krb5 commit: Remove pkinit_win2k_require_binding option
Greg Hudson
ghudson at MIT.EDU
Fri Jun 13 00:41:53 EDT 2014
https://github.com/krb5/krb5/commit/823bad7f3f314647feb14284bc36fa231c9c7875
commit 823bad7f3f314647feb14284bc36fa231c9c7875
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Jun 6 23:24:00 2014 -0400
Remove pkinit_win2k_require_binding option
When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.
For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.
ticket: 7933
doc/admin/conf_files/krb5_conf.rst | 5 ----
src/plugins/preauth/pkinit/pkinit.h | 2 -
src/plugins/preauth/pkinit/pkinit_clnt.c | 38 +++--------------------------
src/plugins/preauth/pkinit/pkinit_lib.c | 1 -
4 files changed, 4 insertions(+), 42 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index c6ded33..008ca4c 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1083,11 +1083,6 @@ PKINIT krb5.conf options
of the KDC certificate presented. This option may be specified
multiple times.
-**pkinit_win2k_require_binding**
- If this flag is set to true, it expects that the target KDC is
- patched to return a reply with a checksum rather than a nonce.
- The default is false.
-
.. _parameter_expansion:
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index e21fc81..3ed43c0 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -77,7 +77,6 @@
#define KRB5_CONF_PKINIT_POOL "pkinit_pool"
#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"
-#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding"
/* Make pkiDebug(fmt,...) print, or not. */
#ifdef DEBUG
@@ -162,7 +161,6 @@ typedef struct _pkinit_req_opts {
int require_crl_checking;
int dh_size; /* initial request DH modulus size (default=1024) */
int require_hostname_match;
- int win2k_require_cksum;
} pkinit_req_opts;
/*
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 742564b..6c23162 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -174,13 +174,7 @@ pa_pkinit_gen_req(krb5_context context,
return_pa_data[0]->contents = (krb5_octet *) out_data->data;
*out_data = empty_data();
- /*
- * LH Beta 3 requires the extra pa-data, even for RFC requests,
- * in order to get the Checksum rather than a Nonce in the reply.
- * This can be removed when LH SP1 is released.
- */
- if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD &&
- reqctx->opts->win2k_require_cksum) {
+ if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD) {
return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval);
if (return_pa_data[1] == NULL)
goto cleanup;
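Review bot: The new condition `if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD) {` no longer carries any explanation of why a second padata element is appended, since the LH Beta 3 comment was removed along with the option check. A short comment would keep the intent visible to the next reader: `/* For draft9 requests always add KRB5_PADATA_AS_CHECKSUM so the KDC returns an RFC 4556 ReplyKeyPack bound to the request checksum, not a nonce-only draft9 ReplyKeyPack. */`. The rest of pa_pkinit_gen_req, presumably including where the second element's pa_type and contents are set, lies outside the hunk.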
@@ -650,7 +644,6 @@ pkinit_as_rep_parse(krb5_context context,
krb5_pa_pk_as_rep *kdc_reply = NULL;
krb5_kdc_dh_key_info *kdc_dh = NULL;
krb5_reply_key_pack *key_pack = NULL;
- krb5_reply_key_pack_draft9 *key_pack9 = NULL;
krb5_data dh_data = { 0, 0, NULL };
unsigned char *client_key = NULL, *kdc_hostname = NULL;
unsigned int client_key_len = 0;
@@ -813,27 +806,10 @@ pkinit_as_rep_parse(krb5_context context,
print_buffer_bin(dh_data.data, dh_data.length,
"/tmp/client_key_pack");
#endif
- if ((retval = k5int_decode_krb5_reply_key_pack(&k5data,
- &key_pack)) != 0) {
+ retval = k5int_decode_krb5_reply_key_pack(&k5data, &key_pack);
+ if (retval) {
pkiDebug("failed to decode reply_key_pack\n");
- if (pa_type == KRB5_PADATA_PK_AS_REP)
- goto cleanup;
- retval = k5int_decode_krb5_reply_key_pack_draft9(&k5data,
- &key_pack9);
- if (retval) {
- pkiDebug("failed to decode reply_key_pack_draft9\n");
- goto cleanup;
- }
- pkiDebug("decode reply_key_pack_draft9\n");
- if (key_pack9->nonce != request->nonce) {
- pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n",
- key_pack9->nonce, request->nonce);
- retval = -1;
- goto cleanup;
- }
- krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
- key_block);
- break;
+ goto cleanup;
}
/*
* This is hack but Windows sends back SHA1 checksum
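Review bot: The new `goto cleanup;` on decode failure makes an RFC 4556 ReplyKeyPack mandatory for every pa_type, including KRB5_PADATA_PK_AS_REP_OLD, where the removed fallback copied `key_pack9->replyKey` after comparing only the nonce and never checked a checksum over the request; that is the intended hardening, but nothing in the remaining code records it. A comment ahead of `retval = k5int_decode_krb5_reply_key_pack(&k5data, &key_pack);` would do: `/* Only an RFC 4556 ReplyKeyPack is accepted, for draft9 replies too; the nonce-only draft9 form is rejected because it does not bind the reply key to the AS-REQ checksum. */`. Since a decode failure is now the only outcome for a KDC still sending draft9 ReplyKeyPacks, including pa_type in the existing pkiDebug message would help diagnose such interop failures; pa_type is in scope here but its exact type is not visible in the hunk, so the format specifier needs checking. pkinit_as_rep_parse begins and ends outside this hunk.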
@@ -901,8 +877,6 @@ cleanup:
free_krb5_reply_key_pack(&key_pack);
free(cksum.contents);
}
- if (key_pack9 != NULL)
- free_krb5_reply_key_pack_draft9(&key_pack9);
free(kdc_hostname);
@@ -926,10 +900,6 @@ pkinit_client_profile(krb5_context context,
context, plgctx, reqctx, realm);
pkinit_libdefault_boolean(context, realm,
- KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING,
- reqctx->opts->win2k_require_cksum,
- &reqctx->opts->win2k_require_cksum);
- pkinit_libdefault_boolean(context, realm,
KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
reqctx->opts->require_crl_checking,
&reqctx->opts->require_crl_checking);
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index 1cbbed7..077080a 100644
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -63,7 +63,6 @@ pkinit_init_req_opts(pkinit_req_opts **reqopts)
opts->dh_or_rsa = DH_PROTOCOL;
opts->require_crl_checking = 0;
opts->dh_size = PKINIT_DEFAULT_DH_MIN_BITS;
- opts->win2k_require_cksum = 0;
*reqopts = opts;