summaryrefslogtreecommitdiffstats
path: root/src/plugins
diff options
context:
space:
mode:
authorGreg Hudson <ghudson@mit.edu>2011-12-21 22:52:43 +0000
committerGreg Hudson <ghudson@mit.edu>2011-12-21 22:52:43 +0000
commit02fff47a6ff9f322431d8c2d50fa463973ec19fd (patch)
tree2d0026af2c9906f6362936e6eee4e29b0fbc5af3 /src/plugins
parent7203dc8cc0ef42d512ad864ce76c6587b447f463 (diff)
downloadkrb5-02fff47a6ff9f322431d8c2d50fa463973ec19fd.tar.gz
krb5-02fff47a6ff9f322431d8c2d50fa463973ec19fd.tar.xz
krb5-02fff47a6ff9f322431d8c2d50fa463973ec19fd.zip
Stop using krb5_octet_data
For consistency with the rest of the code base, make PKINIT use krb5_data as a pointer/length container. Leave krb5_octet_data and krb5_free_octet_data behind for API compatibility. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/preauth/pkinit/pkinit.h4
-rw-r--r--src/plugins/preauth/pkinit/pkinit_clnt.c50
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto.h14
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_nss.c76
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_openssl.c47
-rw-r--r--src/plugins/preauth/pkinit/pkinit_kdf_constants.c6
-rw-r--r--src/plugins/preauth/pkinit/pkinit_kdf_test.c16
-rw-r--r--src/plugins/preauth/pkinit/pkinit_lib.c11
-rw-r--r--src/plugins/preauth/pkinit/pkinit_srv.c63
9 files changed, 157 insertions, 130 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 48e57fe87..7970746d9 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -115,7 +115,7 @@ static inline void pkiDebug (const char *fmt, ...) { }
#define OCTETDATA_TO_KRB5DATA(octd, k5d) \
(k5d)->length = (octd)->length; (k5d)->data = (char *)(octd)->data;
-extern const krb5_octet_data dh_oid;
+extern const krb5_data dh_oid;
/*
* notes about crypto contexts:
@@ -322,7 +322,7 @@ void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in);
void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
void free_krb5_subject_pk_info(krb5_subject_pk_info **in);
-krb5_error_code pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src);
+krb5_error_code pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src);
/*
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index e574c3c8f..cf406fd0c 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -261,8 +261,7 @@ pkinit_as_req_create(krb5_context context,
auth_pack9->pkAuthenticator.nonce = nonce;
auth_pack9->pkAuthenticator.kdcName = server;
auth_pack9->pkAuthenticator.kdcRealm.magic = 0;
- auth_pack9->pkAuthenticator.kdcRealm.data =
- (unsigned char *)server->realm.data;
+ auth_pack9->pkAuthenticator.kdcRealm.data = server->realm.data;
auth_pack9->pkAuthenticator.kdcRealm.length = server->realm.length;
free(cksum->contents);
break;
@@ -279,7 +278,7 @@ pkinit_as_req_create(krb5_context context,
auth_pack->pkAuthenticator.paChecksum = *cksum;
auth_pack->clientDHNonce.length = 0;
auth_pack->clientPublicValue = info;
- auth_pack->supportedKDFs = (krb5_octet_data **) supported_kdf_alg_ids;
+ auth_pack->supportedKDFs = (krb5_data **) supported_kdf_alg_ids;
/* add List of CMS algorithms */
retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
@@ -298,7 +297,7 @@ pkinit_as_req_create(krb5_context context,
switch(protocol) {
case DH_PROTOCOL:
pkiDebug("as_req: DH key transport algorithm\n");
- retval = pkinit_copy_krb5_octet_data(&info->algorithm.algorithm, &dh_oid);
+ retval = pkinit_copy_krb5_data(&info->algorithm.algorithm, &dh_oid);
if (retval) {
pkiDebug("failed to copy dh_oid\n");
goto cleanup;
@@ -307,8 +306,10 @@ pkinit_as_req_create(krb5_context context,
/* create client-side DH keys */
if ((retval = client_create_dh(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx, reqctx->opts->dh_size,
+ (unsigned char **)
&info->algorithm.parameters.data,
&info->algorithm.parameters.length,
+ (unsigned char **)
&info->subjectPublicKey.data,
&info->subjectPublicKey.length)) != 0) {
pkiDebug("failed to create dh parameters\n");
@@ -365,9 +366,11 @@ pkinit_as_req_create(krb5_context context,
if (use_content_info(context, reqctx, client)) {
retval = cms_contentinfo_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx,
- CMS_SIGN_CLIENT, (unsigned char *)
+ CMS_SIGN_CLIENT,
+ (unsigned char *)
coded_auth_pack->data,
coded_auth_pack->length,
+ (unsigned char **)
&req->signedAuthPack.data,
&req->signedAuthPack.length);
} else {
@@ -377,6 +380,7 @@ pkinit_as_req_create(krb5_context context,
(unsigned char *)
coded_auth_pack->data,
coded_auth_pack->length,
+ (unsigned char **)
&req->signedAuthPack.data,
&req->signedAuthPack.length);
}
@@ -394,8 +398,11 @@ pkinit_as_req_create(krb5_context context,
}
retval = cms_signeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_DRAFT9, 1,
- (unsigned char *)coded_auth_pack->data, coded_auth_pack->length,
- &req9->signedAuthPack.data, &req9->signedAuthPack.length);
+ (unsigned char *)coded_auth_pack->data,
+ coded_auth_pack->length,
+ (unsigned char **)
+ &req9->signedAuthPack.data,
+ &req9->signedAuthPack.length);
break;
#ifdef DEBUG_ASN1
print_buffer_bin((unsigned char *)req9->signedAuthPack.data,
@@ -417,7 +424,8 @@ pkinit_as_req_create(krb5_context context,
if (retval)
goto cleanup;
retval = create_issuerAndSerial(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, &req->kdcPkId.data,
+ reqctx->cryptoctx, reqctx->idctx,
+ (unsigned char **)&req->kdcPkId.data,
&req->kdcPkId.length);
if (retval)
goto cleanup;
@@ -435,7 +443,8 @@ pkinit_as_req_create(krb5_context context,
#endif
retval = create_issuerAndSerial(context, plgctx->cryptoctx,
- reqctx->cryptoctx, reqctx->idctx, &req9->kdcCert.data,
+ reqctx->cryptoctx, reqctx->idctx,
+ (unsigned char **)&req9->kdcCert.data,
&req9->kdcCert.length);
if (retval)
goto cleanup;
@@ -678,12 +687,12 @@ pkinit_as_rep_parse(krb5_context context,
krb5_kdc_dh_key_info *kdc_dh = NULL;
krb5_reply_key_pack *key_pack = NULL;
krb5_reply_key_pack_draft9 *key_pack9 = NULL;
- krb5_octet_data dh_data = { 0, 0, NULL };
+ krb5_data dh_data = { 0, 0, NULL };
unsigned char *client_key = NULL, *kdc_hostname = NULL;
unsigned int client_key_len = 0;
krb5_checksum cksum = {0, 0, 0, NULL};
krb5_data k5data;
- krb5_octet_data secret;
+ krb5_data secret;
int valid_san = 0;
int valid_eku = 0;
int need_eku_checking = 1;
@@ -710,9 +719,11 @@ pkinit_as_rep_parse(krb5_context context,
if ((retval = cms_signeddata_verify(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_SERVER,
reqctx->opts->require_crl_checking,
+ (unsigned char *)
kdc_reply->u.dh_Info.dhSignedData.data,
kdc_reply->u.dh_Info.dhSignedData.length,
- &dh_data.data, &dh_data.length,
+ (unsigned char **)&dh_data.data,
+ &dh_data.length,
NULL, NULL, NULL)) != 0) {
pkiDebug("failed to verify pkcs7 signed data\n");
goto cleanup;
@@ -724,9 +735,11 @@ pkinit_as_rep_parse(krb5_context context,
if ((retval = cms_envelopeddata_verify(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx, pa_type,
reqctx->opts->require_crl_checking,
+ (unsigned char *)
kdc_reply->u.encKeyPack.data,
kdc_reply->u.encKeyPack.length,
- &dh_data.data, &dh_data.length)) != 0) {
+ (unsigned char **)&dh_data.data,
+ &dh_data.length)) != 0) {
pkiDebug("failed to verify pkcs7 enveloped data\n");
goto cleanup;
}
@@ -787,6 +800,7 @@ pkinit_as_rep_parse(krb5_context context,
/* client after KDC reply */
if ((retval = client_process_dh(context, plgctx->cryptoctx,
reqctx->cryptoctx, reqctx->idctx,
+ (unsigned char *)
kdc_dh->subjectPublicKey.data,
kdc_dh->subjectPublicKey.length,
&client_key, &client_key_len)) != 0) {
@@ -797,15 +811,13 @@ pkinit_as_rep_parse(krb5_context context,
/* If we have a KDF algorithm ID, call the algorithm agility KDF... */
if (kdc_reply->u.dh_Info.kdfID) {
secret.length = client_key_len;
- secret.data = client_key;
+ secret.data = (char *)client_key;
retval = pkinit_alg_agility_kdf(context, &secret,
kdc_reply->u.dh_Info.kdfID,
- request->client,
- request->server, etype,
- (krb5_octet_data *)encoded_request,
- (krb5_octet_data *)as_rep,
- key_block);
+ request->client, request->server,
+ etype, encoded_request,
+ (krb5_data *)as_rep, key_block);
if (retval) {
pkiDebug("failed to create key pkinit_alg_agility_kdf %s\n",
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index c1bd32d8c..e42943d57 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -348,7 +348,7 @@ krb5_error_code server_check_dh
pkinit_plg_crypto_context plg_cryptoctx, /* IN */
pkinit_req_crypto_context req_cryptoctx, /* IN */
pkinit_identity_crypto_context id_cryptoctx, /* IN */
- krb5_octet_data *dh_params, /* IN
+ krb5_data *dh_params, /* IN
???? */
int minbits); /* IN
the mininum number of key bits acceptable */
@@ -636,13 +636,13 @@ krb5_error_code pkinit_identity_set_prompter
krb5_error_code
pkinit_alg_agility_kdf(krb5_context context,
- krb5_octet_data *secret,
- krb5_octet_data *alg_oid,
+ krb5_data *secret,
+ krb5_data *alg_oid,
krb5_const_principal party_u_info,
krb5_const_principal party_v_info,
krb5_enctype enctype,
- krb5_octet_data *as_req,
- krb5_octet_data *pk_as_rep,
+ krb5_data *as_req,
+ krb5_data *pk_as_rep,
krb5_keyblock *key_block);
extern const krb5_octet krb5_pkinit_sha1_oid[];
@@ -652,10 +652,10 @@ extern const size_t krb5_pkinit_sha256_oid_len;
extern const krb5_octet krb5_pkinit_sha512_oid[];
extern const size_t krb5_pkinit_sha512_oid_len;
/**
- * An ordered set of OIDs, stored as krb5_octet_data of KDF algorithms
+ * An ordered set of OIDs, stored as krb5_data, of KDF algorithms
* supported by this implementation. The order of this array controls
* the order in which the server will pick.
*/
-extern const krb5_octet_data const *supported_kdf_alg_ids[] ;
+extern const krb5_data const *supported_kdf_alg_ids[] ;
#endif /* _PKINIT_CRYPTO_H */
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 1a83083fe..3aa44bc4c 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -1531,7 +1531,7 @@ server_check_dh(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_crypto_context id_cryptoctx,
- krb5_octet_data *dh_params, int minbits)
+ krb5_data *dh_params, int minbits)
{
PLArenaPool *pool;
SECItem item;
@@ -1540,7 +1540,7 @@ server_check_dh(krb5_context context,
if (pool == NULL)
return ENOMEM;
- item.data = dh_params->data;
+ item.data = (unsigned char *)dh_params->data;
item.len = dh_params->length;
memset(&req_cryptoctx->client_dh_params, 0,
sizeof(req_cryptoctx->client_dh_params));
@@ -1757,7 +1757,8 @@ create_krb5_supportedCMSTypes(krb5_context context,
memset(id, 0, sizeof(*id));
ids[i] = id;
oid = SECOID_FindOIDByTag(oids[i]);
- if (secitem_to_buf_len(&oid->oid, &id->algorithm.data,
+ if (secitem_to_buf_len(&oid->oid,
+ (unsigned char **)&id->algorithm.data,
&id->algorithm.length) != 0) {
free(ids[i]);
free_n_algorithm_identifiers(ids, i - 1);
@@ -1841,9 +1842,11 @@ create_krb5_trustedCertifiers(krb5_context context,
* of the pkinit module. */
if ((node->cert->keyIDGenerated ?
secitem_to_buf_len(&node->cert->derSubject,
+ (unsigned char **)
&id->subjectName.data,
&id->subjectName.length) :
secitem_to_buf_len(&node->cert->subjectKeyID,
+ (unsigned char **)
&id->subjectKeyIdentifier.data,
&id->subjectKeyIdentifier.length)) != 0) {
/* Free the earlier items. */
@@ -3313,9 +3316,9 @@ pkinit_create_td_dh_parameters(krb5_context context,
continue;
/* Add it to the list. */
memset(&id[j], 0, sizeof(id[j]));
- id[j].algorithm.data = oid->data;
+ id[j].algorithm.data = (char *)oid->data;
id[j].algorithm.length = oid->len;
- id[j].parameters.data = tmp.data;
+ id[j].parameters.data = (char *)tmp.data;
id[j].parameters.length = tmp.len;
ids[j] = &id[j];
j++;
@@ -3368,7 +3371,7 @@ pkinit_process_td_dh_params(krb5_context context,
for (i = 0; (algId != NULL) && (algId[i] != NULL); i++) {
/* Decode the domain parameters. */
item.len = algId[i]->parameters.length;
- item.data = algId[i]->parameters.data;
+ item.data = (unsigned char *)algId[i]->parameters.data;
memset(&params, 0, sizeof(params));
if (SEC_ASN1DecodeItem(req_cryptoctx->pool, &params,
domain_parameters_template,
@@ -3418,11 +3421,11 @@ pkinit_create_td_invalid_certificate(krb5_context context,
if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn,
issuer_and_serial_number_template) != &item)
return ENOMEM;
- id.issuerAndSerialNumber.data = item.data;
+ id.issuerAndSerialNumber.data = (char *)item.data;
id.issuerAndSerialNumber.length = item.len;
} else {
item = invalid->subjectKeyID;
- id.subjectKeyIdentifier.data = item.data;
+ id.subjectKeyIdentifier.data = (char *)item.data;
id.subjectKeyIdentifier.length = item.len;
}
ids[0] = &id;
@@ -3573,11 +3576,11 @@ pkinit_create_td_trusted_certifiers(krb5_context context,
CERT_DestroyCertList(clist);
return ENOMEM;
}
- id[i].issuerAndSerialNumber.data = item.data;
+ id[i].issuerAndSerialNumber.data = (char *)item.data;
id[i].issuerAndSerialNumber.length = item.len;
} else {
item = node->cert->subjectKeyID;
- id[i].subjectKeyIdentifier.data = item.data;
+ id[i].subjectKeyIdentifier.data = (char *)item.data;
id[i].subjectKeyIdentifier.length = item.len;
}
ids[i] = &id[i];
@@ -3810,22 +3813,22 @@ pkinit_octetstring2key(krb5_context context,
/* Return TRUE if the item and the "algorithm" part of the algorithm identifier
* are the same. */
static PRBool
-octet_data_and_data_and_length_equal(const krb5_octet_data *octets,
- const void *data, size_t len)
+data_and_ptr_and_length_equal(const krb5_data *data,
+ const void *ptr, size_t len)
{
- return (octets->length == len) && (memcmp(octets->data, data, len) == 0);
+ return (data->length == len) && (memcmp(data->data, ptr, len) == 0);
}
/* Encode the other info used by the agility KDF. Taken almost verbatim from
* parts of the agility KDF in pkinit_crypto_openssl.c */
static krb5_error_code
encode_agility_kdf_other_info(krb5_context context,
- krb5_octet_data *alg_oid,
+ krb5_data *alg_oid,
krb5_const_principal party_u_info,
krb5_const_principal party_v_info,
krb5_enctype enctype,
- krb5_octet_data *as_req,
- krb5_octet_data *pk_as_rep,
+ krb5_data *as_req,
+ krb5_data *pk_as_rep,
krb5_data **other_info)
{
krb5_error_code retval = 0;
@@ -3873,13 +3876,13 @@ cleanup:
* one that we support. */
krb5_error_code
pkinit_alg_agility_kdf(krb5_context context,
- krb5_octet_data *secret,
- krb5_octet_data *alg_oid,
+ krb5_data *secret,
+ krb5_data *alg_oid,
krb5_const_principal party_u_info,
krb5_const_principal party_v_info,
krb5_enctype enctype,
- krb5_octet_data *as_req,
- krb5_octet_data *pk_as_rep,
+ krb5_data *as_req,
+ krb5_data *pk_as_rep,
krb5_keyblock *key_block)
{
krb5_data *other_info = NULL;
@@ -3894,30 +3897,27 @@ pkinit_alg_agility_kdf(krb5_context context,
if (retval != 0)
return retval;
- if (octet_data_and_data_and_length_equal(alg_oid,
- krb5_pkinit_sha512_oid,
- krb5_pkinit_sha512_oid_len))
+ if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha512_oid,
+ krb5_pkinit_sha512_oid_len))
retval = pkinit_octetstring_hkdf(context,
SEC_OID_SHA512, 1, 4, enctype,
- secret->data, secret->length,
- other_info->data, other_info->length,
- key_block);
- else if (octet_data_and_data_and_length_equal(alg_oid,
- krb5_pkinit_sha256_oid,
- krb5_pkinit_sha256_oid_len))
+ (unsigned char *)secret->data,
+ secret->length, other_info->data,
+ other_info->length, key_block);
+ else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha256_oid,
+ krb5_pkinit_sha256_oid_len))
retval = pkinit_octetstring_hkdf(context,
SEC_OID_SHA256, 1, 4, enctype,
- secret->data, secret->length,
- other_info->data, other_info->length,
- key_block);
- else if (octet_data_and_data_and_length_equal(alg_oid,
- krb5_pkinit_sha1_oid,
- krb5_pkinit_sha1_oid_len))
+ (unsigned char *)secret->data,
+ secret->length, other_info->data,
+ other_info->length, key_block);
+ else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha1_oid,
+ krb5_pkinit_sha1_oid_len))
retval = pkinit_octetstring_hkdf(context,
SEC_OID_SHA1, 1, 4, enctype,
- secret->data, secret->length,
- other_info->data, other_info->length,
- key_block);
+ (unsigned char *)secret->data,
+ secret->length, other_info->data,
+ other_info->length, key_block);
else
retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF;
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 571e309ee..2fb506821 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2305,7 +2305,7 @@ cleanup:
*/
static krb5_error_code
pkinit_alg_values(krb5_context context,
- const krb5_octet_data *alg_id,
+ const krb5_data *alg_id,
size_t *hash_bytes,
const EVP_MD *(**func)(void))
{
@@ -2356,13 +2356,13 @@ pkinit_alg_values(krb5_context context,
*/
krb5_error_code
pkinit_alg_agility_kdf(krb5_context context,
- krb5_octet_data *secret,
- krb5_octet_data *alg_oid,
+ krb5_data *secret,
+ krb5_data *alg_oid,
krb5_const_principal party_u_info,
krb5_const_principal party_v_info,
krb5_enctype enctype,
- krb5_octet_data *as_req,
- krb5_octet_data *pk_as_rep,
+ krb5_data *as_req,
+ krb5_data *pk_as_rep,
krb5_keyblock *key_block)
{
krb5_error_code retval = 0;
@@ -2703,7 +2703,7 @@ server_check_dh(krb5_context context,
pkinit_plg_crypto_context cryptoctx,
pkinit_req_crypto_context req_cryptoctx,
pkinit_identity_crypto_context id_cryptoctx,
- krb5_octet_data *dh_params,
+ krb5_data *dh_params,
int minbits)
{
DH *dh = NULL;
@@ -2711,7 +2711,7 @@ server_check_dh(krb5_context context,
int dh_prime_bits;
krb5_error_code retval = KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
- tmp = dh_params->data;
+ tmp = (unsigned char *)dh_params->data;
dh = DH_new();
dh = pkinit_decode_dh_params(&dh, &tmp, dh_params->length);
if (dh == NULL) {
@@ -3309,7 +3309,7 @@ pkinit_process_td_dh_params(krb5_context context,
memcmp(algId[i]->algorithm.data, dh_oid.data, dh_oid.length))
goto cleanup;
- tmp = algId[i]->parameters.data;
+ tmp = (unsigned char *)algId[i]->parameters.data;
dh = DH_new();
dh = pkinit_decode_dh_params(&dh, &tmp, algId[i]->parameters.length);
dh_prime_bits = BN_num_bits(dh->p);
@@ -5447,8 +5447,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk,
xn = X509_get_subject_name(x);
len = i2d_X509_NAME(xn, NULL);
- if ((p = krb5_cas[i]->subjectName.data = malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->subjectName.data = (char *)p;
i2d_X509_NAME(xn, &p);
krb5_cas[i]->subjectName.length = len;
@@ -5465,9 +5466,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk,
M_ASN1_INTEGER_free(is->serial);
is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
- if ((p = krb5_cas[i]->issuerAndSerialNumber.data =
- malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->issuerAndSerialNumber.data = (char *)p;
i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
krb5_cas[i]->issuerAndSerialNumber.length = len;
#ifdef LONGHORN_BETA_COMPAT
@@ -5489,9 +5490,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk,
if ((ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL,
NULL))) {
len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
- if ((p = krb5_cas[i]->subjectKeyIdentifier.data =
- malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->subjectKeyIdentifier.data = (char *)p;
i2d_ASN1_OCTET_STRING(ikeyid, &p);
krb5_cas[i]->subjectKeyIdentifier.length = len;
}
@@ -5558,7 +5559,7 @@ create_krb5_supportedCMSTypes(krb5_context context,
krb5_error_code retval = ENOMEM;
krb5_algorithm_identifier **loids = NULL;
- krb5_octet_data des3oid = {0, 8, (unsigned char *)"\x2A\x86\x48\x86\xF7\x0D\x03\x07" };
+ krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };
*oids = NULL;
loids = malloc(2 * sizeof(krb5_algorithm_identifier *));
@@ -5570,7 +5571,7 @@ create_krb5_supportedCMSTypes(krb5_context context,
free(loids);
goto cleanup;
}
- retval = pkinit_copy_krb5_octet_data(&loids[0]->algorithm, &des3oid);
+ retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid);
if (retval) {
free(loids[0]);
free(loids);
@@ -5652,9 +5653,9 @@ create_krb5_trustedCas(krb5_context context,
krb5_cas[i]->u.caName.length = 0;
xn = X509_get_subject_name(x);
len = i2d_X509_NAME(xn, NULL);
- if ((p = krb5_cas[i]->u.caName.data =
- malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->u.caName.data = (char *)p;
i2d_X509_NAME(xn, &p);
krb5_cas[i]->u.caName.length = len;
break;
@@ -5667,9 +5668,9 @@ create_krb5_trustedCas(krb5_context context,
M_ASN1_INTEGER_free(is->serial);
is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
- if ((p = krb5_cas[i]->u.issuerAndSerial.data =
- malloc((size_t) len)) == NULL)
+ if ((p = malloc((size_t) len)) == NULL)
goto cleanup;
+ krb5_cas[i]->u.issuerAndSerial.data = (char *)p;
i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
krb5_cas[i]->u.issuerAndSerial.length = len;
if (is != NULL) {
@@ -5789,7 +5790,7 @@ pkinit_process_td_trusted_certifiers(
sk_xn = sk_X509_NAME_new_null();
while(krb5_trusted_certifiers[i] != NULL) {
if (krb5_trusted_certifiers[i]->subjectName.data != NULL) {
- p = krb5_trusted_certifiers[i]->subjectName.data;
+ p = (unsigned char *)krb5_trusted_certifiers[i]->subjectName.data;
xn = d2i_X509_NAME(NULL, &p,
(int)krb5_trusted_certifiers[i]->subjectName.length);
if (xn == NULL)
@@ -5803,7 +5804,8 @@ pkinit_process_td_trusted_certifiers(
}
if (krb5_trusted_certifiers[i]->issuerAndSerialNumber.data != NULL) {
- p = krb5_trusted_certifiers[i]->issuerAndSerialNumber.data;
+ p = (unsigned char *)
+ krb5_trusted_certifiers[i]->issuerAndSerialNumber.data;
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p,
(int)krb5_trusted_certifiers[i]->issuerAndSerialNumber.length);
if (is == NULL)
@@ -5819,7 +5821,8 @@ pkinit_process_td_trusted_certifiers(
}
if (krb5_trusted_certifiers[i]->subjectKeyIdentifier.data != NULL) {
- p = krb5_trusted_certifiers[i]->subjectKeyIdentifier.data;
+ p = (unsigned char *)
+ krb5_trusted_certifiers[i]->subjectKeyIdentifier.data;
id = d2i_ASN1_OCTET_STRING(NULL, &p,
(int)krb5_trusted_certifiers[i]->subjectKeyIdentifier.length);
if (id == NULL)
diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c b/src/plugins/preauth/pkinit/pkinit_kdf_constants.c
index 723400433..55e67cd3a 100644
--- a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c
+++ b/src/plugins/preauth/pkinit/pkinit_kdf_constants.c
@@ -57,14 +57,14 @@ const krb5_octet krb5_pkinit_sha512_oid [8] =
const size_t krb5_pkinit_sha512_oid_len = 8;
#define oid_as_data(var, oid_base) \
- const krb5_octet_data var = \
- {0, sizeof oid_base, (krb5_octet *) oid_base}
+ const krb5_data var = \
+ {0, sizeof oid_base, (char *)oid_base}
oid_as_data(sha1_id, krb5_pkinit_sha1_oid);
oid_as_data(sha256_id, krb5_pkinit_sha256_oid);
oid_as_data(sha512_id, krb5_pkinit_sha512_oid);
#undef oid_as_data
-const krb5_octet_data const *supported_kdf_alg_ids[] = {
+const krb5_data const *supported_kdf_alg_ids[] = {
&sha256_id,
&sha1_id,
&sha512_id,
diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_test.c b/src/plugins/preauth/pkinit/pkinit_kdf_test.c
index 02b2bb9d7..710e1ff39 100644
--- a/src/plugins/preauth/pkinit/pkinit_kdf_test.c
+++ b/src/plugins/preauth/pkinit/pkinit_kdf_test.c
@@ -83,10 +83,10 @@ main(int argc, char **argv)
{
/* arguments for calls to pkinit_alg_agility_kdf() */
krb5_context context = 0;
- krb5_octet_data secret;
+ krb5_data secret;
krb5_algorithm_identifier alg_id;
- krb5_octet_data as_req;
- krb5_octet_data pk_as_rep;
+ krb5_data as_req;
+ krb5_data pk_as_rep;
krb5_keyblock key_block;
/* other local variables */
@@ -127,14 +127,14 @@ main(int argc, char **argv)
memset(twenty_as, 0xaa, sizeof(twenty_as));
memset(eighteen_bs, 0xbb, sizeof(eighteen_bs));
as_req.length = sizeof(twenty_as);
- as_req.data = (unsigned char *)&twenty_as;
+ as_req.data = twenty_as;
pk_as_rep.length = sizeof(eighteen_bs);
- pk_as_rep.data = (unsigned char *)&eighteen_bs;
+ pk_as_rep.data = eighteen_bs;
/* TEST 1: SHA-1/AES */
/* set up algorithm id */
- alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha1_oid;
+ alg_id.algorithm.data = (char *)krb5_pkinit_sha1_oid;
alg_id.algorithm.length = krb5_pkinit_sha1_oid_len;
enctype = enctype_aes;
@@ -175,7 +175,7 @@ main(int argc, char **argv)
/* TEST 2: SHA-256/AES */
/* set up algorithm id */
- alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha256_oid;
+ alg_id.algorithm.data = (char *)krb5_pkinit_sha256_oid;
alg_id.algorithm.length = krb5_pkinit_sha256_oid_len;
enctype = enctype_aes;
@@ -216,7 +216,7 @@ main(int argc, char **argv)
/* TEST 3: SHA-512/DES3 */
/* set up algorithm id */
- alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha512_oid;
+ alg_id.algorithm.data = (char *)krb5_pkinit_sha512_oid;
alg_id.algorithm.length = krb5_pkinit_sha512_oid_len;
enctype = enctype_des3;
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index 6b1018004..34416142e 100644
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -43,8 +43,7 @@
#define FAKECERT
-const krb5_octet_data
-dh_oid = { 0, 7, (unsigned char *)"\x2A\x86\x48\xce\x3e\x02\x01" };
+const krb5_data dh_oid = { 0, 7, "\x2A\x86\x48\xce\x3e\x02\x01" };
krb5_error_code
@@ -164,10 +163,10 @@ free_krb5_auth_pack(krb5_auth_pack **in)
if ((*in)->supportedCMSTypes != NULL)
free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes));
if ((*in)->supportedKDFs) {
- krb5_octet_data **supportedKDFs = (*in)->supportedKDFs;
+ krb5_data **supportedKDFs = (*in)->supportedKDFs;
unsigned i;
for (i = 0; supportedKDFs[i]; i++)
- krb5_free_octet_data(NULL, supportedKDFs[i]);
+ krb5_free_data(NULL, supportedKDFs[i]);
free(supportedKDFs);
}
free(*in);
@@ -188,7 +187,7 @@ free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in)
if (*in == NULL) return;
switch ((*in)->choice) {
case choice_pa_pk_as_rep_dhInfo:
- krb5_free_octet_data(NULL, (*in)->u.dh_Info.kdfID);
+ krb5_free_data(NULL, (*in)->u.dh_Info.kdfID);
free((*in)->u.dh_Info.dhSignedData.data);
break;
case choice_pa_pk_as_rep_encKeyPack:
@@ -403,7 +402,7 @@ init_krb5_subject_pk_info(krb5_subject_pk_info **in)
}
krb5_error_code
-pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src)
+pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src)
{
if (dst == NULL || src == NULL)
return EINVAL;
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 3322310bf..8050565d1 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -289,7 +289,7 @@ pkinit_server_verify_padata(krb5_context context,
void *arg)
{
krb5_error_code retval = 0;
- krb5_octet_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL};
+ krb5_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL};
krb5_pa_pk_as_req *reqp = NULL;
krb5_pa_pk_as_req_draft9 *reqp9 = NULL;
krb5_auth_pack *auth_pack = NULL;
@@ -350,8 +350,11 @@ pkinit_server_verify_padata(krb5_context context,
retval = cms_signeddata_verify(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_CLIENT,
plgctx->opts->require_crl_checking,
+ (unsigned char *)
reqp->signedAuthPack.data, reqp->signedAuthPack.length,
- &authp_data.data, &authp_data.length, &krb5_authz.data,
+ (unsigned char **)&authp_data.data,
+ &authp_data.length,
+ (unsigned char **)&krb5_authz.data,
&krb5_authz.length, &is_signed);
break;
case KRB5_PADATA_PK_AS_REP_OLD:
@@ -371,8 +374,11 @@ pkinit_server_verify_padata(krb5_context context,
retval = cms_signeddata_verify(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9,
plgctx->opts->require_crl_checking,
+ (unsigned char *)
reqp9->signedAuthPack.data, reqp9->signedAuthPack.length,
- &authp_data.data, &authp_data.length, &krb5_authz.data,
+ (unsigned char **)&authp_data.data,
+ &authp_data.length,
+ (unsigned char **)&krb5_authz.data,
&krb5_authz.length, NULL);
break;
default:
@@ -483,7 +489,8 @@ pkinit_server_verify_padata(krb5_context context,
int valid_kdcPkId = 0;
retval = pkinit_check_kdc_pkid(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx,
- reqp->kdcPkId.data, reqp->kdcPkId.length, &valid_kdcPkId);
+ (unsigned char *)reqp->kdcPkId.data,
+ reqp->kdcPkId.length, &valid_kdcPkId);
if (retval)
goto cleanup;
if (!valid_kdcPkId)
@@ -616,14 +623,13 @@ cleanup:
}
static krb5_error_code
-pkinit_pick_kdf_alg(krb5_context context,
- krb5_octet_data **kdf_list,
- krb5_octet_data **alg_oid)
+pkinit_pick_kdf_alg(krb5_context context, krb5_data **kdf_list,
+ krb5_data **alg_oid)
{
krb5_error_code retval = 0;
- krb5_octet_data *req_oid = NULL;
- const krb5_octet_data *supp_oid = NULL;
- krb5_octet_data *tmp_oid = NULL;
+ krb5_data *req_oid = NULL;
+ const krb5_data *supp_oid = NULL;
+ krb5_data *tmp_oid = NULL;
int i, j = 0;
/* if we don't find a match, return NULL value */
@@ -635,7 +641,7 @@ pkinit_pick_kdf_alg(krb5_context context,
for (j = 0; NULL != (req_oid = kdf_list[j]); j++) {
if ((req_oid->length == supp_oid->length) &&
(0 == memcmp(req_oid->data, supp_oid->data, req_oid->length))) {
- tmp_oid = k5alloc(sizeof(krb5_octet_data), &retval);
+ tmp_oid = k5alloc(sizeof(krb5_data), &retval);
if (retval)
goto cleanup;
tmp_oid->data = k5alloc(supp_oid->length, &retval);
@@ -652,7 +658,7 @@ pkinit_pick_kdf_alg(krb5_context context,
}
cleanup:
if (tmp_oid)
- krb5_free_octet_data(context, tmp_oid);
+ krb5_free_data(context, tmp_oid);
return retval;
}
@@ -685,7 +691,7 @@ pkinit_server_return_padata(krb5_context context,
krb5_pa_pk_as_rep *rep = NULL;
krb5_pa_pk_as_rep_draft9 *rep9 = NULL;
krb5_data *out_data = NULL;
- krb5_octet_data secret;
+ krb5_data secret;
krb5_enctype enctype = -1;
@@ -767,14 +773,14 @@ pkinit_server_return_padata(krb5_context context,
if (reqctx->rcv_auth_pack != NULL &&
reqctx->rcv_auth_pack->clientPublicValue != NULL) {
- subjectPublicKey =
+ subjectPublicKey = (unsigned char *)
reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.data;
subjectPublicKey_len =
reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length;
rep->choice = choice_pa_pk_as_rep_dhInfo;
} else if (reqctx->rcv_auth_pack9 != NULL &&
reqctx->rcv_auth_pack9->clientPublicValue != NULL) {
- subjectPublicKey =
+ subjectPublicKey = (unsigned char *)
reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.data;
subjectPublicKey_len =
reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.length;
@@ -805,7 +811,7 @@ pkinit_server_return_padata(krb5_context context,
*/
dhkey_info.subjectPublicKey.length = dh_pubkey_len;
- dhkey_info.subjectPublicKey.data = dh_pubkey;
+ dhkey_info.subjectPublicKey.data = (char *)dh_pubkey;
dhkey_info.nonce = request->nonce;
dhkey_info.dhKeyExpiration = 0;
@@ -825,8 +831,10 @@ pkinit_server_return_padata(krb5_context context,
case KRB5_PADATA_PK_AS_REQ:
retval = cms_signeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_SERVER, 1,
- (unsigned char *)encoded_dhkey_info->data,
+ (unsigned char *)
+ encoded_dhkey_info->data,
encoded_dhkey_info->length,
+ (unsigned char **)
&rep->u.dh_Info.dhSignedData.data,
&rep->u.dh_Info.dhSignedData.length);
if (retval) {
@@ -838,8 +846,10 @@ pkinit_server_return_padata(krb5_context context,
case KRB5_PADATA_PK_AS_REQ_OLD:
retval = cms_signeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, 1,
- (unsigned char *)encoded_dhkey_info->data,
+ (unsigned char *)
+ encoded_dhkey_info->data,
encoded_dhkey_info->length,
+ (unsigned char **)
&rep9->u.dhSignedData.data,
&rep9->u.dhSignedData.length);
if (retval) {
@@ -913,9 +923,12 @@ pkinit_server_return_padata(krb5_context context,
rep->choice = choice_pa_pk_as_rep_encKeyPack;
retval = cms_envelopeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1,
- (unsigned char *)encoded_key_pack->data,
+ (unsigned char *)
+ encoded_key_pack->data,
encoded_key_pack->length,
- &rep->u.encKeyPack.data, &rep->u.encKeyPack.length);
+ (unsigned char **)
+ &rep->u.encKeyPack.data,
+ &rep->u.encKeyPack.length);
break;
case KRB5_PADATA_PK_AS_REP_OLD:
case KRB5_PADATA_PK_AS_REQ_OLD:
@@ -943,8 +956,10 @@ pkinit_server_return_padata(krb5_context context,
rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack;
retval = cms_envelopeddata_create(context, plgctx->cryptoctx,
reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1,
- (unsigned char *)encoded_key_pack->data,
+ (unsigned char *)
+ encoded_key_pack->data,
encoded_key_pack->length,
+ (unsigned char **)
&rep9->u.encKeyPack.data, &rep9->u.encKeyPack.length);
break;
}
@@ -1018,15 +1033,13 @@ pkinit_server_return_padata(krb5_context context,
/* If mutually supported KDFs were found, use the alg agility KDF */
if (rep->u.dh_Info.kdfID) {
- secret.data = server_key;
+ secret.data = (char *)server_key;
secret.length = server_key_len;
retval = pkinit_alg_agility_kdf(context, &secret,
rep->u.dh_Info.kdfID,
request->client, request->server,
- enctype,
- (krb5_octet_data *)req_pkt,
- (krb5_octet_data *)out_data,
+ enctype, req_pkt, out_data,
encrypting_key);
if (retval) {
pkiDebug("pkinit_alg_agility_kdf failed: %s\n",
generated by cgit (git 2.34.1) at 2024-10-05 05:57:19 +0000