oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Removing PK-INIT-19 support.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16141 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2005-10-07 11:00:05 +00:00
parent 0915d6890b
commit 1ef128fbff
3 changed files with 32 additions and 365 deletions
Download Patch File Download Diff File Expand all files Collapse all files

164
kdc/pkinit.c
View File

@@ -65,7 +65,6 @@ struct krb5_pk_cert {
enum pkinit_type { enum pkinit_type {
PKINIT_COMPAT_WIN2K = 1, PKINIT_COMPAT_WIN2K = 1,
PKINIT_COMPAT_19 = 2,
PKINIT_COMPAT_27 = 3 PKINIT_COMPAT_27 = 3
}; };
@@ -135,49 +134,6 @@ pk_check_pkauthenticator_win2k(krb5_context context,
return 0; return 0;
} }
static krb5_error_code
pk_check_pkauthenticator_19(krb5_context context,
PKAuthenticator_19 *a,
KDC_REQ *req)
{
u_char *buf = NULL;
size_t buf_size;
krb5_error_code ret;
size_t len;
krb5_timestamp now;
krb5_timeofday (context, &now);
/* XXX cusec */
if (a->ctime == 0 || abs(a->ctime - now) > context->max_skew) {
krb5_clear_error_string(context);
return KRB5KRB_AP_ERR_SKEW;
}
if (a->paChecksum.cksumtype != CKSUMTYPE_RSA_MD5 &&
a->paChecksum.cksumtype != CKSUMTYPE_SHA1)
{
krb5_clear_error_string(context);
ret = KRB5KRB_ERR_GENERIC;
}
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
if (ret) {
krb5_clear_error_string(context);
return ret;
}
if (buf_size != len)
krb5_abortx(context, "Internal error in ASN.1 encoder");
ret = krb5_verify_checksum(context, NULL, 0, buf, len,
&a->paChecksum);
if (ret)
krb5_clear_error_string(context);
free(buf);
return ret;
}
static krb5_error_code static krb5_error_code
pk_check_pkauthenticator(krb5_context context, pk_check_pkauthenticator(krb5_context context,
PKAuthenticator *a, PKAuthenticator *a,
@@ -609,51 +565,6 @@ _kdc_pk_rd_padata(krb5_context context,
free_ContentInfo(&info); free_ContentInfo(&info);
} else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_19) {
PA_PK_AS_REQ_19 r;
type = "PK-INIT-19";
pa_contentType = oid_id_pkauthdata();
ret = decode_PA_PK_AS_REQ_19(pa->padata_value.data,
pa->padata_value.length,
&r,
NULL);
if (ret) {
krb5_set_error_string(context, "Can't decode "
"PK-AS-REQ-19: %d", ret);
goto out;
}
if (heim_oid_cmp(&r.signedAuthPack.contentType,
oid_id_pkcs7_signedData()))
{
krb5_set_error_string(context, "PK-AS-REQ-19 invalid content "
"type oid");
free_PA_PK_AS_REQ_19(&r);
ret = KRB5KRB_ERR_GENERIC;
goto out;
}
if (r.signedAuthPack.content == NULL) {
krb5_set_error_string(context, "PK-AS-REQ-19 no signed auth pack");
free_PA_PK_AS_REQ_19(&r);
ret = KRB5KRB_ERR_GENERIC;
goto out;
}
signed_content.data = malloc(r.signedAuthPack.content->length);
if (signed_content.data == NULL) {
ret = ENOMEM;
free_PA_PK_AS_REQ_19(&r);
krb5_set_error_string(context, "PK-AS-REQ-19 out of memory");
goto out;
}
signed_content.length = r.signedAuthPack.content->length;
memcpy(signed_content.data, r.signedAuthPack.content->data,
signed_content.length);
free_PA_PK_AS_REQ_19(&r);
} else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) { } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
PA_PK_AS_REQ r; PA_PK_AS_REQ r;
ContentInfo info; ContentInfo info;
@@ -763,37 +674,6 @@ _kdc_pk_rd_padata(krb5_context context,
} }
free_AuthPack_Win2k(&ap); free_AuthPack_Win2k(&ap);
} else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_19) {
AuthPack_19 ap;
ret = decode_AuthPack_19(eContent.data,
eContent.length,
&ap,
NULL);
if (ret) {
krb5_set_error_string(context, "can't decode AuthPack: %d", ret);
free_AuthPack_19(&ap);
goto out;
}
ret = pk_check_pkauthenticator_19(context,
&ap.pkAuthenticator,
req);
if (ret) {
free_AuthPack_19(&ap);
goto out;
}
client_params->type = PKINIT_COMPAT_19;
client_params->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) {
krb5_set_error_string(context, "PK-INIT, no support for DH");
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
free_AuthPack_19(&ap);
goto out;
}
free_AuthPack_19(&ap);
} else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) { } else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
AuthPack ap; AuthPack ap;
@@ -949,9 +829,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
enc_alg->parameters->length = params.length; enc_alg->parameters->length = params.length;
switch (client_params->type) { switch (client_params->type) {
case PKINIT_COMPAT_WIN2K: case PKINIT_COMPAT_WIN2K: {
case PKINIT_COMPAT_19: { ReplyKeyPack_Win2k kp;
ReplyKeyPack_19 kp;
memset(&kp, 0, sizeof(kp)); memset(&kp, 0, sizeof(kp));
ret = copy_EncryptionKey(reply_key, &kp.replyKey); ret = copy_EncryptionKey(reply_key, &kp.replyKey);
@@ -961,10 +840,10 @@ pk_mk_pa_reply_enckey(krb5_context context,
} }
kp.nonce = client_params->nonce; kp.nonce = client_params->nonce;
ASN1_MALLOC_ENCODE(ReplyKeyPack_19, ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k,
buf.data, buf.length, buf.data, buf.length,
&kp, &size,ret); &kp, &size,ret);
free_ReplyKeyPack_19(&kp); free_ReplyKeyPack_Win2k(&kp);
} }
case PKINIT_COMPAT_27: { case PKINIT_COMPAT_27: {
krb5_crypto ascrypto; krb5_crypto ascrypto;
@@ -1362,41 +1241,6 @@ _kdc_pk_mk_pa_reply(krb5_context context,
kdc_log(context, config, 0, "PK-INIT using %s %s", type, other); kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
} else if (client_params->type == PKINIT_COMPAT_19) {
PA_PK_AS_REP_19 rep;
pa_type = KRB5_PADATA_PK_AS_REP_19;
memset(&rep, 0, sizeof(rep));
if (client_params->dh == NULL) {
rep.element = choice_PA_PK_AS_REP_19_encKeyPack;
krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key);
ret = pk_mk_pa_reply_enckey(context,
client_params,
req,
req_buffer,
&client_params->reply_key,
&rep.u.encKeyPack);
} else {
krb5_set_error_string(context, "DH -19 not implemented");
ret = KRB5KRB_ERR_GENERIC;
}
if (ret) {
free_PA_PK_AS_REP_19(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_19, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP_19(&rep);
if (ret) {
krb5_set_error_string(context,
"encode PA-PK-AS-REP-19 failed %d", ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
} else if (client_params->type == PKINIT_COMPAT_WIN2K) { } else if (client_params->type == PKINIT_COMPAT_WIN2K) {
PA_PK_AS_REP_Win2k rep; PA_PK_AS_REP_Win2k rep;

53
lib/asn1/pkinit.asn1
View File

@@ -124,6 +124,18 @@ AuthPack-Win2k ::= SEQUENCE {
} }
TrustedCA-Win2k ::= CHOICE {
caName [1] heim_any,
issuerAndSerial [2] IssuerAndSerialNumber
}
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
signed-auth-pack [0] IMPLICIT OCTET STRING,
trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
}
PA-PK-AS-REP-Win2k ::= CHOICE { PA-PK-AS-REP-Win2k ::= CHOICE {
dhSignedData [0] IMPLICIT OCTET STRING, dhSignedData [0] IMPLICIT OCTET STRING,
encKeyPack [1] IMPLICIT OCTET STRING encKeyPack [1] IMPLICIT OCTET STRING
@@ -135,46 +147,7 @@ KDCDHKeyInfo-Win2k ::= SEQUENCE {
subjectPublicKey [2] BIT STRING subjectPublicKey [2] BIT STRING
} }
TrustedCA-19 ::= CHOICE { ReplyKeyPack-Win2k ::= SEQUENCE {
caName [1] heim_any,
issuerAndSerial [2] IssuerAndSerialNumber
}
PA-PK-AS-REQ-19 ::= SEQUENCE { -- PAType 14
signedAuthPack [0] ContentInfo, -- AuthPack
trustedCertifiers [1] SEQUENCE OF TrustedCA-19 OPTIONAL,
kdcCert [2] IssuerAndSerialNumber OPTIONAL,
encryptionCert [3] IssuerAndSerialNumber OPTIONAL,
...
}
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
signed-auth-pack [0] IMPLICIT OCTET STRING,
trusted-certifiers [2] SEQUENCE OF TrustedCA-19 OPTIONAL,
kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
}
PKAuthenticator-19 ::= SEQUENCE {
cusec [0] INTEGER (0..4294967295),
ctime [1] KerberosTime,
nonce [2] INTEGER (0..4294967295),
paChecksum [3] Checksum,
...
}
AuthPack-19 ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator-19,
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
}
PA-PK-AS-REP-19 ::= CHOICE {
dhSignedData [0] ContentInfo,
encKeyPack [1] ContentInfo,
...
}
ReplyKeyPack-19 ::= SEQUENCE {
replyKey [0] EncryptionKey, replyKey [0] EncryptionKey,
nonce [1] INTEGER (0..4294967295), nonce [1] INTEGER (0..4294967295),
... ...

180
lib/krb5/pkinit.c
View File

@@ -57,7 +57,6 @@ RCSID("$Id$");
enum { enum {
COMPAT_WIN2K = 1, COMPAT_WIN2K = 1,
COMPAT_19 = 2,
COMPAT_27 = 3 COMPAT_27 = 3
}; };
@@ -492,46 +491,6 @@ build_auth_pack_win2k(krb5_context context,
return 0; return 0;
} }
static krb5_error_code
build_auth_pack_19(krb5_context context,
unsigned nonce,
const KDC_REQ_BODY *body,
AuthPack_19 *a)
{
size_t buf_size, len;
krb5_cksumtype cksum;
krb5_error_code ret;
void *buf;
krb5_timestamp sec;
int32_t usec;
krb5_clear_error_string(context);
/* XXX some PACKETCABLE needs implemetations need md5 */
cksum = CKSUMTYPE_RSA_MD5;
krb5_us_timeofday(context, &sec, &usec);
a->pkAuthenticator.ctime = sec;
a->pkAuthenticator.nonce = nonce;
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
if (ret)
return ret;
if (buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
ret = krb5_create_checksum(context,
NULL,
0,
cksum,
buf,
len,
&a->pkAuthenticator.paChecksum);
free(buf);
return ret;
}
static krb5_error_code static krb5_error_code
build_auth_pack(krb5_context context, build_auth_pack(krb5_context context,
unsigned nonce, unsigned nonce,
@@ -728,27 +687,6 @@ pk_mk_padata(krb5_context context,
krb5_abortx(context, "internal ASN1 encoder error"); krb5_abortx(context, "internal ASN1 encoder error");
oid = oid_id_pkcs7_data(); oid = oid_id_pkcs7_data();
} else if (compat == COMPAT_19) {
AuthPack_19 ap;
memset(&ap, 0, sizeof(ap));
ret = build_auth_pack_19(context, nonce, req_body, &ap);
if (ret) {
free_AuthPack_19(&ap);
goto out;
}
ASN1_MALLOC_ENCODE(AuthPack_19, buf.data, buf.length, &ap, &size, ret);
free_AuthPack_19(&ap);
if (ret) {
krb5_set_error_string(context, "AuthPack_19: %d", ret);
goto out;
}
if (buf.length != size)
krb5_abortx(context, "internal ASN1 encoder error");
oid = oid_id_pkauthdata();
} else if (compat == COMPAT_27) { } else if (compat == COMPAT_27) {
AuthPack ap; AuthPack ap;
@@ -814,27 +752,6 @@ pk_mk_padata(krb5_context context,
&winreq, &size, ret); &winreq, &size, ret);
free_PA_PK_AS_REQ_Win2k(&winreq); free_PA_PK_AS_REQ_Win2k(&winreq);
} else if (compat == COMPAT_19) {
PA_PK_AS_REQ_19 req_19;
pa_type = KRB5_PADATA_PK_AS_REQ_19;
memset(&req_19, 0, sizeof(req_19));
ret = copy_ContentInfo(&content_info, &req_19.signedAuthPack);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
req_19.kdcCert = NULL;
req_19.trustedCertifiers = NULL;
req_19.encryptionCert = NULL;
ASN1_MALLOC_ENCODE(PA_PK_AS_REQ_19, buf.data, buf.length,
&req_19, &size, ret);
free_PA_PK_AS_REQ_19(&req_19);
} else if (compat == COMPAT_27) { } else if (compat == COMPAT_27) {
pa_type = KRB5_PADATA_PK_AS_REQ; pa_type = KRB5_PADATA_PK_AS_REQ;
@@ -881,9 +798,6 @@ _krb5_pk_mk_padata(krb5_context context,
{ {
krb5_pk_init_ctx ctx = c; krb5_pk_init_ctx ctx = c;
krb5_error_code ret; krb5_error_code ret;
size_t size;
krb5_data buf;
const char *provisioning_server;
int win2k_compat; int win2k_compat;
win2k_compat = krb5_config_get_bool_default(context, NULL, win2k_compat = krb5_config_get_bool_default(context, NULL,
@@ -900,39 +814,11 @@ _krb5_pk_mk_padata(krb5_context context,
if (ret) if (ret)
goto out; goto out;
} else { } else {
#if 0
ret = pk_mk_padata(context, COMPAT_19, ctx, req_body, nonce, md);
if (ret)
goto out;
#endif
ret = pk_mk_padata(context, COMPAT_27, ctx, req_body, nonce, md); ret = pk_mk_padata(context, COMPAT_27, ctx, req_body, nonce, md);
if (ret) if (ret)
goto out; goto out;
} }
provisioning_server =
krb5_config_get_string(context, NULL,
"realms",
req_body->realm,
"packet-cable-provisioning-server",
NULL);
if (provisioning_server) {
/* PacketCable requires the PROV-SRV-LOCATION authenticator */
const PROV_SRV_LOCATION prov_server = rk_UNCONST(provisioning_server);
ASN1_MALLOC_ENCODE(PROV_SRV_LOCATION, buf.data, buf.length,
&prov_server, &size, ret);
if (ret)
goto out;
if (buf.length != size)
krb5_abortx(context, "Internal ASN1 encoder error");
/* PacketCable uses -1 (application specific) as the auth data type */
ret = krb5_padata_add(context, md, -1, buf.data, buf.length);
if (ret)
free(buf.data);
}
out: out:
return ret; return ret;
} }
@@ -1312,42 +1198,42 @@ _krb5_pk_verify_sign(krb5_context context,
return ret; return ret;
} }
static krb5_error_code static krb5_error_code
get_reply_key_19(krb5_context context, get_reply_key_win(krb5_context context,
const krb5_data *content, const krb5_data *content,
unsigned nonce, unsigned nonce,
krb5_keyblock **key) krb5_keyblock **key)
{ {
ReplyKeyPack_19 key_pack; ReplyKeyPack_Win2k key_pack;
krb5_error_code ret; krb5_error_code ret;
size_t size; size_t size;
ret = decode_ReplyKeyPack_19(content->data, ret = decode_ReplyKeyPack_Win2k(content->data,
content->length, content->length,
&key_pack, &key_pack,
&size); &size);
if (ret) { if (ret) {
krb5_set_error_string(context, "PKINIT decoding reply key failed"); krb5_set_error_string(context, "PKINIT decoding reply key failed");
free_ReplyKeyPack_19(&key_pack); free_ReplyKeyPack_Win2k(&key_pack);
return ret; return ret;
} }
if (key_pack.nonce != nonce) { if (key_pack.nonce != nonce) {
krb5_set_error_string(context, "PKINIT enckey nonce is wrong"); krb5_set_error_string(context, "PKINIT enckey nonce is wrong");
free_ReplyKeyPack_19(&key_pack); free_ReplyKeyPack_Win2k(&key_pack);
return KRB5KRB_AP_ERR_MODIFIED; return KRB5KRB_AP_ERR_MODIFIED;
} }
*key = malloc (sizeof (**key)); *key = malloc (sizeof (**key));
if (*key == NULL) { if (*key == NULL) {
krb5_set_error_string(context, "PKINIT failed allocating reply key"); krb5_set_error_string(context, "PKINIT failed allocating reply key");
free_ReplyKeyPack_19(&key_pack); free_ReplyKeyPack_Win2k(&key_pack);
krb5_set_error_string(context, "malloc: out of memory"); krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM; return ENOMEM;
} }
ret = copy_EncryptionKey(&key_pack.replyKey, *key); ret = copy_EncryptionKey(&key_pack.replyKey, *key);
free_ReplyKeyPack_19(&key_pack); free_ReplyKeyPack_Win2k(&key_pack);
if (ret) { if (ret) {
krb5_set_error_string(context, "PKINIT failed copying reply key"); krb5_set_error_string(context, "PKINIT failed copying reply key");
free(*key); free(*key);
@@ -1633,8 +1519,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
switch(type) { switch(type) {
case COMPAT_WIN2K: case COMPAT_WIN2K:
case COMPAT_19: ret = get_reply_key_win(context, &content, nonce, key);
ret = get_reply_key_19(context, &content, nonce, key);
break; break;
case COMPAT_27: case COMPAT_27:
ret = get_reply_key(context, &content, req_buffer, key); ret = get_reply_key(context, &content, req_buffer, key);
@@ -1908,41 +1793,6 @@ _krb5_pk_rd_pa_reply(krb5_context context,
return ret; return ret;
} }
/* Check for PK-INIT -19 */
{
PA_PK_AS_REP_19 rep19;
memset(&rep19, 0, sizeof(rep19));
ret = decode_PA_PK_AS_REP_19(pa->padata_value.data,
pa->padata_value.length,
&rep19,
&size);
if (ret == 0) {
krb5_clear_error_string(context);
switch(rep19.element) {
case choice_PA_PK_AS_REP_19_dhSignedData:
ret = pk_rd_pa_reply_dh(context, &rep19.u.dhSignedData, ctx,
etype, NULL, NULL,
nonce, pa, key);
break;
case choice_PA_PK_AS_REP_19_encKeyPack:
ret = pk_rd_pa_reply_enckey(context, COMPAT_19,
&rep19.u.encKeyPack, ctx,
etype, nonce, NULL, pa, key);
break;
default:
krb5_set_error_string(context, "PKINIT: -19 reply invalid "
"content type");
ret = EINVAL;
break;
}
free_PA_PK_AS_REP_19(&rep19);
if (ret == 0)
return 0;
}
}
/* Check for Windows encoding of the AS-REP pa data */ /* Check for Windows encoding of the AS-REP pa data */
{ {
PA_PK_AS_REP_Win2k w2krep; PA_PK_AS_REP_Win2k w2krep;