svn rev #25197: trunk/src/ include/ lib/krb5/asn.1/ plugins/preauth/pkinit/
hartmans@MIT.EDU
hartmans at MIT.EDU
Sun Sep 18 20:58:38 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25197
Commit By: hartmans
Log Message:
Remove the ticket from the pkinit-alg-agility KDF function, to match
agreed changes to the IETF specification. Includes removing a parameter from
the KDF function, removing the ticket from the ASN.1 encoder, and updating
the test code.
Signed-off-by: Margaret Wasserman <mrw at painless-security.com>
Changed Files:
U trunk/src/include/k5-int-pkinit.h
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U trunk/src/plugins/preauth/pkinit/pkinit_crypto.h
U trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
U trunk/src/plugins/preauth/pkinit/pkinit_kdf_test.c
Modified: trunk/src/include/k5-int-pkinit.h
===================================================================
--- trunk/src/include/k5-int-pkinit.h 2011-09-19 00:54:11 UTC (rev 25196)
+++ trunk/src/include/k5-int-pkinit.h 2011-09-19 00:58:38 UTC (rev 25197)
@@ -188,7 +188,6 @@
krb5_enctype enctype;
krb5_octet_data as_req;
krb5_octet_data pk_as_rep;
- krb5_ticket *ticket;
} krb5_pkinit_supp_pub_info;
/*
Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2011-09-19 00:54:11 UTC (rev 25196)
+++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2011-09-19 00:58:38 UTC (rev 25197)
@@ -1466,7 +1466,6 @@
FIELDOF_NORM(krb5_pkinit_supp_pub_info, int32, enctype, 0),
FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, as_req.data, as_req.length, 1),
FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, pk_as_rep.data, pk_as_rep.length, 2),
- FIELDOF_NORM(krb5_pkinit_supp_pub_info, ticket_ptr, ticket, 3),
};
DEFSEQTYPE(pkinit_supp_pub_info, krb5_pkinit_supp_pub_info, pkinit_supp_pub_info_fields, NULL);
Modified: trunk/src/plugins/preauth/pkinit/pkinit_crypto.h
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_crypto.h 2011-09-19 00:54:11 UTC (rev 25196)
+++ trunk/src/plugins/preauth/pkinit/pkinit_crypto.h 2011-09-19 00:58:38 UTC (rev 25197)
@@ -640,7 +640,6 @@
krb5_enctype enctype,
krb5_octet_data *as_req,
krb5_octet_data *pk_as_rep,
- const krb5_ticket *ticket,
krb5_keyblock *key_block);
extern const krb5_octet krb5_pkinit_sha1_oid[];
Modified: trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2011-09-19 00:54:11 UTC (rev 25196)
+++ trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2011-09-19 00:58:38 UTC (rev 25197)
@@ -2103,8 +2103,7 @@
unsigned char *key,
unsigned int dh_key_len,
krb5_keyblock *key_block)
-{
- krb5_error_code retval;
+{ krb5_error_code retval;
unsigned char *buf = NULL;
unsigned char md[SHA_DIGEST_LENGTH];
unsigned char counter;
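Review bot: The new opening line `{ krb5_error_code retval;` puts the first declaration on the same line as the brace, which breaks the layout every other declaration in this hunk follows and looks like an accidental join rather than an intended edit; the hunk is otherwise whitespace-neutral, so the declaration should go back to `{` on its own line followed by `    krb5_error_code retval;`. The enclosing function's signature begins above this hunk and its body continues past it.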
@@ -2233,7 +2232,6 @@
krb5_enctype enctype,
krb5_octet_data *as_req,
krb5_octet_data *pk_as_rep,
- const krb5_ticket *ticket,
krb5_keyblock *key_block)
{
krb5_error_code retval = 0;
@@ -2292,7 +2290,6 @@
supp_pub_info_fields.enctype = enctype;
supp_pub_info_fields.as_req = *as_req;
supp_pub_info_fields.pk_as_rep = *pk_as_rep;
- supp_pub_info_fields.ticket = (krb5_ticket *) ticket;
if (0 != ((retval = encode_krb5_pkinit_supp_pub_info(&supp_pub_info_fields,
&supp_pub_info))))
goto cleanup;
Modified: trunk/src/plugins/preauth/pkinit/pkinit_kdf_test.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_kdf_test.c 2011-09-19 00:54:11 UTC (rev 25196)
+++ trunk/src/plugins/preauth/pkinit/pkinit_kdf_test.c 2011-09-19 00:58:38 UTC (rev 25197)
@@ -59,27 +59,12 @@
char party_v_name [] = "krbtgt/SU.SE at SU.SE";
int enctype_value = 18;
krb5_octet key_hex [] =
- {0xC7, 0x62, 0x89, 0xEC, 0x4B, 0x28, 0xA6, 0x91,
- 0xFF, 0xCE, 0x80, 0xBB, 0xB7, 0xEC, 0x82, 0x41,
- 0x52, 0x3F, 0x99, 0xB1, 0x90, 0xCF, 0x2D, 0x34,
- 0x8F, 0x54, 0xA8, 0x65, 0x81, 0x2C, 0x32, 0x73};
+ {0xe6, 0xAB, 0x38, 0xC9, 0x41, 0x3E, 0x03, 0x5B,
+ 0xB0, 0x79, 0x20, 0x1E, 0xD0, 0xB6, 0xB7, 0x3D,
+ 0x8D, 0x49, 0xA8, 0x14, 0xA7, 0x37, 0xC0, 0x4E,
+ 0xE6, 0x64, 0x96, 0x14, 0x20, 0x6F, 0x73, 0xAD};
const krb5_data lha_data = DATA_FROM_STRING("lha");
-const krb5_principal_data ticket_server = {
- 0, /*magic*/
- DATA_FROM_STRING("SU.SE"),
- (krb5_data *) &lha_data,
- 1, 1};
-const krb5_ticket test_ticket = {
- KV5M_TICKET,
- (krb5_principal) &ticket_server,
- {0, /*magic*/
- 18,
- 0,
- DATA_FROM_STRING("hejhej") },
- NULL};
-
-
int
main (int argc,
char **argv)
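Review bot: The replacement expected-key table starting `{0xe6, 0xAB, 0x38, 0xC9, ...}` carries no indication of where the bytes came from, and because the KDF input changed in this same commit a reader cannot tell whether the vector was taken from the revised specification or produced by running the new implementation, which would make the comparison self-confirming. A one-line comment above the array such as `/* Expected KDF output for the inputs above, taken from <SPEC-REVISION-PLACEHOLDER> */` would settle that, and the lone lowercase `0xe6` should be `0xE6` to match the rest of the table. main() begins at the end of this hunk and continues beyond it.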
@@ -122,11 +107,11 @@
/* set-up the partyUInfo and partyVInfo principals */
if ((0 != (retval = krb5_parse_name(context, party_u_name,
- &u_principal)))
- (0 != (retval = krb5_parse_name(context, party_v_name,
- &v_principal)))) {
+ &u_principal)))
+ (0 != (retval = krb5_parse_name(context, party_v_name,
+ &v_principal)))) {
printf("ERROR in pkinit_kdf_test: Error parsing names, retval = %d",
- retval);
+ retval);
goto cleanup;
}
@@ -142,20 +127,20 @@
/* set-up the key_block */
if (0 != (retval = krb5_init_keyblock(context, enctype, max_keylen,
&key_block_ptr))) {
- printf("ERROR in pkinit_kdf_test: can't init keybloc, retval = %d",
- retval);
- goto cleanup;
+ printf("ERROR in pkinit_kdf_test: can't init keybloc, retval = %d",
+ retval);
+ goto cleanup;
- }
+ }
- /* call krb5_pkinit_alg_agility_kdf() with test vector values*/
+ /* call pkinit_alg_agility_kdf() with test vector values*/
if (0 != (retval = pkinit_alg_agility_kdf(context, &secret, &alg_id.algorithm,
- u_principal, v_principal,
- enctype, &as_req, &pk_as_rep,
- &test_ticket, &key_block))) {
+ u_principal, v_principal,
+ enctype, &as_req, &pk_as_rep,
+ &key_block))) {
printf("ERROR in pkinit_kdf_test: kdf call failed, retval = %d",
- retval);
- goto cleanup;
+ retval);
+ goto cleanup;
}
/* compare key to expected key value */
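Review bot: The failure diagnostics in this hunk, `printf("ERROR in pkinit_kdf_test: kdf call failed, retval = %d", retval);` and the keyblock message above it, end without a newline, so the text runs into whatever the terminal prints next once the test exits from cleanup; the parse-names message in the preceding hunk has the same problem. Appending `\n` to each format string fixes it, and printing `krb5_get_error_message(context, retval)` next to the numeric code would make a failing run readable without a lookup. main() starts in an earlier hunk and the cleanup label these branches jump to lies in the next one.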
@@ -171,13 +156,13 @@
}
cleanup:
- /* release all allocated resources, whether good or bad return */
- if (secret.data)
- free(secret.data);
- if (u_principal)
- free(u_principal);
- if (v_principal)
- free(v_principal);
- krb5_free_keyblock_contents(context, &key_block);
- exit(retval);
+ /* release all allocated resources, whether good or bad return */
+ if (secret.data)
+ free(secret.data);
+ if (u_principal)
+ free(u_principal);
+ if (v_principal)
+ free(v_principal);
+ krb5_free_keyblock_contents(context, &key_block);
+ exit(retval);
}