krb5 commit: Remove PKINIT longhorn compatibility option
Greg Hudson
ghudson at MIT.EDU
Thu Jun 12 13:23:16 EDT 2014
https://github.com/krb5/krb5/commit/cd06659844f9671d6ca9955fa6d3ee6e0806c7f1
commit cd06659844f9671d6ca9955fa6d3ee6e0806c7f1
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Jun 6 22:48:04 2014 -0400
Remove PKINIT longhorn compatibility option
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable. It is not required to
interoperate with any released version of Windows.
ticket: 7934 (new)
doc/admin/conf_files/krb5_conf.rst | 3 -
src/plugins/preauth/pkinit/pkinit.h | 15 --
src/plugins/preauth/pkinit/pkinit_clnt.c | 70 ++-----
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 199 +++-----------------
4 files changed, 45 insertions(+), 242 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 387da60..c6ded33 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1055,9 +1055,6 @@ PKINIT krb5.conf options
times. Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).
-**pkinit_longhorn**
- If this flag is set to true, we are talking to the Longhorn KDC.
-
**pkinit_pool**
Specifies the location of intermediate certificates which may be
used by the client to complete the trust chain between a KDC
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 328dee5..e21fc81 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -40,20 +40,6 @@
#include "pkinit_accessor.h"
#include "pkinit_trace.h"
-/*
- * It is anticipated that all the special checks currently
- * required when talking to a Longhorn server will go away
- * by the time it is officially released and all references
- * to the longhorn global can be removed and any code
- * #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
- * And this #define!
- */
-#define LONGHORN_BETA_COMPAT 1
-#ifdef LONGHORN_BETA_COMPAT
-extern int longhorn; /* XXX Talking to a Longhorn server? */
-#endif
-
-
#ifndef WITHOUT_PKCS11
#include "pkcs11.h"
@@ -88,7 +74,6 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */
#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
#define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"
#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
-#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn"
#define KRB5_CONF_PKINIT_POOL "pkinit_pool"
#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index b1c92dd..742564b 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -43,19 +43,6 @@
#include "pkinit.h"
#include "k5-json.h"
-/*
- * It is anticipated that all the special checks currently
- * required when talking to a Longhorn server will go away
- * by the time it is officially released and all references
- * to the longhorn global can be removed and any code
- * #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
- *
- * Current testing (20070620) is against a patched Beta 3
- * version of Longhorn. Most, if not all, problems should
- * be fixed in SP1 of Longhorn.
- */
-int longhorn = 0; /* Talking to a Longhorn server? */
-
/**
* Return true if we should use ContentInfo rather than SignedData. This
* happens if we are talking to what might be an old (pre-6112) MIT KDC and
@@ -192,8 +179,8 @@ pa_pkinit_gen_req(krb5_context context,
* in order to get the Checksum rather than a Nonce in the reply.
* This can be removed when LH SP1 is released.
*/
- if ((return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD
- && reqctx->opts->win2k_require_cksum) || (longhorn == 1)) {
+ if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD &&
+ reqctx->opts->win2k_require_cksum) {
return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval);
if (return_pa_data[1] == NULL)
goto cleanup;
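Review bot: The comment that ends in the three context lines at the top of this hunk still justifies the extra pa-data with "LH Beta 3" and "This can be removed when LH SP1 is released", but the condition it now describes is only the KRB5_PADATA_PK_AS_REP_OLD / win2k_require_cksum path and has nothing to do with Longhorn any more. Because the comment begins before the hunk, rewrite it as a whole rather than patching one line; something like `/* Win2k-style KDCs (win2k_require_cksum) need this extra pa-data to return a Checksum rather than a Nonce in the reply. */` keeps the part that is still true. pa_pkinit_gen_req starts and ends outside the hunk.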
@@ -829,34 +816,24 @@ pkinit_as_rep_parse(krb5_context context,
if ((retval = k5int_decode_krb5_reply_key_pack(&k5data,
&key_pack)) != 0) {
pkiDebug("failed to decode reply_key_pack\n");
-#ifdef LONGHORN_BETA_COMPAT
- /*
- * LH Beta 3 requires the extra pa-data, even for RFC requests,
- * in order to get the Checksum rather than a Nonce in the reply.
- * This can be removed when LH SP1 is released.
- */
- if (pa_type == KRB5_PADATA_PK_AS_REP && longhorn == 0)
-#else
- if (pa_type == KRB5_PADATA_PK_AS_REP)
-#endif
- goto cleanup;
- else {
- if ((retval =
- k5int_decode_krb5_reply_key_pack_draft9(&k5data,
- &key_pack9)) != 0) {
- pkiDebug("failed to decode reply_key_pack_draft9\n");
- goto cleanup;
- }
- pkiDebug("decode reply_key_pack_draft9\n");
- if (key_pack9->nonce != request->nonce) {
- pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n", key_pack9->nonce, request->nonce);
- retval = -1;
- goto cleanup;
- }
- krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
- key_block);
- break;
- }
+ if (pa_type == KRB5_PADATA_PK_AS_REP)
+ goto cleanup;
+ retval = k5int_decode_krb5_reply_key_pack_draft9(&k5data,
+ &key_pack9);
+ if (retval) {
+ pkiDebug("failed to decode reply_key_pack_draft9\n");
+ goto cleanup;
+ }
+ pkiDebug("decode reply_key_pack_draft9\n");
+ if (key_pack9->nonce != request->nonce) {
+ pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n",
+ key_pack9->nonce, request->nonce);
+ retval = -1;
+ goto cleanup;
+ }
+ krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
+ key_block);
+ break;
}
/*
* This is hack but Windows sends back SHA1 checksum
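Review bot: The rewritten draft9 branch discards the return value of krb5_copy_keyblock_contents on the last two added lines, so if that copy fails the code still breaks out as though key_block had been filled in. Capture it and check it before the break: `retval = krb5_copy_keyblock_contents(context, &key_pack9->replyKey, key_block);` followed by `if (retval) goto cleanup;`. The nonce-mismatch branch also still sets `retval = -1`, which is not a krb5 error code; this is pre-existing, but since the lines are being rewritten anyway, KRB5KDC_ERR_PREAUTH_FAILED would give callers something meaningful. pkinit_as_rep_parse begins and ends outside the hunk.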
@@ -986,13 +963,6 @@ pkinit_client_profile(krb5_context context,
}
free(eku_string);
}
-#ifdef LONGHORN_BETA_COMPAT
- /* Temporarily just set global flag from config file */
- pkinit_libdefault_boolean(context, realm,
- KRB5_CONF_PKINIT_LONGHORN,
- 0,
- &longhorn);
-#endif
/* Only process anchors here if they were not specified on command line */
if (reqctx->idopts->anchors == NULL)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 1d6b0cd..08fdc24 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -155,16 +155,9 @@ create_krb5_invalidCertificates(krb5_context context,
static krb5_error_code
create_identifiers_from_stack(STACK_OF(X509) *sk,
krb5_external_principal_identifier *** ids);
-#ifdef LONGHORN_BETA_COMPAT
-static int
-wrap_signeddata(unsigned char *data, unsigned int data_len,
- unsigned char **out, unsigned int *out_len,
- int is_longhorn_server);
-#else
static int
wrap_signeddata(unsigned char *data, unsigned int data_len,
unsigned char **out, unsigned int *out_len);
-#endif
static char *
pkinit_pkcs11_code_to_text(int err);
@@ -1953,29 +1946,6 @@ cms_envelopeddata_verify(krb5_context context,
* For draft9-compatible, we don't do anything because it
* is already wrapped.
*/
-#ifdef LONGHORN_BETA_COMPAT
- /*
- * The Longhorn server returns the expected RFC-style data, but
- * it is missing the sequence tag and length, so it requires
- * special processing when wrapping.
- * This will hopefully be fixed before the final release and
- * this can all be removed.
- */
- if (msg_type == CMS_ENVEL_SERVER || longhorn == 1) {
- retval = wrap_signeddata(tmp_buf, tmp_buf_len,
- &tmp_buf2, &tmp_buf2_len, longhorn);
- if (retval) {
- pkiDebug("failed to encode signeddata\n");
- goto cleanup;
- }
- vfy_buf = tmp_buf2;
- vfy_buf_len = tmp_buf2_len;
-
- } else {
- vfy_buf = tmp_buf;
- vfy_buf_len = tmp_buf_len;
- }
-#else
if (msg_type == CMS_ENVEL_SERVER) {
retval = wrap_signeddata(tmp_buf, tmp_buf_len,
&tmp_buf2, &tmp_buf2_len);
@@ -1990,7 +1960,6 @@ cms_envelopeddata_verify(krb5_context context,
vfy_buf = tmp_buf;
vfy_buf_len = tmp_buf_len;
}
-#endif
#ifdef DEBUG_ASN1
print_buffer_bin(vfy_buf, vfy_buf_len, "/tmp/client_enc_keypack2");
@@ -3458,112 +3427,6 @@ pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type)
}
-#ifdef LONGHORN_BETA_COMPAT
-#if 0
-/*
- * This is a version that worked with Longhorn Beta 3.
- */
-static int
-wrap_signeddata(unsigned char *data, unsigned int data_len,
- unsigned char **out, unsigned int *out_len,
- int is_longhorn_server)
-{
-
- unsigned int orig_len = 0, oid_len = 0, tot_len = 0;
- ASN1_OBJECT *oid = NULL;
- unsigned char *p = NULL;
-
- pkiDebug("%s: This is the Longhorn version and is_longhorn_server = %d\n",
- __FUNCTION__, is_longhorn_server);
-
- /* Get length to wrap the original data with SEQUENCE tag */
- tot_len = orig_len = ASN1_object_size(1, (int)data_len, V_ASN1_SEQUENCE);
-
- if (is_longhorn_server == 0) {
- /* Add the signedData OID and adjust lengths */
- oid = OBJ_nid2obj(NID_pkcs7_signed);
- oid_len = i2d_ASN1_OBJECT(oid, NULL);
-
- tot_len = ASN1_object_size(1, (int)(orig_len+oid_len), V_ASN1_SEQUENCE);
- }
-
- p = *out = malloc(tot_len);
- if (p == NULL) return -1;
-
- if (is_longhorn_server == 0) {
- ASN1_put_object(&p, 1, (int)(orig_len+oid_len),
- V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-
- i2d_ASN1_OBJECT(oid, &p);
-
- ASN1_put_object(&p, 1, (int)data_len, 0, V_ASN1_CONTEXT_SPECIFIC);
- } else {
- ASN1_put_object(&p, 1, (int)data_len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
- }
- memcpy(p, data, data_len);
-
- *out_len = tot_len;
-
- return 0;
-}
-#else
-/*
- * This is a version that works with a patched Longhorn KDC.
- * (Which should match SP1 ??).
- */
-static int
-wrap_signeddata(unsigned char *data, unsigned int data_len,
- unsigned char **out, unsigned int *out_len,
- int is_longhorn_server)
-{
-
- unsigned int oid_len = 0, tot_len = 0, wrap_len = 0, tag_len = 0;
- ASN1_OBJECT *oid = NULL;
- unsigned char *p = NULL;
-
- pkiDebug("%s: This is the Longhorn version and is_longhorn_server = %d\n",
- __FUNCTION__, is_longhorn_server);
-
- /* New longhorn is missing another sequence */
- if (is_longhorn_server == 1)
- wrap_len = ASN1_object_size(1, (int)(data_len), V_ASN1_SEQUENCE);
- else
- wrap_len = data_len;
-
- /* Get length to wrap the original data with SEQUENCE tag */
- tag_len = ASN1_object_size(1, (int)wrap_len, V_ASN1_SEQUENCE);
-
- /* Always add oid */
- oid = OBJ_nid2obj(NID_pkcs7_signed);
- oid_len = i2d_ASN1_OBJECT(oid, NULL);
- oid_len += tag_len;
-
- tot_len = ASN1_object_size(1, (int)(oid_len), V_ASN1_SEQUENCE);
-
- p = *out = malloc(tot_len);
- if (p == NULL)
- return -1;
-
- ASN1_put_object(&p, 1, (int)(oid_len),
- V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-
- i2d_ASN1_OBJECT(oid, &p);
-
- ASN1_put_object(&p, 1, (int)wrap_len, 0, V_ASN1_CONTEXT_SPECIFIC);
-
- /* Wrap in extra seq tag */
- if (is_longhorn_server == 1) {
- ASN1_put_object(&p, 1, (int)data_len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
- }
- memcpy(p, data, data_len);
-
- *out_len = tot_len;
-
- return 0;
-}
-
-#endif
-#else
static int
wrap_signeddata(unsigned char *data, unsigned int data_len,
unsigned char **out, unsigned int *out_len)
@@ -3597,7 +3460,6 @@ wrap_signeddata(unsigned char *data, unsigned int data_len,
return 0;
}
-#endif
static int
prepare_enc_data(unsigned char *indata,
@@ -5643,50 +5505,39 @@ create_identifiers_from_stack(STACK_OF(X509) *sk,
krb5_cas[i]->issuerAndSerialNumber.magic = 0;
krb5_cas[i]->issuerAndSerialNumber.data = NULL;
-#ifdef LONGHORN_BETA_COMPAT
- if (longhorn == 0) { /* XXX Longhorn doesn't like this */
-#endif
- is = PKCS7_ISSUER_AND_SERIAL_new();
- X509_NAME_set(&is->issuer, X509_get_issuer_name(x));
- M_ASN1_INTEGER_free(is->serial);
- is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
- len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
- if ((p = malloc((size_t) len)) == NULL)
- goto cleanup;
- krb5_cas[i]->issuerAndSerialNumber.data = (char *)p;
- i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
- krb5_cas[i]->issuerAndSerialNumber.length = len;
-#ifdef LONGHORN_BETA_COMPAT
- }
-#endif
+ is = PKCS7_ISSUER_AND_SERIAL_new();
+ X509_NAME_set(&is->issuer, X509_get_issuer_name(x));
+ M_ASN1_INTEGER_free(is->serial);
+ is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
+ len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
+ p = malloc(len);
+ if (p == NULL)
+ goto cleanup;
+ krb5_cas[i]->issuerAndSerialNumber.data = (char *)p;
+ i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
+ krb5_cas[i]->issuerAndSerialNumber.length = len;
/* fill-in subjectKeyIdentifier */
krb5_cas[i]->subjectKeyIdentifier.length = 0;
krb5_cas[i]->subjectKeyIdentifier.magic = 0;
krb5_cas[i]->subjectKeyIdentifier.data = NULL;
-
-#ifdef LONGHORN_BETA_COMPAT
- if (longhorn == 0) { /* XXX Longhorn doesn't like this */
-#endif
- if (X509_get_ext_by_NID(x, NID_subject_key_identifier, -1) >= 0) {
- ASN1_OCTET_STRING *ikeyid = NULL;
-
- if ((ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL,
- NULL))) {
- len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
- if ((p = malloc((size_t) len)) == NULL)
- goto cleanup;
- krb5_cas[i]->subjectKeyIdentifier.data = (char *)p;
- i2d_ASN1_OCTET_STRING(ikeyid, &p);
- krb5_cas[i]->subjectKeyIdentifier.length = len;
- }
- if (ikeyid != NULL)
- ASN1_OCTET_STRING_free(ikeyid);
+ if (X509_get_ext_by_NID(x, NID_subject_key_identifier, -1) >= 0) {
+ ASN1_OCTET_STRING *ikeyid;
+
+ ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL,
+ NULL);
+ if (ikeyid != NULL) {
+ len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
+ p = malloc(len);
+ if (p == NULL)
+ goto cleanup;
+ krb5_cas[i]->subjectKeyIdentifier.data = (char *)p;
+ i2d_ASN1_OCTET_STRING(ikeyid, &p);
+ krb5_cas[i]->subjectKeyIdentifier.length = len;
+ ASN1_OCTET_STRING_free(ikeyid);
}
-#ifdef LONGHORN_BETA_COMPAT
}
-#endif
if (is != NULL) {
if (is->issuer != NULL)
X509_NAME_free(is->issuer);
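Review bot: In the rewritten subjectKeyIdentifier block, a malloc failure right after i2d_ASN1_OCTET_STRING jumps to cleanup before the ASN1_OCTET_STRING_free(ikeyid) that was moved inside the block, so the decoded extension leaks on that path (the old code had the same gap, but the free has been relocated here, so this is the place to close it). Both new blocks also hand the int result of an i2d_* call straight to malloc without rejecting a negative error return, and PKCS7_ISSUER_AND_SERIAL_new is dereferenced via X509_NAME_set without a NULL check. The rewrite below frees ikeyid before leaving, checks the lengths, and checks the allocation; it assumes the cleanup label tolerates a NULL `is`, as the per-iteration `if (is != NULL)` at the end of the hunk does, which should be confirmed against the rest of the function. create_identifiers_from_stack starts and ends outside the hunk.
```c
is = PKCS7_ISSUER_AND_SERIAL_new();
if (is == NULL)
    goto cleanup;
/* … unchanged: issuer and serial fill-in … */
len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
if (len < 0)
    goto cleanup;
p = malloc(len);
if (p == NULL)
    goto cleanup;
/* … unchanged: issuerAndSerialNumber assignment, subjectKeyIdentifier init … */
if (ikeyid != NULL) {
    len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
    if (len < 0 || (p = malloc(len)) == NULL) {
        ASN1_OCTET_STRING_free(ikeyid);
        goto cleanup;
    }
    /* … unchanged: copy into subjectKeyIdentifier, then ASN1_OCTET_STRING_free(ikeyid) … */
}
```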