From 9ff3ed399f9a5bb0c6101a986798d80ecc7a1b92 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 31 Jul 2017 16:03:41 -0400
Subject: [PATCH] Remove incomplete PKINIT OCSP support
pkinit_kdc_ocsp is non-functional in the PKINIT OpenSSL crypto
implementation, so remove most traces of it, including its man page
entry. If it is present in kdc.conf, error out of PKINIT
initialization instead of silently ignoring the realm entirely.
ticket: 8603 (new)
(cherry picked from commit 3ff426b9048a8024e5c175256c63cd0ad0572320)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
doc/admin/conf_files/kdc_conf.rst | 3 ---
src/man/kdc.conf.man | 3 ---
src/plugins/preauth/pkinit/pkinit.h | 2 +-
src/plugins/preauth/pkinit/pkinit_identity.c | 11 -----------
src/plugins/preauth/pkinit/pkinit_srv.c | 12 ++++++++++--
5 files changed, 11 insertions(+), 20 deletions(-)
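diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 13077ecf4..a4b2a5432 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -765,9 +765,6 @@ For information about the syntax of some of these options, see
 pkinit is used to authenticate. This option may be specified
 multiple times. (New in release 1.14.)
 
-**pkinit_kdc_ocsp**
- Specifies the location of the KDC's OCSP.
-
 **pkinit_pool**
 Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client's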
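diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 10b333c38..166e68f9a 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -886,9 +886,6 @@ Specifies an authentication indicator to include in the ticket if
 pkinit is used to authenticate. This option may be specified
 multiple times. (New in release 1.14.)
 .TP
-.B \fBpkinit_kdc_ocsp\fP
-Specifies the location of the KDC\(aqs OCSP.
-.TP
 .B \fBpkinit_pool\fP
 Specifies the location of intermediate certificates which may be
 used by the KDC to complete the trust chain between a client\(aqs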
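diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 876db94c3..a49f3078e 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -73,6 +73,7 @@
 #define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities"
 #define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"
 #define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"
+/* pkinit_kdc_ocsp has been removed */
 #define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"
 #define KRB5_CONF_PKINIT_POOL "pkinit_pool"
 #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking"
@@ -173,7 +174,6 @@ typedef struct _pkinit_identity_opts {
 char **anchors;
 char **intermediates;
 char **crls;
- char *ocsp;
 int idtype;
 char *cert_filename;
 char *key_filename;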
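Review bot: The comment added in the first hunk, `/* pkinit_kdc_ocsp has been removed */`, sits directly above the `KRB5_CONF_PKINIT_KDC_OCSP` definition that the patch keeps, so the header now says the key is gone while still defining it; the name is retained because pkinit_srv.c looks it up in order to reject the option at KDC startup. Suggest `/* pkinit_kdc_ocsp is not supported; the key is kept only so the KDC can reject it when set in kdc.conf. */` so the next reader does not remove the define as dead code. The field removal in the second hunk is consistent with the pkinit_identity.c changes; `_pkinit_identity_opts` continues outside the hunk.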
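diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 177a2cad8..a897efa25 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -125,7 +125,6 @@ pkinit_init_identity_opts(pkinit_identity_opts **idopts)
 opts->anchors = NULL;
 opts->intermediates = NULL;
 opts->crls = NULL;
- opts->ocsp = NULL;
 
 opts->cert_filename = NULL;
 opts->key_filename = NULL;
@@ -174,12 +173,6 @@ pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
 if (retval)
 goto cleanup;
 
- if (src_opts->ocsp != NULL) {
- newopts->ocsp = strdup(src_opts->ocsp);
- if (newopts->ocsp == NULL)
- goto cleanup;
- }
-
 if (src_opts->cert_filename != NULL) {
 newopts->cert_filename = strdup(src_opts->cert_filename);
 if (newopts->cert_filename == NULL)
@@ -674,10 +667,6 @@ pkinit_identity_prompt(krb5_context context,
 if (retval)
 goto errout;
 }
- if (idopts->ocsp != NULL) {
- retval = ENOTSUP;
- goto errout;
- }
 
 errout:
 return retval;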
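diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 731d14eb8..32ca122f2 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1252,7 +1252,7 @@ static krb5_error_code
 pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 {
 krb5_error_code retval;
- char *eku_string = NULL;
+ char *eku_string = NULL, *ocsp_check = NULL;
 
 pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname);
 retval = pkinit_kdcdefault_string(context, plgctx->realmname,
@@ -1287,7 +1287,15 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 
 pkinit_kdcdefault_string(context, plgctx->realmname,
 KRB5_CONF_PKINIT_KDC_OCSP,
- &plgctx->idopts->ocsp);
+ &ocsp_check);
+ if (ocsp_check != NULL) {
+ free(ocsp_check);
+ retval = ENOTSUP;
+ krb5_set_error_message(context, retval,
+ _("OCSP is not supported: (realm: %s)"),
+ plgctx->realmname);
+ goto errout;
+ }
 
 pkinit_kdcdefault_integer(context, plgctx->realmname,
 KRB5_CONF_PKINIT_DH_MIN_BITS,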
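Review bot: The error message in the second hunk, `_("OCSP is not supported: (realm: %s)")`, does not name the kdc.conf key that triggered the refusal, so an administrator whose KDC now stops initializing PKINIT for the realm has to work out which option to remove; it also carries a stray colon before the parenthesis. Suggest `_("pkinit_kdc_ocsp is not supported (realm: %s)")`, which fails closed with the same ENOTSUP while pointing at the exact setting to delete. The return value of `pkinit_kdcdefault_string` is still discarded here as it was before, which is only sound because `ocsp_check` is initialized to NULL in the first hunk and a failed lookup presumably leaves it untouched; a one-line comment such as `/* A failed lookup leaves ocsp_check NULL, i.e. the option is unset. */` above the call would make that dependency explicit. The `errout` label and the remainder of pkinit_init_kdc_profile lie outside the hunk.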