diff --git a/Remove-3des-support.patch b/Remove-3des-support.patch index 62161e5..be344a3 100644 --- a/Remove-3des-support.patch +++ b/Remove-3des-support.patch @@ -1,4 +1,4 @@ -From c6e61b6ce3f305765dab2acf05a676172c596ddd Mon Sep 17 00:00:00 2001 +From cac8b2d0da82fd625da0a351bb80b51a0bb811a2 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 26 Mar 2019 18:51:10 -0400 Subject: [PATCH] Remove 3des support @@ -7,6 +7,8 @@ Completely remove support for all DES3 enctypes (des3-cbc-raw, des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain their constants. + +(cherry picked from commit 49b086ddbf861ad0e2e84c402f3d65e9ea8a2392) --- doc/admin/advanced/retiring-des.rst | 11 + doc/admin/conf_files/kdc_conf.rst | 7 +- @@ -16,7 +18,7 @@ their constants. doc/mitK5features.rst | 2 +- src/Makefile.in | 4 +- src/configure.in | 1 - - src/include/krb5/krb5.hin | 10 +- + src/include/krb5/krb5.hin | 12 +- src/kadmin/testing/proto/kdc.conf.proto | 4 +- src/kdc/kdc_util.c | 4 - src/lib/crypto/Makefile.in | 8 +- @@ -103,7 +105,7 @@ their constants. src/tests/t_salt.py | 5 +- src/util/k5test.py | 10 - .../leash/htmlhelp/html/Encryption_Types.htm | 13 - - 95 files changed, 162 insertions(+), 4836 deletions(-) + 95 files changed, 163 insertions(+), 4837 deletions(-) delete mode 100644 src/lib/crypto/builtin/des/ISSUES delete mode 100644 src/lib/crypto/builtin/des/Makefile.in delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c @@ -300,9 +302,15 @@ index 8d781a7c8..a19a0ea97 100644 lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2 lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index 5f596d1fc..9a05ce32d 100644 +index 5f596d1fc..ca7eb6a80 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin +@@ -1,4 +1,4 @@ +-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++./* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ + /* General definitions for Kerberos version 5. */ + /* + * Copyright 1989, 1990, 1995, 2001, 2003, 2007, 2011 by the Massachusetts @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov { #define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */ #define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */ @@ -5771,29 +5779,29 @@ index 28ded4a89..47f4727bd 100644 #define CKK_CAST3 (0x17) #define CKK_CAST128 (0x18) diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c -index 58400d555..a5337b6f5 100644 +index 1a642139a..2f0431991 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c -@@ -237,14 +237,6 @@ pkinit_as_req_create(krb5_context context, - auth_pack.clientDHNonce.length = 0; - auth_pack.clientPublicValue = &info; - auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; +@@ -212,14 +212,6 @@ pkinit_as_req_create(krb5_context context, + auth_pack.clientPublicValue = &info; + auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; + +- /* add List of CMS algorithms */ +- retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, +- reqctx->cryptoctx, +- reqctx->idctx, &cmstypes); +- auth_pack.supportedCMSTypes = cmstypes; +- if (retval) +- goto cleanup; - -- /* add List of CMS algorithms */ -- retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, -- reqctx->cryptoctx, -- reqctx->idctx, &cmstypes); -- auth_pack.supportedCMSTypes = cmstypes; -- if (retval) -- goto cleanup; - break; - default: - pkiDebug("as_req: unrecognized pa_type = %d\n", + switch(protocol) { + case DH_PROTOCOL: + TRACE_PKINIT_CLIENT_REQ_DH(context); diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h -index 0acb731cd..d42acfa4b 100644 +index 8064a07d0..a291889b0 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h -@@ -381,18 +381,6 @@ krb5_error_code server_process_dh +@@ -380,18 +380,6 @@ krb5_error_code server_process_dh unsigned int *server_key_len_out); /* OUT receives length of DH secret key */ @@ -5813,10 +5821,10 @@ index 0acb731cd..d42acfa4b 100644 * this functions takes in crypto specific representation of * trustedCertifiers and creates a list of diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 8aa2c5257..b101d179f 100644 +index 8c7fd0cca..52976895b 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -@@ -5596,44 +5596,6 @@ cleanup: +@@ -5487,44 +5487,6 @@ cleanup: return retval; } diff --git a/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch b/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch new file mode 100644 index 0000000..658991f --- /dev/null +++ b/Remove-PKINIT-draft-9-ASN.1-code-and-types.patch @@ -0,0 +1,967 @@ +From fc909a6d2881c4b434c946023c5f581cec9e96c9 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 18 Jun 2019 11:40:48 -0400 +Subject: [PATCH] Remove PKINIT draft 9 ASN.1 code and types + +ticket: 8817 +(cherry picked from commit c82e21d8836d4cb4c6ac7047752c9f600cb1ce33) +--- + src/include/k5-int-pkinit.h | 74 -------------------------- + src/include/k5-int.h | 30 +---------- + src/lib/krb5/asn.1/asn1_k_encode.c | 81 ---------------------------- + src/lib/krb5/os/accessor.c | 7 --- + src/tests/asn.1/krb5_decode_test.c | 41 -------------- + src/tests/asn.1/krb5_encode_test.c | 40 -------------- + src/tests/asn.1/ktest.c | 85 ------------------------------ + src/tests/asn.1/ktest.h | 11 ---- + src/tests/asn.1/ktest_equal.c | 51 ------------------ + src/tests/asn.1/ktest_equal.h | 3 -- + src/tests/asn.1/pkinit_encode.out | 5 -- + src/tests/asn.1/pkinit_trval.out | 47 ----------------- + 12 files changed, 1 insertion(+), 474 deletions(-) + +diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h +index 4622a629e..c23cfd304 100644 +--- a/src/include/k5-int-pkinit.h ++++ b/src/include/k5-int-pkinit.h +@@ -45,14 +45,6 @@ typedef struct _krb5_pk_authenticator { + krb5_data *freshnessToken; + } krb5_pk_authenticator; + +-/* PKAuthenticator draft9 */ +-typedef struct _krb5_pk_authenticator_draft9 { +- krb5_principal kdcName; +- krb5_int32 cusec; /* (0..999999) */ +- krb5_timestamp ctime; +- krb5_int32 nonce; /* (0..4294967295) */ +-} krb5_pk_authenticator_draft9; +- + /* AlgorithmIdentifier */ + typedef struct _krb5_algorithm_identifier { + krb5_data algorithm; /* OID */ +@@ -74,12 +66,6 @@ typedef struct _krb5_auth_pack { + krb5_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */ + } krb5_auth_pack; + +-/* AuthPack draft9 */ +-typedef struct _krb5_auth_pack_draft9 { +- krb5_pk_authenticator_draft9 pkAuthenticator; +- krb5_subject_pk_info *clientPublicValue; /* Optional */ +-} krb5_auth_pack_draft9; +- + /* ExternalPrincipalIdentifier */ + typedef struct _krb5_external_principal_identifier { + krb5_data subjectName; /* Optional */ +@@ -87,14 +73,6 @@ typedef struct _krb5_external_principal_identifier { + krb5_data subjectKeyIdentifier; /* Optional */ + } krb5_external_principal_identifier; + +-/* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ +-/* This has four fields, but we only care about the first and third for +- * encoding, and the only about the first for decoding. */ +-typedef struct _krb5_pa_pk_as_req_draft9 { +- krb5_data signedAuthPack; +- krb5_data kdcCert; /* Optional */ +-} krb5_pa_pk_as_req_draft9; +- + /* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */ + typedef struct _krb5_pa_pk_as_req { + krb5_data signedAuthPack; +@@ -116,37 +94,12 @@ typedef struct _krb5_kdc_dh_key_info { + krb5_timestamp dhKeyExpiration; /* Optional */ + } krb5_kdc_dh_key_info; + +-/* KDCDHKeyInfo draft9*/ +-typedef struct _krb5_kdc_dh_key_info_draft9 { +- krb5_data subjectPublicKey; /* BIT STRING */ +- krb5_int32 nonce; /* (0..4294967295) */ +-} krb5_kdc_dh_key_info_draft9; +- + /* ReplyKeyPack */ + typedef struct _krb5_reply_key_pack { + krb5_keyblock replyKey; + krb5_checksum asChecksum; + } krb5_reply_key_pack; + +-/* ReplyKeyPack */ +-typedef struct _krb5_reply_key_pack_draft9 { +- krb5_keyblock replyKey; +- krb5_int32 nonce; +-} krb5_reply_key_pack_draft9; +- +-/* PA-PK-AS-REP (Draft 9 -- PA TYPE 15) */ +-typedef struct _krb5_pa_pk_as_rep_draft9 { +- enum krb5_pa_pk_as_rep_draft9_selection { +- choice_pa_pk_as_rep_draft9_UNKNOWN = -1, +- choice_pa_pk_as_rep_draft9_dhSignedData = 0, +- choice_pa_pk_as_rep_draft9_encKeyPack = 1 +- } choice; +- union krb5_pa_pk_as_rep_draft9_choices { +- krb5_data dhSignedData; +- krb5_data encKeyPack; +- } u; +-} krb5_pa_pk_as_rep_draft9; +- + /* PA-PK-AS-REP (rfc4556 -- PA TYPE 17) */ + typedef struct _krb5_pa_pk_as_rep { + enum krb5_pa_pk_as_rep_selection { +@@ -186,34 +139,18 @@ typedef struct _krb5_pkinit_supp_pub_info { + krb5_error_code + encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code); + +-krb5_error_code +-encode_krb5_pa_pk_as_req_draft9(const krb5_pa_pk_as_req_draft9 *rep, +- krb5_data **code); +- + krb5_error_code + encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code); + +-krb5_error_code +-encode_krb5_pa_pk_as_rep_draft9(const krb5_pa_pk_as_rep_draft9 *rep, +- krb5_data **code); +- + krb5_error_code + encode_krb5_auth_pack(const krb5_auth_pack *rep, krb5_data **code); + +-krb5_error_code +-encode_krb5_auth_pack_draft9(const krb5_auth_pack_draft9 *rep, +- krb5_data **code); +- + krb5_error_code + encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *rep, krb5_data **code); + + krb5_error_code + encode_krb5_reply_key_pack(const krb5_reply_key_pack *, krb5_data **code); + +-krb5_error_code +-encode_krb5_reply_key_pack_draft9(const krb5_reply_key_pack_draft9 *, +- krb5_data **code); +- + krb5_error_code + encode_krb5_td_trusted_certifiers(krb5_external_principal_identifier *const *, + krb5_data **code); +@@ -237,19 +174,12 @@ encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *, + krb5_error_code + decode_krb5_pa_pk_as_req(const krb5_data *, krb5_pa_pk_as_req **); + +-krb5_error_code +-decode_krb5_pa_pk_as_req_draft9(const krb5_data *, +- krb5_pa_pk_as_req_draft9 **); +- + krb5_error_code + decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **); + + krb5_error_code + decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **); + +-krb5_error_code +-decode_krb5_auth_pack_draft9(const krb5_data *, krb5_auth_pack_draft9 **); +- + krb5_error_code + decode_krb5_kdc_dh_key_info(const krb5_data *, krb5_kdc_dh_key_info **); + +@@ -259,10 +189,6 @@ decode_krb5_principal_name(const krb5_data *, krb5_principal_data **); + krb5_error_code + decode_krb5_reply_key_pack(const krb5_data *, krb5_reply_key_pack **); + +-krb5_error_code +-decode_krb5_reply_key_pack_draft9(const krb5_data *, +- krb5_reply_key_pack_draft9 **); +- + krb5_error_code + decode_krb5_td_trusted_certifiers(const krb5_data *, + krb5_external_principal_identifier ***); +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 0857fd1cc..cb328785d 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -1836,7 +1836,7 @@ krb5int_random_string(krb5_context, char *string, unsigned int length); + /* To keep happy libraries which are (for now) accessing internal stuff */ + + /* Make sure to increment by one when changing the struct */ +-#define KRB5INT_ACCESS_STRUCT_VERSION 22 ++#define KRB5INT_ACCESS_STRUCT_VERSION 23 + + typedef struct _krb5int_access { + krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context, +@@ -1865,10 +1865,6 @@ typedef struct _krb5int_access { + krb5_error_code + (*encode_krb5_auth_pack)(const krb5_auth_pack *rep, krb5_data **code); + +- krb5_error_code +- (*encode_krb5_auth_pack_draft9)(const krb5_auth_pack_draft9 *rep, +- krb5_data **code); +- + krb5_error_code + (*encode_krb5_kdc_dh_key_info)(const krb5_kdc_dh_key_info *rep, + krb5_data **code); +@@ -1877,26 +1873,14 @@ typedef struct _krb5int_access { + (*encode_krb5_pa_pk_as_rep)(const krb5_pa_pk_as_rep *rep, + krb5_data **code); + +- krb5_error_code +- (*encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *rep, +- krb5_data **code); +- + krb5_error_code + (*encode_krb5_pa_pk_as_req)(const krb5_pa_pk_as_req *rep, + krb5_data **code); + +- krb5_error_code +- (*encode_krb5_pa_pk_as_req_draft9)(const krb5_pa_pk_as_req_draft9 *rep, +- krb5_data **code); +- + krb5_error_code + (*encode_krb5_reply_key_pack)(const krb5_reply_key_pack *, + krb5_data **code); + +- krb5_error_code +- (*encode_krb5_reply_key_pack_draft9)(const krb5_reply_key_pack_draft9 *, +- krb5_data **code); +- + krb5_error_code + (*encode_krb5_td_dh_parameters)(krb5_algorithm_identifier *const *, + krb5_data **code); +@@ -1908,17 +1892,9 @@ typedef struct _krb5int_access { + krb5_error_code + (*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **); + +- krb5_error_code +- (*decode_krb5_auth_pack_draft9)(const krb5_data *, +- krb5_auth_pack_draft9 **); +- + krb5_error_code + (*decode_krb5_pa_pk_as_req)(const krb5_data *, krb5_pa_pk_as_req **); + +- krb5_error_code +- (*decode_krb5_pa_pk_as_req_draft9)(const krb5_data *, +- krb5_pa_pk_as_req_draft9 **); +- + krb5_error_code + (*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **); + +@@ -1931,10 +1907,6 @@ typedef struct _krb5int_access { + krb5_error_code + (*decode_krb5_reply_key_pack)(const krb5_data *, krb5_reply_key_pack **); + +- krb5_error_code +- (*decode_krb5_reply_key_pack_draft9)(const krb5_data *, +- krb5_reply_key_pack_draft9 **); +- + krb5_error_code + (*decode_krb5_td_dh_parameters)(const krb5_data *, + krb5_algorithm_identifier ***); +diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c +index 81a34bac9..a026ab390 100644 +--- a/src/lib/krb5/asn.1/asn1_k_encode.c ++++ b/src/lib/krb5/asn.1/asn1_k_encode.c +@@ -1446,19 +1446,6 @@ static const struct atype_info *pk_authenticator_fields[] = { + }; + DEFSEQTYPE(pk_authenticator, krb5_pk_authenticator, pk_authenticator_fields); + +-DEFFIELD(pkauth9_0, krb5_pk_authenticator_draft9, kdcName, 0, principal); +-DEFFIELD(pkauth9_1, krb5_pk_authenticator_draft9, kdcName, 1, +- realm_of_principal); +-DEFFIELD(pkauth9_2, krb5_pk_authenticator_draft9, cusec, 2, int32); +-DEFFIELD(pkauth9_3, krb5_pk_authenticator_draft9, ctime, 3, kerberos_time); +-DEFFIELD(pkauth9_4, krb5_pk_authenticator_draft9, nonce, 4, int32); +-static const struct atype_info *pk_authenticator_draft9_fields[] = { +- &k5_atype_pkauth9_0, &k5_atype_pkauth9_1, &k5_atype_pkauth9_2, +- &k5_atype_pkauth9_3, &k5_atype_pkauth9_4 +-}; +-DEFSEQTYPE(pk_authenticator_draft9, krb5_pk_authenticator_draft9, +- pk_authenticator_draft9_fields); +- + DEFCOUNTEDSTRINGTYPE(s_bitstring, char *, unsigned int, + k5_asn1_encode_bitstring, k5_asn1_decode_bitstring, + ASN1_BITSTRING); +@@ -1488,15 +1475,6 @@ static const struct atype_info *auth_pack_fields[] = { + }; + DEFSEQTYPE(auth_pack, krb5_auth_pack, auth_pack_fields); + +-DEFFIELD(auth_pack9_0, krb5_auth_pack_draft9, pkAuthenticator, 0, +- pk_authenticator_draft9); +-DEFFIELD(auth_pack9_1, krb5_auth_pack_draft9, clientPublicValue, 1, +- opt_subject_pk_info_ptr); +-static const struct atype_info *auth_pack_draft9_fields[] = { +- &k5_atype_auth_pack9_0, &k5_atype_auth_pack9_1 +-}; +-DEFSEQTYPE(auth_pack_draft9, krb5_auth_pack_draft9, auth_pack_draft9_fields); +- + DEFFIELD_IMPLICIT(extprinc_0, krb5_external_principal_identifier, + subjectName, 0, opt_ostring_data); + DEFFIELD_IMPLICIT(extprinc_1, krb5_external_principal_identifier, +@@ -1529,29 +1507,6 @@ static const struct atype_info *pa_pk_as_req_fields[] = { + }; + DEFSEQTYPE(pa_pk_as_req, krb5_pa_pk_as_req, pa_pk_as_req_fields); + +-/* +- * In draft-ietf-cat-kerberos-pk-init-09, this sequence has four fields, but we +- * only ever use the first and third. The fields are specified as explicitly +- * tagged, but our historical behavior is to pretend that they are wrapped in +- * IMPLICIT OCTET STRING (i.e., generate primitive context tags), and we don't +- * want to change that without interop testing. +- */ +-DEFFIELD_IMPLICIT(pa_pk_as_req9_0, krb5_pa_pk_as_req_draft9, signedAuthPack, 0, +- ostring_data); +-DEFFIELD_IMPLICIT(pa_pk_as_req9_2, krb5_pa_pk_as_req_draft9, kdcCert, 2, +- opt_ostring_data); +-static const struct atype_info *pa_pk_as_req_draft9_fields[] = { +- &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_2 +-}; +-DEFSEQTYPE(pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9, +- pa_pk_as_req_draft9_fields); +-/* For decoding, we only care about the first field; we can ignore the rest. */ +-static const struct atype_info *pa_pk_as_req_draft9_decode_fields[] = { +- &k5_atype_pa_pk_as_req9_0 +-}; +-DEFSEQTYPE(pa_pk_as_req_draft9_decode, krb5_pa_pk_as_req_draft9, +- pa_pk_as_req_draft9_decode_fields); +- + DEFFIELD_IMPLICIT(dh_rep_info_0, krb5_dh_rep_info, dhSignedData, 0, + ostring_data); + DEFFIELD(dh_rep_info_1, krb5_dh_rep_info, serverDHNonce, 1, opt_ostring_data); +@@ -1577,14 +1532,6 @@ static const struct atype_info *reply_key_pack_fields[] = { + }; + DEFSEQTYPE(reply_key_pack, krb5_reply_key_pack, reply_key_pack_fields); + +-DEFFIELD(key_pack9_0, krb5_reply_key_pack_draft9, replyKey, 0, encryption_key); +-DEFFIELD(key_pack9_1, krb5_reply_key_pack_draft9, nonce, 1, int32); +-static const struct atype_info *reply_key_pack_draft9_fields[] = { +- &k5_atype_key_pack9_0, &k5_atype_key_pack9_1 +-}; +-DEFSEQTYPE(reply_key_pack_draft9, krb5_reply_key_pack_draft9, +- reply_key_pack_draft9_fields); +- + DEFCTAGGEDTYPE(pa_pk_as_rep_0, 0, dh_rep_info); + DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep_1, 1, ostring_data); + static const struct atype_info *pa_pk_as_rep_alternatives[] = { +@@ -1595,44 +1542,16 @@ DEFCHOICETYPE(pa_pk_as_rep_choice, union krb5_pa_pk_as_rep_choices, + DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep, krb5_pa_pk_as_rep, u, choice, + pa_pk_as_rep_choice); + +-/* +- * draft-ietf-cat-kerberos-pk-init-09 specifies these alternatives as +- * explicitly tagged SignedData and EnvelopedData respectively, which means +- * they should have constructed context tags. However, our historical behavior +- * is to use primitive context tags, and we don't want to change that behavior +- * without interop testing. We have the encodings for each alternative in a +- * krb5_data object; pretend that they are wrapped in IMPLICIT OCTET STRING in +- * order to wrap them in primitive [0] and [1] tags. +- */ +-DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_0, 0, ostring_data); +-DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_1, 1, ostring_data); +-static const struct atype_info *pa_pk_as_rep_draft9_alternatives[] = { +- &k5_atype_pa_pk_as_rep9_0, &k5_atype_pa_pk_as_rep9_1 +-}; +-DEFCHOICETYPE(pa_pk_as_rep_draft9_choice, +- union krb5_pa_pk_as_rep_draft9_choices, +- enum krb5_pa_pk_as_rep_draft9_selection, +- pa_pk_as_rep_draft9_alternatives); +-DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep_draft9, krb5_pa_pk_as_rep_draft9, u, choice, +- pa_pk_as_rep_draft9_choice); +- + MAKE_ENCODER(encode_krb5_pa_pk_as_req, pa_pk_as_req); + MAKE_DECODER(decode_krb5_pa_pk_as_req, pa_pk_as_req); +-MAKE_ENCODER(encode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9); +-MAKE_DECODER(decode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9_decode); + MAKE_ENCODER(encode_krb5_pa_pk_as_rep, pa_pk_as_rep); + MAKE_DECODER(decode_krb5_pa_pk_as_rep, pa_pk_as_rep); +-MAKE_ENCODER(encode_krb5_pa_pk_as_rep_draft9, pa_pk_as_rep_draft9); + MAKE_ENCODER(encode_krb5_auth_pack, auth_pack); + MAKE_DECODER(decode_krb5_auth_pack, auth_pack); +-MAKE_ENCODER(encode_krb5_auth_pack_draft9, auth_pack_draft9); +-MAKE_DECODER(decode_krb5_auth_pack_draft9, auth_pack_draft9); + MAKE_ENCODER(encode_krb5_kdc_dh_key_info, kdc_dh_key_info); + MAKE_DECODER(decode_krb5_kdc_dh_key_info, kdc_dh_key_info); + MAKE_ENCODER(encode_krb5_reply_key_pack, reply_key_pack); + MAKE_DECODER(decode_krb5_reply_key_pack, reply_key_pack); +-MAKE_ENCODER(encode_krb5_reply_key_pack_draft9, reply_key_pack_draft9); +-MAKE_DECODER(decode_krb5_reply_key_pack_draft9, reply_key_pack_draft9); + MAKE_ENCODER(encode_krb5_td_trusted_certifiers, + seqof_external_principal_identifier); + MAKE_DECODER(decode_krb5_td_trusted_certifiers, +diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c +index d77f8c6b7..12a39a2ab 100644 +--- a/src/lib/krb5/os/accessor.c ++++ b/src/lib/krb5/os/accessor.c +@@ -80,25 +80,18 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version) + #define SC(FIELD, VAL) S(FIELD, 0) + #endif + SC (encode_krb5_pa_pk_as_req, encode_krb5_pa_pk_as_req), +- SC (encode_krb5_pa_pk_as_req_draft9, encode_krb5_pa_pk_as_req_draft9), + SC (encode_krb5_pa_pk_as_rep, encode_krb5_pa_pk_as_rep), +- SC (encode_krb5_pa_pk_as_rep_draft9, encode_krb5_pa_pk_as_rep_draft9), + SC (encode_krb5_auth_pack, encode_krb5_auth_pack), +- SC (encode_krb5_auth_pack_draft9, encode_krb5_auth_pack_draft9), + SC (encode_krb5_kdc_dh_key_info, encode_krb5_kdc_dh_key_info), + SC (encode_krb5_reply_key_pack, encode_krb5_reply_key_pack), +- SC (encode_krb5_reply_key_pack_draft9, encode_krb5_reply_key_pack_draft9), + SC (encode_krb5_td_trusted_certifiers, encode_krb5_td_trusted_certifiers), + SC (encode_krb5_td_dh_parameters, encode_krb5_td_dh_parameters), + SC (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req), +- SC (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9), + SC (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep), + SC (decode_krb5_auth_pack, decode_krb5_auth_pack), +- SC (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9), + SC (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info), + SC (decode_krb5_principal_name, decode_krb5_principal_name), + SC (decode_krb5_reply_key_pack, decode_krb5_reply_key_pack), +- SC (decode_krb5_reply_key_pack_draft9, decode_krb5_reply_key_pack_draft9), + SC (decode_krb5_td_trusted_certifiers, decode_krb5_td_trusted_certifiers), + SC (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters), + SC (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body), +diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c +index cbd99ba63..7a116b40d 100644 +--- a/src/tests/asn.1/krb5_decode_test.c ++++ b/src/tests/asn.1/krb5_decode_test.c +@@ -42,8 +42,6 @@ void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val); + #ifndef DISABLE_PKINIT + static int equal_principal(krb5_principal *ref, krb5_principal var); + static void ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val); +-static void ktest_free_auth_pack_draft9(krb5_context context, +- krb5_auth_pack_draft9 *val); + static void ktest_free_kdc_dh_key_info(krb5_context context, + krb5_kdc_dh_key_info *val); + static void ktest_free_pa_pk_as_req(krb5_context context, +@@ -52,8 +50,6 @@ static void ktest_free_pa_pk_as_rep(krb5_context context, + krb5_pa_pk_as_rep *val); + static void ktest_free_reply_key_pack(krb5_context context, + krb5_reply_key_pack *val); +-static void ktest_free_reply_key_pack_draft9(krb5_context context, +- krb5_reply_key_pack_draft9 *val); + #endif + static void ktest_free_kkdcp_message(krb5_context context, + krb5_kkdcp_message *val); +@@ -1183,16 +1179,6 @@ int main(argc, argv) + ktest_empty_auth_pack(&ref); + } + +- /****************************************************************/ +- /* decode_krb5_auth_pack_draft9 */ +- { +- setup(krb5_auth_pack_draft9,ktest_make_sample_auth_pack_draft9); +- decode_run("krb5_auth_pack_draft9","","30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61", +- acc.decode_krb5_auth_pack_draft9, +- ktest_equal_auth_pack_draft9,ktest_free_auth_pack_draft9); +- ktest_empty_auth_pack_draft9(&ref); +- } +- + /****************************************************************/ + /* decode_krb5_kdc_dh_key_info */ + { +@@ -1213,16 +1199,6 @@ int main(argc, argv) + ktest_empty_reply_key_pack(&ref); + } + +- /****************************************************************/ +- /* decode_krb5_reply_key_pack_draft9 */ +- { +- setup(krb5_reply_key_pack_draft9,ktest_make_sample_reply_key_pack_draft9); +- decode_run("krb5_reply_key_pack_draft9","","30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A", +- acc.decode_krb5_reply_key_pack_draft9, +- ktest_equal_reply_key_pack_draft9,ktest_free_reply_key_pack_draft9); +- ktest_empty_reply_key_pack_draft9(&ref); +- } +- + /****************************************************************/ + /* decode_krb5_principal_name */ + /* We have no encoder for this type (KerberosName from RFC 4556); the +@@ -1279,14 +1255,6 @@ ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val) + free(val); + } + +-static void +-ktest_free_auth_pack_draft9(krb5_context context, krb5_auth_pack_draft9 *val) +-{ +- if (val) +- ktest_empty_auth_pack_draft9(val); +- free(val); +-} +- + static void + ktest_free_kdc_dh_key_info(krb5_context context, krb5_kdc_dh_key_info *val) + { +@@ -1319,15 +1287,6 @@ ktest_free_reply_key_pack(krb5_context context, krb5_reply_key_pack *val) + free(val); + } + +-static void +-ktest_free_reply_key_pack_draft9(krb5_context context, +- krb5_reply_key_pack_draft9 *val) +-{ +- if (val) +- ktest_empty_reply_key_pack_draft9(val); +- free(val); +-} +- + #endif /* not DISABLE_PKINIT */ + + static void +diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c +index 3efbfb4c0..72c013468 100644 +--- a/src/tests/asn.1/krb5_encode_test.c ++++ b/src/tests/asn.1/krb5_encode_test.c +@@ -798,15 +798,6 @@ main(argc, argv) + ktest_empty_pa_pk_as_req(&req); + } + /****************************************************************/ +- /* encode_krb5_pa_pk_as_req_draft9 */ +- { +- krb5_pa_pk_as_req_draft9 req; +- ktest_make_sample_pa_pk_as_req_draft9(&req); +- encode_run(req, "pa_pk_as_req_draft9", "", +- acc.encode_krb5_pa_pk_as_req_draft9); +- ktest_empty_pa_pk_as_req_draft9(&req); +- } +- /****************************************************************/ + /* encode_krb5_pa_pk_as_rep */ + { + krb5_pa_pk_as_rep rep; +@@ -820,19 +811,6 @@ main(argc, argv) + ktest_empty_pa_pk_as_rep(&rep); + } + /****************************************************************/ +- /* encode_krb5_pa_pk_as_rep_draft9 */ +- { +- krb5_pa_pk_as_rep_draft9 rep; +- ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(&rep); +- encode_run(rep, "pa_pk_as_rep_draft9", "(dhSignedData)", +- acc.encode_krb5_pa_pk_as_rep_draft9); +- ktest_empty_pa_pk_as_rep_draft9(&rep); +- ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(&rep); +- encode_run(rep, "pa_pk_as_rep_draft9", "(encKeyPack)", +- acc.encode_krb5_pa_pk_as_rep_draft9); +- ktest_empty_pa_pk_as_rep_draft9(&rep); +- } +- /****************************************************************/ + /* encode_krb5_auth_pack */ + { + krb5_auth_pack pack; +@@ -841,15 +819,6 @@ main(argc, argv) + ktest_empty_auth_pack(&pack); + } + /****************************************************************/ +- /* encode_krb5_auth_pack_draft9_draft9 */ +- { +- krb5_auth_pack_draft9 pack; +- ktest_make_sample_auth_pack_draft9(&pack); +- encode_run(pack, "auth_pack_draft9", "", +- acc.encode_krb5_auth_pack_draft9); +- ktest_empty_auth_pack_draft9(&pack); +- } +- /****************************************************************/ + /* encode_krb5_kdc_dh_key_info */ + { + krb5_kdc_dh_key_info ki; +@@ -866,15 +835,6 @@ main(argc, argv) + ktest_empty_reply_key_pack(&pack); + } + /****************************************************************/ +- /* encode_krb5_reply_key_pack_draft9 */ +- { +- krb5_reply_key_pack_draft9 pack; +- ktest_make_sample_reply_key_pack_draft9(&pack); +- encode_run(pack, "reply_key_pack_draft9", "", +- acc.encode_krb5_reply_key_pack_draft9); +- ktest_empty_reply_key_pack_draft9(&pack); +- } +- /****************************************************************/ + /* encode_krb5_sp80056a_other_info */ + { + krb5_sp80056a_other_info info; +diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c +index 258377299..7bb698732 100644 +--- a/src/tests/asn.1/ktest.c ++++ b/src/tests/asn.1/ktest.c +@@ -729,15 +729,6 @@ ktest_make_sample_pk_authenticator(krb5_pk_authenticator *p) + ktest_make_sample_data(p->freshnessToken); + } + +-static void +-ktest_make_sample_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p) +-{ +- ktest_make_sample_principal(&p->kdcName); +- p->cusec = SAMPLE_USEC; +- p->ctime = SAMPLE_TIME; +- p->nonce = SAMPLE_NONCE; +-} +- + static void + ktest_make_sample_oid(krb5_data *p) + { +@@ -788,13 +779,6 @@ ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p) + ktest_make_sample_data(&p->kdcPkId); + } + +-void +-ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p) +-{ +- ktest_make_sample_data(&p->signedAuthPack); +- ktest_make_sample_data(&p->kdcCert); +-} +- + static void + ktest_make_sample_dh_rep_info(krb5_dh_rep_info *p) + { +@@ -818,20 +802,6 @@ ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p) + ktest_make_sample_data(&p->u.encKeyPack); + } + +-void +-ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(krb5_pa_pk_as_rep_draft9 *p) +-{ +- p->choice = choice_pa_pk_as_rep_draft9_dhSignedData; +- ktest_make_sample_data(&p->u.dhSignedData); +-} +- +-void +-ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(krb5_pa_pk_as_rep_draft9 *p) +-{ +- p->choice = choice_pa_pk_as_rep_draft9_encKeyPack; +- ktest_make_sample_data(&p->u.encKeyPack); +-} +- + void + ktest_make_sample_auth_pack(krb5_auth_pack *p) + { +@@ -851,14 +821,6 @@ ktest_make_sample_auth_pack(krb5_auth_pack *p) + p->supportedKDFs[1] = NULL; + } + +-void +-ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p) +-{ +- ktest_make_sample_pk_authenticator_draft9(&p->pkAuthenticator); +- p->clientPublicValue = ealloc(sizeof(krb5_subject_pk_info)); +- ktest_make_sample_subject_pk_info(p->clientPublicValue); +-} +- + void + ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p) + { +@@ -874,13 +836,6 @@ ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p) + ktest_make_sample_checksum(&p->asChecksum); + } + +-void +-ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p) +-{ +- ktest_make_sample_keyblock(&p->replyKey); +- p->nonce = SAMPLE_NONCE; +-} +- + void + ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p) + { +@@ -1717,12 +1672,6 @@ ktest_empty_pk_authenticator(krb5_pk_authenticator *p) + p->freshnessToken = NULL; + } + +-static void +-ktest_empty_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p) +-{ +- ktest_destroy_principal(&p->kdcName); +-} +- + static void + ktest_empty_subject_pk_info(krb5_subject_pk_info *p) + { +@@ -1754,13 +1703,6 @@ ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p) + ktest_empty_data(&p->kdcPkId); + } + +-void +-ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p) +-{ +- ktest_empty_data(&p->signedAuthPack); +- ktest_empty_data(&p->kdcCert); +-} +- + static void + ktest_empty_dh_rep_info(krb5_dh_rep_info *p) + { +@@ -1779,16 +1721,6 @@ ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p) + p->choice = choice_pa_pk_as_rep_UNKNOWN; + } + +-void +-ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p) +-{ +- if (p->choice == choice_pa_pk_as_rep_draft9_dhSignedData) +- ktest_empty_data(&p->u.dhSignedData); +- else if (p->choice == choice_pa_pk_as_rep_draft9_encKeyPack) +- ktest_empty_data(&p->u.encKeyPack); +- p->choice = choice_pa_pk_as_rep_draft9_UNKNOWN; +-} +- + void + ktest_empty_auth_pack(krb5_auth_pack *p) + { +@@ -1820,17 +1752,6 @@ ktest_empty_auth_pack(krb5_auth_pack *p) + } + } + +-void +-ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p) +-{ +- ktest_empty_pk_authenticator_draft9(&p->pkAuthenticator); +- if (p->clientPublicValue != NULL) { +- ktest_empty_subject_pk_info(p->clientPublicValue); +- free(p->clientPublicValue); +- p->clientPublicValue = NULL; +- } +-} +- + void + ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p) + { +@@ -1844,12 +1765,6 @@ ktest_empty_reply_key_pack(krb5_reply_key_pack *p) + ktest_empty_checksum(&p->asChecksum); + } + +-void +-ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p) +-{ +- ktest_empty_keyblock(&p->replyKey); +-} +- + void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p) + { + ktest_empty_algorithm_identifier(&p->algorithm_identifier); +diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h +index 1413cfae1..d9cc90a5c 100644 +--- a/src/tests/asn.1/ktest.h ++++ b/src/tests/asn.1/ktest.h +@@ -101,18 +101,11 @@ void ktest_make_maximal_pa_otp_req(krb5_pa_otp_req *p); + + #ifndef DISABLE_PKINIT + void ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p); +-void ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p); + void ktest_make_sample_pa_pk_as_rep_dhInfo(krb5_pa_pk_as_rep *p); + void ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p); +-void ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData( +- krb5_pa_pk_as_rep_draft9 *p); +-void ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack( +- krb5_pa_pk_as_rep_draft9 *p); + void ktest_make_sample_auth_pack(krb5_auth_pack *p); +-void ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p); + void ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p); + void ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p); +-void ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p); + void ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p); + void ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p); + #endif +@@ -197,14 +190,10 @@ void ktest_empty_pa_otp_req(krb5_pa_otp_req *p); + + #ifndef DISABLE_PKINIT + void ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p); +-void ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p); + void ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p); +-void ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p); + void ktest_empty_auth_pack(krb5_auth_pack *p); +-void ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p); + void ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p); + void ktest_empty_reply_key_pack(krb5_reply_key_pack *p); +-void ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p); + void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p); + void ktest_empty_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p); + #endif +diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c +index 714cc4398..8a3911cdc 100644 +--- a/src/tests/asn.1/ktest_equal.c ++++ b/src/tests/asn.1/ktest_equal.c +@@ -876,20 +876,6 @@ ktest_equal_pk_authenticator(krb5_pk_authenticator *ref, + return p; + } + +-static int +-ktest_equal_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *ref, +- krb5_pk_authenticator_draft9 *var) +-{ +- int p = TRUE; +- if (ref == var) return TRUE; +- else if (ref == NULL || var == NULL) return FALSE; +- p = p && ptr_equal(kdcName, ktest_equal_principal_data); +- p = p && scalar_equal(cusec); +- p = p && scalar_equal(ctime); +- p = p && scalar_equal(nonce); +- return p; +-} +- + static int + ktest_equal_subject_pk_info(krb5_subject_pk_info *ref, + krb5_subject_pk_info *var) +@@ -937,18 +923,6 @@ ktest_equal_pa_pk_as_req(krb5_pa_pk_as_req *ref, krb5_pa_pk_as_req *var) + return p; + } + +-int +-ktest_equal_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *ref, +- krb5_pa_pk_as_req_draft9 *var) +-{ +- int p = TRUE; +- if (ref == var) return TRUE; +- else if (ref == NULL || var == NULL) return FALSE; +- p = p && equal_str(signedAuthPack); +- p = p && equal_str(kdcCert); +- return p; +-} +- + static int + ktest_equal_dh_rep_info(krb5_dh_rep_info *ref, krb5_dh_rep_info *var) + { +@@ -996,19 +970,6 @@ ktest_equal_auth_pack(krb5_auth_pack *ref, krb5_auth_pack *var) + return p; + } + +-int +-ktest_equal_auth_pack_draft9(krb5_auth_pack_draft9 *ref, +- krb5_auth_pack_draft9 *var) +-{ +- int p = TRUE; +- if (ref == var) return TRUE; +- else if (ref == NULL || var == NULL) return FALSE; +- p = p && struct_equal(pkAuthenticator, +- ktest_equal_pk_authenticator_draft9); +- p = p && ptr_equal(clientPublicValue, ktest_equal_subject_pk_info); +- return p; +-} +- + int + ktest_equal_kdc_dh_key_info(krb5_kdc_dh_key_info *ref, + krb5_kdc_dh_key_info *var) +@@ -1033,18 +994,6 @@ ktest_equal_reply_key_pack(krb5_reply_key_pack *ref, krb5_reply_key_pack *var) + return p; + } + +-int +-ktest_equal_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *ref, +- krb5_reply_key_pack_draft9 *var) +-{ +- int p = TRUE; +- if (ref == var) return TRUE; +- else if (ref == NULL || var == NULL) return FALSE; +- p = p && struct_equal(replyKey, ktest_equal_keyblock); +- p = p && scalar_equal(nonce); +- return p; +-} +- + #endif /* not DISABLE_PKINIT */ + + int +diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h +index cfa82ac6e..80a0d781a 100644 +--- a/src/tests/asn.1/ktest_equal.h ++++ b/src/tests/asn.1/ktest_equal.h +@@ -139,13 +139,10 @@ int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref, + + #ifndef DISABLE_PKINIT + generic(ktest_equal_pa_pk_as_req, krb5_pa_pk_as_req); +-generic(ktest_equal_pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9); + generic(ktest_equal_pa_pk_as_rep, krb5_pa_pk_as_rep); + generic(ktest_equal_auth_pack, krb5_auth_pack); +-generic(ktest_equal_auth_pack_draft9, krb5_auth_pack_draft9); + generic(ktest_equal_kdc_dh_key_info, krb5_kdc_dh_key_info); + generic(ktest_equal_reply_key_pack, krb5_reply_key_pack); +-generic(ktest_equal_reply_key_pack_draft9, krb5_reply_key_pack_draft9); + #endif /* not DISABLE_PKINIT */ + + int ktest_equal_kkdcp_message(krb5_kkdcp_message *ref, +diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out +index 55a60bbef..9bd08e159 100644 +--- a/src/tests/asn.1/pkinit_encode.out ++++ b/src/tests/asn.1/pkinit_encode.out +@@ -1,13 +1,8 @@ + encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 +-encode_krb5_pa_pk_as_req_draft9: 30 14 80 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 + encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61 + encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61 +-encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61 +-encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61 + encode_krb5_auth_pack: 30 81 9F A0 35 30 33 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61 +-encode_krb5_auth_pack_draft9: 30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 + encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A + encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 +-encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A + encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 + encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61 +diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out +index 9557188a8..3675fba38 100644 +--- a/src/tests/asn.1/pkinit_trval.out ++++ b/src/tests/asn.1/pkinit_trval.out +@@ -15,14 +15,6 @@ encode_krb5_pa_pk_as_req: + . [2] <8> + 6b 72 62 35 64 61 74 61 krb5data + +-encode_krb5_pa_pk_as_req_draft9: +- +-[Sequence/Sequence Of] +-. [0] <8> +- 6b 72 62 35 64 61 74 61 krb5data +-. [2] <8> +- 6b 72 62 35 64 61 74 61 krb5data +- + encode_krb5_pa_pk_as_rep(dhInfo): + + [CONT 0] +@@ -36,16 +28,6 @@ encode_krb5_pa_pk_as_rep(dhInfo): + + encode_krb5_pa_pk_as_rep(encKeyPack): + +-[CONT 1] <8> +- 6b 72 62 35 64 61 74 61 krb5data +- +-encode_krb5_pa_pk_as_rep_draft9(dhSignedData): +- +-[CONT 0] <8> +- 6b 72 62 35 64 61 74 61 krb5data +- +-encode_krb5_pa_pk_as_rep_draft9(encKeyPack): +- + [CONT 1] <8> + 6b 72 62 35 64 61 74 61 krb5data + +@@ -79,27 +61,6 @@ encode_krb5_auth_pack: + . . . [0] [Object Identifier] <8> + 6b 72 62 35 64 61 74 61 krb5data + +-encode_krb5_auth_pack_draft9: +- +-[Sequence/Sequence Of] +-. [0] [Sequence/Sequence Of] +-. . [0] [Sequence/Sequence Of] +-. . . [0] [Integer] 1 +-. . . [1] [Sequence/Sequence Of] +-. . . . [General string] "hftsai" +-. . . . [General string] "extra" +-. . [1] [General string] "ATHENA.MIT.EDU" +-. . [2] [Integer] 123456 +-. . [3] [Generalized Time] "19940610060317Z" +-. . [4] [Integer] 42 +-. [1] [Sequence/Sequence Of] +-. . [Sequence/Sequence Of] +-. . . [Object Identifier] <9> +- 2a 86 48 86 f7 12 01 02 02 *.H...... +-. . . [Octet String] "params" +-. . [Bit String] <9> +- 00 6b 72 62 35 64 61 74 61 .krb5data +- + encode_krb5_kdc_dh_key_info: + + [Sequence/Sequence Of] +@@ -118,14 +79,6 @@ encode_krb5_reply_key_pack: + . . [0] [Integer] 1 + . . [1] [Octet String] "1234" + +-encode_krb5_reply_key_pack_draft9: +- +-[Sequence/Sequence Of] +-. [0] [Sequence/Sequence Of] +-. . [0] [Integer] 1 +-. . [1] [Octet String] "12345678" +-. [1] [Integer] 42 +- + encode_krb5_sp80056a_other_info: + + [Sequence/Sequence Of] diff --git a/Remove-PKINIT-draft-9-support.patch b/Remove-PKINIT-draft-9-support.patch new file mode 100644 index 0000000..3a25343 --- /dev/null +++ b/Remove-PKINIT-draft-9-support.patch @@ -0,0 +1,1712 @@ +From b26cbaa597305c9e16b455e4bd310ac86b6221cc Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Tue, 18 Jun 2019 13:06:44 -0400 +Subject: [PATCH] Remove PKINIT draft 9 support + +PKINIT draft 9 support is required to interoperate with Windows 2000, +Windows XP, and Windows Server 2003, all of which are well beyond +end-of-life. Remove it. + +ticket: 8817 (new) +(cherry picked from commit bb82690be39a033669388154964486e213d84e76) +--- + src/plugins/preauth/pkinit/pkinit.h | 9 - + src/plugins/preauth/pkinit/pkinit_accessor.c | 12 - + src/plugins/preauth/pkinit/pkinit_accessor.h | 6 - + src/plugins/preauth/pkinit/pkinit_clnt.c | 231 +++----- + src/plugins/preauth/pkinit/pkinit_crypto.h | 1 - + .../preauth/pkinit/pkinit_crypto_openssl.c | 219 ++----- + src/plugins/preauth/pkinit/pkinit_lib.c | 65 --- + src/plugins/preauth/pkinit/pkinit_srv.c | 543 ++++++------------ + src/plugins/preauth/pkinit/pkinit_trace.h | 4 - + src/tests/t_pkinit.py | 6 +- + 10 files changed, 282 insertions(+), 814 deletions(-) + +diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h +index fe2ec0d31..b437fd53f 100644 +--- a/src/plugins/preauth/pkinit/pkinit.h ++++ b/src/plugins/preauth/pkinit/pkinit.h +@@ -213,7 +213,6 @@ struct _pkinit_req_context { + pkinit_identity_opts *idopts; + int do_identity_matching; + krb5_preauthtype pa_type; +- int rfc4556_kdc; + int rfc6112_kdc; + int identity_initialized; + int identity_prompted; +@@ -244,7 +243,6 @@ struct _pkinit_kdc_req_context { + int magic; + pkinit_req_crypto_context cryptoctx; + krb5_auth_pack *rcv_auth_pack; +- krb5_auth_pack_draft9 *rcv_auth_pack9; + krb5_preauthtype pa_type; + }; + typedef struct _pkinit_kdc_req_context *pkinit_kdc_req_context; +@@ -329,22 +327,15 @@ void pkinit_free_deferred_ids(pkinit_deferred_id *identities); + * initialization and free functions + */ + void init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in); +-void init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in); + void init_krb5_reply_key_pack(krb5_reply_key_pack **in); +-void init_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in); + + void init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in); +-void init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in); + void init_krb5_subject_pk_info(krb5_subject_pk_info **in); + + void free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in); +-void free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in); + void free_krb5_reply_key_pack(krb5_reply_key_pack **in); +-void free_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in); + void free_krb5_auth_pack(krb5_auth_pack **in); +-void free_krb5_auth_pack_draft9(krb5_context, krb5_auth_pack_draft9 **in); + void free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in); +-void free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in); + void free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in); + void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in); + void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in); +diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.c b/src/plugins/preauth/pkinit/pkinit_accessor.c +index 6bae94969..0908f1b9b 100644 +--- a/src/plugins/preauth/pkinit/pkinit_accessor.c ++++ b/src/plugins/preauth/pkinit/pkinit_accessor.c +@@ -41,22 +41,15 @@ + krb5_error_code (*k5int_decode_##type)(const krb5_data *, type ***) + + DEF_FUNC_PTRS(krb5_auth_pack); +-DEF_FUNC_PTRS(krb5_auth_pack_draft9); + DEF_FUNC_PTRS(krb5_kdc_dh_key_info); + DEF_FUNC_PTRS(krb5_pa_pk_as_rep); + DEF_FUNC_PTRS(krb5_pa_pk_as_req); +-DEF_FUNC_PTRS(krb5_pa_pk_as_req_draft9); + DEF_FUNC_PTRS(krb5_reply_key_pack); +-DEF_FUNC_PTRS(krb5_reply_key_pack_draft9); + + /* special cases... */ + krb5_error_code + (*k5int_decode_krb5_principal_name)(const krb5_data *, krb5_principal_data **); + +-krb5_error_code +-(*k5int_encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *, +- krb5_data **code); +- + krb5_error_code + (*k5int_encode_krb5_td_dh_parameters)(krb5_algorithm_identifier *const *, + krb5_data **code); +@@ -101,21 +94,16 @@ pkinit_accessor_init(void) + k5int_decode_##type = k5int.decode_##type; + + SET_PTRS(krb5_auth_pack); +- SET_PTRS(krb5_auth_pack_draft9); + SET_PTRS(krb5_kdc_dh_key_info); + SET_PTRS(krb5_pa_pk_as_rep); + SET_PTRS(krb5_pa_pk_as_req); +- SET_PTRS(krb5_pa_pk_as_req_draft9); + SET_PTRS(krb5_reply_key_pack); +- SET_PTRS(krb5_reply_key_pack_draft9); + SET_PTRS(krb5_td_dh_parameters); + SET_PTRS(krb5_td_trusted_certifiers); + + /* special cases... */ + k5int_decode_krb5_principal_name = k5int.decode_krb5_principal_name; + k5int_encode_krb5_kdc_req_body = k5int.encode_krb5_kdc_req_body; +- k5int_encode_krb5_pa_pk_as_rep_draft9 = \ +- k5int.encode_krb5_pa_pk_as_rep_draft9; + k5int_krb5_free_kdc_req = k5int.free_kdc_req; + k5int_set_prompt_types = k5int.set_prompt_types; + return 0; +diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.h b/src/plugins/preauth/pkinit/pkinit_accessor.h +index dcee3db53..e510ab624 100644 +--- a/src/plugins/preauth/pkinit/pkinit_accessor.h ++++ b/src/plugins/preauth/pkinit/pkinit_accessor.h +@@ -45,21 +45,15 @@ extern krb5_error_code (*k5int_encode_##type)(const type **, krb5_data **); \ + extern krb5_error_code (*k5int_decode_##type)(const krb5_data *, type ***) + + DEF_EXT_FUNC_PTRS(krb5_auth_pack); +-DEF_EXT_FUNC_PTRS(krb5_auth_pack_draft9); + DEF_EXT_FUNC_PTRS(krb5_kdc_dh_key_info); + DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_rep); + DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_req); +-DEF_EXT_FUNC_PTRS(krb5_pa_pk_as_req_draft9); + DEF_EXT_FUNC_PTRS(krb5_reply_key_pack); +-DEF_EXT_FUNC_PTRS(krb5_reply_key_pack_draft9); + + /* special cases... */ + extern krb5_error_code (*k5int_decode_krb5_principal_name) + (const krb5_data *, krb5_principal_data **); + +-extern krb5_error_code (*k5int_encode_krb5_pa_pk_as_rep_draft9) +- (const krb5_pa_pk_as_rep_draft9 *, krb5_data **code); +- + extern krb5_error_code (*k5int_encode_krb5_td_dh_parameters) + (krb5_algorithm_identifier *const *, krb5_data **code); + extern krb5_error_code (*k5int_decode_krb5_td_dh_parameters) +diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c +index 58400d555..1a642139a 100644 +--- a/src/plugins/preauth/pkinit/pkinit_clnt.c ++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +@@ -148,11 +148,7 @@ pa_pkinit_gen_req(krb5_context context, + goto cleanup; + } + +- /* +- * The most we'll return is two pa_data, normally just one. +- * We need to make room for the NULL terminator. +- */ +- return_pa_data = k5calloc(3, sizeof(*return_pa_data), &retval); ++ return_pa_data = k5calloc(2, sizeof(*return_pa_data), &retval); + if (return_pa_data == NULL) + goto cleanup; + +@@ -162,21 +158,11 @@ pa_pkinit_gen_req(krb5_context context, + + return_pa_data[0]->magic = KV5M_PA_DATA; + +- if (pa_type == KRB5_PADATA_PK_AS_REQ_OLD) +- return_pa_data[0]->pa_type = KRB5_PADATA_PK_AS_REP_OLD; +- else +- return_pa_data[0]->pa_type = pa_type; ++ return_pa_data[0]->pa_type = pa_type; + return_pa_data[0]->length = out_data->length; + return_pa_data[0]->contents = (krb5_octet *) out_data->data; + *out_data = empty_data(); + +- if (return_pa_data[0]->pa_type == KRB5_PADATA_PK_AS_REP_OLD) { +- return_pa_data[1] = k5alloc(sizeof(*return_pa_data[1]), &retval); +- if (return_pa_data[1] == NULL) +- goto cleanup; +- return_pa_data[1]->pa_type = KRB5_PADATA_AS_CHECKSUM; +- } +- + *out_padata = return_pa_data; + return_pa_data = NULL; + cb->disable_fallback(context, rock); +@@ -206,8 +192,6 @@ pkinit_as_req_create(krb5_context context, + krb5_data *coded_auth_pack = NULL; + krb5_auth_pack auth_pack; + krb5_pa_pk_as_req *req = NULL; +- krb5_auth_pack_draft9 auth_pack9; +- krb5_pa_pk_as_req_draft9 *req9 = NULL; + krb5_algorithm_identifier **cmstypes = NULL; + int protocol = reqctx->opts->dh_or_rsa; + unsigned char *dh_params = NULL, *dh_pubkey = NULL; +@@ -216,42 +200,25 @@ pkinit_as_req_create(krb5_context context, + pkiDebug("pkinit_as_req_create pa_type = %d\n", reqctx->pa_type); + + /* Create the authpack */ +- switch((int)reqctx->pa_type) { +- case KRB5_PADATA_PK_AS_REQ_OLD: +- protocol = RSA_PROTOCOL; +- memset(&auth_pack9, 0, sizeof(auth_pack9)); +- auth_pack9.pkAuthenticator.ctime = ctsec; +- auth_pack9.pkAuthenticator.cusec = cusec; +- auth_pack9.pkAuthenticator.nonce = nonce; +- auth_pack9.pkAuthenticator.kdcName = server; +- break; +- case KRB5_PADATA_PK_AS_REQ: +- memset(&info, 0, sizeof(info)); +- memset(&auth_pack, 0, sizeof(auth_pack)); +- auth_pack.pkAuthenticator.ctime = ctsec; +- auth_pack.pkAuthenticator.cusec = cusec; +- auth_pack.pkAuthenticator.nonce = nonce; +- auth_pack.pkAuthenticator.paChecksum = *cksum; +- if (!reqctx->opts->disable_freshness) +- auth_pack.pkAuthenticator.freshnessToken = reqctx->freshness_token; +- auth_pack.clientDHNonce.length = 0; +- auth_pack.clientPublicValue = &info; +- auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; ++ memset(&info, 0, sizeof(info)); ++ memset(&auth_pack, 0, sizeof(auth_pack)); ++ auth_pack.pkAuthenticator.ctime = ctsec; ++ auth_pack.pkAuthenticator.cusec = cusec; ++ auth_pack.pkAuthenticator.nonce = nonce; ++ auth_pack.pkAuthenticator.paChecksum = *cksum; ++ if (!reqctx->opts->disable_freshness) ++ auth_pack.pkAuthenticator.freshnessToken = reqctx->freshness_token; ++ auth_pack.clientDHNonce.length = 0; ++ auth_pack.clientPublicValue = &info; ++ auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; + +- /* add List of CMS algorithms */ +- retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, +- reqctx->cryptoctx, +- reqctx->idctx, &cmstypes); +- auth_pack.supportedCMSTypes = cmstypes; +- if (retval) +- goto cleanup; +- break; +- default: +- pkiDebug("as_req: unrecognized pa_type = %d\n", +- (int)reqctx->pa_type); +- retval = -1; ++ /* add List of CMS algorithms */ ++ retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, ++ reqctx->idctx, &cmstypes); ++ auth_pack.supportedCMSTypes = cmstypes; ++ if (retval) + goto cleanup; +- } + + switch(protocol) { + case DH_PROTOCOL: +@@ -274,14 +241,7 @@ pkinit_as_req_create(krb5_context context, + case RSA_PROTOCOL: + TRACE_PKINIT_CLIENT_REQ_RSA(context); + pkiDebug("as_req: RSA key transport algorithm\n"); +- switch((int)reqctx->pa_type) { +- case KRB5_PADATA_PK_AS_REQ_OLD: +- auth_pack9.clientPublicValue = NULL; +- break; +- case KRB5_PADATA_PK_AS_REQ: +- auth_pack.clientPublicValue = NULL; +- break; +- } ++ auth_pack.clientPublicValue = NULL; + break; + default: + pkiDebug("as_req: unknown key transport protocol %d\n", +@@ -290,16 +250,7 @@ pkinit_as_req_create(krb5_context context, + goto cleanup; + } + +- /* Encode the authpack */ +- switch((int)reqctx->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- retval = k5int_encode_krb5_auth_pack(&auth_pack, &coded_auth_pack); +- break; +- case KRB5_PADATA_PK_AS_REQ_OLD: +- retval = k5int_encode_krb5_auth_pack_draft9(&auth_pack9, +- &coded_auth_pack); +- break; +- } ++ retval = k5int_encode_krb5_auth_pack(&auth_pack, &coded_auth_pack); + if (retval) { + pkiDebug("failed to encode the AuthPack %d\n", retval); + goto cleanup; +@@ -311,60 +262,39 @@ pkinit_as_req_create(krb5_context context, + #endif + + /* create PKCS7 object from authpack */ +- switch((int)reqctx->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- init_krb5_pa_pk_as_req(&req); +- if (req == NULL) { +- retval = ENOMEM; +- goto cleanup; +- } +- if (use_content_info(context, reqctx, client)) { +- retval = cms_contentinfo_create(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, +- CMS_SIGN_CLIENT, +- (unsigned char *) +- coded_auth_pack->data, +- coded_auth_pack->length, +- (unsigned char **) +- &req->signedAuthPack.data, +- &req->signedAuthPack.length); +- } else { +- retval = cms_signeddata_create(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, +- CMS_SIGN_CLIENT, 1, +- (unsigned char *) +- coded_auth_pack->data, +- coded_auth_pack->length, +- (unsigned char **) +- &req->signedAuthPack.data, +- &req->signedAuthPack.length); +- } +-#ifdef DEBUG_ASN1 +- print_buffer_bin((unsigned char *)req->signedAuthPack.data, +- req->signedAuthPack.length, +- "/tmp/client_signed_data"); +-#endif +- break; +- case KRB5_PADATA_PK_AS_REQ_OLD: +- init_krb5_pa_pk_as_req_draft9(&req9); +- if (req9 == NULL) { +- retval = ENOMEM; +- goto cleanup; +- } ++ init_krb5_pa_pk_as_req(&req); ++ if (req == NULL) { ++ retval = ENOMEM; ++ goto cleanup; ++ } ++ if (use_content_info(context, reqctx, client)) { ++ retval = cms_contentinfo_create(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, reqctx->idctx, ++ CMS_SIGN_CLIENT, ++ (unsigned char *) ++ coded_auth_pack->data, ++ coded_auth_pack->length, ++ (unsigned char **) ++ &req->signedAuthPack.data, ++ &req->signedAuthPack.length); ++ } else { + retval = cms_signeddata_create(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_DRAFT9, 1, +- (unsigned char *)coded_auth_pack->data, ++ reqctx->cryptoctx, reqctx->idctx, ++ CMS_SIGN_CLIENT, 1, ++ (unsigned char *) ++ coded_auth_pack->data, + coded_auth_pack->length, + (unsigned char **) +- &req9->signedAuthPack.data, +- &req9->signedAuthPack.length); +- break; +-#ifdef DEBUG_ASN1 +- print_buffer_bin((unsigned char *)req9->signedAuthPack.data, +- req9->signedAuthPack.length, +- "/tmp/client_signed_data_draft9"); +-#endif ++ &req->signedAuthPack.data, ++ &req->signedAuthPack.length); + } ++ ++#ifdef DEBUG_ASN1 ++ print_buffer_bin((unsigned char *)req->signedAuthPack.data, ++ req->signedAuthPack.length, ++ "/tmp/client_signed_data"); ++#endif ++ + krb5_free_data(context, coded_auth_pack); + if (retval) { + pkiDebug("failed to create pkcs7 signed data\n"); +@@ -372,33 +302,21 @@ pkinit_as_req_create(krb5_context context, + } + + /* create a list of trusted CAs */ +- switch((int)reqctx->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- retval = create_krb5_trustedCertifiers(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, &req->trustedCertifiers); +- if (retval) +- goto cleanup; +- retval = create_issuerAndSerial(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, +- (unsigned char **)&req->kdcPkId.data, +- &req->kdcPkId.length); +- if (retval) +- goto cleanup; ++ retval = create_krb5_trustedCertifiers(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, reqctx->idctx, ++ &req->trustedCertifiers); ++ if (retval) ++ goto cleanup; ++ retval = create_issuerAndSerial(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, reqctx->idctx, ++ (unsigned char **)&req->kdcPkId.data, ++ &req->kdcPkId.length); ++ if (retval) ++ goto cleanup; ++ ++ /* Encode the as-req */ ++ retval = k5int_encode_krb5_pa_pk_as_req(req, as_req); + +- /* Encode the as-req */ +- retval = k5int_encode_krb5_pa_pk_as_req(req, as_req); +- break; +- case KRB5_PADATA_PK_AS_REQ_OLD: +- retval = create_issuerAndSerial(context, plgctx->cryptoctx, +- reqctx->cryptoctx, reqctx->idctx, +- (unsigned char **)&req9->kdcCert.data, +- &req9->kdcCert.length); +- if (retval) +- goto cleanup; +- /* Encode the as-req */ +- retval = k5int_encode_krb5_pa_pk_as_req_draft9(req9, as_req); +- break; +- } + #ifdef DEBUG_ASN1 + if (!retval) + print_buffer_bin((unsigned char *)(*as_req)->data, (*as_req)->length, +@@ -410,7 +328,6 @@ cleanup: + free(dh_params); + free(dh_pubkey); + free_krb5_pa_pk_as_req(&req); +- free_krb5_pa_pk_as_req_draft9(&req9); + + pkiDebug("pkinit_as_req_create retval=%d\n", (int) retval); + +@@ -1165,31 +1082,13 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata, + d = make_data(in_padata->contents, in_padata->length); + return krb5_copy_data(context, &d, &reqctx->freshness_token); + case KRB5_PADATA_PK_AS_REQ: +- reqctx->rfc4556_kdc = 1; + pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n"); + processing_request = 1; + break; + + case KRB5_PADATA_PK_AS_REP: +- reqctx->rfc4556_kdc = 1; + pkiDebug("processing KRB5_PADATA_PK_AS_REP\n"); + break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- /* Don't fall back to draft9 code if the KDC supports RFC 4556. */ +- if (reqctx->rfc4556_kdc) { +- TRACE_PKINIT_CLIENT_NO_DRAFT9(context); +- return KRB5KDC_ERR_PREAUTH_FAILED; +- } +- if (in_padata->length == 0) { +- pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n"); +- in_padata->pa_type = KRB5_PADATA_PK_AS_REQ_OLD; +- processing_request = 1; +- } else { +- pkiDebug("processing KRB5_PADATA_PK_AS_REP_OLD\n"); +- in_padata->pa_type = KRB5_PADATA_PK_AS_REP_OLD; +- } +- break; + default: + pkiDebug("unrecognized patype = %d for PKINIT\n", + in_padata->pa_type); +@@ -1363,8 +1262,6 @@ pkinit_client_get_flags(krb5_context kcontext, krb5_preauthtype patype) + static krb5_preauthtype supported_client_pa_types[] = { + KRB5_PADATA_PK_AS_REP, + KRB5_PADATA_PK_AS_REQ, +- KRB5_PADATA_PK_AS_REP_OLD, +- KRB5_PADATA_PK_AS_REQ_OLD, + KRB5_PADATA_PKINIT_KX, + KRB5_PADATA_AS_FRESHNESS, + 0 +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index 0acb731cd..8064a07d0 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -46,7 +46,6 @@ + */ + enum cms_msg_types { + CMS_SIGN_CLIENT, +- CMS_SIGN_DRAFT9, + CMS_SIGN_SERVER, + CMS_ENVEL_SERVER + }; +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 8aa2c5257..8c7fd0cca 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -1050,17 +1050,11 @@ create_contentinfo(krb5_context context, ASN1_OBJECT *oid, + if (p7->type == NULL) + goto oom; + +- if (OBJ_obj2nid(oid) == NID_pkcs7_data) { +- /* Draft 9 uses id-pkcs7-data for signed data. For this type OpenSSL +- * expects an octet string in d.data. */ +- p7->d.data = ostr; +- } else { +- p7->d.other = ASN1_TYPE_new(); +- if (p7->d.other == NULL) +- goto oom; +- p7->d.other->type = V_ASN1_OCTET_STRING; +- p7->d.other->value.octet_string = ostr; +- } ++ p7->d.other = ASN1_TYPE_new(); ++ if (p7->d.other == NULL) ++ goto oom; ++ p7->d.other->type = V_ASN1_OCTET_STRING; ++ p7->d.other->value.octet_string = ostr; + + *p7_out = p7; + return 0; +@@ -1249,43 +1243,37 @@ cms_signeddata_create(krb5_context context, + goto cleanup; + p7si->digest_enc_alg->parameter->type = V_ASN1_NULL; + +- if (cms_msg_type == CMS_SIGN_DRAFT9){ +- /* don't include signed attributes for pa-type 15 request */ +- abuf = data; +- alen = data_len; +- } else { +- /* add signed attributes */ +- /* compute sha1 digest over the EncapsulatedContentInfo */ +- ctx = EVP_MD_CTX_new(); +- if (ctx == NULL) +- goto cleanup; +- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); +- EVP_DigestUpdate(ctx, data, data_len); +- md_tmp = EVP_MD_CTX_md(ctx); +- EVP_DigestFinal_ex(ctx, md_data, &md_len); +- EVP_MD_CTX_free(ctx); ++ /* add signed attributes */ ++ /* compute sha1 digest over the EncapsulatedContentInfo */ ++ ctx = EVP_MD_CTX_new(); ++ if (ctx == NULL) ++ goto cleanup; ++ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); ++ EVP_DigestUpdate(ctx, data, data_len); ++ md_tmp = EVP_MD_CTX_md(ctx); ++ EVP_DigestFinal_ex(ctx, md_data, &md_len); ++ EVP_MD_CTX_free(ctx); + +- /* create a message digest attr */ +- digest_attr = ASN1_OCTET_STRING_new(); +- ASN1_OCTET_STRING_set(digest_attr, md_data, (int)md_len); +- PKCS7_add_signed_attribute(p7si, NID_pkcs9_messageDigest, +- V_ASN1_OCTET_STRING, (char *) digest_attr); ++ /* create a message digest attr */ ++ digest_attr = ASN1_OCTET_STRING_new(); ++ ASN1_OCTET_STRING_set(digest_attr, md_data, (int)md_len); ++ PKCS7_add_signed_attribute(p7si, NID_pkcs9_messageDigest, ++ V_ASN1_OCTET_STRING, (char *)digest_attr); + +- /* create a content-type attr */ +- oid_copy = OBJ_dup(oid); +- if (oid_copy == NULL) +- goto cleanup2; +- PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType, +- V_ASN1_OBJECT, oid_copy); ++ /* create a content-type attr */ ++ oid_copy = OBJ_dup(oid); ++ if (oid_copy == NULL) ++ goto cleanup2; ++ PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType, ++ V_ASN1_OBJECT, oid_copy); + +- /* create the signature over signed attributes. get DER encoded value */ +- /* This is the place where smartcard signature needs to be calculated */ +- sk = p7si->auth_attr; +- alen = ASN1_item_i2d((ASN1_VALUE *) sk, &abuf, +- ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); +- if (abuf == NULL) +- goto cleanup2; +- } /* signed attributes */ ++ /* create the signature over signed attributes. get DER encoded value */ ++ /* This is the place where smartcard signature needs to be calculated */ ++ sk = p7si->auth_attr; ++ alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, ++ ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); ++ if (abuf == NULL) ++ goto cleanup2; + + #ifndef WITHOUT_PKCS11 + /* Some tokens can only do RSAEncryption without sha1 hash */ +@@ -1301,11 +1289,7 @@ cms_signeddata_create(krb5_context context, + ctx = EVP_MD_CTX_new(); + if (ctx == NULL) + goto cleanup; +- /* if this is not draft9 request, include digest signed attribute */ +- if (cms_msg_type != CMS_SIGN_DRAFT9) +- EVP_DigestInit_ex(ctx, md_tmp, NULL); +- else +- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); ++ EVP_DigestInit_ex(ctx, md_tmp, NULL); + EVP_DigestUpdate(ctx, abuf, alen); + EVP_DigestFinal_ex(ctx, md_data2, &md_len2); + EVP_MD_CTX_free(ctx); +@@ -1349,8 +1333,7 @@ cms_signeddata_create(krb5_context context, + #ifdef DEBUG_SIG + print_buffer(sig, sig_len); + #endif +- if (cms_msg_type != CMS_SIGN_DRAFT9 ) +- free(abuf); ++ free(abuf); + if (retval) + goto cleanup2; + +@@ -1393,19 +1376,13 @@ cms_signeddata_create(krb5_context context, + print_buffer_bin(*signed_data, *signed_data_len, + "/tmp/client_pkcs7_signeddata"); + } else { +- if (cms_msg_type == CMS_SIGN_SERVER) { +- print_buffer_bin(*signed_data, *signed_data_len, +- "/tmp/kdc_pkcs7_signeddata"); +- } else { +- print_buffer_bin(*signed_data, *signed_data_len, +- "/tmp/draft9_pkcs7_signeddata"); +- } ++ print_buffer_bin(*signed_data, *signed_data_len, ++ "/tmp/kdc_pkcs7_signeddata"); + } + #endif + + cleanup2: + if (p7si) { +- if (cms_msg_type != CMS_SIGN_DRAFT9) + #ifndef WITHOUT_PKCS11 + if (id_cryptoctx->pkcs11_method == 1 && + id_cryptoctx->mech == CKM_RSA_PKCS) { +@@ -1692,15 +1669,13 @@ cms_signeddata_verify(krb5_context context, + #endif + } else { + /* retrieve verified certificate chain */ +- if (cms_msg_type == CMS_SIGN_CLIENT || cms_msg_type == CMS_SIGN_DRAFT9) ++ if (cms_msg_type == CMS_SIGN_CLIENT) + verified_chain = X509_STORE_CTX_get1_chain(cert_ctx); + } + X509_STORE_CTX_free(cert_ctx); + if (i <= 0) + goto cleanup; + out = BIO_new(BIO_s_mem()); +- if (cms_msg_type == CMS_SIGN_DRAFT9) +- flags |= CMS_NOATTR; + if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) { + unsigned long err = ERR_peek_error(); + switch(ERR_GET_REASON(err)) { +@@ -1717,21 +1692,6 @@ cms_signeddata_verify(krb5_context context, + } /* message was signed */ + if (!OBJ_cmp(etype, oid)) + valid_oid = 1; +- else if (cms_msg_type == CMS_SIGN_DRAFT9) { +- /* +- * Various implementations of the pa-type 15 request use +- * different OIDS. We check that the returned object +- * has any of the acceptable OIDs +- */ +- ASN1_OBJECT *client_oid = NULL, *server_oid = NULL, *rsa_oid = NULL; +- client_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_CLIENT); +- server_oid = pkinit_pkcs7type2oid(plgctx, CMS_SIGN_SERVER); +- rsa_oid = pkinit_pkcs7type2oid(plgctx, CMS_ENVEL_SERVER); +- if (!OBJ_cmp(etype, client_oid) || +- !OBJ_cmp(etype, server_oid) || +- !OBJ_cmp(etype, rsa_oid)) +- valid_oid = 1; +- } + + if (valid_oid) + pkiDebug("CMS Verification successful\n"); +@@ -1761,7 +1721,7 @@ cms_signeddata_verify(krb5_context context, + reqctx->received_cert = X509_dup(x); + + /* generate authorization data */ +- if (cms_msg_type == CMS_SIGN_CLIENT || cms_msg_type == CMS_SIGN_DRAFT9) { ++ if (cms_msg_type == CMS_SIGN_CLIENT) { + + if (authz_data == NULL || authz_data_len == NULL) + goto out; +@@ -1841,24 +1801,11 @@ cms_envelopeddata_create(krb5_context context, + int signed_data_len = 0, enc_data_len = 0, flags = PKCS7_BINARY; + STACK_OF(X509) *encerts = NULL; + const EVP_CIPHER *cipher = NULL; +- int cms_msg_type; +- +- /* create the PKCS7 SignedData portion of the PKCS7 EnvelopedData */ +- switch ((int)pa_type) { +- case KRB5_PADATA_PK_AS_REQ_OLD: +- case KRB5_PADATA_PK_AS_REP_OLD: +- cms_msg_type = CMS_SIGN_DRAFT9; +- break; +- case KRB5_PADATA_PK_AS_REQ: +- cms_msg_type = CMS_ENVEL_SERVER; +- break; +- default: +- goto cleanup; +- } + + retval = cms_signeddata_create(context, plgctx, reqctx, idctx, +- cms_msg_type, include_certchain, key_pack, key_pack_len, +- &signed_data, (unsigned int *)&signed_data_len); ++ CMS_ENVEL_SERVER, include_certchain, ++ key_pack, key_pack_len, &signed_data, ++ (unsigned int *)&signed_data_len); + if (retval) { + pkiDebug("failed to create pkcs7 signed data\n"); + goto cleanup; +@@ -1874,26 +1821,11 @@ cms_envelopeddata_create(krb5_context context, + + cipher = EVP_des_ede3_cbc(); + in = BIO_new(BIO_s_mem()); +- switch (pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- prepare_enc_data(signed_data, signed_data_len, &enc_data, +- &enc_data_len); +- retval = BIO_write(in, enc_data, enc_data_len); +- if (retval != enc_data_len) { +- pkiDebug("BIO_write only wrote %d\n", retval); +- goto cleanup; +- } +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- retval = BIO_write(in, signed_data, signed_data_len); +- if (retval != signed_data_len) { +- pkiDebug("BIO_write only wrote %d\n", retval); +- goto cleanup; +- } +- break; +- default: +- retval = -1; ++ prepare_enc_data(signed_data, signed_data_len, &enc_data, ++ &enc_data_len); ++ retval = BIO_write(in, enc_data, enc_data_len); ++ if (retval != enc_data_len) { ++ pkiDebug("BIO_write only wrote %d\n", retval); + goto cleanup; + } + +@@ -1902,20 +1834,7 @@ cms_envelopeddata_create(krb5_context context, + retval = oerr(context, 0, _("Failed to encrypt PKCS7 object")); + goto cleanup; + } +- switch (pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- p7->d.enveloped->enc_data->content_type = +- OBJ_nid2obj(NID_pkcs7_signed); +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- p7->d.enveloped->enc_data->content_type = +- OBJ_nid2obj(NID_pkcs7_data); +- break; +- break; +- break; +- break; +- } ++ p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_signed); + + *out_len = i2d_PKCS7(p7, NULL); + if (!*out_len || (p = *out = malloc(*out_len)) == NULL) { +@@ -1963,7 +1882,6 @@ cms_envelopeddata_verify(krb5_context context, + const unsigned char *p = enveloped_data; + unsigned int tmp_buf_len = 0, tmp_buf2_len = 0, vfy_buf_len = 0; + unsigned char *tmp_buf = NULL, *tmp_buf2 = NULL, *vfy_buf = NULL; +- int msg_type = 0; + + #ifdef DEBUG_ASN1 + print_buffer_bin(enveloped_data, enveloped_data_len, +@@ -1995,46 +1913,21 @@ cms_envelopeddata_verify(krb5_context context, + print_buffer_bin(tmp_buf, tmp_buf_len, "/tmp/client_enc_keypack"); + #endif + /* verify PKCS7 SignedData message */ +- switch (pa_type) { +- case KRB5_PADATA_PK_AS_REP: +- msg_type = CMS_ENVEL_SERVER; +- +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- msg_type = CMS_SIGN_DRAFT9; +- break; +- default: +- pkiDebug("%s: unrecognized pa_type = %d\n", __FUNCTION__, pa_type); +- retval = KRB5KDC_ERR_PREAUTH_FAILED; ++ /* Wrap the signed data to make decoding easier in the verify routine. */ ++ retval = wrap_signeddata(tmp_buf, tmp_buf_len, &tmp_buf2, &tmp_buf2_len); ++ if (retval) { ++ pkiDebug("failed to encode signeddata\n"); + goto cleanup; + } +- /* +- * If this is the RFC style, wrap the signed data to make +- * decoding easier in the verify routine. +- * For draft9-compatible, we don't do anything because it +- * is already wrapped. +- */ +- if (msg_type == CMS_ENVEL_SERVER) { +- retval = wrap_signeddata(tmp_buf, tmp_buf_len, +- &tmp_buf2, &tmp_buf2_len); +- if (retval) { +- pkiDebug("failed to encode signeddata\n"); +- goto cleanup; +- } +- vfy_buf = tmp_buf2; +- vfy_buf_len = tmp_buf2_len; +- +- } else { +- vfy_buf = tmp_buf; +- vfy_buf_len = tmp_buf_len; +- } ++ vfy_buf = tmp_buf2; ++ vfy_buf_len = tmp_buf2_len; + + #ifdef DEBUG_ASN1 + print_buffer_bin(vfy_buf, vfy_buf_len, "/tmp/client_enc_keypack2"); + #endif + + retval = cms_signeddata_verify(context, plg_cryptoctx, req_cryptoctx, +- id_cryptoctx, msg_type, ++ id_cryptoctx, CMS_ENVEL_SERVER, + require_crl_checking, + vfy_buf, vfy_buf_len, + data, data_len, NULL, NULL, NULL); +@@ -3580,8 +3473,6 @@ pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type) + switch (pkcs7_type) { + case CMS_SIGN_CLIENT: + return cryptoctx->id_pkinit_authData; +- case CMS_SIGN_DRAFT9: +- return OBJ_nid2obj(NID_pkcs7_data); + case CMS_SIGN_SERVER: + return cryptoctx->id_pkinit_DHKeyData; + case CMS_ENVEL_SERVER: +diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c +index d5858c424..bb2916bd5 100644 +--- a/src/plugins/preauth/pkinit/pkinit_lib.c ++++ b/src/plugins/preauth/pkinit/pkinit_lib.c +@@ -110,15 +110,6 @@ free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in) + free(*in); + } + +-void +-free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in) +-{ +- if (*in == NULL) return; +- free((*in)->signedAuthPack.data); +- free((*in)->kdcCert.data); +- free(*in); +-} +- + void + free_krb5_reply_key_pack(krb5_reply_key_pack **in) + { +@@ -128,14 +119,6 @@ free_krb5_reply_key_pack(krb5_reply_key_pack **in) + free(*in); + } + +-void +-free_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in) +-{ +- if (*in == NULL) return; +- free((*in)->replyKey.contents); +- free(*in); +-} +- + void + free_krb5_auth_pack(krb5_auth_pack **in) + { +@@ -160,15 +143,6 @@ free_krb5_auth_pack(krb5_auth_pack **in) + free(*in); + } + +-void +-free_krb5_auth_pack_draft9(krb5_context context, +- krb5_auth_pack_draft9 **in) +-{ +- if ((*in) == NULL) return; +- krb5_free_principal(context, (*in)->pkAuthenticator.kdcName); +- free(*in); +-} +- + void + free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) + { +@@ -187,14 +161,6 @@ free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) + free(*in); + } + +-void +-free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in) +-{ +- if (*in == NULL) return; +- free((*in)->u.encKeyPack.data); +- free(*in); +-} +- + void + free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in) + { +@@ -261,17 +227,6 @@ init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in) + (*in)->kdcPkId.length = 0; + } + +-void +-init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in) +-{ +- (*in) = malloc(sizeof(krb5_pa_pk_as_req_draft9)); +- if ((*in) == NULL) return; +- (*in)->signedAuthPack.data = NULL; +- (*in)->signedAuthPack.length = 0; +- (*in)->kdcCert.data = NULL; +- (*in)->kdcCert.length = 0; +-} +- + void + init_krb5_reply_key_pack(krb5_reply_key_pack **in) + { +@@ -283,15 +238,6 @@ init_krb5_reply_key_pack(krb5_reply_key_pack **in) + (*in)->asChecksum.length = 0; + } + +-void +-init_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in) +-{ +- (*in) = malloc(sizeof(krb5_reply_key_pack_draft9)); +- if ((*in) == NULL) return; +- (*in)->replyKey.contents = NULL; +- (*in)->replyKey.length = 0; +-} +- + void + init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) + { +@@ -306,17 +252,6 @@ init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) + (*in)->u.dh_Info.kdfID = NULL; + } + +-void +-init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in) +-{ +- (*in) = malloc(sizeof(krb5_pa_pk_as_rep_draft9)); +- if ((*in) == NULL) return; +- (*in)->u.dhSignedData.length = 0; +- (*in)->u.dhSignedData.data = NULL; +- (*in)->u.encKeyPack.length = 0; +- (*in)->u.encKeyPack.data = NULL; +-} +- + void + init_krb5_subject_pk_info(krb5_subject_pk_info **in) + { +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 6aa646cc6..c44be9c74 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -421,9 +421,7 @@ pkinit_server_verify_padata(krb5_context context, + krb5_error_code retval = 0; + krb5_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL}; + krb5_pa_pk_as_req *reqp = NULL; +- krb5_pa_pk_as_req_draft9 *reqp9 = NULL; + krb5_auth_pack *auth_pack = NULL; +- krb5_auth_pack_draft9 *auth_pack9 = NULL; + pkinit_kdc_context plgctx = NULL; + pkinit_kdc_req_context reqctx = NULL; + krb5_checksum cksum = {0, 0, 0, NULL}; +@@ -464,58 +462,32 @@ pkinit_server_verify_padata(krb5_context context, + + PADATA_TO_KRB5DATA(data, &k5data); + +- switch ((int)data->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- TRACE_PKINIT_SERVER_PADATA_VERIFY(context); +- retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp); +- if (retval) { +- pkiDebug("decode_krb5_pa_pk_as_req failed\n"); +- goto cleanup; +- } +-#ifdef DEBUG_ASN1 +- print_buffer_bin(reqp->signedAuthPack.data, +- reqp->signedAuthPack.length, +- "/tmp/kdc_signed_data"); +-#endif +- retval = cms_signeddata_verify(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_CLIENT, +- plgctx->opts->require_crl_checking, +- (unsigned char *) +- reqp->signedAuthPack.data, reqp->signedAuthPack.length, +- (unsigned char **)&authp_data.data, +- &authp_data.length, +- (unsigned char **)&krb5_authz.data, +- &krb5_authz.length, &is_signed); +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(context); +- retval = k5int_decode_krb5_pa_pk_as_req_draft9(&k5data, &reqp9); +- if (retval) { +- pkiDebug("decode_krb5_pa_pk_as_req_draft9 failed\n"); +- goto cleanup; +- } +-#ifdef DEBUG_ASN1 +- print_buffer_bin(reqp9->signedAuthPack.data, +- reqp9->signedAuthPack.length, +- "/tmp/kdc_signed_data_draft9"); +-#endif +- +- retval = cms_signeddata_verify(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, +- plgctx->opts->require_crl_checking, +- (unsigned char *) +- reqp9->signedAuthPack.data, reqp9->signedAuthPack.length, +- (unsigned char **)&authp_data.data, +- &authp_data.length, +- (unsigned char **)&krb5_authz.data, +- &krb5_authz.length, NULL); +- break; +- default: ++ if (data->pa_type != KRB5_PADATA_PK_AS_REQ) { + pkiDebug("unrecognized pa_type = %d\n", data->pa_type); + retval = EINVAL; + goto cleanup; + } ++ ++ TRACE_PKINIT_SERVER_PADATA_VERIFY(context); ++ retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp); ++ if (retval) { ++ pkiDebug("decode_krb5_pa_pk_as_req failed\n"); ++ goto cleanup; ++ } ++#ifdef DEBUG_ASN1 ++ print_buffer_bin(reqp->signedAuthPack.data, reqp->signedAuthPack.length, ++ "/tmp/kdc_signed_data"); ++#endif ++ retval = cms_signeddata_verify(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, plgctx->idctx, ++ CMS_SIGN_CLIENT, ++ plgctx->opts->require_crl_checking, ++ (unsigned char *)reqp->signedAuthPack.data, ++ reqp->signedAuthPack.length, ++ (unsigned char **)&authp_data.data, ++ &authp_data.length, ++ (unsigned char **)&krb5_authz.data, ++ &krb5_authz.length, &is_signed); + if (retval) { + TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context); + goto cleanup; +@@ -541,118 +513,88 @@ pkinit_server_verify_padata(krb5_context context, + #endif + + OCTETDATA_TO_KRB5DATA(&authp_data, &k5data); +- switch ((int)data->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- retval = k5int_decode_krb5_auth_pack(&k5data, &auth_pack); ++ retval = k5int_decode_krb5_auth_pack(&k5data, &auth_pack); ++ if (retval) { ++ pkiDebug("failed to decode krb5_auth_pack\n"); ++ goto cleanup; ++ } ++ ++ retval = krb5_check_clockskew(context, auth_pack->pkAuthenticator.ctime); ++ if (retval) ++ goto cleanup; ++ ++ /* check dh parameters */ ++ if (auth_pack->clientPublicValue != NULL) { ++ retval = server_check_dh(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, plgctx->idctx, ++ &auth_pack->clientPublicValue->algorithm.parameters, ++ plgctx->opts->dh_min_bits); + if (retval) { +- pkiDebug("failed to decode krb5_auth_pack\n"); ++ pkiDebug("bad dh parameters\n"); + goto cleanup; + } +- +- retval = krb5_check_clockskew(context, +- auth_pack->pkAuthenticator.ctime); +- if (retval) +- goto cleanup; +- +- /* check dh parameters */ +- if (auth_pack->clientPublicValue != NULL) { +- retval = server_check_dh(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, +- &auth_pack->clientPublicValue->algorithm.parameters, +- plgctx->opts->dh_min_bits); +- +- if (retval) { +- pkiDebug("bad dh parameters\n"); +- goto cleanup; +- } +- } else if (!is_signed) { +- /*Anonymous pkinit requires DH*/ +- retval = KRB5KDC_ERR_PREAUTH_FAILED; +- krb5_set_error_message(context, retval, +- _("Anonymous pkinit without DH public " +- "value not supported.")); +- goto cleanup; +- } +- der_req = cb->request_body(context, rock); +- retval = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, +- 0, der_req, &cksum); +- if (retval) { +- pkiDebug("unable to calculate AS REQ checksum\n"); +- goto cleanup; +- } +- if (cksum.length != auth_pack->pkAuthenticator.paChecksum.length || +- k5_bcmp(cksum.contents, +- auth_pack->pkAuthenticator.paChecksum.contents, +- cksum.length) != 0) { +- pkiDebug("failed to match the checksum\n"); ++ } else if (!is_signed) { ++ /*Anonymous pkinit requires DH*/ ++ retval = KRB5KDC_ERR_PREAUTH_FAILED; ++ krb5_set_error_message(context, retval, ++ _("Anonymous pkinit without DH public " ++ "value not supported.")); ++ goto cleanup; ++ } ++ der_req = cb->request_body(context, rock); ++ retval = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0, ++ der_req, &cksum); ++ if (retval) { ++ pkiDebug("unable to calculate AS REQ checksum\n"); ++ goto cleanup; ++ } ++ if (cksum.length != auth_pack->pkAuthenticator.paChecksum.length || ++ k5_bcmp(cksum.contents, auth_pack->pkAuthenticator.paChecksum.contents, ++ cksum.length) != 0) { ++ pkiDebug("failed to match the checksum\n"); + #ifdef DEBUG_CKSUM +- pkiDebug("calculating checksum on buf size (%d)\n", +- req_pkt->length); +- print_buffer(req_pkt->data, req_pkt->length); +- pkiDebug("received checksum type=%d size=%d ", +- auth_pack->pkAuthenticator.paChecksum.checksum_type, ++ pkiDebug("calculating checksum on buf size (%d)\n", req_pkt->length); ++ print_buffer(req_pkt->data, req_pkt->length); ++ pkiDebug("received checksum type=%d size=%d ", ++ auth_pack->pkAuthenticator.paChecksum.checksum_type, ++ auth_pack->pkAuthenticator.paChecksum.length); ++ print_buffer(auth_pack->pkAuthenticator.paChecksum.contents, + auth_pack->pkAuthenticator.paChecksum.length); +- print_buffer(auth_pack->pkAuthenticator.paChecksum.contents, +- auth_pack->pkAuthenticator.paChecksum.length); +- pkiDebug("expected checksum type=%d size=%d ", +- cksum.checksum_type, cksum.length); +- print_buffer(cksum.contents, cksum.length); ++ pkiDebug("expected checksum type=%d size=%d ", ++ cksum.checksum_type, cksum.length); ++ print_buffer(cksum.contents, cksum.length); + #endif + +- retval = KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; +- goto cleanup; +- } +- +- ftoken = auth_pack->pkAuthenticator.freshnessToken; +- if (ftoken != NULL) { +- retval = cb->check_freshness_token(context, rock, ftoken); +- if (retval) +- goto cleanup; +- valid_freshness_token = TRUE; +- } +- +- /* check if kdcPkId present and match KDC's subjectIdentifier */ +- if (reqp->kdcPkId.data != NULL) { +- int valid_kdcPkId = 0; +- retval = pkinit_check_kdc_pkid(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, +- (unsigned char *)reqp->kdcPkId.data, +- reqp->kdcPkId.length, &valid_kdcPkId); +- if (retval) +- goto cleanup; +- if (!valid_kdcPkId) +- pkiDebug("kdcPkId in AS_REQ does not match KDC's cert" +- "RFC says to ignore and proceed\n"); +- +- } +- /* remember the decoded auth_pack for verify_padata routine */ +- reqctx->rcv_auth_pack = auth_pack; +- auth_pack = NULL; +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- retval = k5int_decode_krb5_auth_pack_draft9(&k5data, &auth_pack9); +- if (retval) { +- pkiDebug("failed to decode krb5_auth_pack_draft9\n"); +- goto cleanup; +- } +- if (auth_pack9->clientPublicValue != NULL) { +- retval = server_check_dh(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, +- &auth_pack9->clientPublicValue->algorithm.parameters, +- plgctx->opts->dh_min_bits); +- +- if (retval) { +- pkiDebug("bad dh parameters\n"); +- goto cleanup; +- } +- } +- /* remember the decoded auth_pack for verify_padata routine */ +- reqctx->rcv_auth_pack9 = auth_pack9; +- auth_pack9 = NULL; +- break; ++ retval = KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED; ++ goto cleanup; + } + ++ ftoken = auth_pack->pkAuthenticator.freshnessToken; ++ if (ftoken != NULL) { ++ retval = cb->check_freshness_token(context, rock, ftoken); ++ if (retval) ++ goto cleanup; ++ valid_freshness_token = TRUE; ++ } ++ ++ /* check if kdcPkId present and match KDC's subjectIdentifier */ ++ if (reqp->kdcPkId.data != NULL) { ++ int valid_kdcPkId = 0; ++ retval = pkinit_check_kdc_pkid(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, plgctx->idctx, ++ (unsigned char *)reqp->kdcPkId.data, ++ reqp->kdcPkId.length, &valid_kdcPkId); ++ if (retval) ++ goto cleanup; ++ if (!valid_kdcPkId) { ++ pkiDebug("kdcPkId in AS_REQ does not match KDC's cert; " ++ "RFC says to ignore and proceed\n"); ++ } ++ } ++ /* remember the decoded auth_pack for verify_padata routine */ ++ reqctx->rcv_auth_pack = auth_pack; ++ auth_pack = NULL; ++ + if (is_signed) { + retval = check_log_freshness(context, plgctx, request, + valid_freshness_token); +@@ -682,21 +624,13 @@ cleanup: + pkiDebug("pkinit_create_edata failed\n"); + } + +- switch ((int)data->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- free_krb5_pa_pk_as_req(&reqp); +- free(cksum.contents); +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- free_krb5_pa_pk_as_req_draft9(&reqp9); +- } ++ free_krb5_pa_pk_as_req(&reqp); ++ free(cksum.contents); + free(authp_data.data); + free(krb5_authz.data); + if (reqctx != NULL) + pkinit_fini_kdc_req_context(context, reqctx); + free_krb5_auth_pack(&auth_pack); +- free_krb5_auth_pack_draft9(context, &auth_pack9); + + (*respond)(arg, retval, modreq, e_data, NULL); + } +@@ -817,7 +751,6 @@ pkinit_server_return_padata(krb5_context context, + krb5_error_code retval = 0; + krb5_data scratch = {0, 0, NULL}; + krb5_pa_pk_as_req *reqp = NULL; +- krb5_pa_pk_as_req_draft9 *reqp9 = NULL; + int i = 0; + + unsigned char *subjectPublicKey = NULL; +@@ -828,21 +761,17 @@ pkinit_server_return_padata(krb5_context context, + krb5_kdc_dh_key_info dhkey_info; + krb5_data *encoded_dhkey_info = NULL; + krb5_pa_pk_as_rep *rep = NULL; +- krb5_pa_pk_as_rep_draft9 *rep9 = NULL; + krb5_data *out_data = NULL; + krb5_data secret; + + krb5_enctype enctype = -1; + + krb5_reply_key_pack *key_pack = NULL; +- krb5_reply_key_pack_draft9 *key_pack9 = NULL; + krb5_data *encoded_key_pack = NULL; + + pkinit_kdc_context plgctx; + pkinit_kdc_req_context reqctx; + +- int fixed_keypack = 0; +- + *send_pa = NULL; + if (padata->pa_type == KRB5_PADATA_PKINIT_KX) { + return return_pkinit_kx(context, request, reply, +@@ -886,29 +815,13 @@ pkinit_server_return_padata(krb5_context context, + goto cleanup; + } + +- switch((int)reqctx->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- init_krb5_pa_pk_as_rep(&rep); +- if (rep == NULL) { +- retval = ENOMEM; +- goto cleanup; +- } +- /* let's assume it's RSA. we'll reset it to DH if needed */ +- rep->choice = choice_pa_pk_as_rep_encKeyPack; +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- init_krb5_pa_pk_as_rep_draft9(&rep9); +- if (rep9 == NULL) { +- retval = ENOMEM; +- goto cleanup; +- } +- rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack; +- break; +- default: +- retval = KRB5KDC_ERR_PREAUTH_FAILED; ++ init_krb5_pa_pk_as_rep(&rep); ++ if (rep == NULL) { ++ retval = ENOMEM; + goto cleanup; + } ++ /* let's assume it's RSA. we'll reset it to DH if needed */ ++ rep->choice = choice_pa_pk_as_rep_encKeyPack; + + if (reqctx->rcv_auth_pack != NULL && + reqctx->rcv_auth_pack->clientPublicValue != NULL) { +@@ -917,18 +830,7 @@ pkinit_server_return_padata(krb5_context context, + subjectPublicKey_len = + reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length; + rep->choice = choice_pa_pk_as_rep_dhInfo; +- } else if (reqctx->rcv_auth_pack9 != NULL && +- reqctx->rcv_auth_pack9->clientPublicValue != NULL) { +- subjectPublicKey = (unsigned char *) +- reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.data; +- subjectPublicKey_len = +- reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.length; +- rep9->choice = choice_pa_pk_as_rep_draft9_dhSignedData; +- } + +- /* if this DH, then process finish computing DH key */ +- if (rep != NULL && (rep->choice == choice_pa_pk_as_rep_dhInfo || +- rep->choice == choice_pa_pk_as_rep_draft9_dhSignedData)) { + pkiDebug("received DH key delivery AS REQ\n"); + retval = server_process_dh(context, plgctx->cryptoctx, + reqctx->cryptoctx, plgctx->idctx, subjectPublicKey, +@@ -938,10 +840,6 @@ pkinit_server_return_padata(krb5_context context, + pkiDebug("failed to process/create dh paramters\n"); + goto cleanup; + } +- } +- if ((rep9 != NULL && +- rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || +- (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { + + /* + * This is DH, so don't generate the key until after we +@@ -966,36 +864,18 @@ pkinit_server_return_padata(krb5_context context, + "/tmp/kdc_dh_key_info"); + #endif + +- switch ((int)padata->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- retval = cms_signeddata_create(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_SERVER, 1, +- (unsigned char *) +- encoded_dhkey_info->data, +- encoded_dhkey_info->length, +- (unsigned char **) +- &rep->u.dh_Info.dhSignedData.data, +- &rep->u.dh_Info.dhSignedData.length); +- if (retval) { +- pkiDebug("failed to create pkcs7 signed data\n"); +- goto cleanup; +- } +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- retval = cms_signeddata_create(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, 1, +- (unsigned char *) +- encoded_dhkey_info->data, +- encoded_dhkey_info->length, +- (unsigned char **) +- &rep9->u.dhSignedData.data, +- &rep9->u.dhSignedData.length); +- if (retval) { +- pkiDebug("failed to create pkcs7 signed data\n"); +- goto cleanup; +- } +- break; ++ retval = cms_signeddata_create(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, plgctx->idctx, ++ CMS_SIGN_SERVER, 1, ++ (unsigned char *) ++ encoded_dhkey_info->data, ++ encoded_dhkey_info->length, ++ (unsigned char **) ++ &rep->u.dh_Info.dhSignedData.data, ++ &rep->u.dh_Info.dhSignedData.length); ++ if (retval) { ++ pkiDebug("failed to create pkcs7 signed data\n"); ++ goto cleanup; + } + + } else { +@@ -1007,102 +887,49 @@ pkinit_server_return_padata(krb5_context context, + goto cleanup; + } + +- /* check if PA_TYPE of KRB5_PADATA_AS_CHECKSUM (132) is present which +- * means the client is requesting that a checksum is send back instead +- * of the nonce. +- */ +- for (i = 0; request->padata[i] != NULL; i++) { +- pkiDebug("%s: Checking pa_type 0x%08x\n", +- __FUNCTION__, request->padata[i]->pa_type); +- if (request->padata[i]->pa_type == KRB5_PADATA_AS_CHECKSUM) +- fixed_keypack = 1; ++ init_krb5_reply_key_pack(&key_pack); ++ if (key_pack == NULL) { ++ retval = ENOMEM; ++ goto cleanup; + } +- pkiDebug("%s: return checksum instead of nonce = %d\n", +- __FUNCTION__, fixed_keypack); + +- /* if this is an RFC reply or draft9 client requested a checksum +- * in the reply instead of the nonce, create an RFC-style keypack +- */ +- if ((int)padata->pa_type == KRB5_PADATA_PK_AS_REQ || fixed_keypack) { +- init_krb5_reply_key_pack(&key_pack); +- if (key_pack == NULL) { +- retval = ENOMEM; +- goto cleanup; +- } +- +- retval = krb5_c_make_checksum(context, 0, +- encrypting_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, +- req_pkt, &key_pack->asChecksum); +- if (retval) { +- pkiDebug("unable to calculate AS REQ checksum\n"); +- goto cleanup; +- } ++ retval = krb5_c_make_checksum(context, 0, encrypting_key, ++ KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, ++ req_pkt, &key_pack->asChecksum); ++ if (retval) { ++ pkiDebug("unable to calculate AS REQ checksum\n"); ++ goto cleanup; ++ } + #ifdef DEBUG_CKSUM +- pkiDebug("calculating checksum on buf size = %d\n", req_pkt->length); +- print_buffer(req_pkt->data, req_pkt->length); +- pkiDebug("checksum size = %d\n", key_pack->asChecksum.length); +- print_buffer(key_pack->asChecksum.contents, +- key_pack->asChecksum.length); +- pkiDebug("encrypting key (%d)\n", encrypting_key->length); +- print_buffer(encrypting_key->contents, encrypting_key->length); ++ pkiDebug("calculating checksum on buf size = %d\n", req_pkt->length); ++ print_buffer(req_pkt->data, req_pkt->length); ++ pkiDebug("checksum size = %d\n", key_pack->asChecksum.length); ++ print_buffer(key_pack->asChecksum.contents, ++ key_pack->asChecksum.length); ++ pkiDebug("encrypting key (%d)\n", encrypting_key->length); ++ print_buffer(encrypting_key->contents, encrypting_key->length); + #endif + +- krb5_copy_keyblock_contents(context, encrypting_key, +- &key_pack->replyKey); ++ krb5_copy_keyblock_contents(context, encrypting_key, ++ &key_pack->replyKey); + +- retval = k5int_encode_krb5_reply_key_pack(key_pack, +- &encoded_key_pack); +- if (retval) { +- pkiDebug("failed to encode reply_key_pack\n"); +- goto cleanup; +- } ++ retval = k5int_encode_krb5_reply_key_pack(key_pack, ++ &encoded_key_pack); ++ if (retval) { ++ pkiDebug("failed to encode reply_key_pack\n"); ++ goto cleanup; + } + +- switch ((int)padata->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- rep->choice = choice_pa_pk_as_rep_encKeyPack; +- retval = cms_envelopeddata_create(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, +- (unsigned char *) +- encoded_key_pack->data, +- encoded_key_pack->length, +- (unsigned char **) +- &rep->u.encKeyPack.data, +- &rep->u.encKeyPack.length); +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- /* if the request is from the broken draft9 client that +- * expects back a nonce, create it now +- */ +- if (!fixed_keypack) { +- init_krb5_reply_key_pack_draft9(&key_pack9); +- if (key_pack9 == NULL) { +- retval = ENOMEM; +- goto cleanup; +- } +- key_pack9->nonce = reqctx->rcv_auth_pack9->pkAuthenticator.nonce; +- krb5_copy_keyblock_contents(context, encrypting_key, +- &key_pack9->replyKey); +- +- retval = k5int_encode_krb5_reply_key_pack_draft9(key_pack9, +- &encoded_key_pack); +- if (retval) { +- pkiDebug("failed to encode reply_key_pack\n"); +- goto cleanup; +- } +- } +- +- rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack; +- retval = cms_envelopeddata_create(context, plgctx->cryptoctx, +- reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, +- (unsigned char *) +- encoded_key_pack->data, +- encoded_key_pack->length, +- (unsigned char **) +- &rep9->u.encKeyPack.data, &rep9->u.encKeyPack.length); +- break; +- } ++ rep->choice = choice_pa_pk_as_rep_encKeyPack; ++ retval = cms_envelopeddata_create(context, plgctx->cryptoctx, ++ reqctx->cryptoctx, plgctx->idctx, ++ padata->pa_type, 1, ++ (unsigned char *) ++ encoded_key_pack->data, ++ encoded_key_pack->length, ++ (unsigned char **) ++ &rep->u.encKeyPack.data, ++ &rep->u.encKeyPack.length); + if (retval) { + pkiDebug("failed to create pkcs7 enveloped data: %s\n", + error_message(retval)); +@@ -1112,23 +939,12 @@ pkinit_server_return_padata(krb5_context context, + print_buffer_bin((unsigned char *)encoded_key_pack->data, + encoded_key_pack->length, + "/tmp/kdc_key_pack"); +- switch ((int)padata->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- print_buffer_bin(rep->u.encKeyPack.data, +- rep->u.encKeyPack.length, +- "/tmp/kdc_enc_key_pack"); +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- print_buffer_bin(rep9->u.encKeyPack.data, +- rep9->u.encKeyPack.length, +- "/tmp/kdc_enc_key_pack"); +- break; +- } ++ print_buffer_bin(rep->u.encKeyPack.data, rep->u.encKeyPack.length, ++ "/tmp/kdc_enc_key_pack"); + #endif + } + +- if ((rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo) && ++ if (rep->choice == choice_pa_pk_as_rep_dhInfo && + ((reqctx->rcv_auth_pack != NULL && + reqctx->rcv_auth_pack->supportedKDFs != NULL))) { + +@@ -1147,15 +963,7 @@ pkinit_server_return_padata(krb5_context context, + } + } + +- switch ((int)padata->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- retval = k5int_encode_krb5_pa_pk_as_rep(rep, &out_data); +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- retval = k5int_encode_krb5_pa_pk_as_rep_draft9(rep9, &out_data); +- break; +- } ++ retval = k5int_encode_krb5_pa_pk_as_rep(rep, &out_data); + if (retval) { + pkiDebug("failed to encode AS_REP\n"); + goto cleanup; +@@ -1167,13 +975,11 @@ pkinit_server_return_padata(krb5_context context, + #endif + + /* If this is DH, we haven't computed the key yet, so do it now. */ +- if ((rep9 != NULL && +- rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || +- (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { ++ if (rep->choice == choice_pa_pk_as_rep_dhInfo) { + +- /* If we're not doing draft 9, and mutually supported KDFs were found, +- * use the algorithm agility KDF. */ +- if (rep != NULL && rep->u.dh_Info.kdfID) { ++ /* If mutually supported KDFs were found, use the algorithm agility ++ * KDF. */ ++ if (rep->u.dh_Info.kdfID) { + secret.data = (char *)server_key; + secret.length = server_key_len; + +@@ -1209,15 +1015,7 @@ pkinit_server_return_padata(krb5_context context, + goto cleanup; + } + (*send_pa)->magic = KV5M_PA_DATA; +- switch ((int)padata->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- (*send_pa)->pa_type = KRB5_PADATA_PK_AS_REP; +- break; +- case KRB5_PADATA_PK_AS_REQ_OLD: +- case KRB5_PADATA_PK_AS_REP_OLD: +- (*send_pa)->pa_type = KRB5_PADATA_PK_AS_REP_OLD; +- break; +- } ++ (*send_pa)->pa_type = KRB5_PADATA_PK_AS_REP; + (*send_pa)->length = out_data->length; + (*send_pa)->contents = (krb5_octet *) out_data->data; + +@@ -1231,23 +1029,9 @@ cleanup: + krb5_free_data(context, encoded_key_pack); + free(dh_pubkey); + free(server_key); +- +- switch ((int)padata->pa_type) { +- case KRB5_PADATA_PK_AS_REQ: +- free_krb5_pa_pk_as_req(&reqp); +- free_krb5_pa_pk_as_rep(&rep); +- free_krb5_reply_key_pack(&key_pack); +- break; +- case KRB5_PADATA_PK_AS_REP_OLD: +- case KRB5_PADATA_PK_AS_REQ_OLD: +- free_krb5_pa_pk_as_req_draft9(&reqp9); +- free_krb5_pa_pk_as_rep_draft9(&rep9); +- if (!fixed_keypack) +- free_krb5_reply_key_pack_draft9(&key_pack9); +- else +- free_krb5_reply_key_pack(&key_pack); +- break; +- } ++ free_krb5_pa_pk_as_req(&reqp); ++ free_krb5_pa_pk_as_rep(&rep); ++ free_krb5_reply_key_pack(&key_pack); + + if (retval) + pkiDebug("pkinit_verify_padata failure"); +@@ -1265,8 +1049,6 @@ pkinit_server_get_flags(krb5_context kcontext, krb5_preauthtype patype) + + static krb5_preauthtype supported_server_pa_types[] = { + KRB5_PADATA_PK_AS_REQ, +- KRB5_PADATA_PK_AS_REQ_OLD, +- KRB5_PADATA_PK_AS_REP_OLD, + KRB5_PADATA_PKINIT_KX, + 0 + }; +@@ -1796,7 +1578,6 @@ pkinit_init_kdc_req_context(krb5_context context, pkinit_kdc_req_context *ctx) + if (retval) + goto cleanup; + reqctx->rcv_auth_pack = NULL; +- reqctx->rcv_auth_pack9 = NULL; + + pkiDebug("%s: returning reqctx at %p\n", __FUNCTION__, reqctx); + *ctx = reqctx; +@@ -1822,8 +1603,6 @@ pkinit_fini_kdc_req_context(krb5_context context, void *ctx) + pkinit_fini_req_crypto(reqctx->cryptoctx); + if (reqctx->rcv_auth_pack != NULL) + free_krb5_auth_pack(&reqctx->rcv_auth_pack); +- if (reqctx->rcv_auth_pack9 != NULL) +- free_krb5_auth_pack_draft9(context, &reqctx->rcv_auth_pack9); + + free(reqctx); + } +diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h +index 4da735f80..bba3226bd 100644 +--- a/src/plugins/preauth/pkinit/pkinit_trace.h ++++ b/src/plugins/preauth/pkinit/pkinit_trace.h +@@ -49,8 +49,6 @@ + #define TRACE_PKINIT_CLIENT_KDF_OS2K(c, keyblock) \ + TRACE(c, "PKINIT client used octetstring2key to compute reply key " \ + "{keyblock}", keyblock) +-#define TRACE_PKINIT_CLIENT_NO_DRAFT9(c) \ +- TRACE(c, "PKINIT client ignoring draft 9 offer from RFC 4556 KDC") + #define TRACE_PKINIT_CLIENT_NO_IDENTITY(c) \ + TRACE(c, "PKINIT client has no configured identity; giving up") + #define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received) \ +@@ -115,8 +113,6 @@ + TRACE(c, "PKINIT server found no SAN in client cert") + #define TRACE_PKINIT_SERVER_PADATA_VERIFY(c) \ + TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ") +-#define TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(c) \ +- TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ_OLD") + #define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c) \ + TRACE(c, "PKINIT server failed to verify PA data") + #define TRACE_PKINIT_SERVER_RETURN_PADATA(c) \ +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index 1dadb1b96..93f0f2632 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -432,11 +432,9 @@ realm.kinit(realm.user_princ, + realm.klist(realm.user_princ) + realm.run([kvno, realm.host_princ]) + +-# Supply the wrong PIN, and verify that we ignore the draft9 padata offer +-# in the KDC method data after RFC 4556 PKINIT fails. ++# Supply the wrong PIN. + mark('PKCS11 identity, wrong PIN') +-expected_trace = ('PKINIT client has no configured identity; giving up', +- 'PKINIT client ignoring draft 9 offer from RFC 4556 KDC') ++expected_trace = ('PKINIT client has no configured identity; giving up',) + realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p11_identity], + password='wrong', expected_code=1, expected_trace=expected_trace) diff --git a/Remove-strerror-calls-from-k5_get_error.patch b/Remove-strerror-calls-from-k5_get_error.patch index 7ce77b3..6dbe4e1 100644 --- a/Remove-strerror-calls-from-k5_get_error.patch +++ b/Remove-strerror-calls-from-k5_get_error.patch @@ -1,4 +1,4 @@ -From f9c5dd7a9bb19dc99de8ee046b0ac1506c494f4e Mon Sep 17 00:00:00 2001 +From 80ce19337573b31c372251ea5af4e66f4b75e7ef Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 6 Jun 2019 11:46:58 -0400 Subject: [PATCH] Remove strerror() calls from k5_get_error() diff --git a/krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch b/krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch index 18ebb8c..334a93b 100644 --- a/krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch +++ b/krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch @@ -1,4 +1,4 @@ -From a57e6f65c6368b3fe99baaaeafccd166dad006b4 Mon Sep 17 00:00:00 2001 +From fd2088635e27ce571e2d98c40fea34db15243b7a Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Fri, 9 Nov 2018 15:12:21 -0500 Subject: [PATCH] krb5-1.17post4 FIPS with PRNG, SPAKE, and RADIUS diff --git a/krb5.spec b/krb5.spec index 7cd5bc8..7d9a5a6 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.17 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 31%{?dist} +Release: 32%{?dist} # lookaside-cached sources; two downloads and a build artifact Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz @@ -105,9 +105,11 @@ Patch140: Display-unsupported-enctype-names.patch Patch142: Add-zapfreedata-convenience-function.patch Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch Patch144: Remove-krb5int_c_combine_keys.patch -Patch145: Remove-3des-support.patch Patch146: krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch Patch147: Remove-strerror-calls-from-k5_get_error.patch +Patch148: Remove-PKINIT-draft-9-support.patch +Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch +Patch150: Remove-3des-support.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -717,6 +719,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Wed Jun 26 2019 Robbie Harwood - 1.17-32 +- Remove PKINIT draft9 support (compat with EOL, pre-2008 Windows) + * Mon Jun 10 2019 Robbie Harwood - 1.17-31 - Remove strerror() calls from k5_get_error()