From beb36f85c88fab20e95c4a0d8f109c3d0ab942f5 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Sat, 11 Feb 2012 23:25:12 +0000
Subject: Minimize draft9 PKINIT code by removing dead code

The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9, which is fortunate because it doesn't work (see issue #7072). Instead, it passes both kinds of PKINIT replies through decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack. So, remove the unused broken pa_pk_as_rep_draft9 decoder.

For pa_pk_as_req_draft9, we only use two of the fields on encode and only one of those on decode. So, get rid of the unused fields and the krb5_trusted_ca structure, and reduce the encoder and decoder sequences to the minimum necessary fields.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/k5-int-pkinit.h | 23 ++---------------------
 src/include/k5-int.h | 6 +-----
 2 files changed, 3 insertions(+), 26 deletions(-)
(limited to 'src/include')

diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h
index 7fbbc53ee..7b2f595cb 100644
--- a/src/include/k5-int-pkinit.h
+++ b/src/include/k5-int-pkinit.h
@@ -86,27 +86,12 @@ typedef struct _krb5_external_principal_identifier {
 krb5_data subjectKeyIdentifier; /* Optional */
 } krb5_external_principal_identifier;
 
-/* TrustedCas */
-typedef struct _krb5_trusted_ca {
- enum krb5_trusted_ca_selection {
- choice_trusted_cas_UNKNOWN = -1,
- choice_trusted_cas_principalName = 0,
- choice_trusted_cas_caName = 1,
- choice_trusted_cas_issuerAndSerial = 2
- } choice;
- union krb5_trusted_ca_choices {
- krb5_principal principalName;
- krb5_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */
- krb5_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */
- } u;
-} krb5_trusted_ca;
-
 /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
+/* This has four fields, but we only care about the first and third for
+ * encoding, and the only about the first for decoding. */
 typedef struct _krb5_pa_pk_as_req_draft9 {
 krb5_data signedAuthPack;
-krb5_trusted_ca **trustedCertifiers; /* Optional array */
 krb5_data kdcCert; /* Optional */
-krb5_data encryptionCert;
 } krb5_pa_pk_as_req_draft9;
 
 /* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */
@@ -258,10 +243,6 @@ decode_krb5_pa_pk_as_req_draft9(const krb5_data *,
 krb5_error_code
 decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **);
 
-krb5_error_code
-decode_krb5_pa_pk_as_rep_draft9(const krb5_data *,
- krb5_pa_pk_as_rep_draft9 **);
-
 krb5_error_code
 decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **);
 
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 7a196c69b..00cb5b113 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1956,7 +1956,7 @@ void krb5int_free_srv_dns_data(struct srv_dns_entry *);
 /* To keep happy libraries which are (for now) accessing internal stuff */
 /* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 20
+#define KRB5INT_ACCESS_STRUCT_VERSION 21
 
 typedef struct _krb5int_access {
 krb5_error_code
 (*auth_con_get_subkey_enctype)(krb5_context,
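Review bot: The new comment above krb5_pa_pk_as_req_draft9 has a grammatical slip (`and the only about the first`) and its "four fields" now disagrees with the two-member struct directly beneath it, because the count describes the draft 9 ASN.1 SEQUENCE (signedAuthPack, trustedCertifiers, kdcCert, encryptionCert in the removed layout), not the C type. I would word it as `/* The draft 9 PA-PK-AS-REQ sequence has four fields; we only encode the first (signedAuthPack) and third (kdcCert), and only decode the first. */`. Dropping trustedCertifiers from between signedAuthPack and kdcCert also shifts kdcCert's offset, so any object still compiled against the previous header layout must be rebuilt; unlike krb5int_access later in this patch, nothing in the hunk suggests a version constant guards this struct, so that is worth a line in the commit message or the comment.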
@@ -2046,10 +2046,6 @@ typedef struct _krb5int_access {
 krb5_error_code
 (*decode_krb5_pa_pk_as_rep)(const krb5_data *,
 krb5_pa_pk_as_rep **);
- krb5_error_code
- (*decode_krb5_pa_pk_as_rep_draft9)(const krb5_data *,
- krb5_pa_pk_as_rep_draft9 **);
-
 krb5_error_code
 (*decode_krb5_kdc_dh_key_info)(const krb5_data *,
 krb5_kdc_dh_key_info **);
-- cgit