (int)sig_status);
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto error_out;
- }
-
- /* calculate checksum of incoming AS-REQ using the decryption key
- * we just got from the ReplyKeyPack */
- krtn = encode_krb5_as_req(request, &encoded_as_req);
- if(krtn) {
- goto error_out;
- }
- krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype,
- &local_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- encoded_as_req, &as_req_checksum_gen);
- if(krtn) {
- goto error_out;
- }
- if((as_req_checksum_gen.length != as_req_checksum_rcd.length) ||
- memcmp(as_req_checksum_gen.contents,
- as_req_checksum_rcd.contents,
- as_req_checksum_gen.length)) {
- kdcPkinitDebug("pa_pkinit_parse_rep: checksum miscompare\n");
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto error_out;
- }
-
- /* We have the key; transfer to caller */
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- }
- *as_key = local_key;
-
-#if PKINIT_DEBUG
- fprintf(stderr, "pa_pkinit_parse_rep: SUCCESS\n");
- fprintf(stderr, "enctype %d keylen %d keydata %02x %02x %02x %02x...\n",
- (int)as_key->enctype, (int)as_key->length,
- as_key->contents[0], as_key->contents[1],
- as_key->contents[2], as_key->contents[3]);
-#endif
-
- krtn = 0;
-
-error_out:
- if (signer_cert.data) {
- free(signer_cert.data);
- }
- if(as_req_checksum_rcd.contents) {
- free(as_req_checksum_rcd.contents);
- }
- if(as_req_checksum_gen.contents) {
- free(as_req_checksum_gen.contents);
- }
- if(encoded_as_req) {
- krb5_free_data(context, encoded_as_req);
- }
- if(krtn && (local_key.contents != NULL)) {
- krb5_free_keyblock_contents(context, &local_key);
- }
- return krtn;
-}
-#endif /* APPLE_PKINIT */
-
/* this macro expands to the int,ptr necessary for "%.*s" in an sprintf */
#define SAMDATA(kdata, str, maxsize) \
@@ -1343,19 +1025,7 @@
pa_salt,
PA_INFO,
},
-#if APPLE_PKINIT
{
- KRB5_PADATA_PK_AS_REQ,
- pa_pkinit_gen_req,
- PA_INFO,
- },
- {
- KRB5_PADATA_PK_AS_REP,
- pa_pkinit_parse_rep,
- PA_REAL,
- },
-#endif /* APPLE_PKINIT */
- {
KRB5_PADATA_SAM_CHALLENGE_2,
pa_sam_2,
PA_REAL,
Modified: trunk/src/lib/krb5/krb/str_conv.c
===================================================================
--- trunk/src/lib/krb5/krb/str_conv.c 2012-04-26 13:11:09 UTC (rev 25829)
+++ trunk/src/lib/krb5/krb/str_conv.c 2012-04-26 21:46:57 UTC (rev 25830)
@@ -69,9 +69,6 @@
{ KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", "Version 5 - Realm Only" },
{ KRB5_KDB_SALTTYPE_SPECIAL, "special", "Special" },
{ KRB5_KDB_SALTTYPE_AFS3, "afs3", "AFS version 3" },
-#if PKINIT_APPLE
- { KRB5_KDB_SALTTYPE_CERTHASH, "certhash", "PKINIT Cert Hash" }
-#endif /* PKINIT_APPLE */
};
static const int salttype_table_nents = sizeof(salttype_table)/
sizeof(salttype_table[0]);
More information about the cvs-krb5
mailing list