From 1ef128fbffa218bc611ae4abce6bd5a57cc39882 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Fri, 7 Oct 2005 11:00:05 +0000 Subject: [PATCH] Removing PK-INIT-19 support. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16141 ec53bebd-3082-4978-b11e-865c3cabbd6b --- kdc/pkinit.c | 164 +-------------------------------------- lib/asn1/pkinit.asn1 | 53 ++++--------- lib/krb5/pkinit.c | 180 ++++--------------------------------------- 3 files changed, 32 insertions(+), 365 deletions(-) diff --git a/kdc/pkinit.c b/kdc/pkinit.c index be2aa3657..91a7754d6 100644 --- a/kdc/pkinit.c +++ b/kdc/pkinit.c @@ -65,7 +65,6 @@ struct krb5_pk_cert { enum pkinit_type { PKINIT_COMPAT_WIN2K = 1, - PKINIT_COMPAT_19 = 2, PKINIT_COMPAT_27 = 3 }; @@ -135,49 +134,6 @@ pk_check_pkauthenticator_win2k(krb5_context context, return 0; } -static krb5_error_code -pk_check_pkauthenticator_19(krb5_context context, - PKAuthenticator_19 *a, - KDC_REQ *req) -{ - u_char *buf = NULL; - size_t buf_size; - krb5_error_code ret; - size_t len; - krb5_timestamp now; - - krb5_timeofday (context, &now); - - /* XXX cusec */ - if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) { - krb5_clear_error_string(context); - return KRB5KRB_AP_ERR_SKEW; - } - - if (a->paChecksum.cksumtype != CKSUMTYPE_RSA_MD5 && - a->paChecksum.cksumtype != CKSUMTYPE_SHA1) - { - krb5_clear_error_string(context); - ret = KRB5KRB_ERR_GENERIC; - } - - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret); - if (ret) { - krb5_clear_error_string(context); - return ret; - } - if (buf_size != len) - krb5_abortx(context, "Internal error in ASN.1 encoder"); - - ret = krb5_verify_checksum(context, NULL, 0, buf, len, - &a->paChecksum); - if (ret) - krb5_clear_error_string(context); - - free(buf); - return ret; -} - static krb5_error_code pk_check_pkauthenticator(krb5_context context, PKAuthenticator *a, 
@@ -609,51 +565,6 @@ _kdc_pk_rd_padata(krb5_context context, free_ContentInfo(&info); - } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_19) { - PA_PK_AS_REQ_19 r; - - type = "PK-INIT-19"; - pa_contentType = oid_id_pkauthdata(); - - ret = decode_PA_PK_AS_REQ_19(pa->padata_value.data, - pa->padata_value.length, - &r, - NULL); - if (ret) { - krb5_set_error_string(context, "Can't decode " - "PK-AS-REQ-19: %d", ret); - goto out; - } - - if (heim_oid_cmp(&r.signedAuthPack.contentType, - oid_id_pkcs7_signedData())) - { - krb5_set_error_string(context, "PK-AS-REQ-19 invalid content " - "type oid"); - free_PA_PK_AS_REQ_19(&r); - ret = KRB5KRB_ERR_GENERIC; - goto out; - } - - if (r.signedAuthPack.content == NULL) { - krb5_set_error_string(context, "PK-AS-REQ-19 no signed auth pack"); - free_PA_PK_AS_REQ_19(&r); - ret = KRB5KRB_ERR_GENERIC; - goto out; - } - - signed_content.data = malloc(r.signedAuthPack.content->length); - if (signed_content.data == NULL) { - ret = ENOMEM; - free_PA_PK_AS_REQ_19(&r); - krb5_set_error_string(context, "PK-AS-REQ-19 out of memory"); - goto out; - } - signed_content.length = r.signedAuthPack.content->length; - memcpy(signed_content.data, r.signedAuthPack.content->data, - signed_content.length); - - free_PA_PK_AS_REQ_19(&r); } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) { PA_PK_AS_REQ r; ContentInfo info; 
@@ -763,37 +674,6 @@ _kdc_pk_rd_padata(krb5_context context, } free_AuthPack_Win2k(&ap); - } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_19) { - AuthPack_19 ap; - - ret = decode_AuthPack_19(eContent.data, - eContent.length, - &ap, - NULL); - if (ret) { - krb5_set_error_string(context, "can't decode AuthPack: %d", ret); - free_AuthPack_19(&ap); - goto out; - } - - ret = pk_check_pkauthenticator_19(context, - &ap.pkAuthenticator, - req); - if (ret) { - free_AuthPack_19(&ap); - goto out; - } - - client_params->type = PKINIT_COMPAT_19; - client_params->nonce = ap.pkAuthenticator.nonce; - - if (ap.clientPublicValue) { - krb5_set_error_string(context, "PK-INIT, no support for DH"); - ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - free_AuthPack_19(&ap); - goto out; - } - free_AuthPack_19(&ap); } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) { AuthPack ap; @@ -949,9 +829,8 @@ pk_mk_pa_reply_enckey(krb5_context context, enc_alg->parameters->length = params.length; switch (client_params->type) { - case PKINIT_COMPAT_WIN2K: - case PKINIT_COMPAT_19: { - ReplyKeyPack_19 kp; + case PKINIT_COMPAT_WIN2K: { + ReplyKeyPack_Win2k kp; memset(&kp, 0, sizeof(kp)); ret = copy_EncryptionKey(reply_key, &kp.replyKey); @@ -961,10 +840,10 @@ pk_mk_pa_reply_enckey(krb5_context context, } kp.nonce = client_params->nonce; - ASN1_MALLOC_ENCODE(ReplyKeyPack_19, + ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k, buf.data, buf.length, &kp, &size,ret); - free_ReplyKeyPack_19(&kp); + free_ReplyKeyPack_Win2k(&kp); } case PKINIT_COMPAT_27: { krb5_crypto ascrypto; 
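Review bot: The PKINIT_COMPAT_WIN2K arm of the switch in pk_mk_pa_reply_enckey still has no `break;` after `free_ReplyKeyPack_Win2k(&kp);` — the hunk shows the block's closing brace followed directly by `case PKINIT_COMPAT_27:`, so a Win2k client's reply falls into the -27 arm and is presumably re-encoded there (leaking the `buf.data` just produced if that arm assigns it). The commit rewrites the case labels and the type names in exactly this spot, so it is the right moment to add `break;` before the closing brace of the WIN2K block, and to check `ret` from ASN1_MALLOC_ENCODE before leaving the arm rather than relying on whatever the -27 path does with it. The body of the -27 arm and the rest of the function lie outside the hunk.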
@@ -1362,41 +1241,6 @@ _kdc_pk_mk_pa_reply(krb5_context context, kdc_log(context, config, 0, "PK-INIT using %s %s", type, other); - } else if (client_params->type == PKINIT_COMPAT_19) { - PA_PK_AS_REP_19 rep; - - pa_type = KRB5_PADATA_PK_AS_REP_19; - - memset(&rep, 0, sizeof(rep)); - - if (client_params->dh == NULL) { - rep.element = choice_PA_PK_AS_REP_19_encKeyPack; - krb5_generate_random_keyblock(context, enctype, - &client_params->reply_key); - ret = pk_mk_pa_reply_enckey(context, - client_params, - req, - req_buffer, - &client_params->reply_key, - &rep.u.encKeyPack); - } else { - krb5_set_error_string(context, "DH -19 not implemented"); - ret = KRB5KRB_ERR_GENERIC; - } - if (ret) { - free_PA_PK_AS_REP_19(&rep); - goto out; - } - - ASN1_MALLOC_ENCODE(PA_PK_AS_REP_19, buf, len, &rep, &size, ret); - free_PA_PK_AS_REP_19(&rep); - if (ret) { - krb5_set_error_string(context, - "encode PA-PK-AS-REP-19 failed %d", ret); - goto out; - } - if (len != size) - krb5_abortx(context, "Internal ASN.1 encoder error"); } else if (client_params->type == PKINIT_COMPAT_WIN2K) { PA_PK_AS_REP_Win2k rep; diff --git a/lib/asn1/pkinit.asn1 b/lib/asn1/pkinit.asn1 index 4bdfb4faf..951e04ff8 100644 --- a/lib/asn1/pkinit.asn1 +++ b/lib/asn1/pkinit.asn1 @@ -124,6 +124,18 @@ AuthPack-Win2k ::= SEQUENCE { } +TrustedCA-Win2k ::= CHOICE { + caName [1] heim_any, + issuerAndSerial [2] IssuerAndSerialNumber +} + +PA-PK-AS-REQ-Win2k ::= SEQUENCE { + signed-auth-pack [0] IMPLICIT OCTET STRING, + trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL, + kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL, + encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL +} + PA-PK-AS-REP-Win2k ::= CHOICE { dhSignedData [0] IMPLICIT OCTET STRING, encKeyPack [1] IMPLICIT OCTET STRING 
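Review bot: The new TrustedCA-Win2k and PA-PK-AS-REQ-Win2k definitions carry no comment tying them to the padata type they travel in, whereas the PA-PK-AS-REQ-19 definition being deleted in the next hunk was annotated `-- PAType 14`; with the -19 types gone, nothing in this file records which KRB5_PADATA_* value the C code dispatches these Win2k structures on. A one-line comment on `PA-PK-AS-REQ-Win2k ::= SEQUENCE {` naming that padata type, and a matching one on the renamed ReplyKeyPack-Win2k, would keep that mapping discoverable from the ASN.1 alone.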
@@ -135,46 +147,7 @@ KDCDHKeyInfo-Win2k ::= SEQUENCE { subjectPublicKey [2] BIT STRING } -TrustedCA-19 ::= CHOICE { - caName [1] heim_any, - issuerAndSerial [2] IssuerAndSerialNumber -} - -PA-PK-AS-REQ-19 ::= SEQUENCE { -- PAType 14 - signedAuthPack [0] ContentInfo, -- AuthPack - trustedCertifiers [1] SEQUENCE OF TrustedCA-19 OPTIONAL, - kdcCert [2] IssuerAndSerialNumber OPTIONAL, - encryptionCert [3] IssuerAndSerialNumber OPTIONAL, - ... -} - -PA-PK-AS-REQ-Win2k ::= SEQUENCE { - signed-auth-pack [0] IMPLICIT OCTET STRING, - trusted-certifiers [2] SEQUENCE OF TrustedCA-19 OPTIONAL, - kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL, - encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL -} - -PKAuthenticator-19 ::= SEQUENCE { - cusec [0] INTEGER (0..4294967295), - ctime [1] KerberosTime, - nonce [2] INTEGER (0..4294967295), - paChecksum [3] Checksum, - ... -} - -AuthPack-19 ::= SEQUENCE { - pkAuthenticator [0] PKAuthenticator-19, - clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL -} - -PA-PK-AS-REP-19 ::= CHOICE { - dhSignedData [0] ContentInfo, - encKeyPack [1] ContentInfo, - ... -} - -ReplyKeyPack-19 ::= SEQUENCE { +ReplyKeyPack-Win2k ::= SEQUENCE { replyKey [0] EncryptionKey, nonce [1] INTEGER (0..4294967295), ... diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c index 7026ee323..157fab1e4 100644 --- a/lib/krb5/pkinit.c +++ b/lib/krb5/pkinit.c @@ -57,7 +57,6 @@ RCSID("$Id$"); enum { COMPAT_WIN2K = 1, - COMPAT_19 = 2, COMPAT_27 = 3 }; 
@@ -492,46 +491,6 @@ build_auth_pack_win2k(krb5_context context, return 0; } -static krb5_error_code -build_auth_pack_19(krb5_context context, - unsigned nonce, - const KDC_REQ_BODY *body, - AuthPack_19 *a) -{ - size_t buf_size, len; - krb5_cksumtype cksum; - krb5_error_code ret; - void *buf; - krb5_timestamp sec; - int32_t usec; - - krb5_clear_error_string(context); - - /* XXX some PACKETCABLE needs implemetations need md5 */ - cksum = CKSUMTYPE_RSA_MD5; - - krb5_us_timeofday(context, &sec, &usec); - a->pkAuthenticator.ctime = sec; - a->pkAuthenticator.nonce = nonce; - - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret); - if (ret) - return ret; - if (buf_size != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - - ret = krb5_create_checksum(context, - NULL, - 0, - cksum, - buf, - len, - &a->pkAuthenticator.paChecksum); - free(buf); - - return ret; -} - static krb5_error_code build_auth_pack(krb5_context context, unsigned nonce, @@ -728,27 +687,6 @@ pk_mk_padata(krb5_context context, krb5_abortx(context, "internal ASN1 encoder error"); oid = oid_id_pkcs7_data(); - } else if (compat == COMPAT_19) { - AuthPack_19 ap; - - memset(&ap, 0, sizeof(ap)); - - ret = build_auth_pack_19(context, nonce, req_body, &ap); - if (ret) { - free_AuthPack_19(&ap); - goto out; - } - - ASN1_MALLOC_ENCODE(AuthPack_19, buf.data, buf.length, &ap, &size, ret); - free_AuthPack_19(&ap); - if (ret) { - krb5_set_error_string(context, "AuthPack_19: %d", ret); - goto out; - } - if (buf.length != size) - krb5_abortx(context, "internal ASN1 encoder error"); - - oid = oid_id_pkauthdata(); } else if (compat == COMPAT_27) { AuthPack ap; 
@@ -814,27 +752,6 @@ pk_mk_padata(krb5_context context, &winreq, &size, ret); free_PA_PK_AS_REQ_Win2k(&winreq); - } else if (compat == COMPAT_19) { - PA_PK_AS_REQ_19 req_19; - - pa_type = KRB5_PADATA_PK_AS_REQ_19; - - memset(&req_19, 0, sizeof(req_19)); - - ret = copy_ContentInfo(&content_info, &req_19.signedAuthPack); - if (ret) { - krb5_clear_error_string(context); - goto out; - } - req_19.kdcCert = NULL; - req_19.trustedCertifiers = NULL; - req_19.encryptionCert = NULL; - - ASN1_MALLOC_ENCODE(PA_PK_AS_REQ_19, buf.data, buf.length, - &req_19, &size, ret); - - free_PA_PK_AS_REQ_19(&req_19); - } else if (compat == COMPAT_27) { pa_type = KRB5_PADATA_PK_AS_REQ; @@ -881,9 +798,6 @@ _krb5_pk_mk_padata(krb5_context context, { krb5_pk_init_ctx ctx = c; krb5_error_code ret; - size_t size; - krb5_data buf; - const char *provisioning_server; int win2k_compat; win2k_compat = krb5_config_get_bool_default(context, NULL, @@ -900,39 +814,11 @@ _krb5_pk_mk_padata(krb5_context context, if (ret) goto out; } else { -#if 0 - ret = pk_mk_padata(context, COMPAT_19, ctx, req_body, nonce, md); - if (ret) - goto out; -#endif ret = pk_mk_padata(context, COMPAT_27, ctx, req_body, nonce, md); if (ret) goto out; } - provisioning_server = - krb5_config_get_string(context, NULL, - "realms", - req_body->realm, - "packet-cable-provisioning-server", - NULL); - - if (provisioning_server) { - /* PacketCable requires the PROV-SRV-LOCATION authenticator */ - const PROV_SRV_LOCATION prov_server = rk_UNCONST(provisioning_server); - - ASN1_MALLOC_ENCODE(PROV_SRV_LOCATION, buf.data, buf.length, - &prov_server, &size, ret); - if (ret) - goto out; - if (buf.length != size) - krb5_abortx(context, "Internal ASN1 encoder error"); - - /* PacketCable uses -1 (application specific) as the auth data type */ - ret = krb5_padata_add(context, md, -1, buf.data, buf.length); - if (ret) - free(buf.data); - } out: return ret; } 
@@ -1312,42 +1198,42 @@ _krb5_pk_verify_sign(krb5_context context, return ret; } -static krb5_error_code -get_reply_key_19(krb5_context context, - const krb5_data *content, - unsigned nonce, - krb5_keyblock **key) + static krb5_error_code +get_reply_key_win(krb5_context context, + const krb5_data *content, + unsigned nonce, + krb5_keyblock **key) { - ReplyKeyPack_19 key_pack; + ReplyKeyPack_Win2k key_pack; krb5_error_code ret; size_t size; - ret = decode_ReplyKeyPack_19(content->data, - content->length, - &key_pack, - &size); + ret = decode_ReplyKeyPack_Win2k(content->data, + content->length, + &key_pack, + &size); if (ret) { krb5_set_error_string(context, "PKINIT decoding reply key failed"); - free_ReplyKeyPack_19(&key_pack); + free_ReplyKeyPack_Win2k(&key_pack); return ret; } if (key_pack.nonce != nonce) { krb5_set_error_string(context, "PKINIT enckey nonce is wrong"); - free_ReplyKeyPack_19(&key_pack); + free_ReplyKeyPack_Win2k(&key_pack); return KRB5KRB_AP_ERR_MODIFIED; } *key = malloc (sizeof (**key)); if (*key == NULL) { krb5_set_error_string(context, "PKINIT failed allocating reply key"); - free_ReplyKeyPack_19(&key_pack); + free_ReplyKeyPack_Win2k(&key_pack); krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } ret = copy_EncryptionKey(&key_pack.replyKey, *key); - free_ReplyKeyPack_19(&key_pack); + free_ReplyKeyPack_Win2k(&key_pack); if (ret) { krb5_set_error_string(context, "PKINIT failed copying reply key"); free(*key); @@ -1633,8 +1519,7 @@ pk_rd_pa_reply_enckey(krb5_context context, switch(type) { case COMPAT_WIN2K: - case COMPAT_19: - ret = get_reply_key_19(context, &content, nonce, key); + ret = get_reply_key_win(context, &content, nonce, key); break; case COMPAT_27: ret = get_reply_key(context, &content, req_buffer, key); 
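Review bot: The added `static krb5_error_code` line of get_reply_key_win carries a stray leading space (the removed line for get_reply_key_19 started at column 0, the new one does not); it should start at column 0 like the `get_reply_key_win(` line below it. While this function is being renamed, the ENOMEM path in the same hunk calls krb5_set_error_string twice in a row, so `PKINIT failed allocating reply key` is immediately overwritten by `malloc: out of memory` before the caller can see it; keep one of the two calls. The function body continues past the end of the hunk.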
@@ -1908,41 +1793,6 @@ _krb5_pk_rd_pa_reply(krb5_context context, return ret; } - /* Check for PK-INIT -19 */ - { - PA_PK_AS_REP_19 rep19; - - memset(&rep19, 0, sizeof(rep19)); - - ret = decode_PA_PK_AS_REP_19(pa->padata_value.data, - pa->padata_value.length, - &rep19, - &size); - if (ret == 0) { - krb5_clear_error_string(context); - switch(rep19.element) { - case choice_PA_PK_AS_REP_19_dhSignedData: - ret = pk_rd_pa_reply_dh(context, &rep19.u.dhSignedData, ctx, - etype, NULL, NULL, - nonce, pa, key); - break; - case choice_PA_PK_AS_REP_19_encKeyPack: - ret = pk_rd_pa_reply_enckey(context, COMPAT_19, - &rep19.u.encKeyPack, ctx, - etype, nonce, NULL, pa, key); - break; - default: - krb5_set_error_string(context, "PKINIT: -19 reply invalid " - "content type"); - ret = EINVAL; - break; - } - free_PA_PK_AS_REP_19(&rep19); - if (ret == 0) - return 0; - } - } - /* Check for Windows encoding of the AS-REP pa data */ { PA_PK_AS_REP_Win2k w2krep;