From 6b14b0329fe5d0be9ac2f1d6ac86fa9e9ed0fcf4 Mon Sep 17 00:00:00 2001
From: Tom Yu 
Date: Tue, 26 May 2009 07:58:28 +0000
Subject: [PATCH] pull up r22381 from trunk

------------------------------------------------------------------------
r22381 | ghudson | 2009-05-25 18:40:00 +0200 (Mon, 25 May 2009) | 10 lines

ticket: 6501
subject: Temporarily disable FAST PKINIT for 1.7 release
tags: pullup
target_version: 1.7

There are protocol issues and implementation defects surrounding the combination of FAST an PKINIT currently. To avoid impacting the 1.7 scheduled and to avoid creating interoperability problems later, disable the combination until the problems are resolved.

ticket: 6501
version_fixed: 1.7

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22385 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/plugins/preauth/pkinit/pkinit_clnt.c | 12 ++++++++++++
 src/plugins/preauth/pkinit/pkinit_srv.c | 23 +++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 13651c57a..f7cd99890 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -40,6 +40,9 @@
 
 #include "pkinit.h"
 
+/* Remove when FAST PKINIT is settled. */
+#include "../fast_factor.h"
+
 #ifdef LONGHORN_BETA_COMPAT
 /*
  * It is anticipated that all the special checks currently
@@ -1027,10 +1030,19 @@ pkinit_client_process(krb5_context context,
     int processing_request = 0;
     pkinit_context plgctx = (pkinit_context)plugin_context;
     pkinit_req_context reqctx = (pkinit_req_context)request_context;
+    krb5_keyblock *armor_key = NULL;
 
     pkiDebug("pkinit_client_process %p %p %p %p\n",
              context, plgctx, reqctx, request);
 
+    /* Remove (along with armor_key) when FAST PKINIT is settled. */
+    retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);
+    if (retval == 0 && armor_key != NULL) {
+        /* Don't use PKINIT if also using FAST. */
+        krb5_free_keyblock(context, armor_key);
+        return EINVAL;
+    }
+
     if (plgctx == NULL || reqctx == NULL)
         return EINVAL;
 
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 228815511..031752974 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -35,6 +35,9 @@
 
 #include "pkinit.h"
 
+/* Remove when FAST PKINIT is settled. */
+#include "../fast_factor.h"
+
 static krb5_error_code
 pkinit_server_get_edata(krb5_context context,
                         krb5_kdc_req * request,
@@ -146,9 +149,19 @@ pkinit_server_get_edata(krb5_context context,
 {
     krb5_error_code retval = 0;
     pkinit_kdc_context plgctx = NULL;
+    krb5_keyblock *armor_key = NULL;
 
     pkiDebug("pkinit_server_get_edata: entered!\n");
 
+    /* Remove (along with armor_key) when FAST PKINIT is settled. */
+    retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
+                                    client, &armor_key);
+    if (retval == 0 && armor_key != NULL) {
+        /* Don't advertise PKINIT if the client used FAST. */
+        krb5_free_keyblock(context, armor_key);
+        return EINVAL;
+    }
+
     /*
      * If we don't have a realm context for the given realm,
      * don't tell the client that we support pkinit!
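Review bot: A non-zero return from `fast_get_armor_key` is silently dropped in the new block: `retval` is assigned, but only the `retval == 0 && armor_key != NULL` case is acted on, so when the armor-key lookup itself fails the function falls through and PKINIT proceeds as if FAST were not in use — the disable is fail-open and `retval` is then quietly overwritten by later code. If any FAST-related failure should also stop PKINIT, add `if (retval) return retval;` before the `armor_key` test; if ignoring lookup errors is deliberate, say so in the comment, e.g. `/* Lookup errors are ignored here; only a present armor key disables PKINIT. */`. The same shape appears in the `fast_kdc_get_armor_key` blocks added to pkinit_server_get_edata and pkinit_server_verify_padata in pkinit_srv.c. pkinit_client_process begins before this hunk and continues past it.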
@@ -344,11 +357,21 @@ pkinit_server_verify_padata(krb5_context context,
     krb5_authdata **my_authz_data = NULL, *pkinit_authz_data = NULL;
     krb5_kdc_req *tmp_as_req = NULL;
     krb5_data k5data;
+    krb5_keyblock *armor_key;
 
     pkiDebug("pkinit_verify_padata: entered!\n");
     if (data == NULL || data->length <= 0 || data->contents == NULL)
         return 0;
 
+    /* Remove (along with armor_key) when FAST PKINIT is settled. */
+    retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
+                                    client, &armor_key);
+    if (retval == 0 && armor_key != NULL) {
+        /* Don't allow PKINIT if the client used FAST. */
+        krb5_free_keyblock(context, armor_key);
+        return EINVAL;
+    }
+
     if (pa_plugin_context == NULL || e_data == NULL)
         return EINVAL;
 
-- 
2.26.2
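Review bot: The added `krb5_keyblock *armor_key;` declaration is left uninitialized, unlike the `= NULL` initializers the same commit adds in pkinit_client_process and pkinit_server_get_edata. If `fast_kdc_get_armor_key` can return 0 without storing through `&armor_key` when the client did not use FAST (its contract is not visible here), the `armor_key != NULL` test reads an indeterminate pointer and may hand it to `krb5_free_keyblock` — undefined behavior, and at best a spurious EINVAL that blocks PKINIT for clients that never used FAST. Change the declaration to `krb5_keyblock *armor_key = NULL;` so this site matches the other two. pkinit_server_verify_padata begins before this hunk and continues past it.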