| author | Greg Hudson <ghudson@mit.edu> | 2012-02-11 23:25:12 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-02-11 23:25:12 +0000 |
| commit | beb36f85c88fab20e95c4a0d8f109c3d0ab942f5 (patch) | |
| tree | 87bf5d167d9ab3fb9fcabaf4bdf5e0a0c71d4adc /src/include | |
| parent | f0af05cf4d4fbfea0b418e94ab5f60031db57a66 (diff) | |
Minimize draft9 PKINIT code by removing dead code
The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9,
which is fortunate because it doesn't work (see issue #7072).
Instead, it passes both kinds of PKINIT replies through
decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in
alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack.
So, remove the unused broken pa_pk_as_rep_draft9 decoder.
For pa_pk_as_req_draft9, we only use two of the fields on encode and
only one of those on decode. So, get rid of the unused fields and
the krb5_trusted_ca structure, and reduce the encoder and decoder
sequences to the minimum necessary fields.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/k5-int-pkinit.h | 23 | ||||
| -rw-r--r-- | src/include/k5-int.h | 6 |
2 files changed, 3 insertions, 26 deletions
diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h
index 7fbbc53ee..7b2f595cb 100644
--- a/src/include/k5-int-pkinit.h
+++ b/src/include/k5-int-pkinit.h
@@ -86,27 +86,12 @@ typedef struct _krb5_external_principal_identifier {
     krb5_data subjectKeyIdentifier; /* Optional */
 } krb5_external_principal_identifier;
 
-/* TrustedCas */
-typedef struct _krb5_trusted_ca {
-    enum krb5_trusted_ca_selection {
-        choice_trusted_cas_UNKNOWN = -1,
-        choice_trusted_cas_principalName = 0,
-        choice_trusted_cas_caName = 1,
-        choice_trusted_cas_issuerAndSerial = 2
-    } choice;
-    union krb5_trusted_ca_choices {
-        krb5_principal principalName;
-        krb5_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */
-        krb5_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */
-    } u;
-} krb5_trusted_ca;
-
 /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
+/* This has four fields, but we only care about the first and third for
+ * encoding, and the only about the first for decoding. */
 typedef struct _krb5_pa_pk_as_req_draft9 {
     krb5_data signedAuthPack;
-    krb5_trusted_ca **trustedCertifiers; /* Optional array */
     krb5_data kdcCert; /* Optional */
-    krb5_data encryptionCert;
 } krb5_pa_pk_as_req_draft9;
 
 /* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */
@@ -259,10 +244,6 @@ krb5_error_code
 decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **);
 
 krb5_error_code
-decode_krb5_pa_pk_as_rep_draft9(const krb5_data *,
-                                krb5_pa_pk_as_rep_draft9 **);
-
-krb5_error_code
 decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **);
 
 krb5_error_code
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 7a196c69b..00cb5b113 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
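Review bot: The new comment above krb5_pa_pk_as_req_draft9 in the first hunk is misleading now that the C struct has only two members: "This has four fields" can only refer to the draft-9 PA-PK-AS-REQ ASN.1 sequence, not to the struct a reader is looking at, and "and the only about the first" is a typo. I would name the fields explicitly, e.g. `/* The draft9 PA-PK-AS-REQ sequence has four fields; this struct keeps only the first (signedAuthPack) and third (kdcCert), which are the ones the encoder emits, and only signedAuthPack is filled in on decode. */`. Dropping trustedCertifiers and encryptionCert from the struct means any remaining user of those members outside src/include will now fail to compile, which is the right outcome for a dead-code removal; I assume the encoder/decoder changes described in the commit message live in the same commit but outside this diffstat, so that cannot be confirmed here.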
@@ -1956,7 +1956,7 @@ void krb5int_free_srv_dns_data(struct srv_dns_entry *);
 
 /* To keep happy libraries which are (for now) accessing internal stuff */
 /* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 20
+#define KRB5INT_ACCESS_STRUCT_VERSION 21
 
 typedef struct _krb5int_access {
     krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
@@ -2047,10 +2047,6 @@ typedef struct _krb5int_access {
     (*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **);
 
     krb5_error_code
-    (*decode_krb5_pa_pk_as_rep_draft9)(const krb5_data *,
-                                       krb5_pa_pk_as_rep_draft9 **);
-
-    krb5_error_code
     (*decode_krb5_kdc_dh_key_info)(const krb5_data *, krb5_kdc_dh_key_info **);
 
     krb5_error_code
