Remove PKINIT longhorn compatibility option
authorGreg Hudson <ghudson@mit.edu>
Sat, 7 Jun 2014 02:48:04 +0000 (22:48 -0400)
committerGreg Hudson <ghudson@mit.edu>
Thu, 12 Jun 2014 17:16:24 +0000 (13:16 -0400)
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable.  It is not required to
interoperate with any released version of Windows.

ticket: 7934 (new)

doc/admin/conf_files/krb5_conf.rst
src/plugins/preauth/pkinit/pkinit.h
src/plugins/preauth/pkinit/pkinit_clnt.c
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

index 387da6062cb6c0c7197a831bd335eac068ada29e..c6ded33d1cd7e4a4fc09fa2e6dc37d624fa382ca 100644 (file)
@@ -1055,9 +1055,6 @@ PKINIT krb5.conf options
     times.  Its value should contain the acceptable hostname for the
     KDC (as contained in its certificate).
 
-**pkinit_longhorn**
-    If this flag is set to true, we are talking to the Longhorn KDC.
-
 **pkinit_pool**
     Specifies the location of intermediate certificates which may be
     used by the client to complete the trust chain between a KDC
index 328dee5b70a5628da3772b5149ad73c83f2c21c2..e21fc81bef56574838ef80a193deec6e65b74c37 100644 (file)
 #include "pkinit_accessor.h"
 #include "pkinit_trace.h"
 
-/*
- * It is anticipated that all the special checks currently
- * required when talking to a Longhorn server will go away
- * by the time it is officially released and all references
- * to the longhorn global can be removed and any code
- * #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
- * And this #define!
- */
-#define LONGHORN_BETA_COMPAT 1
-#ifdef LONGHORN_BETA_COMPAT
-extern int longhorn;       /* XXX Talking to a Longhorn server? */
-#endif
-
-
 #ifndef WITHOUT_PKCS11
 #include "pkcs11.h"
 
@@ -88,7 +74,6 @@ extern int longhorn;      /* XXX Talking to a Longhorn server? */
 #define KRB5_CONF_PKINIT_IDENTITY               "pkinit_identity"
 #define KRB5_CONF_PKINIT_KDC_HOSTNAME           "pkinit_kdc_hostname"
 #define KRB5_CONF_PKINIT_KDC_OCSP               "pkinit_kdc_ocsp"
-#define KRB5_CONF_PKINIT_LONGHORN               "pkinit_longhorn"
 #define KRB5_CONF_PKINIT_POOL                   "pkinit_pool"
 #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING   "pkinit_require_crl_checking"
 #define KRB5_CONF_PKINIT_REVOKE                 "pkinit_revoke"
index b1c92dd0213ee8fe389270aeb1c32b8463871d71..742564b2704a949fd2502c1ecff53daca1bd8ee8 100644 (file)
 #include "pkinit.h"
 #include "k5-json.h"
 
-/*
- * It is anticipated that all the special checks currently
- * required when talking to a Longhorn server will go away
- * by the time it is officially released and all references
- * to the longhorn global can be removed and any code
- * #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
- *
- * Current testing (20070620) is against a patched Beta 3
- * version of Longhorn.  Most, if not all, problems should
- * be fixed in SP1 of Longhorn.
- */
-int longhorn = 0;       /* Talking to a Longhorn server? */
-
 /**
  * Return true if we should use ContentInfo rather than SignedData. This
  * happens if we are talking to what might be an old (pre-6112) MIT KDC and
@@ -192,8 +179,8 @@ pa_pkinit_gen_req(krb5_context context,
      * in order to get the Checksum rather than a Nonce in the reply.
      * This can be removed when LH SP1 is released.
      */
-    if ((return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD
-         && reqctx->opts->win2k_require_cksum) || (longhorn == 1)) {
+    if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD &&
+        reqctx->opts->win2k_require_cksum) {
         return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval);
         if (return_pa_data[1] == NULL)
             goto cleanup;
@@ -829,34 +816,24 @@ pkinit_as_rep_parse(krb5_context context,
         if ((retval = k5int_decode_krb5_reply_key_pack(&k5data,
                                                        &key_pack)) != 0) {
             pkiDebug("failed to decode reply_key_pack\n");
-#ifdef LONGHORN_BETA_COMPAT
-            /*
-             * LH Beta 3 requires the extra pa-data, even for RFC requests,
-             * in order to get the Checksum rather than a Nonce in the reply.
-             * This can be removed when LH SP1 is released.
-             */
-            if (pa_type == KRB5_PADATA_PK_AS_REP && longhorn == 0)
-#else
-                if (pa_type == KRB5_PADATA_PK_AS_REP)
-#endif
-                    goto cleanup;
-                else {
-                    if ((retval =
-                         k5int_decode_krb5_reply_key_pack_draft9(&k5data,
-                                                                 &key_pack9)) != 0) {
-                        pkiDebug("failed to decode reply_key_pack_draft9\n");
-                        goto cleanup;
-                    }
-                    pkiDebug("decode reply_key_pack_draft9\n");
-                    if (key_pack9->nonce != request->nonce) {
-                        pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n",                                 key_pack9->nonce, request->nonce);
-                        retval = -1;
-                        goto cleanup;
-                    }
-                    krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
-                                                key_block);
-                    break;
-                }
+            if (pa_type == KRB5_PADATA_PK_AS_REP)
+                goto cleanup;
+            retval = k5int_decode_krb5_reply_key_pack_draft9(&k5data,
+                                                             &key_pack9);
+            if (retval) {
+                pkiDebug("failed to decode reply_key_pack_draft9\n");
+                goto cleanup;
+            }
+            pkiDebug("decode reply_key_pack_draft9\n");
+            if (key_pack9->nonce != request->nonce) {
+                pkiDebug("nonce in AS_REP=%d doesn't match AS_REQ=%d\n",
+                         key_pack9->nonce, request->nonce);
+                retval = -1;
+                goto cleanup;
+            }
+            krb5_copy_keyblock_contents(context, &key_pack9->replyKey,
+                                        key_block);
+            break;
         }
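Review bot: The return value of `krb5_copy_keyblock_contents` on the new lines just before the `break` is discarded, so an allocation failure inside it leaves `retval` at 0 (the successful draft9 decode has just reset it) and the function continues as though `key_block` held a valid reply key. Capture it: `retval = krb5_copy_keyblock_contents(context, &key_pack9->replyKey, key_block);` followed by `if (retval) goto cleanup;`. The `retval = -1` on nonce mismatch is carried over from the deleted branch and is not a defined krb5 error code; a named KRB5 error value would be clearer to callers that inspect it. The construct the `break` leaves, and pkinit_as_rep_parse itself, continue outside the hunk.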
         /*
          * This is hack but Windows sends back SHA1 checksum
@@ -986,13 +963,6 @@ pkinit_client_profile(krb5_context context,
         }
         free(eku_string);
     }
-#ifdef LONGHORN_BETA_COMPAT
-    /* Temporarily just set global flag from config file */
-    pkinit_libdefault_boolean(context, realm,
-                              KRB5_CONF_PKINIT_LONGHORN,
-                              0,
-                              &longhorn);
-#endif
 
     /* Only process anchors here if they were not specified on command line */
     if (reqctx->idopts->anchors == NULL)
index 1d6b0cd7a01290b977e055e3aac673b0d32293ef..08fdc24ff92682a2f7e872abe7b94f85bb817bad 100644 (file)
@@ -155,16 +155,9 @@ create_krb5_invalidCertificates(krb5_context context,
 static krb5_error_code
 create_identifiers_from_stack(STACK_OF(X509) *sk,
                               krb5_external_principal_identifier *** ids);
-#ifdef LONGHORN_BETA_COMPAT
-static int
-wrap_signeddata(unsigned char *data, unsigned int data_len,
-                unsigned char **out, unsigned int *out_len,
-                int is_longhorn_server);
-#else
 static int
 wrap_signeddata(unsigned char *data, unsigned int data_len,
                 unsigned char **out, unsigned int *out_len);
-#endif
 
 static char *
 pkinit_pkcs11_code_to_text(int err);
@@ -1953,29 +1946,6 @@ cms_envelopeddata_verify(krb5_context context,
      * For draft9-compatible, we don't do anything because it
      * is already wrapped.
      */
-#ifdef LONGHORN_BETA_COMPAT
-    /*
-     * The Longhorn server returns the expected RFC-style data, but
-     * it is missing the sequence tag and length, so it requires
-     * special processing when wrapping.
-     * This will hopefully be fixed before the final release and
-     * this can all be removed.
-     */
-    if (msg_type == CMS_ENVEL_SERVER || longhorn == 1) {
-        retval = wrap_signeddata(tmp_buf, tmp_buf_len,
-                                 &tmp_buf2, &tmp_buf2_len, longhorn);
-        if (retval) {
-            pkiDebug("failed to encode signeddata\n");
-            goto cleanup;
-        }
-        vfy_buf = tmp_buf2;
-        vfy_buf_len = tmp_buf2_len;
-
-    } else {
-        vfy_buf = tmp_buf;
-        vfy_buf_len = tmp_buf_len;
-    }
-#else
     if (msg_type == CMS_ENVEL_SERVER) {
         retval = wrap_signeddata(tmp_buf, tmp_buf_len,
                                  &tmp_buf2, &tmp_buf2_len);
@@ -1990,7 +1960,6 @@ cms_envelopeddata_verify(krb5_context context,
         vfy_buf = tmp_buf;
         vfy_buf_len = tmp_buf_len;
     }
-#endif
 
 #ifdef DEBUG_ASN1
     print_buffer_bin(vfy_buf, vfy_buf_len, "/tmp/client_enc_keypack2");
@@ -3458,112 +3427,6 @@ pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type)
 
 }
 
-#ifdef LONGHORN_BETA_COMPAT
-#if 0
-/*
- * This is a version that worked with Longhorn Beta 3.
- */
-static int
-wrap_signeddata(unsigned char *data, unsigned int data_len,
-                unsigned char **out, unsigned int *out_len,
-                int is_longhorn_server)
-{
-
-    unsigned int orig_len = 0, oid_len = 0, tot_len = 0;
-    ASN1_OBJECT *oid = NULL;
-    unsigned char *p = NULL;
-
-    pkiDebug("%s: This is the Longhorn version and is_longhorn_server = %d\n",
-             __FUNCTION__, is_longhorn_server);
-
-    /* Get length to wrap the original data with SEQUENCE tag */
-    tot_len = orig_len = ASN1_object_size(1, (int)data_len, V_ASN1_SEQUENCE);
-
-    if (is_longhorn_server == 0) {
-        /* Add the signedData OID and adjust lengths */
-        oid = OBJ_nid2obj(NID_pkcs7_signed);
-        oid_len = i2d_ASN1_OBJECT(oid, NULL);
-
-        tot_len = ASN1_object_size(1, (int)(orig_len+oid_len), V_ASN1_SEQUENCE);
-    }
-
-    p = *out = malloc(tot_len);
-    if (p == NULL) return -1;
-
-    if (is_longhorn_server == 0) {
-        ASN1_put_object(&p, 1, (int)(orig_len+oid_len),
-                        V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-
-        i2d_ASN1_OBJECT(oid, &p);
-
-        ASN1_put_object(&p, 1, (int)data_len, 0, V_ASN1_CONTEXT_SPECIFIC);
-    } else {
-        ASN1_put_object(&p, 1, (int)data_len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-    }
-    memcpy(p, data, data_len);
-
-    *out_len = tot_len;
-
-    return 0;
-}
-#else
-/*
- * This is a version that works with a patched Longhorn KDC.
- * (Which should match SP1 ??).
- */
-static int
-wrap_signeddata(unsigned char *data, unsigned int data_len,
-                unsigned char **out, unsigned int *out_len,
-                int is_longhorn_server)
-{
-
-    unsigned int oid_len = 0, tot_len = 0, wrap_len = 0, tag_len = 0;
-    ASN1_OBJECT *oid = NULL;
-    unsigned char *p = NULL;
-
-    pkiDebug("%s: This is the Longhorn version and is_longhorn_server = %d\n",
-             __FUNCTION__, is_longhorn_server);
-
-    /* New longhorn is missing another sequence */
-    if (is_longhorn_server == 1)
-        wrap_len = ASN1_object_size(1, (int)(data_len), V_ASN1_SEQUENCE);
-    else
-        wrap_len = data_len;
-
-    /* Get length to wrap the original data with SEQUENCE tag */
-    tag_len = ASN1_object_size(1, (int)wrap_len, V_ASN1_SEQUENCE);
-
-    /* Always add oid */
-    oid = OBJ_nid2obj(NID_pkcs7_signed);
-    oid_len = i2d_ASN1_OBJECT(oid, NULL);
-    oid_len += tag_len;
-
-    tot_len = ASN1_object_size(1, (int)(oid_len), V_ASN1_SEQUENCE);
-
-    p = *out = malloc(tot_len);
-    if (p == NULL)
-        return -1;
-
-    ASN1_put_object(&p, 1, (int)(oid_len),
-                    V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-
-    i2d_ASN1_OBJECT(oid, &p);
-
-    ASN1_put_object(&p, 1, (int)wrap_len, 0, V_ASN1_CONTEXT_SPECIFIC);
-
-    /* Wrap in extra seq tag */
-    if (is_longhorn_server == 1) {
-        ASN1_put_object(&p, 1, (int)data_len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-    }
-    memcpy(p, data, data_len);
-
-    *out_len = tot_len;
-
-    return 0;
-}
-
-#endif
-#else
 static int
 wrap_signeddata(unsigned char *data, unsigned int data_len,
                 unsigned char **out, unsigned int *out_len)
@@ -3597,7 +3460,6 @@ wrap_signeddata(unsigned char *data, unsigned int data_len,
 
     return 0;
 }
-#endif
 
 static int
 prepare_enc_data(unsigned char *indata,
@@ -5643,50 +5505,39 @@ create_identifiers_from_stack(STACK_OF(X509) *sk,
         krb5_cas[i]->issuerAndSerialNumber.magic = 0;
         krb5_cas[i]->issuerAndSerialNumber.data = NULL;
 
-#ifdef LONGHORN_BETA_COMPAT
-        if (longhorn == 0) { /* XXX Longhorn doesn't like this */
-#endif
-            is = PKCS7_ISSUER_AND_SERIAL_new();
-            X509_NAME_set(&is->issuer, X509_get_issuer_name(x));
-            M_ASN1_INTEGER_free(is->serial);
-            is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
-            len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
-            if ((p = malloc((size_t) len)) == NULL)
-                goto cleanup;
-            krb5_cas[i]->issuerAndSerialNumber.data = (char *)p;
-            i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
-            krb5_cas[i]->issuerAndSerialNumber.length = len;
-#ifdef LONGHORN_BETA_COMPAT
-        }
-#endif
+        is = PKCS7_ISSUER_AND_SERIAL_new();
+        X509_NAME_set(&is->issuer, X509_get_issuer_name(x));
+        M_ASN1_INTEGER_free(is->serial);
+        is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
+        len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
+        p = malloc(len);
+        if (p == NULL)
+            goto cleanup;
+        krb5_cas[i]->issuerAndSerialNumber.data = (char *)p;
+        i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
+        krb5_cas[i]->issuerAndSerialNumber.length = len;
 
         /* fill-in subjectKeyIdentifier */
         krb5_cas[i]->subjectKeyIdentifier.length = 0;
         krb5_cas[i]->subjectKeyIdentifier.magic = 0;
         krb5_cas[i]->subjectKeyIdentifier.data = NULL;
 
-
-#ifdef LONGHORN_BETA_COMPAT
-        if (longhorn == 0) {    /* XXX Longhorn doesn't like this */
-#endif
-            if (X509_get_ext_by_NID(x, NID_subject_key_identifier, -1) >= 0) {
-                ASN1_OCTET_STRING *ikeyid = NULL;
-
-                if ((ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL,
-                                               NULL))) {
-                    len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
-                    if ((p = malloc((size_t) len)) == NULL)
-                        goto cleanup;
-                    krb5_cas[i]->subjectKeyIdentifier.data = (char *)p;
-                    i2d_ASN1_OCTET_STRING(ikeyid, &p);
-                    krb5_cas[i]->subjectKeyIdentifier.length = len;
-                }
-                if (ikeyid != NULL)
-                    ASN1_OCTET_STRING_free(ikeyid);
+        if (X509_get_ext_by_NID(x, NID_subject_key_identifier, -1) >= 0) {
+            ASN1_OCTET_STRING *ikeyid;
+
+            ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL,
+                                      NULL);
+            if (ikeyid != NULL) {
+                len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
+                p = malloc(len);
+                if (p == NULL)
+                    goto cleanup;
+                krb5_cas[i]->subjectKeyIdentifier.data = (char *)p;
+                i2d_ASN1_OCTET_STRING(ikeyid, &p);
+                krb5_cas[i]->subjectKeyIdentifier.length = len;
+                ASN1_OCTET_STRING_free(ikeyid);
             }
-#ifdef LONGHORN_BETA_COMPAT
         }
-#endif
         if (is != NULL) {
             if (is->issuer != NULL)
                 X509_NAME_free(is->issuer);
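Review bot: `is = PKCS7_ISSUER_AND_SERIAL_new()` on the new side is dereferenced by the following `X509_NAME_set` call without a NULL check, and the `len` returned by `i2d_PKCS7_ISSUER_AND_SERIAL` (and later by `i2d_ASN1_OCTET_STRING`) goes straight into `malloc(len)` without rejecting a negative error return, which converts to a huge size_t. Both are inherited from the deleted branch, but since the commit rewrites these lines it is the natural place to add `if (is == NULL) goto cleanup;` after the `_new()` call and `if (len < 0) goto cleanup;` before each `malloc(len)`. The `i2d_*` encode calls that write through `p` also discard their return values, so a short encode would leave `length` larger than what was written. create_identifiers_from_stack begins and ends outside the hunk.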