Remove incomplete PKINIT OCSP support 683/head
authorRobbie Harwood <rharwood@redhat.com>
Mon, 31 Jul 2017 20:03:41 +0000 (16:03 -0400)
committerGreg Hudson <ghudson@mit.edu>
Mon, 7 Aug 2017 19:06:40 +0000 (15:06 -0400)
pkinit_kdc_ocsp is non-functional in the PKINIT OpenSSL crypto
implementation, so remove most traces of it, including its man page
entry.  If it is present in kdc.conf, error out of PKINIT
initialization instead of silently ignoring the realm entirely.

ticket: 8603 (new)

doc/admin/conf_files/kdc_conf.rst
src/man/kdc.conf.man
src/plugins/preauth/pkinit/pkinit.h
src/plugins/preauth/pkinit/pkinit_identity.c
src/plugins/preauth/pkinit/pkinit_srv.c

index 4def01f041970ce257b55e6501c3ed515faca762..3c11e45be56937ab9902fbcd1ace0d93ba7a63ca 100644 (file)
@@ -770,9 +770,6 @@ For information about the syntax of some of these options, see
     pkinit is used to authenticate.  This option may be specified
     multiple times.  (New in release 1.14.)
 
-**pkinit_kdc_ocsp**
-    Specifies the location of the KDC's OCSP.
-
 **pkinit_pool**
     Specifies the location of intermediate certificates which may be
     used by the KDC to complete the trust chain between a client's
index 194af5a3c049ca1bc12c0b00deddf78b65bd6267..9ed4b7edb86758d5a5942a5bc0bc9301d2a76c1b 100644 (file)
@@ -891,9 +891,6 @@ Specifies an authentication indicator to include in the ticket if
 pkinit is used to authenticate.  This option may be specified
 multiple times.  (New in release 1.14.)
 .TP
-.B \fBpkinit_kdc_ocsp\fP
-Specifies the location of the KDC\(aqs OCSP.
-.TP
 .B \fBpkinit_pool\fP
 Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client\(aqs
index 2ae3d161b57d4a72fd0405abe4a77d03ed829fb2..f3de9ad7a15da88e15bbe9654ab37208634894a4 100644 (file)
@@ -73,6 +73,7 @@
 #define KRB5_CONF_PKINIT_IDENTITIES             "pkinit_identities"
 #define KRB5_CONF_PKINIT_IDENTITY               "pkinit_identity"
 #define KRB5_CONF_PKINIT_KDC_HOSTNAME           "pkinit_kdc_hostname"
+/* pkinit_kdc_ocsp has been removed */
 #define KRB5_CONF_PKINIT_KDC_OCSP               "pkinit_kdc_ocsp"
 #define KRB5_CONF_PKINIT_POOL                   "pkinit_pool"
 #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING   "pkinit_require_crl_checking"
@@ -173,7 +174,6 @@ typedef struct _pkinit_identity_opts {
     char **anchors;
     char **intermediates;
     char **crls;
-    char *ocsp;
     int  idtype;
     char *cert_filename;
     char *key_filename;
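Review bot: The comment added above `KRB5_CONF_PKINIT_KDC_OCSP` says the option "has been removed", yet the macro is deliberately kept and is still read in pkinit_srv.c's pkinit_init_kdc_profile so that a configured value can be rejected with ENOTSUP; a maintainer reading only the header would reasonably delete the define as dead. Make the comment state the reason the name survives, e.g. `/* pkinit_kdc_ocsp is not supported; the name is kept only so the KDC can detect and reject it at startup (pkinit_init_kdc_profile). */`. The second hunk in this file, dropping the `ocsp` member of _pkinit_identity_opts, is consistent with that and needs nothing further.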
index c161a71108ae21ab981f014314a4ef06330ced54..e8997c9351a8d1d2f63eb7dbbff31fd637835b49 100644 (file)
@@ -122,7 +122,6 @@ pkinit_init_identity_opts(pkinit_identity_opts **idopts)
     opts->anchors = NULL;
     opts->intermediates = NULL;
     opts->crls = NULL;
-    opts->ocsp = NULL;
 
     opts->cert_filename = NULL;
     opts->key_filename = NULL;
@@ -171,12 +170,6 @@ pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
     if (retval)
         goto cleanup;
 
-    if (src_opts->ocsp != NULL) {
-        newopts->ocsp = strdup(src_opts->ocsp);
-        if (newopts->ocsp == NULL)
-            goto cleanup;
-    }
-
     if (src_opts->cert_filename != NULL) {
         newopts->cert_filename = strdup(src_opts->cert_filename);
         if (newopts->cert_filename == NULL)
@@ -653,10 +646,6 @@ pkinit_identity_prompt(krb5_context context,
         if (retval)
             goto errout;
     }
-    if (idopts->ocsp != NULL) {
-        retval = ENOTSUP;
-        goto errout;
-    }
 
 errout:
     return retval;
index 24da789c9bf4b765da9ea7a95981112e1c0bb39a..a4ce308cb408fa75b25d4e7c185ed0c9954a2dd5 100644 (file)
@@ -1254,7 +1254,7 @@ static krb5_error_code
 pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 {
     krb5_error_code retval;
-    char *eku_string = NULL;
+    char *eku_string = NULL, *ocsp_check = NULL;
 
     pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname);
     retval = pkinit_kdcdefault_string(context, plgctx->realmname,
@@ -1289,7 +1289,15 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 
     pkinit_kdcdefault_string(context, plgctx->realmname,
                              KRB5_CONF_PKINIT_KDC_OCSP,
-                             &plgctx->idopts->ocsp);
+                             &ocsp_check);
+    if (ocsp_check != NULL) {
+        free(ocsp_check);
+        retval = ENOTSUP;
+        krb5_set_error_message(context, retval,
+                               _("OCSP is not supported: (realm: %s)"),
+                               plgctx->realmname);
+        goto errout;
+    }
 
     pkinit_kdcdefault_integer(context, plgctx->realmname,
                               KRB5_CONF_PKINIT_DH_MIN_BITS,
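Review bot: The new rejection block in pkinit_init_kdc_profile has no comment explaining why the KDC still reads an option it no longer supports, so the lookup of `KRB5_CONF_PKINIT_KDC_OCSP` into a throwaway `ocsp_check` looks like leftover code rather than an intentional fail-fast; a one-line comment before the `pkinit_kdcdefault_string` call, such as `/* pkinit_kdc_ocsp never worked; fail the realm loudly rather than ignore it. */`, would capture the intent stated in the commit message. The error text `_("OCSP is not supported: (realm: %s)")` reads awkwardly with a colon followed by a parenthesis; `_("OCSP is not supported (realm: %s)")` matches the usual form. The return value of `pkinit_kdcdefault_string` is ignored here as in the surrounding calls, which appears to be the existing convention for an absent key, so I would not change it in this commit. pkinit_init_kdc_profile continues outside the hunk, so whether `errout` releases the other profile strings already allocated cannot be confirmed from here.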