krb5 commit: Remove pkinit_win2k_require_binding option

Greg Hudson ghudson at MIT.EDU
Fri Jun 13 00:41:53 EDT 2014


https://github.com/krb5/krb5/commit/823bad7f3f314647feb14284bc36fa231c9c7875
commit 823bad7f3f314647feb14284bc36fa231c9c7875
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Jun 6 23:24:00 2014 -0400

    Remove pkinit_win2k_require_binding option
    
    When constructing a draft9 PKINIT request, always include
    KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
    Do not accept a draft9 ReplyKeyPack in the KDC response.
    
    For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
    support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
    request does not contain KRB5_PADATA_AS_CHECKSUM.
    
    ticket: 7933

 doc/admin/conf_files/krb5_conf.rst       |    5 ----
 src/plugins/preauth/pkinit/pkinit.h      |    2 -
 src/plugins/preauth/pkinit/pkinit_clnt.c |   38 +++--------------------------
 src/plugins/preauth/pkinit/pkinit_lib.c  |    1 -
 4 files changed, 4 insertions(+), 42 deletions(-)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index c6ded33..008ca4c 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1083,11 +1083,6 @@ PKINIT krb5.conf options
     of the KDC certificate presented.  This option may be specified
     multiple times.
 
-**pkinit_win2k_require_binding**
-    If this flag is set to true, it expects that the target KDC is
-    patched to return a reply with a checksum rather than a nonce.
-    The default is false.
-
 
 .. _parameter_expansion:
 
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index e21fc81..3ed43c0 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -77,7 +77,6 @@
 #define KRB5_CONF_PKINIT_POOL                   "pkinit_pool"
 #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING   "pkinit_require_crl_checking"
 #define KRB5_CONF_PKINIT_REVOKE                 "pkinit_revoke"
-#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING  "pkinit_win2k_require_binding"
 
 /* Make pkiDebug(fmt,...) print, or not.  */
 #ifdef DEBUG
@@ -162,7 +161,6 @@ typedef struct _pkinit_req_opts {
     int require_crl_checking;
     int dh_size;	    /* initial request DH modulus size (default=1024) */
     int require_hostname_match;
-    int win2k_require_cksum;
 } pkinit_req_opts;
 
 /*
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 742564b..6c23162 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -174,13 +174,7 @@ pa_pkinit_gen_req(krb5_context context,
     return_pa_data[0]->contents = (krb5_octet *) out_data->data;
     *out_data = empty_data();
 
-    /*
-     * LH Beta 3 requires the extra pa-data, even for RFC requests,
-     * in order to get the Checksum rather than a Nonce in the reply.
-     * This can be removed when LH SP1 is released.
-     */
-    if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD &&
-        reqctx->opts->win2k_require_cksum) {
+    if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD) {
         return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval);
         if (return_pa_data[1] == NULL)
             goto cleanup;
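Review bot: The rationale for the extra padata was deleted along with the old "LH Beta 3" comment, so the `if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD)` branch now silently allocates a second pa-data entry with nothing saying why. A short comment restating the commit message would keep the intent visible to the next reader: `/* Draft9 requests always carry KRB5_PADATA_AS_CHECKSUM so the KDC returns an RFC 4556 ReplyKeyPack bound to the request by checksum rather than a draft9 nonce. */`. The pa_type assignment for return_pa_data[1] and the rest of pa_pkinit_gen_req lie outside the hunk.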
@@ -650,7 +644,6 @@ pkinit_as_rep_parse(krb5_context context,
     krb5_pa_pk_as_rep *kdc_reply = NULL;
     krb5_kdc_dh_key_info *kdc_dh = NULL;
     krb5_reply_key_pack *key_pack = NULL;
-    krb5_reply_key_pack_draft9 *key_pack9 = NULL;
     krb5_data dh_data = { 0, 0, NULL };
     unsigned char *client_key = NULL, *kdc_hostname = NULL;
     unsigned int client_key_len = 0;
@@ -813,27 +806,10 @@ pkinit_as_rep_parse(krb5_context context,
         print_buffer_bin(dh_data.data, dh_data.length,
                          "/tmp/client_key_pack");
 #endif
-        if ((retval = k5int_decode_krb5_reply_key_pack(&k5data,
-                                                       &key_pack)) != 0) {
+        retval = k5int_decode_krb5_reply_key_pack(&k5data, &key_pack);
+        if (retval) {
             pkiDebug("failed to decode reply_key_pack\n");
-            if (pa_type == KRB5_PADATA_PK_AS_REP)
-                goto cleanup;
-            retval = k5int_decode_krb5_reply_key_pack_draft9(&k5data,
-                                                             &key_pack9);
-            if (retval) {
-                pkiDebug("failed to decode reply_key_pack_draft9\n");
-                goto cleanup;
-            }
-            pkiDebug("decode reply_key_pack_draft9\n");
-            if (key_pack9->nonce != request->nonce) {
-                pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n",
-                         key_pack9->nonce, request->nonce);
-                retval = -1;
-                goto cleanup;
-            }
-            krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
-                                        key_block);
-            break;
+            goto cleanup;
         }
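Review bot: After this change a decode failure of `k5int_decode_krb5_reply_key_pack` is the only signal that the KDC returned the now-rejected draft9 ReplyKeyPack, but the `pkiDebug("failed to decode reply_key_pack\n")` text does not say so, which will presumably make interop failures against KDCs that ignore KRB5_PADATA_AS_CHECKSUM hard to diagnose. Consider naming the case in the message, e.g. `pkiDebug("failed to decode reply_key_pack (draft9 ReplyKeyPack is not accepted)\n");`. Dropping the nonce-only binding in favour of the checksum path is the stronger binding, so rejecting here rather than falling back looks right. pkinit_as_rep_parse starts and ends outside the hunk, as does the checksum verification that follows the decode.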
         /*
          * This is hack but Windows sends back SHA1 checksum
@@ -901,8 +877,6 @@ cleanup:
         free_krb5_reply_key_pack(&key_pack);
         free(cksum.contents);
     }
-    if (key_pack9 != NULL)
-        free_krb5_reply_key_pack_draft9(&key_pack9);
 
     free(kdc_hostname);
 
@@ -926,10 +900,6 @@ pkinit_client_profile(krb5_context context,
              context, plgctx, reqctx, realm);
 
     pkinit_libdefault_boolean(context, realm,
-                              KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING,
-                              reqctx->opts->win2k_require_cksum,
-                              &reqctx->opts->win2k_require_cksum);
-    pkinit_libdefault_boolean(context, realm,
                               KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
                               reqctx->opts->require_crl_checking,
                               &reqctx->opts->require_crl_checking);
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index 1cbbed7..077080a 100644
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -63,7 +63,6 @@ pkinit_init_req_opts(pkinit_req_opts **reqopts)
     opts->dh_or_rsa = DH_PROTOCOL;
     opts->require_crl_checking = 0;
     opts->dh_size = PKINIT_DEFAULT_DH_MIN_BITS;
-    opts->win2k_require_cksum = 0;
 
     *reqopts = opts;
 

