Remove pkinit_win2k_require_binding option

When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.

For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.

ticket: 7933

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index c6ded33d1cd7e4a4fc09fa2e6dc37d624fa382ca..008ca4ce89c543f05281c012265f0e0d8594ffe4 100644 (file)
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1083,11 +1083,6 @@ PKINIT krb5.conf options
     of the KDC certificate presented.  This option may be specified
     multiple times.
 
-**pkinit_win2k_require_binding**
-    If this flag is set to true, it expects that the target KDC is
-    patched to return a reply with a checksum rather than a nonce.
-    The default is false.
-
 
 .. _parameter_expansion:
 

diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index e21fc81bef56574838ef80a193deec6e65b74c37..3ed43c052e2886484e140b2ec7ac1e2c81bbf466 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -77,7 +77,6 @@
 #define KRB5_CONF_PKINIT_POOL                   "pkinit_pool"
 #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING   "pkinit_require_crl_checking"
 #define KRB5_CONF_PKINIT_REVOKE                 "pkinit_revoke"
-#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING  "pkinit_win2k_require_binding"
 
 /* Make pkiDebug(fmt,...) print, or not.  */
 #ifdef DEBUG
@@ -162,7 +161,6 @@ typedef struct _pkinit_req_opts {
     int require_crl_checking;
     int dh_size;           /* initial request DH modulus size (default=1024) */
     int require_hostname_match;
-    int win2k_require_cksum;
 } pkinit_req_opts;
 
 /*

diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 742564b2704a949fd2502c1ecff53daca1bd8ee8..6c2316298e9b46afb5b75bf72fa3f98d3b9fad5d 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -174,13 +174,7 @@ pa_pkinit_gen_req(krb5_context context,
     return_pa_data[0]->contents = (krb5_octet *) out_data->data;
     *out_data = empty_data();
 
-    /*
-     * LH Beta 3 requires the extra pa-data, even for RFC requests,
-     * in order to get the Checksum rather than a Nonce in the reply.
-     * This can be removed when LH SP1 is released.
-     */
-    if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD &&
-        reqctx->opts->win2k_require_cksum) {
+    if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD) {
         return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval);
         if (return_pa_data[1] == NULL)
             goto cleanup;
@@ -650,7 +644,6 @@ pkinit_as_rep_parse(krb5_context context,
     krb5_pa_pk_as_rep *kdc_reply = NULL;
     krb5_kdc_dh_key_info *kdc_dh = NULL;
     krb5_reply_key_pack *key_pack = NULL;
-    krb5_reply_key_pack_draft9 *key_pack9 = NULL;
     krb5_data dh_data = { 0, 0, NULL };
     unsigned char *client_key = NULL, *kdc_hostname = NULL;
     unsigned int client_key_len = 0;
@@ -813,27 +806,10 @@ pkinit_as_rep_parse(krb5_context context,
         print_buffer_bin(dh_data.data, dh_data.length,
                          "/tmp/client_key_pack");
 #endif
-        if ((retval = k5int_decode_krb5_reply_key_pack(&k5data,
-                                                       &key_pack)) != 0) {
+        retval = k5int_decode_krb5_reply_key_pack(&k5data, &key_pack);
+        if (retval) {
             pkiDebug("failed to decode reply_key_pack\n");
-            if (pa_type == KRB5_PADATA_PK_AS_REP)
-                goto cleanup;
-            retval = k5int_decode_krb5_reply_key_pack_draft9(&k5data,
-                                                             &key_pack9);
-            if (retval) {
-                pkiDebug("failed to decode reply_key_pack_draft9\n");
-                goto cleanup;
-            }
-            pkiDebug("decode reply_key_pack_draft9\n");
-            if (key_pack9->nonce != request->nonce) {
-                pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n",
-                         key_pack9->nonce, request->nonce);
-                retval = -1;
-                goto cleanup;
-            }
-            krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
-                                        key_block);
-            break;
+            goto cleanup;
         }
         /*
          * This is hack but Windows sends back SHA1 checksum
@@ -901,8 +877,6 @@ cleanup:
         free_krb5_reply_key_pack(&key_pack);
         free(cksum.contents);
     }
-    if (key_pack9 != NULL)
-        free_krb5_reply_key_pack_draft9(&key_pack9);
 
     free(kdc_hostname);
 
@@ -925,10 +899,6 @@ pkinit_client_profile(krb5_context context,
     pkiDebug("pkinit_client_profile %p %p %p %p\n",
              context, plgctx, reqctx, realm);
 
-    pkinit_libdefault_boolean(context, realm,
-                              KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING,
-                              reqctx->opts->win2k_require_cksum,
-                              &reqctx->opts->win2k_require_cksum);
     pkinit_libdefault_boolean(context, realm,
                               KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING,
                               reqctx->opts->require_crl_checking,

diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index 1cbbed7f07a4d54bc6d2d47a2168c312ae2ce46e..077080afe3fbcdb2513f93ec50036093ec7d527a 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -63,7 +63,6 @@ pkinit_init_req_opts(pkinit_req_opts **reqopts)
     opts->dh_or_rsa = DH_PROTOCOL;
     opts->require_crl_checking = 0;
     opts->dh_size = PKINIT_DEFAULT_DH_MIN_BITS;
-    opts->win2k_require_cksum = 0;
 
     *reqopts = opts;