svn rev #25600: trunk/src/ include/ include/krb5/ lib/krb5/asn.1/ plugins/preauth/pkinit/
ghudson@MIT.EDU
ghudson at MIT.EDU
Wed Dec 21 17:52:43 EST 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25600
Commit By: ghudson
Log Message:
Stop using krb5_octet_data
For consistency with the rest of the code base, make PKINIT use
krb5_data as a pointer/length container. Leave krb5_octet_data and
krb5_free_octet_data behind for API compatibility.
Changed Files:
U trunk/src/include/k5-int-pkinit.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/lib/krb5/asn.1/asn1_decode.c
U trunk/src/lib/krb5/asn.1/asn1_decode.h
U trunk/src/lib/krb5/asn.1/asn1_k_decode.c
U trunk/src/lib/krb5/asn.1/asn1_k_decode.h
U trunk/src/lib/krb5/asn.1/asn1_k_decode_kdc.c
U trunk/src/lib/krb5/asn.1/asn1_k_decode_macros.h
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U trunk/src/plugins/preauth/pkinit/pkinit.h
U trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
U trunk/src/plugins/preauth/pkinit/pkinit_crypto.h
U trunk/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
U trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
U trunk/src/plugins/preauth/pkinit/pkinit_kdf_constants.c
U trunk/src/plugins/preauth/pkinit/pkinit_kdf_test.c
U trunk/src/plugins/preauth/pkinit/pkinit_lib.c
U trunk/src/plugins/preauth/pkinit/pkinit_srv.c
Modified: trunk/src/include/k5-int-pkinit.h
===================================================================
--- trunk/src/include/k5-int-pkinit.h 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/include/k5-int-pkinit.h 2011-12-21 22:52:43 UTC (rev 25600)
@@ -47,7 +47,7 @@
/* PKAuthenticator draft9 */
typedef struct _krb5_pk_authenticator_draft9 {
krb5_principal kdcName;
- krb5_octet_data kdcRealm;
+ krb5_data kdcRealm;
krb5_int32 cusec; /* (0..999999) */
krb5_timestamp ctime;
krb5_int32 nonce; /* (0..4294967295) */
@@ -55,14 +55,14 @@
/* AlgorithmIdentifier */
typedef struct _krb5_algorithm_identifier {
- krb5_octet_data algorithm; /* OID */
- krb5_octet_data parameters; /* Optional */
+ krb5_data algorithm; /* OID */
+ krb5_data parameters; /* Optional */
} krb5_algorithm_identifier;
/* SubjectPublicKeyInfo */
typedef struct _krb5_subject_pk_info {
krb5_algorithm_identifier algorithm;
- krb5_octet_data subjectPublicKey; /* BIT STRING */
+ krb5_data subjectPublicKey; /* BIT STRING */
} krb5_subject_pk_info;
/** AuthPack from RFC 4556*/
@@ -70,8 +70,8 @@
krb5_pk_authenticator pkAuthenticator;
krb5_subject_pk_info *clientPublicValue; /* Optional */
krb5_algorithm_identifier **supportedCMSTypes; /* Optional */
- krb5_octet_data clientDHNonce; /* Optional */
- krb5_octet_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */
+ krb5_data clientDHNonce; /* Optional */
+ krb5_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */
} krb5_auth_pack;
/* AuthPack draft9 */
@@ -82,9 +82,9 @@
/* ExternalPrincipalIdentifier */
typedef struct _krb5_external_principal_identifier {
- krb5_octet_data subjectName; /* Optional */
- krb5_octet_data issuerAndSerialNumber; /* Optional */
- krb5_octet_data subjectKeyIdentifier; /* Optional */
+ krb5_data subjectName; /* Optional */
+ krb5_data issuerAndSerialNumber; /* Optional */
+ krb5_data subjectKeyIdentifier; /* Optional */
} krb5_external_principal_identifier;
/* TrustedCas */
@@ -97,43 +97,43 @@
} choice;
union {
krb5_principal principalName;
- krb5_octet_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */
- krb5_octet_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */
+ krb5_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */
+ krb5_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */
} u;
} krb5_trusted_ca;
/* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
typedef struct _krb5_pa_pk_as_req_draft9 {
- krb5_octet_data signedAuthPack;
+ krb5_data signedAuthPack;
krb5_trusted_ca **trustedCertifiers; /* Optional array */
- krb5_octet_data kdcCert; /* Optional */
- krb5_octet_data encryptionCert;
+ krb5_data kdcCert; /* Optional */
+ krb5_data encryptionCert;
} krb5_pa_pk_as_req_draft9;
/* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */
typedef struct _krb5_pa_pk_as_req {
- krb5_octet_data signedAuthPack;
+ krb5_data signedAuthPack;
krb5_external_principal_identifier **trustedCertifiers; /* Optional array */
- krb5_octet_data kdcPkId; /* Optional */
+ krb5_data kdcPkId; /* Optional */
} krb5_pa_pk_as_req;
/** Pkinit DHRepInfo */
typedef struct _krb5_dh_rep_info {
- krb5_octet_data dhSignedData;
- krb5_octet_data serverDHNonce; /* Optional */
- krb5_octet_data *kdfID; /* OID of selected KDF OPTIONAL */
+ krb5_data dhSignedData;
+ krb5_data serverDHNonce; /* Optional */
+ krb5_data *kdfID; /* OID of selected KDF OPTIONAL */
} krb5_dh_rep_info;
/* KDCDHKeyInfo */
typedef struct _krb5_kdc_dh_key_info {
- krb5_octet_data subjectPublicKey; /* BIT STRING */
+ krb5_data subjectPublicKey; /* BIT STRING */
krb5_int32 nonce; /* (0..4294967295) */
krb5_timestamp dhKeyExpiration; /* Optional */
} krb5_kdc_dh_key_info;
/* KDCDHKeyInfo draft9*/
typedef struct _krb5_kdc_dh_key_info_draft9 {
- krb5_octet_data subjectPublicKey; /* BIT STRING */
+ krb5_data subjectPublicKey; /* BIT STRING */
krb5_int32 nonce; /* (0..4294967295) */
} krb5_kdc_dh_key_info_draft9;
@@ -157,8 +157,8 @@
choice_pa_pk_as_rep_draft9_encKeyPack = 1
} choice;
union {
- krb5_octet_data dhSignedData;
- krb5_octet_data encKeyPack;
+ krb5_data dhSignedData;
+ krb5_data encKeyPack;
} u;
} krb5_pa_pk_as_rep_draft9;
@@ -171,7 +171,7 @@
} choice;
union {
krb5_dh_rep_info dh_Info;
- krb5_octet_data encKeyPack;
+ krb5_data encKeyPack;
} u;
} krb5_pa_pk_as_rep;
@@ -186,8 +186,8 @@
/* PkinitSuppPubInfo, for pkinit algorithm agility */
typedef struct _krb5_pkinit_supp_pub_info {
krb5_enctype enctype;
- krb5_octet_data as_req;
- krb5_octet_data pk_as_rep;
+ krb5_data as_req;
+ krb5_data pk_as_rep;
} krb5_pkinit_supp_pub_info;
/*
Modified: trunk/src/include/krb5/krb5.hin
===================================================================
--- trunk/src/include/krb5/krb5.hin 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/include/krb5/krb5.hin 2011-12-21 22:52:43 UTC (rev 25600)
@@ -207,6 +207,7 @@
char *data;
} krb5_data;
+/* Originally introduced for PKINIT; now unused. Do not use this. */
typedef struct _krb5_octet_data {
krb5_magic magic;
unsigned int length;
@@ -4651,15 +4652,7 @@
void KRB5_CALLCONV
krb5_free_data(krb5_context context, krb5_data *val);
-/**
- * Free storage associated with a @c krb5_octet_data structure and its pointer.
- *
- * @param [in] context Context structure
- * @param [in] val Data structure to be freed
- *
- * @return
- * None
- */
+/* Free a krb5_octet_data structure (should be unused). */
void KRB5_CALLCONV
krb5_free_octet_data(krb5_context context, krb5_octet_data *val);
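Review bot: The Doxygen block on krb5_free_octet_data is replaced with a plain `/* */` comment, so the generated API reference drops the function entirely instead of showing it as legacy. Since the declaration is deliberately kept for API compatibility, keep a Doxygen comment that says so explicitly, e.g. `/** Free a krb5_octet_data structure and its pointer. @deprecated Retained only for API compatibility; PKINIT now uses krb5_data. */`. The struct comment added in the previous hunk ("Originally introduced for PKINIT; now unused") is likewise not a Doxygen block and would benefit from the same `@deprecated` tag.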
Modified: trunk/src/lib/krb5/asn.1/asn1_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_decode.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/lib/krb5/asn.1/asn1_decode.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -153,11 +153,11 @@
}
asn1_error_code
-asn1_decode_oid(asn1buf *buf, unsigned int *retlen, asn1_octet **val)
+asn1_decode_oid(asn1buf *buf, unsigned int *retlen, char **val)
{
setup();
tag(ASN1_OBJECTIDENTIFIER);
- retval = asn1buf_remove_octetstring(buf, length, val);
+ retval = asn1buf_remove_charstring(buf, length, val);
if (retval) return retval;
*retlen = length;
cleanup();
Modified: trunk/src/lib/krb5/asn.1/asn1_decode.h
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_decode.h 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/lib/krb5/asn.1/asn1_decode.h 2011-12-21 22:52:43 UTC (rev 25600)
@@ -67,7 +67,7 @@
asn1_error_code asn1_decode_null(asn1buf *buf);
asn1_error_code asn1_decode_oid(asn1buf *buf, unsigned int *retlen,
- asn1_octet **val);
+ char **val);
asn1_error_code asn1_decode_octetstring(asn1buf *buf, unsigned int *retlen,
asn1_octet **val);
asn1_error_code asn1_decode_generalstring(asn1buf *buf, unsigned int *retlen,
Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -1187,9 +1187,12 @@
val->subjectKeyIdentifier.data = NULL;
{
begin_structure();
- opt_implicit_octet_string(val->subjectName.length, val->subjectName.data, 0);
- opt_implicit_octet_string(val->issuerAndSerialNumber.length, val->issuerAndSerialNumber.data, 1);
- opt_implicit_octet_string(val->subjectKeyIdentifier.length, val->subjectKeyIdentifier.data, 2);
+ opt_implicit_charstring(val->subjectName.length, val->subjectName.data,
+ 0);
+ opt_implicit_charstring(val->issuerAndSerialNumber.length,
+ val->issuerAndSerialNumber.data, 1);
+ opt_implicit_charstring(val->subjectKeyIdentifier.length,
+ val->subjectKeyIdentifier.data, 2);
end_structure();
}
return 0;
@@ -1305,12 +1308,14 @@
} else if (tagnum == choice_trusted_cas_caName) {
val->choice = choice_trusted_cas_caName;
val->u.caName.data = NULL;
- get_implicit_octet_string(val->u.caName.length, val->u.caName.data, choice_trusted_cas_caName);
+ get_implicit_charstring(val->u.caName.length, val->u.caName.data,
+ choice_trusted_cas_caName);
} else if (tagnum == choice_trusted_cas_issuerAndSerial) {
val->choice = choice_trusted_cas_issuerAndSerial;
val->u.issuerAndSerial.data = NULL;
- get_implicit_octet_string(val->u.issuerAndSerial.length, val->u.issuerAndSerial.data,
- choice_trusted_cas_issuerAndSerial);
+ get_implicit_charstring(val->u.issuerAndSerial.length,
+ val->u.issuerAndSerial.data,
+ choice_trusted_cas_issuerAndSerial);
} else clean_return(ASN1_BAD_ID);
end_choice();
}
@@ -1349,9 +1354,9 @@
}
static asn1_error_code
-asn1_decode_kdf_alg_id_ptr(asn1buf *buf, krb5_octet_data **valptr)
+asn1_decode_kdf_alg_id_ptr(asn1buf *buf, krb5_data **valptr)
{
- decode_ptr(krb5_octet_data *, asn1_decode_kdf_alg_id);
+ decode_ptr(krb5_data *, asn1_decode_kdf_alg_id);
}
asn1_error_code
@@ -1362,9 +1367,11 @@
val->serverDHNonce.data = NULL;
val->kdfID = NULL;
{ begin_structure();
- get_implicit_octet_string(val->dhSignedData.length, val->dhSignedData.data, 0);
+ get_implicit_charstring(val->dhSignedData.length,
+ val->dhSignedData.data, 0);
- opt_lenfield(val->serverDHNonce.length, val->serverDHNonce.data, 1, asn1_decode_octetstring);
+ opt_lenfield(val->serverDHNonce.length, val->serverDHNonce.data, 1,
+ asn1_decode_charstring);
opt_field(val->kdfID, 2, asn1_decode_kdf_alg_id_ptr, NULL);
end_structure();
}
@@ -1372,7 +1379,7 @@
error_out:
free(val->dhSignedData.data);
free(val->serverDHNonce.data);
- krb5_free_octet_data(NULL, val->kdfID);
+ krb5_free_data(NULL, val->kdfID);
val->kdfID = NULL;
val->dhSignedData.data = NULL;
val->serverDHNonce.data = NULL;
@@ -1451,8 +1458,8 @@
assert(subbuf.next >= subbuf.base);
if (length > (size_t)(subbuf.next - subbuf.base)) {
unsigned int size = length - (subbuf.next - subbuf.base);
- retval = asn1buf_remove_octetstring(&subbuf, size,
- &val->parameters.data);
+ retval = asn1buf_remove_charstring(&subbuf, size,
+ &val->parameters.data);
if (retval) clean_return(retval);
val->parameters.length = size;
}
@@ -1504,8 +1511,8 @@
val->subjectPublicKey.length = 0;
val->subjectPublicKey.data = NULL;
- retval = asn1buf_remove_octetstring(&subbuf, taglen,
- &val->subjectPublicKey.data);
+ retval = asn1buf_remove_charstring(&subbuf, taglen,
+ &val->subjectPublicKey.data);
if (retval) clean_return(retval);
val->subjectPublicKey.length = taglen;
/*
@@ -1549,7 +1556,8 @@
setup();
val->subjectPublicKey.data = NULL;
{ begin_structure();
- retval = asn1buf_remove_octetstring(&subbuf, taglen, &val->subjectPublicKey.data);
+ retval = asn1buf_remove_charstring(&subbuf, taglen,
+ &val->subjectPublicKey.data);
if (retval) clean_return(retval);
val->subjectPublicKey.length = taglen;
next_tag();
@@ -1641,8 +1649,9 @@
} else if (tagnum == choice_pa_pk_as_rep_encKeyPack) {
val->choice = choice_pa_pk_as_rep_encKeyPack;
val->u.encKeyPack.data = NULL;
- get_implicit_octet_string(val->u.encKeyPack.length, val->u.encKeyPack.data,
- choice_pa_pk_as_rep_encKeyPack);
+ get_implicit_charstring(val->u.encKeyPack.length,
+ val->u.encKeyPack.data,
+ choice_pa_pk_as_rep_encKeyPack);
} else {
val->choice = choice_pa_pk_as_rep_UNKNOWN;
}
@@ -1670,12 +1679,14 @@
val->choice = choice_pa_pk_as_rep_draft9_dhSignedData;
val->u.dhSignedData.data = NULL;
get_lenfield(val->u.dhSignedData.length, val->u.dhSignedData.data,
- choice_pa_pk_as_rep_draft9_dhSignedData, asn1_decode_octetstring);
+ choice_pa_pk_as_rep_draft9_dhSignedData,
+ asn1_decode_charstring);
} else if (tagnum == choice_pa_pk_as_rep_draft9_encKeyPack) {
val->choice = choice_pa_pk_as_rep_draft9_encKeyPack;
val->u.encKeyPack.data = NULL;
get_lenfield(val->u.encKeyPack.length, val->u.encKeyPack.data,
- choice_pa_pk_as_rep_draft9_encKeyPack, asn1_decode_octetstring);
+ choice_pa_pk_as_rep_draft9_encKeyPack,
+ asn1_decode_charstring);
} else {
val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN;
}
@@ -1692,7 +1703,7 @@
}
asn1_error_code
-asn1_decode_kdf_alg_id( asn1buf *buf, krb5_octet_data *val)
+asn1_decode_kdf_alg_id( asn1buf *buf, krb5_data *val)
{
setup();
val->data = NULL;
@@ -1707,11 +1718,9 @@
}
asn1_error_code
-asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf,
- krb5_octet_data ***val)
+asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf, krb5_data ***val)
{
- decode_array_body(krb5_octet_data, asn1_decode_kdf_alg_id_ptr,
- krb5_free_octet_data);
+ decode_array_body(krb5_data, asn1_decode_kdf_alg_id_ptr, krb5_free_data);
}
#endif /* DISABLE_PKINIT */
Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.h
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode.h 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode.h 2011-12-21 22:52:43 UTC (rev 25600)
@@ -277,10 +277,9 @@
krb5_iakerb_finished *val);
asn1_error_code
-asn1_decode_kdf_alg_id(asn1buf *buf, krb5_octet_data *val);
+asn1_decode_kdf_alg_id(asn1buf *buf, krb5_data *val);
asn1_error_code
-asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf,
- krb5_octet_data ***val);
+asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf, krb5_data ***val);
#endif
Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode_kdc.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode_kdc.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode_kdc.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -131,9 +131,9 @@
val->kdcPkId.data = NULL;
{
begin_structure();
- get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0);
+ get_implicit_charstring(val->signedAuthPack.length, val->signedAuthPack.data, 0);
opt_field(val->trustedCertifiers, 1, asn1_decode_sequence_of_external_principal_identifier, NULL);
- opt_implicit_octet_string(val->kdcPkId.length, val->kdcPkId.data, 2);
+ opt_implicit_charstring(val->kdcPkId.length, val->kdcPkId.data, 2);
end_structure();
}
return 0;
@@ -167,10 +167,10 @@
val->encryptionCert.data = NULL;
val->trustedCertifiers = NULL;
{ begin_structure();
- get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0);
+ get_implicit_charstring(val->signedAuthPack.length, val->signedAuthPack.data, 0);
opt_field(val->trustedCertifiers, 1, asn1_decode_sequence_of_trusted_ca, NULL);
- opt_lenfield(val->kdcCert.length, val->kdcCert.data, 2, asn1_decode_octetstring);
- opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 2, asn1_decode_octetstring);
+ opt_lenfield(val->kdcCert.length, val->kdcCert.data, 2, asn1_decode_charstring);
+ opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 2, asn1_decode_charstring);
end_structure();
}
return 0;
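Review bot: Both optional trailing fields of the draft-9 PA-PK-AS-REQ are matched against context tag 2 here (`opt_lenfield(val->kdcCert..., 2, ...)` followed by `opt_lenfield(val->encryptionCert..., 2, ...)`), a pairing the conversion carries over unchanged. Because opt_lenfield consumes the element on a tag match, encryptionCert can only be populated when kdcCert is absent, and a request carrying both lands entirely in kdcCert. If the draft-9 ASN.1 gives encryptionCert tag [3], as I believe it does, the second line should read `opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 3, asn1_decode_charstring);`; if tag 2 really is intended, a comment saying why would keep the next mechanical pass from copying it again. The enclosing decode function begins before the hunk.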
@@ -238,7 +238,7 @@
next_tag();
} else val->supportedCMSTypes = NULL;
}
- opt_lenfield(val->clientDHNonce.length, val->clientDHNonce.data, 3, asn1_decode_octetstring);
+ opt_lenfield(val->clientDHNonce.length, val->clientDHNonce.data, 3, asn1_decode_charstring);
opt_field(val->supportedKDFs, 4, asn1_decode_sequence_of_kdf_alg_id, NULL);
end_structure();
}
@@ -259,7 +259,7 @@
free(val->clientDHNonce.data);
if (val->supportedKDFs) {
for (i = 0; val->supportedKDFs[i]; i++)
- krb5_free_octet_data(NULL, val->supportedKDFs[i]);
+ krb5_free_data(NULL, val->supportedKDFs[i]);
free(val->supportedKDFs);
val->supportedKDFs = NULL;
}
Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode_macros.h
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode_macros.h 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode_macros.h 2011-12-21 22:52:43 UTC (rev 25600)
@@ -202,20 +202,20 @@
/*
* Deal with implicitly tagged fields
*/
-#define get_implicit_octet_string(len, var, tagexpect) \
+#define get_implicit_charstring(len, var, tagexpect) \
if (tagnum != (tagexpect)) clean_return(ASN1_MISSING_FIELD); \
if (asn1class != CONTEXT_SPECIFIC || construction != PRIMITIVE) \
clean_return(ASN1_BAD_ID); \
- retval = asn1buf_remove_octetstring(&subbuf, taglen, &(var)); \
+ retval = asn1buf_remove_charstring(&subbuf, taglen, &(var)); \
if (retval) clean_return(retval); \
(len) = taglen; \
next_tag()
-#define opt_implicit_octet_string(len, var, tagexpect) \
+#define opt_implicit_charstring(len, var, tagexpect) \
if (tagnum == (tagexpect)) { \
if (asn1class != CONTEXT_SPECIFIC || construction != PRIMITIVE) \
clean_return(ASN1_BAD_ID); \
- retval = asn1buf_remove_octetstring(&subbuf, taglen, &(var)); \
+ retval = asn1buf_remove_charstring(&subbuf, taglen, &(var)); \
if (retval) clean_return(retval); \
(len) = taglen; \
next_tag(); \
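Review bot: `get_implicit_charstring` still expands to four top-level statements without a `do { ... } while (0)` wrapper, so the renamed macro silently misbehaves if a caller ever writes it as the body of an un-braced `if`; only the `opt_` variant expands to a single statement. Wrapping both expansions in `do { ... } while (0)` makes them safe anywhere a statement is expected, at no cost to the existing call sites. The new name is also easy to misread: these fields hold raw DER bytes and "charstring" only means the destination is a `char *`, so a one-line comment above the macros, e.g. `/* "charstring" refers to the char * destination type; the payload is raw bytes, not text. */`, would save the next reader a detour into asn1buf.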
Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -1622,15 +1622,15 @@
#ifndef DISABLE_PKINIT
DEFFNXTYPE(algorithm_identifier, krb5_algorithm_identifier, asn1_encode_algorithm_identifier);
-DEFFNLENTYPE(object_identifier, asn1_octet *, asn1_encode_oid);
-DEFFIELDTYPE(oid_data, krb5_octet_data,
- FIELDOF_STRING(krb5_octet_data,object_identifier, data, length, -1));
+DEFFNLENTYPE(object_identifier, char *, asn1_encode_oid);
+DEFFIELDTYPE(oid_data, krb5_data,
+ FIELDOF_STRING(krb5_data, object_identifier, data, length, -1));
DEFPTRTYPE(oid_data_ptr, oid_data);
static const struct field_info kdf_alg_id_fields[] = {
- FIELDOF_ENCODEAS(krb5_octet_data, oid_data, 0)
+ FIELDOF_ENCODEAS(krb5_data, oid_data, 0)
};
-DEFSEQTYPE(kdf_alg_id, krb5_octet_data, kdf_alg_id_fields, NULL);
+DEFSEQTYPE(kdf_alg_id, krb5_data, kdf_alg_id_fields, NULL);
DEFPTRTYPE(kdf_alg_id_ptr, kdf_alg_id);
DEFNONEMPTYNULLTERMSEQOFTYPE(supported_kdfs, kdf_alg_id_ptr);
DEFPTRTYPE(supported_kdfs_ptr, supported_kdfs);
@@ -1664,8 +1664,8 @@
/* For PkinitSuppPubInfo, for pkinit agility */
static const struct field_info pkinit_supp_pub_info_fields[] = {
FIELDOF_NORM(krb5_pkinit_supp_pub_info, int32, enctype, 0),
- FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, as_req.data, as_req.length, 1),
- FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, pk_as_rep.data, pk_as_rep.length, 2),
+ FIELDOF_STRING(krb5_pkinit_supp_pub_info, charstring, as_req.data, as_req.length, 1),
+ FIELDOF_STRING(krb5_pkinit_supp_pub_info, charstring, pk_as_rep.data, pk_as_rep.length, 2),
};
DEFSEQTYPE(pkinit_supp_pub_info, krb5_pkinit_supp_pub_info, pkinit_supp_pub_info_fields, NULL);
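Review bot: The as_req and pk_as_rep fields of PkinitSuppPubInfo switch from the `octetstring` to the `charstring` encoder type, and this structure is an input to the algorithm-agility KDF, so any difference in the emitted DER (tag or length form) would change derived reply keys and break interoperability with peers that encode it the old way. From this hunk alone I cannot see whether `charstring` is merely a `char *` flavour of the OCTET STRING encoder or a distinct ASN.1 string type; if it is the former this is a no-op, and a comment such as `/* charstring encodes as OCTET STRING; wire format identical to the former octetstring fields. */` would record that for the next reader. pkinit_kdf_test.c is in the changed-file list; if it checks fixed RFC test vectors rather than only self-consistency, it is the place to confirm the bytes are unchanged.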
Modified: trunk/src/plugins/preauth/pkinit/pkinit.h
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit.h 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/plugins/preauth/pkinit/pkinit.h 2011-12-21 22:52:43 UTC (rev 25600)
@@ -115,7 +115,7 @@
#define OCTETDATA_TO_KRB5DATA(octd, k5d) \
(k5d)->length = (octd)->length; (k5d)->data = (char *)(octd)->data;
-extern const krb5_octet_data dh_oid;
+extern const krb5_data dh_oid;
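Review bot: `OCTETDATA_TO_KRB5DATA` at the top of this hunk survives the conversion even though PKINIT no longer has any krb5_octet_data to convert from, and its two-statement expansion without braces or `do { } while (0)` would execute the second assignment unconditionally if it were ever used under an un-braced `if`. If no caller remains after this commit (the plugin sources are only partly visible here), delete the macro; otherwise wrap it: `#define OCTETDATA_TO_KRB5DATA(octd, k5d) do { (k5d)->length = (octd)->length; (k5d)->data = (char *)(octd)->data; } while (0)`.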
/*
* notes about crypto contexts:
@@ -322,7 +322,7 @@
void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
void free_krb5_subject_pk_info(krb5_subject_pk_info **in);
-krb5_error_code pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src);
+krb5_error_code pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src);
/*
Modified: trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -261,8 +261,7 @@
auth_pack9->pkAuthenticator.nonce = nonce;
auth_pack9->pkAuthenticator.kdcName = server;
auth_pack9->pkAuthenticator.kdcRealm.magic = 0;
- auth_pack9->pkAuthenticator.kdcRealm.data =
- (unsigned char *)server->realm.data;
+ auth_pack9->pkAuthenticator.kdcRealm.data = server->realm.data;
auth_pack9->pkAuthenticator.kdcRealm.length = server->realm.length;
free(cksum->contents);
break;
@@ -279,7 +278,7 @@
auth_pack->pkAuthenticator.paChecksum = *cksum;
auth_pack->clientDHNonce.length = 0;
auth_pack->clientPublicValue = info;
- auth_pack->supportedKDFs = (krb5_octet_data **) supported_kdf_alg_ids;
+ auth_pack->supportedKDFs = (krb5_data **) supported_kdf_alg_ids;
/* add List of CMS algorithms */
retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
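Review bot: `auth_pack->supportedKDFs = (krb5_data **) supported_kdf_alg_ids;` casts away const on a table that pkinit_crypto.h declares const, so auth_pack now holds a writable pointer into read-only storage. That is only safe if whatever frees auth_pack skips supportedKDFs; the free path is not in this diff, so please confirm it, and add a comment at the assignment such as `/* Points at the static const KDF table; must not be freed with the auth pack. */` so the ownership is visible at the point where the cast is made. The function continues outside the hunk.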
@@ -298,7 +297,7 @@
switch(protocol) {
case DH_PROTOCOL:
pkiDebug("as_req: DH key transport algorithm\n");
- retval = pkinit_copy_krb5_octet_data(&info->algorithm.algorithm, &dh_oid);
+ retval = pkinit_copy_krb5_data(&info->algorithm.algorithm, &dh_oid);
if (retval) {
pkiDebug("failed to copy dh_oid\n");
goto cleanup;
@@ -307,8 +306,10 @@
/* create client-side DH keys */
if ((retval = client_create_dh(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx, reqctx->opts->dh_size,
+ (unsigned char **)
&info->algorithm.parameters.data,
&info->algorithm.parameters.length,
+ (unsigned char **)
&info->subjectPublicKey.data,
&info->subjectPublicKey.length)) != 0) {
pkiDebug("failed to create dh parameters\n");
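Review bot: The `(unsigned char **)` casts added to the client_create_dh call (and repeated in the later hunks of this file) have the callee store an `unsigned char *` through an lvalue whose declared type is `char *`; the two pointer types are not compatible, so this is formally an effective-type violation even though every current compiler treats it as a no-op. Receiving the outputs into local `unsigned char *` temporaries and assigning them to the krb5_data fields with a `(char *)` value cast, or changing the crypto-layer out-parameters to `char **` now that every caller stores into krb5_data, would keep the code strictly conforming and remove the eye-catching cast from every call site. The function continues outside the hunk.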
@@ -365,9 +366,11 @@
if (use_content_info(context, reqctx, client)) {
retval = cms_contentinfo_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx,
- CMS_SIGN_CLIENT, (unsigned char *)
+ CMS_SIGN_CLIENT,
+ (unsigned char *)
coded_auth_pack->data,
coded_auth_pack->length,
+ (unsigned char **)
&req->signedAuthPack.data,
&req->signedAuthPack.length);
} else {
@@ -377,6 +380,7 @@
(unsigned char *)
coded_auth_pack->data,
coded_auth_pack->length,
+ (unsigned char **)
&req->signedAuthPack.data,
&req->signedAuthPack.length);
}
@@ -394,8 +398,11 @@
}
retval = cms_signeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_DRAFT9, 1,
- (unsigned char *)coded_auth_pack->data, coded_auth_pack->length,
- &req9->signedAuthPack.data, &req9->signedAuthPack.length);
+ (unsigned char *)coded_auth_pack->data,
+ coded_auth_pack->length,
+ (unsigned char **)
+ &req9->signedAuthPack.data,
+ &req9->signedAuthPack.length);
break;
#ifdef DEBUG_ASN1
print_buffer_bin((unsigned char *)req9->signedAuthPack.data,
@@ -417,7 +424,8 @@
if (retval)
goto cleanup;
retval = create_issuerAndSerial(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, &req->kdcPkId.data,
+ reqctx->cryptoctx, reqctx->idctx,
+ (unsigned char **)&req->kdcPkId.data,
&req->kdcPkId.length);
if (retval)
goto cleanup;
@@ -435,7 +443,8 @@
#endif
retval = create_issuerAndSerial(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, &req9->kdcCert.data,
+ reqctx->cryptoctx, reqctx->idctx,
+ (unsigned char **)&req9->kdcCert.data,
&req9->kdcCert.length);
if (retval)
goto cleanup;
@@ -678,12 +687,12 @@
krb5_kdc_dh_key_info *kdc_dh = NULL;
krb5_reply_key_pack *key_pack = NULL;
krb5_reply_key_pack_draft9 *key_pack9 = NULL;
- krb5_octet_data dh_data = { 0, 0, NULL };
+ krb5_data dh_data = { 0, 0, NULL };
unsigned char *client_key = NULL, *kdc_hostname = NULL;
unsigned int client_key_len = 0;
krb5_checksum cksum = {0, 0, 0, NULL};
krb5_data k5data;
- krb5_octet_data secret;
+ krb5_data secret;
int valid_san = 0;
int valid_eku = 0;
int need_eku_checking = 1;
@@ -710,9 +719,11 @@
if ((retval = cms_signeddata_verify(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_SERVER,
reqctx->opts->require_crl_checking,
+ (unsigned char *)
kdc_reply->u.dh_Info.dhSignedData.data,
kdc_reply->u.dh_Info.dhSignedData.length,
- &dh_data.data, &dh_data.length,
+ (unsigned char **)&dh_data.data,
+ &dh_data.length,
NULL, NULL, NULL)) != 0) {
pkiDebug("failed to verify pkcs7 signed data\n");
goto cleanup;
@@ -724,9 +735,11 @@
if ((retval = cms_envelopeddata_verify(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx, pa_type,
reqctx->opts->require_crl_checking,
+ (unsigned char *)
kdc_reply->u.encKeyPack.data,
kdc_reply->u.encKeyPack.length,
- &dh_data.data, &dh_data.length)) != 0) {
+ (unsigned char **)&dh_data.data,
+ &dh_data.length)) != 0) {
pkiDebug("failed to verify pkcs7 enveloped data\n");
goto cleanup;
}
@@ -787,6 +800,7 @@
/* client after KDC reply */
if ((retval = client_process_dh(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx,
+ (unsigned char *)
kdc_dh->subjectPublicKey.data,
kdc_dh->subjectPublicKey.length,
&client_key, &client_key_len)) != 0) {
@@ -797,15 +811,13 @@
/* If we have a KDF algorithm ID, call the algorithm agility KDF... */
if (kdc_reply->u.dh_Info.kdfID) {
secret.length = client_key_len;
- secret.data = client_key;
+ secret.data = (char *)client_key;
retval = pkinit_alg_agility_kdf(context, &secret,
kdc_reply->u.dh_Info.kdfID,
- request->client,
- request->server, etype,
- (krb5_octet_data *)encoded_request,
- (krb5_octet_data *)as_rep,
- key_block);
+ request->client, request->server,
+ etype, encoded_request,
+ (krb5_data *)as_rep, key_block);
if (retval) {
pkiDebug("failed to create key pkinit_alg_agility_kdf %s\n",
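Review bot: `(krb5_data *)as_rep` in the pkinit_alg_agility_kdf call discards a const qualifier (presumably as_rep is a `const krb5_data *` parameter, since `encoded_request` on the line above now passes without a cast); const-qualifying the KDF's read-only inputs would remove the cast and make the two arguments consistent. Separately, `secret.data` now aliases `client_key`, the DH shared secret that key_block is derived from; the cleanup path is outside this hunk, so I cannot see whether client_key is zeroized before it is freed, which it should be. Once confirmed, a comment at the assignment such as `/* secret aliases client_key; owned and wiped in cleanup */` would document that ownership. The enclosing function continues past the hunk.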
Modified: trunk/src/plugins/preauth/pkinit/pkinit_crypto.h
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_crypto.h 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/plugins/preauth/pkinit/pkinit_crypto.h 2011-12-21 22:52:43 UTC (rev 25600)
@@ -348,7 +348,7 @@
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
- krb5_octet_data *dh_params, /* IN
+ krb5_data *dh_params, /* IN
???? */
int minbits); /* IN
the mininum number of key bits acceptable */
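Review bot: The parameter comment for `dh_params` is still the placeholder `/* IN ???? */`, so the only thing this prototype documents about the argument is its direction. The NSS hunk in this commit wraps it in a SECItem next to `client_dh_params`, which suggests it is the DER-encoded DH domain parameters proposed by the client; if that is right, `/* IN: DER-encoded DH domain parameters proposed by the client */` would replace the placeholder, but confirm the wording against the OpenSSL implementation before committing it. The typo in the following comment, `mininum`, should also become `minimum`.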
@@ -636,13 +636,13 @@
krb5_error_code
pkinit_alg_agility_kdf(krb5_context context,
- krb5_octet_data *secret,
- krb5_octet_data *alg_oid,
+ krb5_data *secret,
+ krb5_data *alg_oid,
krb5_const_principal party_u_info,
krb5_const_principal party_v_info,
krb5_enctype enctype,
- krb5_octet_data *as_req,
- krb5_octet_data *pk_as_rep,
+ krb5_data *as_req,
+ krb5_data *pk_as_rep,
krb5_keyblock *key_block);
extern const krb5_octet krb5_pkinit_sha1_oid[];
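Review bot: None of the four `krb5_data *` inputs to pkinit_alg_agility_kdf (`secret`, `alg_oid`, `as_req`, `pk_as_rep`) is const-qualified although the function only reads them, and pkinit_clnt.c in this same commit has to cast `(krb5_data *)as_rep` to call it. Changing them to `const krb5_data *`, with the matching change in the OpenSSL and NSS definitions, removes that cast and states the contract in the signature. A short Doxygen comment naming `key_block` as the only output and stating what `as_req` and `pk_as_rep` must contain (presumably the encoded AS-REQ and PA-PK-AS-REP) would also help, since the header currently has none for this function.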
@@ -652,10 +652,10 @@
extern const krb5_octet krb5_pkinit_sha512_oid[];
extern const size_t krb5_pkinit_sha512_oid_len;
/**
- * An ordered set of OIDs, stored as krb5_octet_data of KDF algorithms
+ * An ordered set of OIDs, stored as krb5_data, of KDF algorithms
* supported by this implementation. The order of this array controls
* the order in which the server will pick.
*/
-extern const krb5_octet_data const *supported_kdf_alg_ids[] ;
+extern const krb5_data const *supported_kdf_alg_ids[] ;
#endif /* _PKINIT_CRYPTO_H */
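Review bot: `extern const krb5_data const *supported_kdf_alg_ids[] ;` still carries a duplicated `const` which, being on the same side of the `*`, qualifies krb5_data twice; it makes neither the pointers nor the array const, and a repeated qualifier is ill-formed before C99. The intent stated in the doc comment above (an immutable ordered table) is expressed by `extern const krb5_data *const supported_kdf_alg_ids[];`, which also drops the stray space before the semicolon. Callers that cast the table to `krb5_data **` will need their cast either way, so this is declaration-only.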
Modified: trunk/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_crypto_nss.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/plugins/preauth/pkinit/pkinit_crypto_nss.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -1531,7 +1531,7 @@
pkinit_plg_crypto_context plg_cryptoctx,
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_crypto_context id_cryptoctx,
- krb5_octet_data *dh_params, int minbits)
+ krb5_data *dh_params, int minbits)
{
PLArenaPool *pool;
SECItem item;
@@ -1540,7 +1540,7 @@
if (pool == NULL)
return ENOMEM;
- item.data = dh_params->data;
+ item.data = (unsigned char *)dh_params->data;
item.len = dh_params->length;
memset(&req_cryptoctx->client_dh_params, 0,
sizeof(req_cryptoctx->client_dh_params));
@@ -1757,7 +1757,8 @@
memset(id, 0, sizeof(*id));
ids[i] = id;
oid = SECOID_FindOIDByTag(oids[i]);
- if (secitem_to_buf_len(&oid->oid, &id->algorithm.data,
+ if (secitem_to_buf_len(&oid->oid,
+ (unsigned char **)&id->algorithm.data,
&id->algorithm.length) != 0) {
free(ids[i]);
free_n_algorithm_identifiers(ids, i - 1);
@@ -1841,9 +1842,11 @@
* of the pkinit module. */
if ((node->cert->keyIDGenerated ?
secitem_to_buf_len(&node->cert->derSubject,
+ (unsigned char **)
&id->subjectName.data,
&id->subjectName.length) :
secitem_to_buf_len(&node->cert->subjectKeyID,
+ (unsigned char **)
&id->subjectKeyIdentifier.data,
&id->subjectKeyIdentifier.length)) != 0) {
/* Free the earlier items. */
@@ -3313,9 +3316,9 @@
continue;
/* Add it to the list. */
memset(&id[j], 0, sizeof(id[j]));
- id[j].algorithm.data = oid->data;
+ id[j].algorithm.data = (char *)oid->data;
id[j].algorithm.length = oid->len;
- id[j].parameters.data = tmp.data;
+ id[j].parameters.data = (char *)tmp.data;
id[j].parameters.length = tmp.len;
ids[j] = &id[j];
j++;
@@ -3368,7 +3371,7 @@
for (i = 0; (algId != NULL) && (algId[i] != NULL); i++) {
/* Decode the domain parameters. */
item.len = algId[i]->parameters.length;
- item.data = algId[i]->parameters.data;
+ item.data = (unsigned char *)algId[i]->parameters.data;
memset(¶ms, 0, sizeof(params));
if (SEC_ASN1DecodeItem(req_cryptoctx->pool, ¶ms,
domain_parameters_template,
@@ -3418,11 +3421,11 @@
if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn,
issuer_and_serial_number_template) != &item)
return ENOMEM;
- id.issuerAndSerialNumber.data = item.data;
+ id.issuerAndSerialNumber.data = (char *)item.data;
id.issuerAndSerialNumber.length = item.len;
} else {
item = invalid->subjectKeyID;
- id.subjectKeyIdentifier.data = item.data;
+ id.subjectKeyIdentifier.data = (char *)item.data;
id.subjectKeyIdentifier.length = item.len;
}
ids[0] = &id;
@@ -3573,11 +3576,11 @@
CERT_DestroyCertList(clist);
return ENOMEM;
}
- id[i].issuerAndSerialNumber.data = item.data;
+ id[i].issuerAndSerialNumber.data = (char *)item.data;
id[i].issuerAndSerialNumber.length = item.len;
} else {
item = node->cert->subjectKeyID;
- id[i].subjectKeyIdentifier.data = item.data;
+ id[i].subjectKeyIdentifier.data = (char *)item.data;
id[i].subjectKeyIdentifier.length = item.len;
}
ids[i] = &id[i];
@@ -3810,22 +3813,22 @@
/* Return TRUE if the item and the "algorithm" part of the algorithm identifier
* are the same. */
static PRBool
-octet_data_and_data_and_length_equal(const krb5_octet_data *octets,
- const void *data, size_t len)
+data_and_ptr_and_length_equal(const krb5_data *data,
+ const void *ptr, size_t len)
{
- return (octets->length == len) && (memcmp(octets->data, data, len) == 0);
+ return (data->length == len) && (memcmp(data->data, ptr, len) == 0);
}
/* Encode the other info used by the agility KDF. Taken almost verbatim from
* parts of the agility KDF in pkinit_crypto_openssl.c */
static krb5_error_code
encode_agility_kdf_other_info(krb5_context context,
- krb5_octet_data *alg_oid,
+ krb5_data *alg_oid,
krb5_const_principal party_u_info,
krb5_const_principal party_v_info,
krb5_enctype enctype,
- krb5_octet_data *as_req,
- krb5_octet_data *pk_as_rep,
+ krb5_data *as_req,
+ krb5_data *pk_as_rep,
krb5_data **other_info)
{
krb5_error_code retval = 0;
@@ -3873,13 +3876,13 @@
* one that we support. */
krb5_error_code
pkinit_alg_agility_kdf(krb5_context context,
- krb5_octet_data *secret,
- krb5_octet_data *alg_oid,
+ krb5_data *secret,
+ krb5_data *alg_oid,
krb5_const_principal party_u_info,
krb5_const_principal party_v_info,
krb5_enctype enctype,
- krb5_octet_data *as_req,
- krb5_octet_data *pk_as_rep,
+ krb5_data *as_req,
+ krb5_data *pk_as_rep,
krb5_keyblock *key_block)
{
krb5_data *other_info = NULL;
@@ -3894,30 +3897,27 @@
if (retval != 0)
return retval;
- if (octet_data_and_data_and_length_equal(alg_oid,
- krb5_pkinit_sha512_oid,
- krb5_pkinit_sha512_oid_len))
+ if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha512_oid,
+ krb5_pkinit_sha512_oid_len))
retval = pkinit_octetstring_hkdf(context,
SEC_OID_SHA512, 1, 4, enctype,
- secret->data, secret->length,
- other_info->data, other_info->length,
- key_block);
- else if (octet_data_and_data_and_length_equal(alg_oid,
- krb5_pkinit_sha256_oid,
- krb5_pkinit_sha256_oid_len))
+ (unsigned char *)secret->data,
+ secret->length, other_info->data,
+ other_info->length, key_block);
+ else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha256_oid,
+ krb5_pkinit_sha256_oid_len))
retval = pkinit_octetstring_hkdf(context,
SEC_OID_SHA256, 1, 4, enctype,
- secret->data, secret->length,
- other_info->data, other_info->length,
- key_block);
- else if (octet_data_and_data_and_length_equal(alg_oid,
- krb5_pkinit_sha1_oid,
- krb5_pkinit_sha1_oid_len))
+ (unsigned char *)secret->data,
+ secret->length, other_info->data,
+ other_info->length, key_block);
+ else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha1_oid,
+ krb5_pkinit_sha1_oid_len))
retval = pkinit_octetstring_hkdf(context,
SEC_OID_SHA1, 1, 4, enctype,
- secret->data, secret->length,
- other_info->data, other_info->length,
- key_block);
+ (unsigned char *)secret->data,
+ secret->length, other_info->data,
+ other_info->length, key_block);
else
retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF;
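Review bot: The three branches now differ only in the OID compared and the SEC_OID passed to pkinit_octetstring_hkdf, and the reformatting has made that repetition more visible; a small static table of `{oid, oid_len, sec_oid}` entries walked in a loop, falling through to `KRB5KDC_ERR_NO_ACCEPTABLE_KDF` on no match, would express the same selection in a third of the lines and make adding a hash a one-line change. In the helper introduced at 3813, naming the first parameter `data` makes the body read `data->data` because krb5_data's member has the same name; `item` or `d` for the parameter would read better. pkinit_alg_agility_kdf starts in the previous hunk and ends outside this one, so the release of `other_info` is not visible here.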
Modified: trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -2305,7 +2305,7 @@
*/
static krb5_error_code
pkinit_alg_values(krb5_context context,
- const krb5_octet_data *alg_id,
+ const krb5_data *alg_id,
size_t *hash_bytes,
const EVP_MD *(**func)(void))
{
@@ -2356,13 +2356,13 @@
*/
krb5_error_code
pkinit_alg_agility_kdf(krb5_context context,
- krb5_octet_data *secret,
- krb5_octet_data *alg_oid,
+ krb5_data *secret,
+ krb5_data *alg_oid,
krb5_const_principal party_u_info,
krb5_const_principal party_v_info,
krb5_enctype enctype,
- krb5_octet_data *as_req,
- krb5_octet_data *pk_as_rep,
+ krb5_data *as_req,
+ krb5_data *pk_as_rep,
krb5_keyblock *key_block)
{
krb5_error_code retval = 0;
@@ -2703,7 +2703,7 @@
pkinit_plg_crypto_context cryptoctx,
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_crypto_context id_cryptoctx,
- krb5_octet_data *dh_params,
+ krb5_data *dh_params,
int minbits)
{
DH *dh = NULL;
@@ -2711,7 +2711,7 @@
int dh_prime_bits;
krb5_error_code retval = KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
- tmp = dh_params->data;
+ tmp = (unsigned char *)dh_params->data;
dh = DH_new();
dh = pkinit_decode_dh_params(&dh, &tmp, dh_params->length);
if (dh == NULL) {
@@ -3309,7 +3309,7 @@
memcmp(algId[i]->algorithm.data, dh_oid.data, dh_oid.length))
goto cleanup;
- tmp = algId[i]->parameters.data;
+ tmp = (unsigned char *)algId[i]->parameters.data;
dh = DH_new();
dh = pkinit_decode_dh_params(&dh, &tmp, algId[i]->parameters.length);
dh_prime_bits = BN_num_bits(dh->p);
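Review bot: `dh` is dereferenced on the last line (`BN_num_bits(dh->p)`) without checking the result of pkinit_decode_dh_params, whereas the identical sequence in the hunk at 2711 guards with `if (dh == NULL)`. The parameters being decoded come from the peer's algorithm identifier, so a malformed encoding would reach a NULL dereference; `if (dh == NULL) goto cleanup;` between the decode and the BN_num_bits call matches the sibling code, and the function already uses `goto cleanup` two lines above. The enclosing function starts and ends outside the hunk.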
@@ -5447,8 +5447,9 @@
xn = X509_get_subject_name(x);
len = i2d_X509_NAME(xn, NULL);
- if ((p = krb5_cas[i]->subjectName.data = malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->subjectName.data = (char *)p;
i2d_X509_NAME(xn, &p);
krb5_cas[i]->subjectName.length = len;
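Review bot: A negative return from `i2d_X509_NAME(xn, NULL)` (an encoding failure) is cast straight to `size_t` on the new malloc line, turning -1 into SIZE_MAX and relying on malloc failing to reach `cleanup`; with the assignment now split out, `if (len < 0) goto cleanup;` fits naturally between the `len =` line and the malloc, and the result of the second `i2d_X509_NAME(xn, &p)` should be compared against `len` before it is stored as the length. The same pattern appears in the hunks at 5466, 5490, 5653 and 5668 for i2d_PKCS7_ISSUER_AND_SERIAL and i2d_ASN1_OCTET_STRING. The enclosing function starts and ends outside the hunk.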
@@ -5465,9 +5466,9 @@
M_ASN1_INTEGER_free(is->serial);
is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
- if ((p = krb5_cas[i]->issuerAndSerialNumber.data =
- malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->issuerAndSerialNumber.data = (char *)p;
i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
krb5_cas[i]->issuerAndSerialNumber.length = len;
#ifdef LONGHORN_BETA_COMPAT
@@ -5489,9 +5490,9 @@
if ((ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL,
NULL))) {
len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
- if ((p = krb5_cas[i]->subjectKeyIdentifier.data =
- malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->subjectKeyIdentifier.data = (char *)p;
i2d_ASN1_OCTET_STRING(ikeyid, &p);
krb5_cas[i]->subjectKeyIdentifier.length = len;
}
@@ -5558,7 +5559,7 @@
krb5_error_code retval = ENOMEM;
krb5_algorithm_identifier **loids = NULL;
- krb5_octet_data des3oid = {0, 8, (unsigned char *)"\x2A\x86\x48\x86\xF7\x0D\x03\x07" };
+ krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };
*oids = NULL;
loids = malloc(2 * sizeof(krb5_algorithm_identifier *));
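Review bot: `des3oid.data` now points at a string literal through a non-const `char *` in a mutable local struct, so any later write through it would be undefined behaviour; as far as the diff shows the value is only passed to `pkinit_copy_krb5_data` in the next hunk, which presumably copies it, so a comment such as `/* points at a string literal; never written through */` on the declaration is enough to keep that contract visible. The `dh_oid` definition in pkinit_lib.c has the same shape, though that object is itself `const`. The enclosing function starts and ends outside the hunk.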
@@ -5570,7 +5571,7 @@
free(loids);
goto cleanup;
}
- retval = pkinit_copy_krb5_octet_data(&loids[0]->algorithm, &des3oid);
+ retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid);
if (retval) {
free(loids[0]);
free(loids);
@@ -5652,9 +5653,9 @@
krb5_cas[i]->u.caName.length = 0;
xn = X509_get_subject_name(x);
len = i2d_X509_NAME(xn, NULL);
- if ((p = krb5_cas[i]->u.caName.data =
- malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->u.caName.data = (char *)p;
i2d_X509_NAME(xn, &p);
krb5_cas[i]->u.caName.length = len;
break;
@@ -5667,9 +5668,9 @@
M_ASN1_INTEGER_free(is->serial);
is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
- if ((p = krb5_cas[i]->u.issuerAndSerial.data =
- malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->u.issuerAndSerial.data = (char *)p;
i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
krb5_cas[i]->u.issuerAndSerial.length = len;
if (is != NULL) {
@@ -5789,7 +5790,7 @@
sk_xn = sk_X509_NAME_new_null();
while(krb5_trusted_certifiers[i] != NULL) {
if (krb5_trusted_certifiers[i]->subjectName.data != NULL) {
- p = krb5_trusted_certifiers[i]->subjectName.data;
+ p = (unsigned char *)krb5_trusted_certifiers[i]->subjectName.data;
xn = d2i_X509_NAME(NULL, &p,
(int)krb5_trusted_certifiers[i]->subjectName.length);
if (xn == NULL)
@@ -5803,7 +5804,8 @@
}
if (krb5_trusted_certifiers[i]->issuerAndSerialNumber.data != NULL) {
- p = krb5_trusted_certifiers[i]->issuerAndSerialNumber.data;
+ p = (unsigned char *)
+ krb5_trusted_certifiers[i]->issuerAndSerialNumber.data;
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p,
(int)krb5_trusted_certifiers[i]->issuerAndSerialNumber.length);
if (is == NULL)
@@ -5819,7 +5821,8 @@
}
if (krb5_trusted_certifiers[i]->subjectKeyIdentifier.data != NULL) {
- p = krb5_trusted_certifiers[i]->subjectKeyIdentifier.data;
+ p = (unsigned char *)
+ krb5_trusted_certifiers[i]->subjectKeyIdentifier.data;
id = d2i_ASN1_OCTET_STRING(NULL, &p,
(int)krb5_trusted_certifiers[i]->subjectKeyIdentifier.length);
if (id == NULL)
Modified: trunk/src/plugins/preauth/pkinit/pkinit_kdf_constants.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_kdf_constants.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/plugins/preauth/pkinit/pkinit_kdf_constants.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -57,14 +57,14 @@
const size_t krb5_pkinit_sha512_oid_len = 8;
#define oid_as_data(var, oid_base) \
- const krb5_octet_data var = \
- {0, sizeof oid_base, (krb5_octet *) oid_base}
+ const krb5_data var = \
+ {0, sizeof oid_base, (char *)oid_base}
oid_as_data(sha1_id, krb5_pkinit_sha1_oid);
oid_as_data(sha256_id, krb5_pkinit_sha256_oid);
oid_as_data(sha512_id, krb5_pkinit_sha512_oid);
#undef oid_as_data
-const krb5_octet_data const *supported_kdf_alg_ids[] = {
+const krb5_data const *supported_kdf_alg_ids[] = {
&sha256_id,
&sha1_id,
&sha512_id,
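Review bot: The new declaration `const krb5_data const *supported_kdf_alg_ids[]` repeats `const` on the element type instead of qualifying the pointers, which compilers report as a duplicate declaration specifier; the intended reading is presumably `const krb5_data *const supported_kdf_alg_ids[] = {`, which also keeps the table of pointers read-only. The `(char *)oid_base` cast in the `oid_as_data` macro strips `const` from the OID arrays if they are declared const (their definitions are outside the hunk); that is forced by `krb5_data.data` being `char *`, but a one-line comment on the macro noting that the resulting entries must be treated as read-only would help the next reader.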
Modified: trunk/src/plugins/preauth/pkinit/pkinit_kdf_test.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_kdf_test.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/plugins/preauth/pkinit/pkinit_kdf_test.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -83,10 +83,10 @@
{
/* arguments for calls to pkinit_alg_agility_kdf() */
krb5_context context = 0;
- krb5_octet_data secret;
+ krb5_data secret;
krb5_algorithm_identifier alg_id;
- krb5_octet_data as_req;
- krb5_octet_data pk_as_rep;
+ krb5_data as_req;
+ krb5_data pk_as_rep;
krb5_keyblock key_block;
/* other local variables */
@@ -127,14 +127,14 @@
memset(twenty_as, 0xaa, sizeof(twenty_as));
memset(eighteen_bs, 0xbb, sizeof(eighteen_bs));
as_req.length = sizeof(twenty_as);
- as_req.data = (unsigned char *)&twenty_as;
+ as_req.data = twenty_as;
pk_as_rep.length = sizeof(eighteen_bs);
- pk_as_rep.data = (unsigned char *)&eighteen_bs;
+ pk_as_rep.data = eighteen_bs;
/* TEST 1: SHA-1/AES */
/* set up algorithm id */
- alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha1_oid;
+ alg_id.algorithm.data = (char *)krb5_pkinit_sha1_oid;
alg_id.algorithm.length = krb5_pkinit_sha1_oid_len;
enctype = enctype_aes;
@@ -175,7 +175,7 @@
/* TEST 2: SHA-256/AES */
/* set up algorithm id */
- alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha256_oid;
+ alg_id.algorithm.data = (char *)krb5_pkinit_sha256_oid;
alg_id.algorithm.length = krb5_pkinit_sha256_oid_len;
enctype = enctype_aes;
@@ -216,7 +216,7 @@
/* TEST 3: SHA-512/DES3 */
/* set up algorithm id */
- alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha512_oid;
+ alg_id.algorithm.data = (char *)krb5_pkinit_sha512_oid;
alg_id.algorithm.length = krb5_pkinit_sha512_oid_len;
enctype = enctype_des3;
Modified: trunk/src/plugins/preauth/pkinit/pkinit_lib.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_lib.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/plugins/preauth/pkinit/pkinit_lib.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -43,8 +43,7 @@
#define FAKECERT
-const krb5_octet_data
-dh_oid = { 0, 7, (unsigned char *)"\x2A\x86\x48\xce\x3e\x02\x01" };
+const krb5_data dh_oid = { 0, 7, "\x2A\x86\x48\xce\x3e\x02\x01" };
krb5_error_code
@@ -164,10 +163,10 @@
if ((*in)->supportedCMSTypes != NULL)
free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes));
if ((*in)->supportedKDFs) {
- krb5_octet_data **supportedKDFs = (*in)->supportedKDFs;
+ krb5_data **supportedKDFs = (*in)->supportedKDFs;
unsigned i;
for (i = 0; supportedKDFs[i]; i++)
- krb5_free_octet_data(NULL, supportedKDFs[i]);
+ krb5_free_data(NULL, supportedKDFs[i]);
free(supportedKDFs);
}
free(*in);
@@ -188,7 +187,7 @@
if (*in == NULL) return;
switch ((*in)->choice) {
case choice_pa_pk_as_rep_dhInfo:
- krb5_free_octet_data(NULL, (*in)->u.dh_Info.kdfID);
+ krb5_free_data(NULL, (*in)->u.dh_Info.kdfID);
free((*in)->u.dh_Info.dhSignedData.data);
break;
case choice_pa_pk_as_rep_encKeyPack:
@@ -403,7 +402,7 @@
}
krb5_error_code
-pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src)
+pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src)
{
if (dst == NULL || src == NULL)
return EINVAL;
Modified: trunk/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_srv.c 2011-12-20 19:39:55 UTC (rev 25599)
+++ trunk/src/plugins/preauth/pkinit/pkinit_srv.c 2011-12-21 22:52:43 UTC (rev 25600)
@@ -289,7 +289,7 @@
void *arg)
{
krb5_error_code retval = 0;
- krb5_octet_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL};
+ krb5_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL};
krb5_pa_pk_as_req *reqp = NULL;
krb5_pa_pk_as_req_draft9 *reqp9 = NULL;
krb5_auth_pack *auth_pack = NULL;
@@ -350,8 +350,11 @@
retval = cms_signeddata_verify(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_CLIENT,
plgctx->opts->require_crl_checking,
+ (unsigned char *)
reqp->signedAuthPack.data, reqp->signedAuthPack.length,
- &authp_data.data, &authp_data.length, &krb5_authz.data,
+ (unsigned char **)&authp_data.data,
+ &authp_data.length,
+ (unsigned char **)&krb5_authz.data,
&krb5_authz.length, &is_signed);
break;
case KRB5_PADATA_PK_AS_REP_OLD:
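Review bot: `(unsigned char **)&authp_data.data` lets cms_signeddata_verify store through an `unsigned char **` into an object of type `char *`, which is an access through an incompatible pointer type under C11 6.5p7 (the character-type exemption covers `char`, not pointers to it); current compilers accept it, but it is the kind of cast that also hides a real type mismatch. Local `unsigned char *` out-pointers passed as `&authp, &authz` and copied into the krb5_data fields after the call keep the types honest; the same cast appears in the hunks at 374, 831, 846, 923 and 956 on the `dhSignedData` and `encKeyPack` out-parameters. The enclosing switch and function start and end outside the hunk, and the locals would have to be declared with the others at the top of the function.
```c
unsigned char *authp = NULL, *authz = NULL;   /* with the other locals at function top */
/* … unchanged: decode of reqp … */
retval = cms_signeddata_verify(context, plgctx->cryptoctx,
                               reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_CLIENT,
                               plgctx->opts->require_crl_checking,
                               (unsigned char *)reqp->signedAuthPack.data,
                               reqp->signedAuthPack.length,
                               &authp, &authp_data.length,
                               &authz, &krb5_authz.length, &is_signed);
authp_data.data = (char *)authp;
krb5_authz.data = (char *)authz;
```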
@@ -371,8 +374,11 @@
retval = cms_signeddata_verify(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9,
plgctx->opts->require_crl_checking,
+ (unsigned char *)
reqp9->signedAuthPack.data, reqp9->signedAuthPack.length,
- &authp_data.data, &authp_data.length, &krb5_authz.data,
+ (unsigned char **)&authp_data.data,
+ &authp_data.length,
+ (unsigned char **)&krb5_authz.data,
&krb5_authz.length, NULL);
break;
default:
@@ -483,7 +489,8 @@
int valid_kdcPkId = 0;
retval = pkinit_check_kdc_pkid(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx,
- reqp->kdcPkId.data, reqp->kdcPkId.length, &valid_kdcPkId);
+ (unsigned char *)reqp->kdcPkId.data,
+ reqp->kdcPkId.length, &valid_kdcPkId);
if (retval)
goto cleanup;
if (!valid_kdcPkId)
@@ -616,14 +623,13 @@
}
static krb5_error_code
-pkinit_pick_kdf_alg(krb5_context context,
- krb5_octet_data **kdf_list,
- krb5_octet_data **alg_oid)
+pkinit_pick_kdf_alg(krb5_context context, krb5_data **kdf_list,
+ krb5_data **alg_oid)
{
krb5_error_code retval = 0;
- krb5_octet_data *req_oid = NULL;
- const krb5_octet_data *supp_oid = NULL;
- krb5_octet_data *tmp_oid = NULL;
+ krb5_data *req_oid = NULL;
+ const krb5_data *supp_oid = NULL;
+ krb5_data *tmp_oid = NULL;
int i, j = 0;
/* if we don't find a match, return NULL value */
@@ -635,7 +641,7 @@
for (j = 0; NULL != (req_oid = kdf_list[j]); j++) {
if ((req_oid->length == supp_oid->length) &&
(0 == memcmp(req_oid->data, supp_oid->data, req_oid->length))) {
- tmp_oid = k5alloc(sizeof(krb5_octet_data), &retval);
+ tmp_oid = k5alloc(sizeof(krb5_data), &retval);
if (retval)
goto cleanup;
tmp_oid->data = k5alloc(supp_oid->length, &retval);
@@ -652,7 +658,7 @@
}
cleanup:
if (tmp_oid)
- krb5_free_octet_data(context, tmp_oid);
+ krb5_free_data(context, tmp_oid);
return retval;
}
@@ -685,7 +691,7 @@
krb5_pa_pk_as_rep *rep = NULL;
krb5_pa_pk_as_rep_draft9 *rep9 = NULL;
krb5_data *out_data = NULL;
- krb5_octet_data secret;
+ krb5_data secret;
krb5_enctype enctype = -1;
@@ -767,14 +773,14 @@
if (reqctx->rcv_auth_pack != NULL &&
reqctx->rcv_auth_pack->clientPublicValue != NULL) {
- subjectPublicKey =
+ subjectPublicKey = (unsigned char *)
reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.data;
subjectPublicKey_len =
reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length;
rep->choice = choice_pa_pk_as_rep_dhInfo;
} else if (reqctx->rcv_auth_pack9 != NULL &&
reqctx->rcv_auth_pack9->clientPublicValue != NULL) {
- subjectPublicKey =
+ subjectPublicKey = (unsigned char *)
reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.data;
subjectPublicKey_len =
reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.length;
@@ -805,7 +811,7 @@
*/
dhkey_info.subjectPublicKey.length = dh_pubkey_len;
- dhkey_info.subjectPublicKey.data = dh_pubkey;
+ dhkey_info.subjectPublicKey.data = (char *)dh_pubkey;
dhkey_info.nonce = request->nonce;
dhkey_info.dhKeyExpiration = 0;
@@ -825,8 +831,10 @@
case KRB5_PADATA_PK_AS_REQ:
retval = cms_signeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_SERVER, 1,
- (unsigned char *)encoded_dhkey_info->data,
+ (unsigned char *)
+ encoded_dhkey_info->data,
encoded_dhkey_info->length,
+ (unsigned char **)
&rep->u.dh_Info.dhSignedData.data,
&rep->u.dh_Info.dhSignedData.length);
if (retval) {
@@ -838,8 +846,10 @@
case KRB5_PADATA_PK_AS_REQ_OLD:
retval = cms_signeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, 1,
- (unsigned char *)encoded_dhkey_info->data,
+ (unsigned char *)
+ encoded_dhkey_info->data,
encoded_dhkey_info->length,
+ (unsigned char **)
&rep9->u.dhSignedData.data,
&rep9->u.dhSignedData.length);
if (retval) {
@@ -913,9 +923,12 @@
rep->choice = choice_pa_pk_as_rep_encKeyPack;
retval = cms_envelopeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1,
- (unsigned char *)encoded_key_pack->data,
+ (unsigned char *)
+ encoded_key_pack->data,
encoded_key_pack->length,
- &rep->u.encKeyPack.data, &rep->u.encKeyPack.length);
+ (unsigned char **)
+ &rep->u.encKeyPack.data,
+ &rep->u.encKeyPack.length);
break;
case KRB5_PADATA_PK_AS_REP_OLD:
case KRB5_PADATA_PK_AS_REQ_OLD:
@@ -943,8 +956,10 @@
rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack;
retval = cms_envelopeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1,
- (unsigned char *)encoded_key_pack->data,
+ (unsigned char *)
+ encoded_key_pack->data,
encoded_key_pack->length,
+ (unsigned char **)
&rep9->u.encKeyPack.data, &rep9->u.encKeyPack.length);
break;
}
@@ -1018,15 +1033,13 @@
/* If mutually supported KDFs were found, use the alg agility KDF */
if (rep->u.dh_Info.kdfID) {
- secret.data = server_key;
+ secret.data = (char *)server_key;
secret.length = server_key_len;
retval = pkinit_alg_agility_kdf(context, &secret,
rep->u.dh_Info.kdfID,
request->client, request->server,
- enctype,
- (krb5_octet_data *)req_pkt,
- (krb5_octet_data *)out_data,
+ enctype, req_pkt, out_data,
encrypting_key);
if (retval) {
pkiDebug("pkinit_alg_agility_kdf failed: %s\n",