d738b9
From 771f85f6d84f1cce95c5246b700bd950295d8fb3 Mon Sep 17 00:00:00 2001
d738b9
From: Robbie Harwood <rharwood@redhat.com>
d738b9
Date: Mon, 31 Jul 2017 16:03:41 -0400
d738b9
Subject: [PATCH] Remove incomplete PKINIT OCSP support
d738b9
d738b9
pkinit_kdc_ocsp is non-functional in the PKINIT OpenSSL crypto
d738b9
implementation, so remove most traces of it, including its man page
d738b9
entry.  If it is present in kdc.conf, error out of PKINIT
d738b9
initialization instead of silently ignoring the realm entirely.
d738b9
d738b9
ticket: 8603 (new)
d738b9
(cherry picked from commit 3ff426b9048a8024e5c175256c63cd0ad0572320)
d738b9
---
d738b9
 doc/admin/conf_files/kdc_conf.rst            |  3 ---
d738b9
 src/man/kdc.conf.man                         |  3 ---
d738b9
 src/plugins/preauth/pkinit/pkinit.h          |  2 +-
d738b9
 src/plugins/preauth/pkinit/pkinit_identity.c | 11 -----------
d738b9
 src/plugins/preauth/pkinit/pkinit_srv.c      | 12 ++++++++++--
d738b9
 5 files changed, 11 insertions(+), 20 deletions(-)
d738b9
d738b9
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
d738b9
index 13077ecf4..a4b2a5432 100644
d738b9
--- a/doc/admin/conf_files/kdc_conf.rst
d738b9
+++ b/doc/admin/conf_files/kdc_conf.rst
d738b9
@@ -765,9 +765,6 @@ For information about the syntax of some of these options, see
d738b9
     pkinit is used to authenticate.  This option may be specified
d738b9
     multiple times.  (New in release 1.14.)
d738b9
 
d738b9
-**pkinit_kdc_ocsp**
d738b9
-    Specifies the location of the KDC's OCSP.
d738b9
-
d738b9
 **pkinit_pool**
d738b9
     Specifies the location of intermediate certificates which may be
d738b9
     used by the KDC to complete the trust chain between a client's
d738b9
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
d738b9
index 10b333c38..166e68f9a 100644
d738b9
--- a/src/man/kdc.conf.man
d738b9
+++ b/src/man/kdc.conf.man
d738b9
@@ -886,9 +886,6 @@ Specifies an authentication indicator to include in the ticket if
d738b9
 pkinit is used to authenticate.  This option may be specified
d738b9
 multiple times.  (New in release 1.14.)
d738b9
 .TP
d738b9
-.B \fBpkinit_kdc_ocsp\fP
d738b9
-Specifies the location of the KDC\(aqs OCSP.
d738b9
-.TP
d738b9
 .B \fBpkinit_pool\fP
d738b9
 Specifies the location of intermediate certificates which may be
d738b9
 used by the KDC to complete the trust chain between a client\(aqs
d738b9
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
d738b9
index 876db94c3..a49f3078e 100644
d738b9
--- a/src/plugins/preauth/pkinit/pkinit.h
d738b9
+++ b/src/plugins/preauth/pkinit/pkinit.h
d738b9
@@ -73,6 +73,7 @@
d738b9
 #define KRB5_CONF_PKINIT_IDENTITIES             "pkinit_identities"
d738b9
 #define KRB5_CONF_PKINIT_IDENTITY               "pkinit_identity"
d738b9
 #define KRB5_CONF_PKINIT_KDC_HOSTNAME           "pkinit_kdc_hostname"
d738b9
+/* pkinit_kdc_ocsp has been removed */
d738b9
 #define KRB5_CONF_PKINIT_KDC_OCSP               "pkinit_kdc_ocsp"
d738b9
 #define KRB5_CONF_PKINIT_POOL                   "pkinit_pool"
d738b9
 #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING   "pkinit_require_crl_checking"
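Review bot: The added comment `/* pkinit_kdc_ocsp has been removed */` sits directly above a `#define` that the commit keeps, so a later reader may take the macro for dead code and delete it. The pkinit_srv.c hunk in this same patch still looks the name up in order to reject it, so the comment should say that, for example `/* pkinit_kdc_ocsp is no longer supported; the name is kept only so KDC initialization can detect it in kdc.conf and fail */`. Without the macro the option would presumably go back to being silently ignored, which matters for a setting an operator may believe enables revocation checking.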
d738b9
@@ -173,7 +174,6 @@ typedef struct _pkinit_identity_opts {
d738b9
     char **anchors;
d738b9
     char **intermediates;
d738b9
     char **crls;
d738b9
-    char *ocsp;
d738b9
     int  idtype;
d738b9
     char *cert_filename;
d738b9
     char *key_filename;
d738b9
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
d738b9
index 177a2cad8..a897efa25 100644
d738b9
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
d738b9
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
d738b9
@@ -125,7 +125,6 @@ pkinit_init_identity_opts(pkinit_identity_opts **idopts)
d738b9
     opts->anchors = NULL;
d738b9
     opts->intermediates = NULL;
d738b9
     opts->crls = NULL;
d738b9
-    opts->ocsp = NULL;
d738b9
 
d738b9
     opts->cert_filename = NULL;
d738b9
     opts->key_filename = NULL;
d738b9
@@ -174,12 +173,6 @@ pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
d738b9
     if (retval)
d738b9
         goto cleanup;
d738b9
 
d738b9
-    if (src_opts->ocsp != NULL) {
d738b9
-        newopts->ocsp = strdup(src_opts->ocsp);
d738b9
-        if (newopts->ocsp == NULL)
d738b9
-            goto cleanup;
d738b9
-    }
d738b9
-
d738b9
     if (src_opts->cert_filename != NULL) {
d738b9
         newopts->cert_filename = strdup(src_opts->cert_filename);
d738b9
         if (newopts->cert_filename == NULL)
d738b9
@@ -674,10 +667,6 @@ pkinit_identity_prompt(krb5_context context,
d738b9
         if (retval)
d738b9
             goto errout;
d738b9
     }
d738b9
-    if (idopts->ocsp != NULL) {
d738b9
-        retval = ENOTSUP;
d738b9
-        goto errout;
d738b9
-    }
d738b9
 
d738b9
 errout:
d738b9
     return retval;
d738b9
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
d738b9
index 731d14eb8..32ca122f2 100644
d738b9
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
d738b9
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
d738b9
@@ -1252,7 +1252,7 @@ static krb5_error_code
d738b9
 pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
d738b9
 {
d738b9
     krb5_error_code retval;
d738b9
-    char *eku_string = NULL;
d738b9
+    char *eku_string = NULL, *ocsp_check = NULL;
d738b9
 
d738b9
     pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname);
d738b9
     retval = pkinit_kdcdefault_string(context, plgctx->realmname,
d738b9
@@ -1287,7 +1287,15 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
d738b9
 
d738b9
     pkinit_kdcdefault_string(context, plgctx->realmname,
d738b9
                              KRB5_CONF_PKINIT_KDC_OCSP,
d738b9
-                             &plgctx->idopts->ocsp);
d738b9
+                             &ocsp_check);
d738b9
+    if (ocsp_check != NULL) {
d738b9
+        free(ocsp_check);
d738b9
+        retval = ENOTSUP;
d738b9
+        krb5_set_error_message(context, retval,
d738b9
+                               _("OCSP is not supported: (realm: %s)"),
d738b9
+                               plgctx->realmname);
d738b9
+        goto errout;
d738b9
+    }
d738b9
 
d738b9
     pkinit_kdcdefault_integer(context, plgctx->realmname,
d738b9
                               KRB5_CONF_PKINIT_DH_MIN_BITS,
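Review bot: The message passed to `krb5_set_error_message` does not name the kdc.conf relation that caused the failure, so an administrator reading "OCSP is not supported" has to work out what to remove. Naming the option and dropping the stray colon would help, for example `_("pkinit_kdc_ocsp is not supported (realm: %s)")`. The return value of `pkinit_kdcdefault_string` is still discarded, so any lookup failure that leaves `ocsp_check` NULL skips the rejection. If that is intended, a short comment such as `/* Lookup errors are treated as "not set". */` would record it. Failing initialization here is the safer behaviour for a revocation-related setting, and a brief why-comment above the `if` would keep the check from being removed later as leftover code. The `errout` label and the rest of pkinit_init_kdc_profile are outside this hunk, so the cleanup path cannot be checked from here.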