krb5 commit: Remove pre-CMS PKINIT compatibility code

ghudson at mit.edu ghudson at mit.edu
Wed Jul 13 16:16:33 EDT 2022 

https://github.com/krb5/krb5/commit/7280d55ea3a1ffe5aa1bee82075e62177d79e1fe
commit 7280d55ea3a1ffe5aa1bee82075e62177d79e1fe
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Jul 11 10:49:38 2022 -0400

    Remove pre-CMS PKINIT compatibility code
    
    CMS support is present in OpenSSL 1.0, which is the earliest supported
    version.

 src/configure.ac                                   |  1 -
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 47 +++-------------------
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.h |  1 +
 3 files changed, 6 insertions(+), 43 deletions(-)

diff --git a/src/configure.ac b/src/configure.ac
index 392ac02d5..77be7a202 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1145,7 +1145,6 @@ if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || t
   K5_GEN_MAKEFILE(plugins/preauth/pkinit)
   K5_GEN_MAKEFILE(tests/softpkcs11)
   PKINIT=yes
-  AC_CHECK_LIB(crypto, CMS_get0_content, [AC_DEFINE([HAVE_OPENSSL_CMS], 1, [Define if OpenSSL supports cms.])])
 elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then
   AC_MSG_ERROR([Version of OpenSSL is too old; cannot enable PKINIT.])
 else
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 1c2aa0282..3024973f3 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -147,43 +147,6 @@ static const char *
 pkcs11err(int err);
 
 
-#ifdef HAVE_OPENSSL_CMS
-/* Use CMS support present in OpenSSL. */
-#include <openssl/cms.h>
-#define pkinit_CMS_get0_content_signed(_cms) CMS_get0_content(_cms)
-#define pkinit_CMS_get0_content_data(_cms) CMS_get0_content(_cms)
-#define pkinit_CMS_free1_crls(_sk_x509crl)              \
-    sk_X509_CRL_pop_free((_sk_x509crl), X509_CRL_free)
-#define pkinit_CMS_free1_certs(_sk_x509)        \
-    sk_X509_pop_free((_sk_x509), X509_free)
-#define pkinit_CMS_SignerInfo_get_cert(_cms,_si,_x509_pp)       \
-    CMS_SignerInfo_get0_algs(_si,NULL,_x509_pp,NULL,NULL)
-#else
-/* Fake up CMS support using PKCS7. */
-#define pkinit_CMS_free1_crls(_stack_of_x509crls)   /* Don't free these */
-#define pkinit_CMS_free1_certs(_stack_of_x509certs) /* Don't free these */
-#define CMS_NO_SIGNER_CERT_VERIFY PKCS7_NOVERIFY
-#define CMS_NOATTR PKCS7_NOATTR
-#define CMS_ContentInfo PKCS7
-#define CMS_SignerInfo PKCS7_SIGNER_INFO
-#define d2i_CMS_ContentInfo d2i_PKCS7
-#define CMS_get0_type(_p7) ((_p7)->type)
-#define pkinit_CMS_get0_content_signed(_p7) (&((_p7)->d.sign->contents->d.other->value.octet_string))
-#define pkinit_CMS_get0_content_data(_p7) (&((_p7)->d.other->value.octet_string))
-#define CMS_set1_signers_certs(_p7,_stack_of_x509,_uint)
-#define CMS_get0_SignerInfos PKCS7_get_signer_info
-#define stack_st_CMS_SignerInfo stack_st_PKCS7_SIGNER_INFO
-#undef  sk_CMS_SignerInfo_value
-#define sk_CMS_SignerInfo_value sk_PKCS7_SIGNER_INFO_value
-#define CMS_get0_eContentType(_p7) (_p7->d.sign->contents->type)
-#define CMS_verify PKCS7_verify
-#define CMS_get1_crls(_p7) (_p7->d.sign->crl)
-#define CMS_get1_certs(_p7) (_p7->d.sign->cert)
-#define CMS_ContentInfo_free(_p7) PKCS7_free(_p7)
-#define pkinit_CMS_SignerInfo_get_cert(_p7,_si,_x509_pp)        \
-    (*_x509_pp) = PKCS7_cert_from_signer_info(_p7,_si)
-#endif
-
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 
 /* 1.1 standardizes constructor and destructor names, renaming
@@ -1901,7 +1864,7 @@ cms_signeddata_verify(krb5_context context,
     if (is_signed && !OBJ_cmp(type, oid)) {
         unsigned char *d;
         *is_signed = 0;
-        octets = pkinit_CMS_get0_content_data(cms);
+        octets = CMS_get0_content(cms);
         if (!octets || ((*octets)->type != V_ASN1_OCTET_STRING)) {
             retval = KRB5KDC_ERR_PREAUTH_FAILED;
             krb5_set_error_message(context, retval,
@@ -1956,13 +1919,13 @@ cms_signeddata_verify(krb5_context context,
             goto cleanup;
         *is_signed = 0;
         /* We cannot use CMS_dataInit because there may be no digest */
-        octets = pkinit_CMS_get0_content_signed(cms);
+        octets = CMS_get0_content(cms);
         if (octets)
             out = BIO_new_mem_buf((*octets)->data, (*octets)->length);
         if (out == NULL)
             goto cleanup;
     } else {
-        pkinit_CMS_SignerInfo_get_cert(cms, si, &x);
+        CMS_SignerInfo_get0_algs(si, NULL, &x, NULL, NULL);
         if (x == NULL)
             goto cleanup;
 
@@ -2187,11 +2150,11 @@ cleanup:
         X509_STORE_free(store);
     if (cms != NULL) {
         if (signerCerts != NULL)
-            pkinit_CMS_free1_certs(signerCerts);
+            sk_X509_pop_free(signerCerts, X509_free);
         if (idctx->intermediateCAs != NULL && signerCerts)
             sk_X509_free(intermediateCAs);
         if (signerRevoked != NULL)
-            pkinit_CMS_free1_crls(signerRevoked);
+            sk_X509_CRL_pop_free(signerRevoked, X509_CRL_free);
         if (idctx->revoked != NULL && signerRevoked)
             sk_X509_CRL_free(revoked);
         CMS_ContentInfo_free(cms);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
index 689279de7..c807f044a 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
@@ -46,6 +46,7 @@
 #include <openssl/asn1.h>
 #include <openssl/pem.h>
 #include <openssl/asn1t.h>
+#include <openssl/cms.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #include <openssl/core_names.h>
 #include <openssl/decoder.h>

More information about the cvs-krb5 mailing list