
Remove PKINIT longhorn compatibility option
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable.  It is not required to
interoperate with any released version of Windows.

ticket: 7934 (new)
greghudson committed Jun 12, 2014
1 parent 677c775 commit cd06659
Showing 4 changed files with 45 additions and 242 deletions.
3 changes: 0 additions & 3 deletions doc/admin/conf_files/krb5_conf.rst
Expand Up @@ -1055,9 +1055,6 @@ PKINIT krb5.conf options
times. Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).

**pkinit_longhorn**
If this flag is set to true, we are talking to the Longhorn KDC.

**pkinit_pool**
Specifies the location of intermediate certificates which may be
used by the client to complete the trust chain between a KDC
15 changes: 0 additions & 15 deletions src/plugins/preauth/pkinit/pkinit.h
Expand Up @@ -40,20 +40,6 @@
#include "pkinit_accessor.h"
#include "pkinit_trace.h"

/*
* It is anticipated that all the special checks currently
* required when talking to a Longhorn server will go away
* by the time it is officially released and all references
* to the longhorn global can be removed and any code
* #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
* And this #define!
*/
#define LONGHORN_BETA_COMPAT 1
#ifdef LONGHORN_BETA_COMPAT
extern int longhorn; /* XXX Talking to a Longhorn server? */
#endif


#ifndef WITHOUT_PKCS11
#include "pkcs11.h"

Expand Down Expand Up @@ -88,7 +74,6 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */
#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
#define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"
#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn"
#define KRB5_CONF_PKINIT_POOL "pkinit_pool"
#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"
70 changes: 20 additions & 50 deletions src/plugins/preauth/pkinit/pkinit_clnt.c
Expand Up @@ -43,19 +43,6 @@
#include "pkinit.h"
#include "k5-json.h"

/*
* It is anticipated that all the special checks currently
* required when talking to a Longhorn server will go away
* by the time it is officially released and all references
* to the longhorn global can be removed and any code
* #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
*
* Current testing (20070620) is against a patched Beta 3
* version of Longhorn. Most, if not all, problems should
* be fixed in SP1 of Longhorn.
*/
int longhorn = 0; /* Talking to a Longhorn server? */

/**
* Return true if we should use ContentInfo rather than SignedData. This
* happens if we are talking to what might be an old (pre-6112) MIT KDC and
Expand Down Expand Up @@ -192,8 +179,8 @@ pa_pkinit_gen_req(krb5_context context,
* in order to get the Checksum rather than a Nonce in the reply.
* This can be removed when LH SP1 is released.
*/
if ((return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD
&& reqctx->opts->win2k_require_cksum) || (longhorn == 1)) {
if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD &&
reqctx->opts->win2k_require_cksum) {
return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval);
if (return_pa_data[1] == NULL)
goto cleanup;
Expand Down Expand Up @@ -829,34 +816,24 @@ pkinit_as_rep_parse(krb5_context context,
if ((retval = k5int_decode_krb5_reply_key_pack(&k5data,
&key_pack)) != 0) {
pkiDebug("failed to decode reply_key_pack\n");
#ifdef LONGHORN_BETA_COMPAT
/*
* LH Beta 3 requires the extra pa-data, even for RFC requests,
* in order to get the Checksum rather than a Nonce in the reply.
* This can be removed when LH SP1 is released.
*/
if (pa_type == KRB5_PADATA_PK_AS_REP && longhorn == 0)
#else
if (pa_type == KRB5_PADATA_PK_AS_REP)
#endif
goto cleanup;
else {
if ((retval =
k5int_decode_krb5_reply_key_pack_draft9(&k5data,
&key_pack9)) != 0) {
pkiDebug("failed to decode reply_key_pack_draft9\n");
goto cleanup;
}
pkiDebug("decode reply_key_pack_draft9\n");
if (key_pack9->nonce != request->nonce) {
pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n", key_pack9->nonce, request->nonce);
retval = -1;
goto cleanup;
}
krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
key_block);
break;
}
if (pa_type == KRB5_PADATA_PK_AS_REP)
goto cleanup;
retval = k5int_decode_krb5_reply_key_pack_draft9(&k5data,
&key_pack9);
if (retval) {
pkiDebug("failed to decode reply_key_pack_draft9\n");
goto cleanup;
}
pkiDebug("decode reply_key_pack_draft9\n");
if (key_pack9->nonce != request->nonce) {
pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n",
key_pack9->nonce, request->nonce);
retval = -1;
goto cleanup;
}
krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
key_block);
break;
}
/*
* This is hack but Windows sends back SHA1 checksum
Expand Down Expand Up @@ -986,13 +963,6 @@ pkinit_client_profile(krb5_context context,
}
free(eku_string);
}
#ifdef LONGHORN_BETA_COMPAT
/* Temporarily just set global flag from config file */
pkinit_libdefault_boolean(context, realm,
KRB5_CONF_PKINIT_LONGHORN,
0,
&longhorn);
#endif

/* Only process anchors here if they were not specified on command line */
if (reqctx->idopts->anchors == NULL)
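Review bot: The comment directly above the rewritten condition in pa_pkinit_gen_req still ends with `This can be removed when LH SP1 is released.`, yet the `longhorn == 1` half of that condition is exactly what this commit deletes, so the comment now points at a compatibility case that no longer exists in the code. The surviving check keys only on `reqctx->opts->win2k_require_cksum`, so the comment should describe that option instead, e.g. `/* When win2k_require_cksum is set, add the extra pa-data so the reply carries a Checksum rather than a Nonce. */`, and the LH SP1 sentence should go. The start of that comment and of pa_pkinit_gen_req lie above the hunk, so the first lines of the comment should be checked for further Longhorn references as well.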
199 changes: 25 additions & 174 deletions src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
Expand Up @@ -155,16 +155,9 @@ create_krb5_invalidCertificates(krb5_context context,
static krb5_error_code
create_identifiers_from_stack(STACK_OF(X509) *sk,
krb5_external_principal_identifier *** ids);
#ifdef LONGHORN_BETA_COMPAT
static int
wrap_signeddata(unsigned char *data, unsigned int data_len,
unsigned char **out, unsigned int *out_len,
int is_longhorn_server);
#else
static int
wrap_signeddata(unsigned char *data, unsigned int data_len,
unsigned char **out, unsigned int *out_len);
#endif

static char *
pkinit_pkcs11_code_to_text(int err);
Expand Down Expand Up @@ -1953,29 +1946,6 @@ cms_envelopeddata_verify(krb5_context context,
* For draft9-compatible, we don't do anything because it
* is already wrapped.
*/
#ifdef LONGHORN_BETA_COMPAT
/*
* The Longhorn server returns the expected RFC-style data, but
* it is missing the sequence tag and length, so it requires
* special processing when wrapping.
* This will hopefully be fixed before the final release and
* this can all be removed.
*/
if (msg_type == CMS_ENVEL_SERVER || longhorn == 1) {
retval = wrap_signeddata(tmp_buf, tmp_buf_len,
&tmp_buf2, &tmp_buf2_len, longhorn);
if (retval) {
pkiDebug("failed to encode signeddata\n");
goto cleanup;
}
vfy_buf = tmp_buf2;
vfy_buf_len = tmp_buf2_len;

} else {
vfy_buf = tmp_buf;
vfy_buf_len = tmp_buf_len;
}
#else
if (msg_type == CMS_ENVEL_SERVER) {
retval = wrap_signeddata(tmp_buf, tmp_buf_len,
&tmp_buf2, &tmp_buf2_len);
Expand All @@ -1990,7 +1960,6 @@ cms_envelopeddata_verify(krb5_context context,
vfy_buf = tmp_buf;
vfy_buf_len = tmp_buf_len;
}
#endif

#ifdef DEBUG_ASN1
print_buffer_bin(vfy_buf, vfy_buf_len, "/tmp/client_enc_keypack2");
Expand Down Expand Up @@ -3458,112 +3427,6 @@ pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type)

}

#ifdef LONGHORN_BETA_COMPAT
#if 0
/*
* This is a version that worked with Longhorn Beta 3.
*/
static int
wrap_signeddata(unsigned char *data, unsigned int data_len,
unsigned char **out, unsigned int *out_len,
int is_longhorn_server)
{

unsigned int orig_len = 0, oid_len = 0, tot_len = 0;
ASN1_OBJECT *oid = NULL;
unsigned char *p = NULL;

pkiDebug("%s: This is the Longhorn version and is_longhorn_server = %d\n",
__FUNCTION__, is_longhorn_server);

/* Get length to wrap the original data with SEQUENCE tag */
tot_len = orig_len = ASN1_object_size(1, (int)data_len, V_ASN1_SEQUENCE);

if (is_longhorn_server == 0) {
/* Add the signedData OID and adjust lengths */
oid = OBJ_nid2obj(NID_pkcs7_signed);
oid_len = i2d_ASN1_OBJECT(oid, NULL);

tot_len = ASN1_object_size(1, (int)(orig_len+oid_len), V_ASN1_SEQUENCE);
}

p = *out = malloc(tot_len);
if (p == NULL) return -1;

if (is_longhorn_server == 0) {
ASN1_put_object(&p, 1, (int)(orig_len+oid_len),
V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);

i2d_ASN1_OBJECT(oid, &p);

ASN1_put_object(&p, 1, (int)data_len, 0, V_ASN1_CONTEXT_SPECIFIC);
} else {
ASN1_put_object(&p, 1, (int)data_len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
}
memcpy(p, data, data_len);

*out_len = tot_len;

return 0;
}
#else
/*
* This is a version that works with a patched Longhorn KDC.
* (Which should match SP1 ??).
*/
static int
wrap_signeddata(unsigned char *data, unsigned int data_len,
unsigned char **out, unsigned int *out_len,
int is_longhorn_server)
{

unsigned int oid_len = 0, tot_len = 0, wrap_len = 0, tag_len = 0;
ASN1_OBJECT *oid = NULL;
unsigned char *p = NULL;

pkiDebug("%s: This is the Longhorn version and is_longhorn_server = %d\n",
__FUNCTION__, is_longhorn_server);

/* New longhorn is missing another sequence */
if (is_longhorn_server == 1)
wrap_len = ASN1_object_size(1, (int)(data_len), V_ASN1_SEQUENCE);
else
wrap_len = data_len;

/* Get length to wrap the original data with SEQUENCE tag */
tag_len = ASN1_object_size(1, (int)wrap_len, V_ASN1_SEQUENCE);

/* Always add oid */
oid = OBJ_nid2obj(NID_pkcs7_signed);
oid_len = i2d_ASN1_OBJECT(oid, NULL);
oid_len += tag_len;

tot_len = ASN1_object_size(1, (int)(oid_len), V_ASN1_SEQUENCE);

p = *out = malloc(tot_len);
if (p == NULL)
return -1;

ASN1_put_object(&p, 1, (int)(oid_len),
V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);

i2d_ASN1_OBJECT(oid, &p);

ASN1_put_object(&p, 1, (int)wrap_len, 0, V_ASN1_CONTEXT_SPECIFIC);

/* Wrap in extra seq tag */
if (is_longhorn_server == 1) {
ASN1_put_object(&p, 1, (int)data_len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
}
memcpy(p, data, data_len);

*out_len = tot_len;

return 0;
}

#endif
#else
static int
wrap_signeddata(unsigned char *data, unsigned int data_len,
unsigned char **out, unsigned int *out_len)
Expand Down Expand Up @@ -3597,7 +3460,6 @@ wrap_signeddata(unsigned char *data, unsigned int data_len,

return 0;
}
#endif

static int
prepare_enc_data(unsigned char *indata,
Expand Down Expand Up @@ -5643,50 +5505,39 @@ create_identifiers_from_stack(STACK_OF(X509) *sk,
krb5_cas[i]->issuerAndSerialNumber.magic = 0;
krb5_cas[i]->issuerAndSerialNumber.data = NULL;

#ifdef LONGHORN_BETA_COMPAT
if (longhorn == 0) { /* XXX Longhorn doesn't like this */
#endif
is = PKCS7_ISSUER_AND_SERIAL_new();
X509_NAME_set(&is->issuer, X509_get_issuer_name(x));
M_ASN1_INTEGER_free(is->serial);
is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
krb5_cas[i]->issuerAndSerialNumber.data = (char *)p;
i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
krb5_cas[i]->issuerAndSerialNumber.length = len;
#ifdef LONGHORN_BETA_COMPAT
}
#endif
is = PKCS7_ISSUER_AND_SERIAL_new();
X509_NAME_set(&is->issuer, X509_get_issuer_name(x));
M_ASN1_INTEGER_free(is->serial);
is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
p = malloc(len);
if (p == NULL)
goto cleanup;
krb5_cas[i]->issuerAndSerialNumber.data = (char *)p;
i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
krb5_cas[i]->issuerAndSerialNumber.length = len;

/* fill-in subjectKeyIdentifier */
krb5_cas[i]->subjectKeyIdentifier.length = 0;
krb5_cas[i]->subjectKeyIdentifier.magic = 0;
krb5_cas[i]->subjectKeyIdentifier.data = NULL;


#ifdef LONGHORN_BETA_COMPAT
if (longhorn == 0) { /* XXX Longhorn doesn't like this */
#endif
if (X509_get_ext_by_NID(x, NID_subject_key_identifier, -1) >= 0) {
ASN1_OCTET_STRING *ikeyid = NULL;

if ((ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL,
NULL))) {
len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
krb5_cas[i]->subjectKeyIdentifier.data = (char *)p;
i2d_ASN1_OCTET_STRING(ikeyid, &p);
krb5_cas[i]->subjectKeyIdentifier.length = len;
}
if (ikeyid != NULL)
ASN1_OCTET_STRING_free(ikeyid);
if (X509_get_ext_by_NID(x, NID_subject_key_identifier, -1) >= 0) {
ASN1_OCTET_STRING *ikeyid;

ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL,
NULL);
if (ikeyid != NULL) {
len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
p = malloc(len);
if (p == NULL)
goto cleanup;
krb5_cas[i]->subjectKeyIdentifier.data = (char *)p;
i2d_ASN1_OCTET_STRING(ikeyid, &p);
krb5_cas[i]->subjectKeyIdentifier.length = len;
ASN1_OCTET_STRING_free(ikeyid);
}
#ifdef LONGHORN_BETA_COMPAT
}
#endif
if (is != NULL) {
if (is->issuer != NULL)
X509_NAME_free(is->issuer);
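Review bot: In the rewritten create_identifiers_from_stack block, `is = PKCS7_ISSUER_AND_SERIAL_new();` is dereferenced on the very next line by `X509_NAME_set(&is->issuer, ...)` with no NULL check, so an allocation failure becomes a NULL dereference instead of taking the `goto cleanup` path that the `p = malloc(len)` failure a few lines later already takes; since these lines are being re-indented and rewritten anyway, `if (is == NULL) goto cleanup;` belongs right after the `_new()` call. Likewise `len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL)` and the later `len = i2d_ASN1_OCTET_STRING(ikeyid, NULL)` can return a negative value on an encoding error, which `p = malloc(len)` would silently convert to a huge size_t; an explicit `if (len < 0) goto cleanup;` before each malloc makes that failure visible. Whether the cleanup label leaves a non-zero retval on these paths cannot be confirmed from here, as the function's prologue and cleanup label lie outside the hunk.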
