diff options
author | Greg Hudson <ghudson@mit.edu> | 2011-12-21 22:52:43 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2011-12-21 22:52:43 +0000 |
commit | 02fff47a6ff9f322431d8c2d50fa463973ec19fd (patch) | |
tree | 2d0026af2c9906f6362936e6eee4e29b0fbc5af3 /src/plugins | |
parent | 7203dc8cc0ef42d512ad864ce76c6587b447f463 (diff) | |
download | krb5-02fff47a6ff9f322431d8c2d50fa463973ec19fd.tar.gz krb5-02fff47a6ff9f322431d8c2d50fa463973ec19fd.tar.xz krb5-02fff47a6ff9f322431d8c2d50fa463973ec19fd.zip |
Stop using krb5_octet_data
For consistency with the rest of the code base, make PKINIT use
krb5_data as a pointer/length container. Leave krb5_octet_data and
krb5_free_octet_data behind for API compatibility.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit.h | 4 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 50 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto.h | 14 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 76 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 47 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_kdf_constants.c | 6 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_kdf_test.c | 16 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_lib.c | 11 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 63 |
9 files changed, 157 insertions, 130 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h index 48e57fe87..7970746d9 100644 --- a/src/plugins/preauth/pkinit/pkinit.h +++ b/src/plugins/preauth/pkinit/pkinit.h @@ -115,7 +115,7 @@ static inline void pkiDebug (const char *fmt, ...) { } #define OCTETDATA_TO_KRB5DATA(octd, k5d) \ (k5d)->length = (octd)->length; (k5d)->data = (char *)(octd)->data; -extern const krb5_octet_data dh_oid; +extern const krb5_data dh_oid; /* * notes about crypto contexts: @@ -322,7 +322,7 @@ void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in); void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in); void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in); void free_krb5_subject_pk_info(krb5_subject_pk_info **in); -krb5_error_code pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src); +krb5_error_code pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src); /* diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index e574c3c8f..cf406fd0c 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -261,8 +261,7 @@ pkinit_as_req_create(krb5_context context, auth_pack9->pkAuthenticator.nonce = nonce; auth_pack9->pkAuthenticator.kdcName = server; auth_pack9->pkAuthenticator.kdcRealm.magic = 0; - auth_pack9->pkAuthenticator.kdcRealm.data = - (unsigned char *)server->realm.data; + auth_pack9->pkAuthenticator.kdcRealm.data = server->realm.data; auth_pack9->pkAuthenticator.kdcRealm.length = server->realm.length; free(cksum->contents); break; @@ -279,7 +278,7 @@ pkinit_as_req_create(krb5_context context, auth_pack->pkAuthenticator.paChecksum = *cksum; auth_pack->clientDHNonce.length = 0; auth_pack->clientPublicValue = info; - auth_pack->supportedKDFs = (krb5_octet_data **) supported_kdf_alg_ids; + auth_pack->supportedKDFs = (krb5_data **) supported_kdf_alg_ids; /* add List of CMS algorithms */ retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, @@ -298,7 +297,7 @@ pkinit_as_req_create(krb5_context context, switch(protocol) { case DH_PROTOCOL: pkiDebug("as_req: DH key transport algorithm\n"); - retval = pkinit_copy_krb5_octet_data(&info->algorithm.algorithm, &dh_oid); + retval = pkinit_copy_krb5_data(&info->algorithm.algorithm, &dh_oid); if (retval) { pkiDebug("failed to copy dh_oid\n"); goto cleanup; @@ -307,8 +306,10 @@ pkinit_as_req_create(krb5_context context, /* create client-side DH keys */ if ((retval = client_create_dh(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, reqctx->opts->dh_size, + (unsigned char **) &info->algorithm.parameters.data, &info->algorithm.parameters.length, + (unsigned char **) &info->subjectPublicKey.data, &info->subjectPublicKey.length)) != 0) { pkiDebug("failed to create dh parameters\n"); @@ -365,9 +366,11 @@ pkinit_as_req_create(krb5_context context, if (use_content_info(context, reqctx, client)) { retval = cms_contentinfo_create(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, - CMS_SIGN_CLIENT, (unsigned char *) + CMS_SIGN_CLIENT, + (unsigned char *) coded_auth_pack->data, coded_auth_pack->length, + (unsigned char **) &req->signedAuthPack.data, &req->signedAuthPack.length); } else { @@ -377,6 +380,7 @@ pkinit_as_req_create(krb5_context context, (unsigned char *) coded_auth_pack->data, coded_auth_pack->length, + (unsigned char **) &req->signedAuthPack.data, &req->signedAuthPack.length); } @@ -394,8 +398,11 @@ pkinit_as_req_create(krb5_context context, } retval = cms_signeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_DRAFT9, 1, - (unsigned char *)coded_auth_pack->data, coded_auth_pack->length, - &req9->signedAuthPack.data, &req9->signedAuthPack.length); + (unsigned char *)coded_auth_pack->data, + coded_auth_pack->length, + (unsigned char **) + &req9->signedAuthPack.data, + &req9->signedAuthPack.length); break; #ifdef DEBUG_ASN1 print_buffer_bin((unsigned char *)req9->signedAuthPack.data, @@ -417,7 +424,8 @@ pkinit_as_req_create(krb5_context context, if (retval) goto cleanup; retval = create_issuerAndSerial(context, plgctx->cryptoctx, - reqctx->cryptoctx, reqctx->idctx, &req->kdcPkId.data, + reqctx->cryptoctx, reqctx->idctx, + (unsigned char **)&req->kdcPkId.data, &req->kdcPkId.length); if (retval) goto cleanup; @@ -435,7 +443,8 @@ pkinit_as_req_create(krb5_context context, #endif retval = create_issuerAndSerial(context, plgctx->cryptoctx, - reqctx->cryptoctx, reqctx->idctx, &req9->kdcCert.data, + reqctx->cryptoctx, reqctx->idctx, + (unsigned char **)&req9->kdcCert.data, &req9->kdcCert.length); if (retval) goto cleanup; @@ -678,12 +687,12 @@ pkinit_as_rep_parse(krb5_context context, krb5_kdc_dh_key_info *kdc_dh = NULL; krb5_reply_key_pack *key_pack = NULL; krb5_reply_key_pack_draft9 *key_pack9 = NULL; - krb5_octet_data dh_data = { 0, 0, NULL }; + krb5_data dh_data = { 0, 0, NULL }; unsigned char *client_key = NULL, *kdc_hostname = NULL; unsigned int client_key_len = 0; krb5_checksum cksum = {0, 0, 0, NULL}; krb5_data k5data; - krb5_octet_data secret; + krb5_data secret; int valid_san = 0; int valid_eku = 0; int need_eku_checking = 1; @@ -710,9 +719,11 @@ pkinit_as_rep_parse(krb5_context context, if ((retval = cms_signeddata_verify(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_SERVER, reqctx->opts->require_crl_checking, + (unsigned char *) kdc_reply->u.dh_Info.dhSignedData.data, kdc_reply->u.dh_Info.dhSignedData.length, - &dh_data.data, &dh_data.length, + (unsigned char **)&dh_data.data, + &dh_data.length, NULL, NULL, NULL)) != 0) { pkiDebug("failed to verify pkcs7 signed data\n"); goto cleanup; @@ -724,9 +735,11 @@ pkinit_as_rep_parse(krb5_context context, if ((retval = cms_envelopeddata_verify(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, pa_type, reqctx->opts->require_crl_checking, + (unsigned char *) kdc_reply->u.encKeyPack.data, kdc_reply->u.encKeyPack.length, - &dh_data.data, &dh_data.length)) != 0) { + (unsigned char **)&dh_data.data, + &dh_data.length)) != 0) { pkiDebug("failed to verify pkcs7 enveloped data\n"); goto cleanup; } @@ -787,6 +800,7 @@ pkinit_as_rep_parse(krb5_context context, /* client after KDC reply */ if ((retval = client_process_dh(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, + (unsigned char *) kdc_dh->subjectPublicKey.data, kdc_dh->subjectPublicKey.length, &client_key, &client_key_len)) != 0) { @@ -797,15 +811,13 @@ pkinit_as_rep_parse(krb5_context context, /* If we have a KDF algorithm ID, call the algorithm agility KDF... */ if (kdc_reply->u.dh_Info.kdfID) { secret.length = client_key_len; - secret.data = client_key; + secret.data = (char *)client_key; retval = pkinit_alg_agility_kdf(context, &secret, kdc_reply->u.dh_Info.kdfID, - request->client, - request->server, etype, - (krb5_octet_data *)encoded_request, - (krb5_octet_data *)as_rep, - key_block); + request->client, request->server, + etype, encoded_request, + (krb5_data *)as_rep, key_block); if (retval) { pkiDebug("failed to create key pkinit_alg_agility_kdf %s\n", diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h index c1bd32d8c..e42943d57 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h @@ -348,7 +348,7 @@ krb5_error_code server_check_dh pkinit_plg_crypto_context plg_cryptoctx, /* IN */ pkinit_req_crypto_context req_cryptoctx, /* IN */ pkinit_identity_crypto_context id_cryptoctx, /* IN */ - krb5_octet_data *dh_params, /* IN + krb5_data *dh_params, /* IN ???? */ int minbits); /* IN the mininum number of key bits acceptable */ @@ -636,13 +636,13 @@ krb5_error_code pkinit_identity_set_prompter krb5_error_code pkinit_alg_agility_kdf(krb5_context context, - krb5_octet_data *secret, - krb5_octet_data *alg_oid, + krb5_data *secret, + krb5_data *alg_oid, krb5_const_principal party_u_info, krb5_const_principal party_v_info, krb5_enctype enctype, - krb5_octet_data *as_req, - krb5_octet_data *pk_as_rep, + krb5_data *as_req, + krb5_data *pk_as_rep, krb5_keyblock *key_block); extern const krb5_octet krb5_pkinit_sha1_oid[]; @@ -652,10 +652,10 @@ extern const size_t krb5_pkinit_sha256_oid_len; extern const krb5_octet krb5_pkinit_sha512_oid[]; extern const size_t krb5_pkinit_sha512_oid_len; /** - * An ordered set of OIDs, stored as krb5_octet_data of KDF algorithms + * An ordered set of OIDs, stored as krb5_data, of KDF algorithms * supported by this implementation. The order of this array controls * the order in which the server will pick. */ -extern const krb5_octet_data const *supported_kdf_alg_ids[] ; +extern const krb5_data const *supported_kdf_alg_ids[] ; #endif /* _PKINIT_CRYPTO_H */ diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 1a83083fe..3aa44bc4c 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -1531,7 +1531,7 @@ server_check_dh(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, pkinit_req_crypto_context req_cryptoctx, pkinit_identity_crypto_context id_cryptoctx, - krb5_octet_data *dh_params, int minbits) + krb5_data *dh_params, int minbits) { PLArenaPool *pool; SECItem item; @@ -1540,7 +1540,7 @@ server_check_dh(krb5_context context, if (pool == NULL) return ENOMEM; - item.data = dh_params->data; + item.data = (unsigned char *)dh_params->data; item.len = dh_params->length; memset(&req_cryptoctx->client_dh_params, 0, sizeof(req_cryptoctx->client_dh_params)); @@ -1757,7 +1757,8 @@ create_krb5_supportedCMSTypes(krb5_context context, memset(id, 0, sizeof(*id)); ids[i] = id; oid = SECOID_FindOIDByTag(oids[i]); - if (secitem_to_buf_len(&oid->oid, &id->algorithm.data, + if (secitem_to_buf_len(&oid->oid, + (unsigned char **)&id->algorithm.data, &id->algorithm.length) != 0) { free(ids[i]); free_n_algorithm_identifiers(ids, i - 1); @@ -1841,9 +1842,11 @@ create_krb5_trustedCertifiers(krb5_context context, * of the pkinit module. */ if ((node->cert->keyIDGenerated ? secitem_to_buf_len(&node->cert->derSubject, + (unsigned char **) &id->subjectName.data, &id->subjectName.length) : secitem_to_buf_len(&node->cert->subjectKeyID, + (unsigned char **) &id->subjectKeyIdentifier.data, &id->subjectKeyIdentifier.length)) != 0) { /* Free the earlier items. */ @@ -3313,9 +3316,9 @@ pkinit_create_td_dh_parameters(krb5_context context, continue; /* Add it to the list. */ memset(&id[j], 0, sizeof(id[j])); - id[j].algorithm.data = oid->data; + id[j].algorithm.data = (char *)oid->data; id[j].algorithm.length = oid->len; - id[j].parameters.data = tmp.data; + id[j].parameters.data = (char *)tmp.data; id[j].parameters.length = tmp.len; ids[j] = &id[j]; j++; @@ -3368,7 +3371,7 @@ pkinit_process_td_dh_params(krb5_context context, for (i = 0; (algId != NULL) && (algId[i] != NULL); i++) { /* Decode the domain parameters. */ item.len = algId[i]->parameters.length; - item.data = algId[i]->parameters.data; + item.data = (unsigned char *)algId[i]->parameters.data; memset(¶ms, 0, sizeof(params)); if (SEC_ASN1DecodeItem(req_cryptoctx->pool, ¶ms, domain_parameters_template, @@ -3418,11 +3421,11 @@ pkinit_create_td_invalid_certificate(krb5_context context, if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn, issuer_and_serial_number_template) != &item) return ENOMEM; - id.issuerAndSerialNumber.data = item.data; + id.issuerAndSerialNumber.data = (char *)item.data; id.issuerAndSerialNumber.length = item.len; } else { item = invalid->subjectKeyID; - id.subjectKeyIdentifier.data = item.data; + id.subjectKeyIdentifier.data = (char *)item.data; id.subjectKeyIdentifier.length = item.len; } ids[0] = &id; @@ -3573,11 +3576,11 @@ pkinit_create_td_trusted_certifiers(krb5_context context, CERT_DestroyCertList(clist); return ENOMEM; } - id[i].issuerAndSerialNumber.data = item.data; + id[i].issuerAndSerialNumber.data = (char *)item.data; id[i].issuerAndSerialNumber.length = item.len; } else { item = node->cert->subjectKeyID; - id[i].subjectKeyIdentifier.data = item.data; + id[i].subjectKeyIdentifier.data = (char *)item.data; id[i].subjectKeyIdentifier.length = item.len; } ids[i] = &id[i]; @@ -3810,22 +3813,22 @@ pkinit_octetstring2key(krb5_context context, /* Return TRUE if the item and the "algorithm" part of the algorithm identifier * are the same. */ static PRBool -octet_data_and_data_and_length_equal(const krb5_octet_data *octets, - const void *data, size_t len) +data_and_ptr_and_length_equal(const krb5_data *data, + const void *ptr, size_t len) { - return (octets->length == len) && (memcmp(octets->data, data, len) == 0); + return (data->length == len) && (memcmp(data->data, ptr, len) == 0); } /* Encode the other info used by the agility KDF. Taken almost verbatim from * parts of the agility KDF in pkinit_crypto_openssl.c */ static krb5_error_code encode_agility_kdf_other_info(krb5_context context, - krb5_octet_data *alg_oid, + krb5_data *alg_oid, krb5_const_principal party_u_info, krb5_const_principal party_v_info, krb5_enctype enctype, - krb5_octet_data *as_req, - krb5_octet_data *pk_as_rep, + krb5_data *as_req, + krb5_data *pk_as_rep, krb5_data **other_info) { krb5_error_code retval = 0; @@ -3873,13 +3876,13 @@ cleanup: * one that we support. */ krb5_error_code pkinit_alg_agility_kdf(krb5_context context, - krb5_octet_data *secret, - krb5_octet_data *alg_oid, + krb5_data *secret, + krb5_data *alg_oid, krb5_const_principal party_u_info, krb5_const_principal party_v_info, krb5_enctype enctype, - krb5_octet_data *as_req, - krb5_octet_data *pk_as_rep, + krb5_data *as_req, + krb5_data *pk_as_rep, krb5_keyblock *key_block) { krb5_data *other_info = NULL; @@ -3894,30 +3897,27 @@ pkinit_alg_agility_kdf(krb5_context context, if (retval != 0) return retval; - if (octet_data_and_data_and_length_equal(alg_oid, - krb5_pkinit_sha512_oid, - krb5_pkinit_sha512_oid_len)) + if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha512_oid, + krb5_pkinit_sha512_oid_len)) retval = pkinit_octetstring_hkdf(context, SEC_OID_SHA512, 1, 4, enctype, - secret->data, secret->length, - other_info->data, other_info->length, - key_block); - else if (octet_data_and_data_and_length_equal(alg_oid, - krb5_pkinit_sha256_oid, - krb5_pkinit_sha256_oid_len)) + (unsigned char *)secret->data, + secret->length, other_info->data, + other_info->length, key_block); + else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha256_oid, + krb5_pkinit_sha256_oid_len)) retval = pkinit_octetstring_hkdf(context, SEC_OID_SHA256, 1, 4, enctype, - secret->data, secret->length, - other_info->data, other_info->length, - key_block); - else if (octet_data_and_data_and_length_equal(alg_oid, - krb5_pkinit_sha1_oid, - krb5_pkinit_sha1_oid_len)) + (unsigned char *)secret->data, + secret->length, other_info->data, + other_info->length, key_block); + else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha1_oid, + krb5_pkinit_sha1_oid_len)) retval = pkinit_octetstring_hkdf(context, SEC_OID_SHA1, 1, 4, enctype, - secret->data, secret->length, - other_info->data, other_info->length, - key_block); + (unsigned char *)secret->data, + secret->length, other_info->data, + other_info->length, key_block); else retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF; diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 571e309ee..2fb506821 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -2305,7 +2305,7 @@ cleanup: */ static krb5_error_code pkinit_alg_values(krb5_context context, - const krb5_octet_data *alg_id, + const krb5_data *alg_id, size_t *hash_bytes, const EVP_MD *(**func)(void)) { @@ -2356,13 +2356,13 @@ pkinit_alg_values(krb5_context context, */ krb5_error_code pkinit_alg_agility_kdf(krb5_context context, - krb5_octet_data *secret, - krb5_octet_data *alg_oid, + krb5_data *secret, + krb5_data *alg_oid, krb5_const_principal party_u_info, krb5_const_principal party_v_info, krb5_enctype enctype, - krb5_octet_data *as_req, - krb5_octet_data *pk_as_rep, + krb5_data *as_req, + krb5_data *pk_as_rep, krb5_keyblock *key_block) { krb5_error_code retval = 0; @@ -2703,7 +2703,7 @@ server_check_dh(krb5_context context, pkinit_plg_crypto_context cryptoctx, pkinit_req_crypto_context req_cryptoctx, pkinit_identity_crypto_context id_cryptoctx, - krb5_octet_data *dh_params, + krb5_data *dh_params, int minbits) { DH *dh = NULL; @@ -2711,7 +2711,7 @@ server_check_dh(krb5_context context, int dh_prime_bits; krb5_error_code retval = KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; - tmp = dh_params->data; + tmp = (unsigned char *)dh_params->data; dh = DH_new(); dh = pkinit_decode_dh_params(&dh, &tmp, dh_params->length); if (dh == NULL) { @@ -3309,7 +3309,7 @@ pkinit_process_td_dh_params(krb5_context context, memcmp(algId[i]->algorithm.data, dh_oid.data, dh_oid.length)) goto cleanup; - tmp = algId[i]->parameters.data; + tmp = (unsigned char *)algId[i]->parameters.data; dh = DH_new(); dh = pkinit_decode_dh_params(&dh, &tmp, algId[i]->parameters.length); dh_prime_bits = BN_num_bits(dh->p); @@ -5447,8 +5447,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk, xn = X509_get_subject_name(x); len = i2d_X509_NAME(xn, NULL); - if ((p = krb5_cas[i]->subjectName.data = malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->subjectName.data = (char *)p; i2d_X509_NAME(xn, &p); krb5_cas[i]->subjectName.length = len; @@ -5465,9 +5466,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk, M_ASN1_INTEGER_free(is->serial); is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x)); len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL); - if ((p = krb5_cas[i]->issuerAndSerialNumber.data = - malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->issuerAndSerialNumber.data = (char *)p; i2d_PKCS7_ISSUER_AND_SERIAL(is, &p); krb5_cas[i]->issuerAndSerialNumber.length = len; #ifdef LONGHORN_BETA_COMPAT @@ -5489,9 +5490,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk, if ((ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL))) { len = i2d_ASN1_OCTET_STRING(ikeyid, NULL); - if ((p = krb5_cas[i]->subjectKeyIdentifier.data = - malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->subjectKeyIdentifier.data = (char *)p; i2d_ASN1_OCTET_STRING(ikeyid, &p); krb5_cas[i]->subjectKeyIdentifier.length = len; } @@ -5558,7 +5559,7 @@ create_krb5_supportedCMSTypes(krb5_context context, krb5_error_code retval = ENOMEM; krb5_algorithm_identifier **loids = NULL; - krb5_octet_data des3oid = {0, 8, (unsigned char *)"\x2A\x86\x48\x86\xF7\x0D\x03\x07" }; + krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" }; *oids = NULL; loids = malloc(2 * sizeof(krb5_algorithm_identifier *)); @@ -5570,7 +5571,7 @@ create_krb5_supportedCMSTypes(krb5_context context, free(loids); goto cleanup; } - retval = pkinit_copy_krb5_octet_data(&loids[0]->algorithm, &des3oid); + retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid); if (retval) { free(loids[0]); free(loids); @@ -5652,9 +5653,9 @@ create_krb5_trustedCas(krb5_context context, krb5_cas[i]->u.caName.length = 0; xn = X509_get_subject_name(x); len = i2d_X509_NAME(xn, NULL); - if ((p = krb5_cas[i]->u.caName.data = - malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->u.caName.data = (char *)p; i2d_X509_NAME(xn, &p); krb5_cas[i]->u.caName.length = len; break; @@ -5667,9 +5668,9 @@ create_krb5_trustedCas(krb5_context context, M_ASN1_INTEGER_free(is->serial); is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x)); len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL); - if ((p = krb5_cas[i]->u.issuerAndSerial.data = - malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->u.issuerAndSerial.data = (char *)p; i2d_PKCS7_ISSUER_AND_SERIAL(is, &p); krb5_cas[i]->u.issuerAndSerial.length = len; if (is != NULL) { @@ -5789,7 +5790,7 @@ pkinit_process_td_trusted_certifiers( sk_xn = sk_X509_NAME_new_null(); while(krb5_trusted_certifiers[i] != NULL) { if (krb5_trusted_certifiers[i]->subjectName.data != NULL) { - p = krb5_trusted_certifiers[i]->subjectName.data; + p = (unsigned char *)krb5_trusted_certifiers[i]->subjectName.data; xn = d2i_X509_NAME(NULL, &p, (int)krb5_trusted_certifiers[i]->subjectName.length); if (xn == NULL) @@ -5803,7 +5804,8 @@ pkinit_process_td_trusted_certifiers( } if (krb5_trusted_certifiers[i]->issuerAndSerialNumber.data != NULL) { - p = krb5_trusted_certifiers[i]->issuerAndSerialNumber.data; + p = (unsigned char *) + krb5_trusted_certifiers[i]->issuerAndSerialNumber.data; is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)krb5_trusted_certifiers[i]->issuerAndSerialNumber.length); if (is == NULL) @@ -5819,7 +5821,8 @@ pkinit_process_td_trusted_certifiers( } if (krb5_trusted_certifiers[i]->subjectKeyIdentifier.data != NULL) { - p = krb5_trusted_certifiers[i]->subjectKeyIdentifier.data; + p = (unsigned char *) + krb5_trusted_certifiers[i]->subjectKeyIdentifier.data; id = d2i_ASN1_OCTET_STRING(NULL, &p, (int)krb5_trusted_certifiers[i]->subjectKeyIdentifier.length); if (id == NULL) diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c b/src/plugins/preauth/pkinit/pkinit_kdf_constants.c index 723400433..55e67cd3a 100644 --- a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c +++ b/src/plugins/preauth/pkinit/pkinit_kdf_constants.c @@ -57,14 +57,14 @@ const krb5_octet krb5_pkinit_sha512_oid [8] = const size_t krb5_pkinit_sha512_oid_len = 8; #define oid_as_data(var, oid_base) \ - const krb5_octet_data var = \ - {0, sizeof oid_base, (krb5_octet *) oid_base} + const krb5_data var = \ + {0, sizeof oid_base, (char *)oid_base} oid_as_data(sha1_id, krb5_pkinit_sha1_oid); oid_as_data(sha256_id, krb5_pkinit_sha256_oid); oid_as_data(sha512_id, krb5_pkinit_sha512_oid); #undef oid_as_data -const krb5_octet_data const *supported_kdf_alg_ids[] = { +const krb5_data const *supported_kdf_alg_ids[] = { &sha256_id, &sha1_id, &sha512_id, diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_test.c b/src/plugins/preauth/pkinit/pkinit_kdf_test.c index 02b2bb9d7..710e1ff39 100644 --- a/src/plugins/preauth/pkinit/pkinit_kdf_test.c +++ b/src/plugins/preauth/pkinit/pkinit_kdf_test.c @@ -83,10 +83,10 @@ main(int argc, char **argv) { /* arguments for calls to pkinit_alg_agility_kdf() */ krb5_context context = 0; - krb5_octet_data secret; + krb5_data secret; krb5_algorithm_identifier alg_id; - krb5_octet_data as_req; - krb5_octet_data pk_as_rep; + krb5_data as_req; + krb5_data pk_as_rep; krb5_keyblock key_block; /* other local variables */ @@ -127,14 +127,14 @@ main(int argc, char **argv) memset(twenty_as, 0xaa, sizeof(twenty_as)); memset(eighteen_bs, 0xbb, sizeof(eighteen_bs)); as_req.length = sizeof(twenty_as); - as_req.data = (unsigned char *)&twenty_as; + as_req.data = twenty_as; pk_as_rep.length = sizeof(eighteen_bs); - pk_as_rep.data = (unsigned char *)&eighteen_bs; + pk_as_rep.data = eighteen_bs; /* TEST 1: SHA-1/AES */ /* set up algorithm id */ - alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha1_oid; + alg_id.algorithm.data = (char *)krb5_pkinit_sha1_oid; alg_id.algorithm.length = krb5_pkinit_sha1_oid_len; enctype = enctype_aes; @@ -175,7 +175,7 @@ main(int argc, char **argv) /* TEST 2: SHA-256/AES */ /* set up algorithm id */ - alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha256_oid; + alg_id.algorithm.data = (char *)krb5_pkinit_sha256_oid; alg_id.algorithm.length = krb5_pkinit_sha256_oid_len; enctype = enctype_aes; @@ -216,7 +216,7 @@ main(int argc, char **argv) /* TEST 3: SHA-512/DES3 */ /* set up algorithm id */ - alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha512_oid; + alg_id.algorithm.data = (char *)krb5_pkinit_sha512_oid; alg_id.algorithm.length = krb5_pkinit_sha512_oid_len; enctype = enctype_des3; diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c index 6b1018004..34416142e 100644 --- a/src/plugins/preauth/pkinit/pkinit_lib.c +++ b/src/plugins/preauth/pkinit/pkinit_lib.c @@ -43,8 +43,7 @@ #define FAKECERT -const krb5_octet_data -dh_oid = { 0, 7, (unsigned char *)"\x2A\x86\x48\xce\x3e\x02\x01" }; +const krb5_data dh_oid = { 0, 7, "\x2A\x86\x48\xce\x3e\x02\x01" }; krb5_error_code @@ -164,10 +163,10 @@ free_krb5_auth_pack(krb5_auth_pack **in) if ((*in)->supportedCMSTypes != NULL) free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes)); if ((*in)->supportedKDFs) { - krb5_octet_data **supportedKDFs = (*in)->supportedKDFs; + krb5_data **supportedKDFs = (*in)->supportedKDFs; unsigned i; for (i = 0; supportedKDFs[i]; i++) - krb5_free_octet_data(NULL, supportedKDFs[i]); + krb5_free_data(NULL, supportedKDFs[i]); free(supportedKDFs); } free(*in); @@ -188,7 +187,7 @@ free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) if (*in == NULL) return; switch ((*in)->choice) { case choice_pa_pk_as_rep_dhInfo: - krb5_free_octet_data(NULL, (*in)->u.dh_Info.kdfID); + krb5_free_data(NULL, (*in)->u.dh_Info.kdfID); free((*in)->u.dh_Info.dhSignedData.data); break; case choice_pa_pk_as_rep_encKeyPack: @@ -403,7 +402,7 @@ init_krb5_subject_pk_info(krb5_subject_pk_info **in) } krb5_error_code -pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src) +pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src) { if (dst == NULL || src == NULL) return EINVAL; diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 3322310bf..8050565d1 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -289,7 +289,7 @@ pkinit_server_verify_padata(krb5_context context, void *arg) { krb5_error_code retval = 0; - krb5_octet_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL}; + krb5_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL}; krb5_pa_pk_as_req *reqp = NULL; krb5_pa_pk_as_req_draft9 *reqp9 = NULL; krb5_auth_pack *auth_pack = NULL; @@ -350,8 +350,11 @@ pkinit_server_verify_padata(krb5_context context, retval = cms_signeddata_verify(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_CLIENT, plgctx->opts->require_crl_checking, + (unsigned char *) reqp->signedAuthPack.data, reqp->signedAuthPack.length, - &authp_data.data, &authp_data.length, &krb5_authz.data, + (unsigned char **)&authp_data.data, + &authp_data.length, + (unsigned char **)&krb5_authz.data, &krb5_authz.length, &is_signed); break; case KRB5_PADATA_PK_AS_REP_OLD: @@ -371,8 +374,11 @@ pkinit_server_verify_padata(krb5_context context, retval = cms_signeddata_verify(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, plgctx->opts->require_crl_checking, + (unsigned char *) reqp9->signedAuthPack.data, reqp9->signedAuthPack.length, - &authp_data.data, &authp_data.length, &krb5_authz.data, + (unsigned char **)&authp_data.data, + &authp_data.length, + (unsigned char **)&krb5_authz.data, &krb5_authz.length, NULL); break; default: @@ -483,7 +489,8 @@ pkinit_server_verify_padata(krb5_context context, int valid_kdcPkId = 0; retval = pkinit_check_kdc_pkid(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, - reqp->kdcPkId.data, reqp->kdcPkId.length, &valid_kdcPkId); + (unsigned char *)reqp->kdcPkId.data, + reqp->kdcPkId.length, &valid_kdcPkId); if (retval) goto cleanup; if (!valid_kdcPkId) @@ -616,14 +623,13 @@ cleanup: } static krb5_error_code -pkinit_pick_kdf_alg(krb5_context context, - krb5_octet_data **kdf_list, - krb5_octet_data **alg_oid) +pkinit_pick_kdf_alg(krb5_context context, krb5_data **kdf_list, + krb5_data **alg_oid) { krb5_error_code retval = 0; - krb5_octet_data *req_oid = NULL; - const krb5_octet_data *supp_oid = NULL; - krb5_octet_data *tmp_oid = NULL; + krb5_data *req_oid = NULL; + const krb5_data *supp_oid = NULL; + krb5_data *tmp_oid = NULL; int i, j = 0; /* if we don't find a match, return NULL value */ @@ -635,7 +641,7 @@ pkinit_pick_kdf_alg(krb5_context context, for (j = 0; NULL != (req_oid = kdf_list[j]); j++) { if ((req_oid->length == supp_oid->length) && (0 == memcmp(req_oid->data, supp_oid->data, req_oid->length))) { - tmp_oid = k5alloc(sizeof(krb5_octet_data), &retval); + tmp_oid = k5alloc(sizeof(krb5_data), &retval); if (retval) goto cleanup; tmp_oid->data = k5alloc(supp_oid->length, &retval); @@ -652,7 +658,7 @@ pkinit_pick_kdf_alg(krb5_context context, } cleanup: if (tmp_oid) - krb5_free_octet_data(context, tmp_oid); + krb5_free_data(context, tmp_oid); return retval; } @@ -685,7 +691,7 @@ pkinit_server_return_padata(krb5_context context, krb5_pa_pk_as_rep *rep = NULL; krb5_pa_pk_as_rep_draft9 *rep9 = NULL; krb5_data *out_data = NULL; - krb5_octet_data secret; + krb5_data secret; krb5_enctype enctype = -1; @@ -767,14 +773,14 @@ pkinit_server_return_padata(krb5_context context, if (reqctx->rcv_auth_pack != NULL && reqctx->rcv_auth_pack->clientPublicValue != NULL) { - subjectPublicKey = + subjectPublicKey = (unsigned char *) reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.data; subjectPublicKey_len = reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length; rep->choice = choice_pa_pk_as_rep_dhInfo; } else if (reqctx->rcv_auth_pack9 != NULL && reqctx->rcv_auth_pack9->clientPublicValue != NULL) { - subjectPublicKey = + subjectPublicKey = (unsigned char *) reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.data; subjectPublicKey_len = reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.length; @@ -805,7 +811,7 @@ pkinit_server_return_padata(krb5_context context, */ dhkey_info.subjectPublicKey.length = dh_pubkey_len; - dhkey_info.subjectPublicKey.data = dh_pubkey; + dhkey_info.subjectPublicKey.data = (char *)dh_pubkey; dhkey_info.nonce = request->nonce; dhkey_info.dhKeyExpiration = 0; @@ -825,8 +831,10 @@ pkinit_server_return_padata(krb5_context context, case KRB5_PADATA_PK_AS_REQ: retval = cms_signeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_SERVER, 1, - (unsigned char *)encoded_dhkey_info->data, + (unsigned char *) + encoded_dhkey_info->data, encoded_dhkey_info->length, + (unsigned char **) &rep->u.dh_Info.dhSignedData.data, &rep->u.dh_Info.dhSignedData.length); if (retval) { @@ -838,8 +846,10 @@ pkinit_server_return_padata(krb5_context context, case KRB5_PADATA_PK_AS_REQ_OLD: retval = cms_signeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, 1, - (unsigned char *)encoded_dhkey_info->data, + (unsigned char *) + encoded_dhkey_info->data, encoded_dhkey_info->length, + (unsigned char **) &rep9->u.dhSignedData.data, &rep9->u.dhSignedData.length); if (retval) { @@ -913,9 +923,12 @@ pkinit_server_return_padata(krb5_context context, rep->choice = choice_pa_pk_as_rep_encKeyPack; retval = cms_envelopeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, - (unsigned char *)encoded_key_pack->data, + (unsigned char *) + encoded_key_pack->data, encoded_key_pack->length, - &rep->u.encKeyPack.data, &rep->u.encKeyPack.length); + (unsigned char **) + &rep->u.encKeyPack.data, + &rep->u.encKeyPack.length); break; case KRB5_PADATA_PK_AS_REP_OLD: case KRB5_PADATA_PK_AS_REQ_OLD: @@ -943,8 +956,10 @@ pkinit_server_return_padata(krb5_context context, rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack; retval = cms_envelopeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, - (unsigned char *)encoded_key_pack->data, + (unsigned char *) + encoded_key_pack->data, encoded_key_pack->length, + (unsigned char **) &rep9->u.encKeyPack.data, &rep9->u.encKeyPack.length); break; } @@ -1018,15 +1033,13 @@ pkinit_server_return_padata(krb5_context context, /* If mutually supported KDFs were found, use the alg agility KDF */ if (rep->u.dh_Info.kdfID) { - secret.data = server_key; + secret.data = (char *)server_key; secret.length = server_key_len; retval = pkinit_alg_agility_kdf(context, &secret, rep->u.dh_Info.kdfID, request->client, request->server, - enctype, - (krb5_octet_data *)req_pkt, - (krb5_octet_data *)out_data, + enctype, req_pkt, out_data, encrypting_key); if (retval) { pkiDebug("pkinit_alg_agility_kdf failed: %s\n", |