Stop using krb5_octet_data
authorGreg Hudson <ghudson@mit.edu>
Wed, 21 Dec 2011 22:52:43 +0000 (22:52 +0000)
committerGreg Hudson <ghudson@mit.edu>
Wed, 21 Dec 2011 22:52:43 +0000 (22:52 +0000)
For consistency with the rest of the code base, make PKINIT use
krb5_data as a pointer/length container.  Leave krb5_octet_data and
krb5_free_octet_data behind for API compatibility.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970

18 files changed:
src/include/k5-int-pkinit.h
src/include/krb5/krb5.hin
src/lib/krb5/asn.1/asn1_decode.c
src/lib/krb5/asn.1/asn1_decode.h
src/lib/krb5/asn.1/asn1_k_decode.c
src/lib/krb5/asn.1/asn1_k_decode.h
src/lib/krb5/asn.1/asn1_k_decode_kdc.c
src/lib/krb5/asn.1/asn1_k_decode_macros.h
src/lib/krb5/asn.1/asn1_k_encode.c
src/plugins/preauth/pkinit/pkinit.h
src/plugins/preauth/pkinit/pkinit_clnt.c
src/plugins/preauth/pkinit/pkinit_crypto.h
src/plugins/preauth/pkinit/pkinit_crypto_nss.c
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
src/plugins/preauth/pkinit/pkinit_kdf_constants.c
src/plugins/preauth/pkinit/pkinit_kdf_test.c
src/plugins/preauth/pkinit/pkinit_lib.c
src/plugins/preauth/pkinit/pkinit_srv.c

index 2b7410d25359f2bf730a8961759a2afbc4a2e3d2..481d6b1268a3e0f11b2ad7f8e4083c5fedfd9510 100644 (file)
@@ -47,7 +47,7 @@ typedef struct _krb5_pk_authenticator {
 /* PKAuthenticator draft9 */
 typedef struct _krb5_pk_authenticator_draft9 {
     krb5_principal  kdcName;
-    krb5_octet_data kdcRealm;
+    krb5_data       kdcRealm;
     krb5_int32      cusec;  /* (0..999999) */
     krb5_timestamp  ctime;
     krb5_int32      nonce;  /* (0..4294967295) */
@@ -55,14 +55,14 @@ typedef struct _krb5_pk_authenticator_draft9 {
 
 /* AlgorithmIdentifier */
 typedef struct _krb5_algorithm_identifier {
-    krb5_octet_data algorithm;      /* OID */
-    krb5_octet_data parameters; /* Optional */
+    krb5_data algorithm;      /* OID */
+    krb5_data parameters; /* Optional */
 } krb5_algorithm_identifier;
 
 /* SubjectPublicKeyInfo */
 typedef struct _krb5_subject_pk_info {
     krb5_algorithm_identifier   algorithm;
-    krb5_octet_data             subjectPublicKey; /* BIT STRING */
+    krb5_data                   subjectPublicKey; /* BIT STRING */
 } krb5_subject_pk_info;
 
 /** AuthPack from RFC 4556*/
@@ -70,8 +70,8 @@ typedef struct _krb5_auth_pack {
     krb5_pk_authenticator       pkAuthenticator;
     krb5_subject_pk_info        *clientPublicValue; /* Optional */
     krb5_algorithm_identifier   **supportedCMSTypes; /* Optional */
-    krb5_octet_data             clientDHNonce; /* Optional */
-    krb5_octet_data             **supportedKDFs; /* OIDs of KDFs; OPTIONAL */
+    krb5_data                   clientDHNonce; /* Optional */
+    krb5_data                   **supportedKDFs; /* OIDs of KDFs; OPTIONAL */
 } krb5_auth_pack;
 
 /* AuthPack draft9 */
@@ -82,9 +82,9 @@ typedef struct _krb5_auth_pack_draft9 {
 
 /* ExternalPrincipalIdentifier */
 typedef struct _krb5_external_principal_identifier {
-    krb5_octet_data subjectName; /* Optional */
-    krb5_octet_data issuerAndSerialNumber; /* Optional */
-    krb5_octet_data subjectKeyIdentifier; /* Optional */
+    krb5_data subjectName; /* Optional */
+    krb5_data issuerAndSerialNumber; /* Optional */
+    krb5_data subjectKeyIdentifier; /* Optional */
 } krb5_external_principal_identifier;
 
 /* TrustedCas */
@@ -97,43 +97,43 @@ typedef struct _krb5_trusted_ca {
     } choice;
     union {
         krb5_principal  principalName;
-        krb5_octet_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */
-        krb5_octet_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */
+        krb5_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */
+        krb5_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */
     } u;
 } krb5_trusted_ca;
 
 /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
 typedef struct _krb5_pa_pk_as_req_draft9 {
-    krb5_octet_data signedAuthPack;
+    krb5_data signedAuthPack;
     krb5_trusted_ca **trustedCertifiers; /* Optional array */
-    krb5_octet_data kdcCert; /* Optional */
-    krb5_octet_data encryptionCert;
+    krb5_data kdcCert; /* Optional */
+    krb5_data encryptionCert;
 } krb5_pa_pk_as_req_draft9;
 
 /* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */
 typedef struct _krb5_pa_pk_as_req {
-    krb5_octet_data signedAuthPack;
+    krb5_data signedAuthPack;
     krb5_external_principal_identifier **trustedCertifiers; /* Optional array */
-    krb5_octet_data kdcPkId; /* Optional */
+    krb5_data kdcPkId; /* Optional */
 } krb5_pa_pk_as_req;
 
 /** Pkinit DHRepInfo */
 typedef struct _krb5_dh_rep_info {
-    krb5_octet_data dhSignedData;
-    krb5_octet_data serverDHNonce; /* Optional */
-    krb5_octet_data *kdfID; /* OID of selected KDF OPTIONAL */
+    krb5_data dhSignedData;
+    krb5_data serverDHNonce; /* Optional */
+    krb5_data *kdfID; /* OID of selected KDF OPTIONAL */
 } krb5_dh_rep_info;
 
 /* KDCDHKeyInfo */
 typedef struct _krb5_kdc_dh_key_info {
-    krb5_octet_data subjectPublicKey; /* BIT STRING */
+    krb5_data       subjectPublicKey; /* BIT STRING */
     krb5_int32      nonce;  /* (0..4294967295) */
     krb5_timestamp  dhKeyExpiration; /* Optional */
 } krb5_kdc_dh_key_info;
 
 /* KDCDHKeyInfo draft9*/
 typedef struct _krb5_kdc_dh_key_info_draft9 {
-    krb5_octet_data subjectPublicKey; /* BIT STRING */
+    krb5_data       subjectPublicKey; /* BIT STRING */
     krb5_int32      nonce;  /* (0..4294967295) */
 } krb5_kdc_dh_key_info_draft9;
 
@@ -157,8 +157,8 @@ typedef struct _krb5_pa_pk_as_rep_draft9 {
         choice_pa_pk_as_rep_draft9_encKeyPack = 1
     } choice;
     union {
-        krb5_octet_data dhSignedData;
-        krb5_octet_data encKeyPack;
+        krb5_data dhSignedData;
+        krb5_data encKeyPack;
     } u;
 } krb5_pa_pk_as_rep_draft9;
 
@@ -171,7 +171,7 @@ typedef struct _krb5_pa_pk_as_rep {
     } choice;
     union {
         krb5_dh_rep_info    dh_Info;
-        krb5_octet_data     encKeyPack;
+        krb5_data           encKeyPack;
     } u;
 } krb5_pa_pk_as_rep;
 
@@ -186,8 +186,8 @@ typedef struct _krb5_sp80056a_other_info {
 /* PkinitSuppPubInfo, for pkinit algorithm agility */
 typedef struct _krb5_pkinit_supp_pub_info {
     krb5_enctype      enctype;
-    krb5_octet_data   as_req;
-    krb5_octet_data   pk_as_rep;
+    krb5_data         as_req;
+    krb5_data         pk_as_rep;
 } krb5_pkinit_supp_pub_info;
 
 /*
index 92da68a7e174703c88e2c9acee2572a11c6df6aa..d5524255e4b1bc7cb6079d288f2b9d9592962a68 100644 (file)
@@ -207,6 +207,7 @@ typedef struct _krb5_data {
     char *data;
 } krb5_data;
 
+/* Originally introduced for PKINIT; now unused.  Do not use this. */
 typedef struct _krb5_octet_data {
     krb5_magic magic;
     unsigned int length;
@@ -4651,15 +4652,7 @@ krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val);
 void KRB5_CALLCONV
 krb5_free_data(krb5_context context, krb5_data *val);
 
-/**
- * Free storage associated with a @c krb5_octet_data structure and its pointer.
- *
- * @param [in] context          Context structure
- * @param [in] val              Data structure to be freed
- *
- * @return
- * None
- */
+/* Free a krb5_octet_data structure (should be unused). */
 void KRB5_CALLCONV
 krb5_free_octet_data(krb5_context context, krb5_octet_data *val);
 
index 659fed86c141671f818ed20eca8766cf4b4c8017..53e20454950134e17d2b2294727529c78f89e59a 100644 (file)
@@ -153,11 +153,11 @@ asn1_decode_maybe_unsigned(asn1buf *buf, unsigned long *val)
 }
 
 asn1_error_code
-asn1_decode_oid(asn1buf *buf, unsigned int *retlen, asn1_octet **val)
+asn1_decode_oid(asn1buf *buf, unsigned int *retlen, char **val)
 {
     setup();
     tag(ASN1_OBJECTIDENTIFIER);
-    retval = asn1buf_remove_octetstring(buf, length, val);
+    retval = asn1buf_remove_charstring(buf, length, val);
     if (retval) return retval;
     *retlen = length;
     cleanup();
index d495040c8ac31ec78f30ecda880d8482a2ecc123..0e14491de6e5fe0d934ffe9b8df64cf145f6feab 100644 (file)
@@ -67,7 +67,7 @@ asn1_error_code asn1_decode_maybe_unsigned(asn1buf *buf, unsigned long *val);
 asn1_error_code asn1_decode_null(asn1buf *buf);
 
 asn1_error_code asn1_decode_oid(asn1buf *buf, unsigned int *retlen,
-                                asn1_octet **val);
+                                char **val);
 asn1_error_code asn1_decode_octetstring(asn1buf *buf, unsigned int *retlen,
                                         asn1_octet **val);
 asn1_error_code asn1_decode_generalstring(asn1buf *buf, unsigned int *retlen,
index f1f4e734b6478b2effd847b4dd601ff261c5cd6f..9d052ca37fac77aeec21a1dd3c7aa21b15f4ac52 100644 (file)
@@ -1187,9 +1187,12 @@ asn1_decode_external_principal_identifier(
     val->subjectKeyIdentifier.data = NULL;
     {
         begin_structure();
-        opt_implicit_octet_string(val->subjectName.length, val->subjectName.data, 0);
-        opt_implicit_octet_string(val->issuerAndSerialNumber.length, val->issuerAndSerialNumber.data, 1);
-        opt_implicit_octet_string(val->subjectKeyIdentifier.length, val->subjectKeyIdentifier.data, 2);
+        opt_implicit_charstring(val->subjectName.length, val->subjectName.data,
+                                0);
+        opt_implicit_charstring(val->issuerAndSerialNumber.length,
+                                val->issuerAndSerialNumber.data, 1);
+        opt_implicit_charstring(val->subjectKeyIdentifier.length,
+                                val->subjectKeyIdentifier.data, 2);
         end_structure();
     }
     return 0;
@@ -1305,12 +1308,14 @@ asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val)
         } else if (tagnum == choice_trusted_cas_caName) {
             val->choice = choice_trusted_cas_caName;
             val->u.caName.data = NULL;
-            get_implicit_octet_string(val->u.caName.length, val->u.caName.data, choice_trusted_cas_caName);
+            get_implicit_charstring(val->u.caName.length, val->u.caName.data,
+                                    choice_trusted_cas_caName);
         } else if (tagnum == choice_trusted_cas_issuerAndSerial) {
             val->choice = choice_trusted_cas_issuerAndSerial;
             val->u.issuerAndSerial.data = NULL;
-            get_implicit_octet_string(val->u.issuerAndSerial.length, val->u.issuerAndSerial.data,
-                                      choice_trusted_cas_issuerAndSerial);
+            get_implicit_charstring(val->u.issuerAndSerial.length,
+                                    val->u.issuerAndSerial.data,
+                                    choice_trusted_cas_issuerAndSerial);
         } else clean_return(ASN1_BAD_ID);
         end_choice();
     }
@@ -1349,9 +1354,9 @@ asn1_decode_sequence_of_trusted_ca(asn1buf *buf, krb5_trusted_ca ***val)
 }
 
 static asn1_error_code
-asn1_decode_kdf_alg_id_ptr(asn1buf *buf, krb5_octet_data **valptr)
+asn1_decode_kdf_alg_id_ptr(asn1buf *buf, krb5_data **valptr)
 {
-    decode_ptr(krb5_octet_data *, asn1_decode_kdf_alg_id);
+    decode_ptr(krb5_data *, asn1_decode_kdf_alg_id);
 }
 
 asn1_error_code
@@ -1362,9 +1367,11 @@ asn1_decode_dh_rep_info(asn1buf *buf, krb5_dh_rep_info *val)
     val->serverDHNonce.data = NULL;
     val->kdfID = NULL;
     { begin_structure();
-        get_implicit_octet_string(val->dhSignedData.length, val->dhSignedData.data, 0);
+        get_implicit_charstring(val->dhSignedData.length,
+                                val->dhSignedData.data, 0);
 
-        opt_lenfield(val->serverDHNonce.length, val->serverDHNonce.data, 1, asn1_decode_octetstring);
+        opt_lenfield(val->serverDHNonce.length, val->serverDHNonce.data, 1,
+                     asn1_decode_charstring);
         opt_field(val->kdfID, 2, asn1_decode_kdf_alg_id_ptr, NULL);
         end_structure();
     }
@@ -1372,7 +1379,7 @@ asn1_decode_dh_rep_info(asn1buf *buf, krb5_dh_rep_info *val)
 error_out:
     free(val->dhSignedData.data);
     free(val->serverDHNonce.data);
-    krb5_free_octet_data(NULL, val->kdfID);
+    krb5_free_data(NULL, val->kdfID);
     val->kdfID = NULL;
     val->dhSignedData.data = NULL;
     val->serverDHNonce.data = NULL;
@@ -1451,8 +1458,8 @@ asn1_decode_algorithm_identifier(asn1buf *buf, krb5_algorithm_identifier *val)
         assert(subbuf.next >= subbuf.base);
         if (length > (size_t)(subbuf.next - subbuf.base)) {
             unsigned int size = length - (subbuf.next - subbuf.base);
-            retval = asn1buf_remove_octetstring(&subbuf, size,
-                                                &val->parameters.data);
+            retval = asn1buf_remove_charstring(&subbuf, size,
+                                               &val->parameters.data);
             if (retval) clean_return(retval);
             val->parameters.length = size;
         }
@@ -1504,8 +1511,8 @@ asn1_decode_subject_pk_info(asn1buf *buf, krb5_subject_pk_info *val)
 
         val->subjectPublicKey.length = 0;
         val->subjectPublicKey.data = NULL;
-        retval = asn1buf_remove_octetstring(&subbuf, taglen,
-                                            &val->subjectPublicKey.data);
+        retval = asn1buf_remove_charstring(&subbuf, taglen,
+                                           &val->subjectPublicKey.data);
         if (retval) clean_return(retval);
         val->subjectPublicKey.length = taglen;
         /*
@@ -1549,7 +1556,8 @@ asn1_decode_kdc_dh_key_info(asn1buf *buf, krb5_kdc_dh_key_info *val)
     setup();
     val->subjectPublicKey.data = NULL;
     { begin_structure();
-        retval = asn1buf_remove_octetstring(&subbuf, taglen, &val->subjectPublicKey.data);
+        retval = asn1buf_remove_charstring(&subbuf, taglen,
+                                           &val->subjectPublicKey.data);
         if (retval) clean_return(retval);
         val->subjectPublicKey.length = taglen;
         next_tag();
@@ -1641,8 +1649,9 @@ asn1_decode_pa_pk_as_rep(asn1buf *buf, krb5_pa_pk_as_rep *val)
         } else if (tagnum == choice_pa_pk_as_rep_encKeyPack) {
             val->choice = choice_pa_pk_as_rep_encKeyPack;
             val->u.encKeyPack.data = NULL;
-            get_implicit_octet_string(val->u.encKeyPack.length, val->u.encKeyPack.data,
-                                      choice_pa_pk_as_rep_encKeyPack);
+            get_implicit_charstring(val->u.encKeyPack.length,
+                                    val->u.encKeyPack.data,
+                                    choice_pa_pk_as_rep_encKeyPack);
         } else {
             val->choice = choice_pa_pk_as_rep_UNKNOWN;
         }
@@ -1670,12 +1679,14 @@ asn1_decode_pa_pk_as_rep_draft9(asn1buf *buf, krb5_pa_pk_as_rep_draft9 *val)
             val->choice = choice_pa_pk_as_rep_draft9_dhSignedData;
             val->u.dhSignedData.data = NULL;
             get_lenfield(val->u.dhSignedData.length, val->u.dhSignedData.data,
-                         choice_pa_pk_as_rep_draft9_dhSignedData, asn1_decode_octetstring);
+                         choice_pa_pk_as_rep_draft9_dhSignedData,
+                         asn1_decode_charstring);
         } else if (tagnum == choice_pa_pk_as_rep_draft9_encKeyPack) {
             val->choice = choice_pa_pk_as_rep_draft9_encKeyPack;
             val->u.encKeyPack.data = NULL;
             get_lenfield(val->u.encKeyPack.length, val->u.encKeyPack.data,
-                         choice_pa_pk_as_rep_draft9_encKeyPack, asn1_decode_octetstring);
+                         choice_pa_pk_as_rep_draft9_encKeyPack,
+                         asn1_decode_charstring);
         } else {
             val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN;
         }
@@ -1692,7 +1703,7 @@ error_out:
 }
 
 asn1_error_code
-asn1_decode_kdf_alg_id( asn1buf *buf, krb5_octet_data *val)
+asn1_decode_kdf_alg_id( asn1buf *buf, krb5_data *val)
 {
     setup();
     val->data = NULL;
@@ -1707,11 +1718,9 @@ error_out:
 }
 
 asn1_error_code
-asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf,
-                                   krb5_octet_data ***val)
+asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf, krb5_data ***val)
 {
-    decode_array_body(krb5_octet_data, asn1_decode_kdf_alg_id_ptr,
-                      krb5_free_octet_data);
+    decode_array_body(krb5_data, asn1_decode_kdf_alg_id_ptr, krb5_free_data);
 }
 
 #endif /* DISABLE_PKINIT */
index 7ce32956c4a8643b1cc8f47bf8d7ad1225a34bb1..71eebb14ad198c6e24fd9605af7a1886f2c76bc4 100644 (file)
@@ -277,10 +277,9 @@ asn1_error_code asn1_decode_iakerb_finished(asn1buf *buf,
                                             krb5_iakerb_finished *val);
 
 asn1_error_code
-asn1_decode_kdf_alg_id(asn1buf *buf, krb5_octet_data *val);
+asn1_decode_kdf_alg_id(asn1buf *buf, krb5_data *val);
 
 asn1_error_code
-asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf,
-                                   krb5_octet_data ***val);
+asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf, krb5_data ***val);
 
 #endif
index 73abbd4c4ef4f1c5e9b2750ee3a55a3f1f21d718..c340abcfdb6b22bfdb083fe4556fea895db062e6 100644 (file)
@@ -131,9 +131,9 @@ asn1_decode_pa_pk_as_req(asn1buf *buf, krb5_pa_pk_as_req *val)
     val->kdcPkId.data = NULL;
     {
         begin_structure();
-        get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0);
+        get_implicit_charstring(val->signedAuthPack.length, val->signedAuthPack.data, 0);
         opt_field(val->trustedCertifiers, 1, asn1_decode_sequence_of_external_principal_identifier, NULL);
-        opt_implicit_octet_string(val->kdcPkId.length, val->kdcPkId.data, 2);
+        opt_implicit_charstring(val->kdcPkId.length, val->kdcPkId.data, 2);
         end_structure();
     }
     return 0;
@@ -167,10 +167,10 @@ asn1_decode_pa_pk_as_req_draft9(asn1buf *buf, krb5_pa_pk_as_req_draft9 *val)
     val->encryptionCert.data = NULL;
     val->trustedCertifiers = NULL;
     { begin_structure();
-        get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0);
+        get_implicit_charstring(val->signedAuthPack.length, val->signedAuthPack.data, 0);
         opt_field(val->trustedCertifiers, 1, asn1_decode_sequence_of_trusted_ca, NULL);
-        opt_lenfield(val->kdcCert.length, val->kdcCert.data, 2, asn1_decode_octetstring);
-        opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 2, asn1_decode_octetstring);
+        opt_lenfield(val->kdcCert.length, val->kdcCert.data, 2, asn1_decode_charstring);
+        opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 2, asn1_decode_charstring);
         end_structure();
     }
     return 0;
@@ -238,7 +238,7 @@ asn1_decode_auth_pack(asn1buf *buf, krb5_auth_pack *val)
                 next_tag();
             } else val->supportedCMSTypes = NULL;
         }
-        opt_lenfield(val->clientDHNonce.length, val->clientDHNonce.data, 3, asn1_decode_octetstring);
+        opt_lenfield(val->clientDHNonce.length, val->clientDHNonce.data, 3, asn1_decode_charstring);
         opt_field(val->supportedKDFs, 4, asn1_decode_sequence_of_kdf_alg_id, NULL);
         end_structure();
     }
@@ -259,7 +259,7 @@ error_out:
     free(val->clientDHNonce.data);
     if (val->supportedKDFs) {
         for (i = 0; val->supportedKDFs[i]; i++)
-            krb5_free_octet_data(NULL, val->supportedKDFs[i]);
+            krb5_free_data(NULL, val->supportedKDFs[i]);
         free(val->supportedKDFs);
         val->supportedKDFs = NULL;
     }
index e7c8a54ebc6bfcd668ba4095f47d8ed5f8e2b6d2..60da045ceb49e7e42073cee776a6132b4f19b32b 100644 (file)
@@ -202,20 +202,20 @@ asn1_get_eoc_tag (asn1buf *buf)
 /*
  * Deal with implicitly tagged fields
  */
-#define get_implicit_octet_string(len, var, tagexpect)                  \
+#define get_implicit_charstring(len, var, tagexpect)                    \
     if (tagnum != (tagexpect)) clean_return(ASN1_MISSING_FIELD);        \
     if (asn1class != CONTEXT_SPECIFIC || construction != PRIMITIVE)     \
         clean_return(ASN1_BAD_ID);                                      \
-    retval = asn1buf_remove_octetstring(&subbuf, taglen, &(var));       \
+    retval = asn1buf_remove_charstring(&subbuf, taglen, &(var));        \
     if (retval) clean_return(retval);                                   \
     (len) = taglen;                                                     \
     next_tag()
 
-#define opt_implicit_octet_string(len, var, tagexpect)                  \
+#define opt_implicit_charstring(len, var, tagexpect)                    \
     if (tagnum == (tagexpect)) {                                        \
         if (asn1class != CONTEXT_SPECIFIC || construction != PRIMITIVE) \
             clean_return(ASN1_BAD_ID);                                  \
-        retval = asn1buf_remove_octetstring(&subbuf, taglen, &(var));   \
+        retval = asn1buf_remove_charstring(&subbuf, taglen, &(var));    \
         if (retval) clean_return(retval);                               \
         (len) = taglen;                                                 \
         next_tag();                                                     \
index 018aae8775951eaaaecd4bd1fe183a28447283d6..351281eeb510ac2bd6a0e2b75f76648c354990d6 100644 (file)
@@ -1622,15 +1622,15 @@ asn1_error_code asn1_encode_krb5_substructure(asn1buf *buf,
 #ifndef DISABLE_PKINIT
 
 DEFFNXTYPE(algorithm_identifier, krb5_algorithm_identifier, asn1_encode_algorithm_identifier);
-DEFFNLENTYPE(object_identifier, asn1_octet *, asn1_encode_oid);
-DEFFIELDTYPE(oid_data, krb5_octet_data,
-             FIELDOF_STRING(krb5_octet_data,object_identifier, data, length, -1));
+DEFFNLENTYPE(object_identifier, char *, asn1_encode_oid);
+DEFFIELDTYPE(oid_data, krb5_data,
+             FIELDOF_STRING(krb5_data, object_identifier, data, length, -1));
 DEFPTRTYPE(oid_data_ptr, oid_data);
 
 static const struct field_info kdf_alg_id_fields[] = {
-    FIELDOF_ENCODEAS(krb5_octet_data, oid_data, 0)
+    FIELDOF_ENCODEAS(krb5_data, oid_data, 0)
 };
-DEFSEQTYPE(kdf_alg_id, krb5_octet_data, kdf_alg_id_fields, NULL);
+DEFSEQTYPE(kdf_alg_id, krb5_data, kdf_alg_id_fields, NULL);
 DEFPTRTYPE(kdf_alg_id_ptr, kdf_alg_id);
 DEFNONEMPTYNULLTERMSEQOFTYPE(supported_kdfs, kdf_alg_id_ptr);
 DEFPTRTYPE(supported_kdfs_ptr, supported_kdfs);
@@ -1664,8 +1664,8 @@ DEFSEQTYPE(sp80056a_other_info, krb5_sp80056a_other_info, sp80056a_other_info_fi
 /* For PkinitSuppPubInfo, for pkinit agility */
 static const struct field_info pkinit_supp_pub_info_fields[] = {
     FIELDOF_NORM(krb5_pkinit_supp_pub_info, int32, enctype, 0),
-    FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, as_req.data, as_req.length, 1),
-    FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, pk_as_rep.data, pk_as_rep.length, 2),
+    FIELDOF_STRING(krb5_pkinit_supp_pub_info, charstring, as_req.data, as_req.length, 1),
+    FIELDOF_STRING(krb5_pkinit_supp_pub_info, charstring, pk_as_rep.data, pk_as_rep.length, 2),
 };
 
 DEFSEQTYPE(pkinit_supp_pub_info, krb5_pkinit_supp_pub_info, pkinit_supp_pub_info_fields, NULL);
index 48e57fe87f0e3a6348f47ba098fffd771b06b153..7970746d958db4419eb137d061fe2510b60c46c9 100644 (file)
@@ -115,7 +115,7 @@ static inline void pkiDebug (const char *fmt, ...) { }
 #define OCTETDATA_TO_KRB5DATA(octd, k5d) \
     (k5d)->length = (octd)->length; (k5d)->data = (char *)(octd)->data;
 
-extern const krb5_octet_data dh_oid;
+extern const krb5_data dh_oid;
 
 /*
  * notes about crypto contexts:
@@ -322,7 +322,7 @@ void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in);
 void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
 void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
 void free_krb5_subject_pk_info(krb5_subject_pk_info **in);
-krb5_error_code pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src);
+krb5_error_code pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src);
 
 
 /*
index e574c3c8f9a2193956214fd85a2ad4e56f7efb51..cf406fd0caf8bc11033e7aff01822335679a95a2 100644 (file)
@@ -261,8 +261,7 @@ pkinit_as_req_create(krb5_context context,
         auth_pack9->pkAuthenticator.nonce = nonce;
         auth_pack9->pkAuthenticator.kdcName = server;
         auth_pack9->pkAuthenticator.kdcRealm.magic = 0;
-        auth_pack9->pkAuthenticator.kdcRealm.data =
-            (unsigned char *)server->realm.data;
+        auth_pack9->pkAuthenticator.kdcRealm.data = server->realm.data;
         auth_pack9->pkAuthenticator.kdcRealm.length = server->realm.length;
         free(cksum->contents);
         break;
@@ -279,7 +278,7 @@ pkinit_as_req_create(krb5_context context,
         auth_pack->pkAuthenticator.paChecksum = *cksum;
         auth_pack->clientDHNonce.length = 0;
         auth_pack->clientPublicValue = info;
-        auth_pack->supportedKDFs = (krb5_octet_data **) supported_kdf_alg_ids;
+        auth_pack->supportedKDFs = (krb5_data **) supported_kdf_alg_ids;
 
         /* add List of CMS algorithms */
         retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
@@ -298,7 +297,7 @@ pkinit_as_req_create(krb5_context context,
     switch(protocol) {
     case DH_PROTOCOL:
         pkiDebug("as_req: DH key transport algorithm\n");
-        retval = pkinit_copy_krb5_octet_data(&info->algorithm.algorithm, &dh_oid);
+        retval = pkinit_copy_krb5_data(&info->algorithm.algorithm, &dh_oid);
         if (retval) {
             pkiDebug("failed to copy dh_oid\n");
             goto cleanup;
@@ -307,8 +306,10 @@ pkinit_as_req_create(krb5_context context,
         /* create client-side DH keys */
         if ((retval = client_create_dh(context, plgctx->cryptoctx,
                                        reqctx->cryptoctx, reqctx->idctx, reqctx->opts->dh_size,
+                                       (unsigned char **)
                                        &info->algorithm.parameters.data,
                                        &info->algorithm.parameters.length,
+                                       (unsigned char **)
                                        &info->subjectPublicKey.data,
                                        &info->subjectPublicKey.length)) != 0) {
             pkiDebug("failed to create dh parameters\n");
@@ -365,9 +366,11 @@ pkinit_as_req_create(krb5_context context,
         if (use_content_info(context, reqctx, client)) {
             retval = cms_contentinfo_create(context, plgctx->cryptoctx,
                                             reqctx->cryptoctx, reqctx->idctx,
-                                            CMS_SIGN_CLIENT, (unsigned char *)
+                                            CMS_SIGN_CLIENT,
+                                            (unsigned char *)
                                             coded_auth_pack->data,
                                             coded_auth_pack->length,
+                                            (unsigned char **)
                                             &req->signedAuthPack.data,
                                             &req->signedAuthPack.length);
         } else {
@@ -377,6 +380,7 @@ pkinit_as_req_create(krb5_context context,
                                            (unsigned char *)
                                            coded_auth_pack->data,
                                            coded_auth_pack->length,
+                                           (unsigned char **)
                                            &req->signedAuthPack.data,
                                            &req->signedAuthPack.length);
         }
@@ -394,8 +398,11 @@ pkinit_as_req_create(krb5_context context,
         }
         retval = cms_signeddata_create(context, plgctx->cryptoctx,
                                        reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_DRAFT9, 1,
-                                       (unsigned char *)coded_auth_pack->data, coded_auth_pack->length,
-                                       &req9->signedAuthPack.data, &req9->signedAuthPack.length);
+                                       (unsigned char *)coded_auth_pack->data,
+                                       coded_auth_pack->length,
+                                       (unsigned char **)
+                                       &req9->signedAuthPack.data,
+                                       &req9->signedAuthPack.length);
         break;
 #ifdef DEBUG_ASN1
         print_buffer_bin((unsigned char *)req9->signedAuthPack.data,
@@ -417,7 +424,8 @@ pkinit_as_req_create(krb5_context context,
         if (retval)
             goto cleanup;
         retval = create_issuerAndSerial(context, plgctx->cryptoctx,
-                                        reqctx->cryptoctx, reqctx->idctx, &req->kdcPkId.data,
+                                        reqctx->cryptoctx, reqctx->idctx,
+                                        (unsigned char **)&req->kdcPkId.data,
                                         &req->kdcPkId.length);
         if (retval)
             goto cleanup;
@@ -435,7 +443,8 @@ pkinit_as_req_create(krb5_context context,
 
 #endif
         retval = create_issuerAndSerial(context, plgctx->cryptoctx,
-                                        reqctx->cryptoctx, reqctx->idctx, &req9->kdcCert.data,
+                                        reqctx->cryptoctx, reqctx->idctx,
+                                        (unsigned char **)&req9->kdcCert.data,
                                         &req9->kdcCert.length);
         if (retval)
             goto cleanup;
@@ -678,12 +687,12 @@ pkinit_as_rep_parse(krb5_context context,
     krb5_kdc_dh_key_info *kdc_dh = NULL;
     krb5_reply_key_pack *key_pack = NULL;
     krb5_reply_key_pack_draft9 *key_pack9 = NULL;
-    krb5_octet_data dh_data = { 0, 0, NULL };
+    krb5_data dh_data = { 0, 0, NULL };
     unsigned char *client_key = NULL, *kdc_hostname = NULL;
     unsigned int client_key_len = 0;
     krb5_checksum cksum = {0, 0, 0, NULL};
     krb5_data k5data;
-    krb5_octet_data secret;
+    krb5_data secret;
     int valid_san = 0;
     int valid_eku = 0;
     int need_eku_checking = 1;
@@ -710,9 +719,11 @@ pkinit_as_rep_parse(krb5_context context,
         if ((retval = cms_signeddata_verify(context, plgctx->cryptoctx,
                                             reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_SERVER,
                                             reqctx->opts->require_crl_checking,
+                                            (unsigned char *)
                                             kdc_reply->u.dh_Info.dhSignedData.data,
                                             kdc_reply->u.dh_Info.dhSignedData.length,
-                                            &dh_data.data, &dh_data.length,
+                                            (unsigned char **)&dh_data.data,
+                                            &dh_data.length,
                                             NULL, NULL, NULL)) != 0) {
             pkiDebug("failed to verify pkcs7 signed data\n");
             goto cleanup;
@@ -724,9 +735,11 @@ pkinit_as_rep_parse(krb5_context context,
         if ((retval = cms_envelopeddata_verify(context, plgctx->cryptoctx,
                                                reqctx->cryptoctx, reqctx->idctx, pa_type,
                                                reqctx->opts->require_crl_checking,
+                                               (unsigned char *)
                                                kdc_reply->u.encKeyPack.data,
                                                kdc_reply->u.encKeyPack.length,
-                                               &dh_data.data, &dh_data.length)) != 0) {
+                                               (unsigned char **)&dh_data.data,
+                                               &dh_data.length)) != 0) {
             pkiDebug("failed to verify pkcs7 enveloped data\n");
             goto cleanup;
         }
@@ -787,6 +800,7 @@ pkinit_as_rep_parse(krb5_context context,
         /* client after KDC reply */
         if ((retval = client_process_dh(context, plgctx->cryptoctx,
                                         reqctx->cryptoctx, reqctx->idctx,
+                                        (unsigned char *)
                                         kdc_dh->subjectPublicKey.data,
                                         kdc_dh->subjectPublicKey.length,
                                         &client_key, &client_key_len)) != 0) {
@@ -797,15 +811,13 @@ pkinit_as_rep_parse(krb5_context context,
         /* If we have a KDF algorithm ID, call the algorithm agility KDF... */
         if (kdc_reply->u.dh_Info.kdfID) {
             secret.length = client_key_len;
-            secret.data = client_key;
+            secret.data = (char *)client_key;
 
             retval = pkinit_alg_agility_kdf(context, &secret,
                                             kdc_reply->u.dh_Info.kdfID,
-                                            request->client,
-                                            request->server, etype,
-                                            (krb5_octet_data *)encoded_request,
-                                            (krb5_octet_data *)as_rep,
-                                            key_block);
+                                            request->client, request->server,
+                                            etype, encoded_request,
+                                            (krb5_data *)as_rep, key_block);
 
             if (retval) {
                 pkiDebug("failed to create key pkinit_alg_agility_kdf %s\n",
index c1bd32d8c12da68d8b9d753a37e6cea27fa3682c..e42943d57c9d584dde031389d914a1adee94336f 100644 (file)
@@ -348,7 +348,7 @@ krb5_error_code server_check_dh
        pkinit_plg_crypto_context plg_cryptoctx,        /* IN */
        pkinit_req_crypto_context req_cryptoctx,        /* IN */
        pkinit_identity_crypto_context id_cryptoctx,    /* IN */
-       krb5_octet_data *dh_params,                     /* IN
+       krb5_data *dh_params,                           /* IN
                    ???? */
        int minbits);                                   /* IN
                    the mininum number of key bits acceptable */
@@ -636,13 +636,13 @@ krb5_error_code pkinit_identity_set_prompter
 
 krb5_error_code
 pkinit_alg_agility_kdf(krb5_context context,
-                       krb5_octet_data *secret,
-                       krb5_octet_data *alg_oid,
+                       krb5_data *secret,
+                       krb5_data *alg_oid,
                        krb5_const_principal party_u_info,
                        krb5_const_principal party_v_info,
                        krb5_enctype enctype,
-                       krb5_octet_data *as_req,
-                       krb5_octet_data *pk_as_rep,
+                       krb5_data *as_req,
+                       krb5_data *pk_as_rep,
                        krb5_keyblock *key_block);
 
 extern const krb5_octet krb5_pkinit_sha1_oid[];
@@ -652,10 +652,10 @@ extern const size_t krb5_pkinit_sha256_oid_len;
 extern const krb5_octet krb5_pkinit_sha512_oid[];
 extern const size_t  krb5_pkinit_sha512_oid_len;
 /**
- * An ordered set of OIDs, stored as krb5_octet_data of KDF algorithms
+ * An ordered set of OIDs, stored as krb5_data, of KDF algorithms
  * supported by this implementation. The order of this array controls
  * the order in which the server will pick.
  */
-extern const krb5_octet_data const *supported_kdf_alg_ids[] ;
+extern const krb5_data const *supported_kdf_alg_ids[] ;
 
 #endif /* _PKINIT_CRYPTO_H */
index 1a83083fe3a06a11c993cdf88d39efe7d0f95c5f..3aa44bc4c888db7780b29b531c1a068154b207e2 100644 (file)
@@ -1531,7 +1531,7 @@ server_check_dh(krb5_context context,
                 pkinit_plg_crypto_context plg_cryptoctx,
                 pkinit_req_crypto_context req_cryptoctx,
                 pkinit_identity_crypto_context id_cryptoctx,
-                krb5_octet_data *dh_params, int minbits)
+                krb5_data *dh_params, int minbits)
 {
     PLArenaPool *pool;
     SECItem item;
@@ -1540,7 +1540,7 @@ server_check_dh(krb5_context context,
     if (pool == NULL)
         return ENOMEM;
 
-    item.data = dh_params->data;
+    item.data = (unsigned char *)dh_params->data;
     item.len = dh_params->length;
     memset(&req_cryptoctx->client_dh_params, 0,
            sizeof(req_cryptoctx->client_dh_params));
@@ -1757,7 +1757,8 @@ create_krb5_supportedCMSTypes(krb5_context context,
         memset(id, 0, sizeof(*id));
         ids[i] = id;
         oid = SECOID_FindOIDByTag(oids[i]);
-        if (secitem_to_buf_len(&oid->oid, &id->algorithm.data,
+        if (secitem_to_buf_len(&oid->oid,
+                               (unsigned char **)&id->algorithm.data,
                                &id->algorithm.length) != 0) {
             free(ids[i]);
             free_n_algorithm_identifiers(ids, i - 1);
@@ -1841,9 +1842,11 @@ create_krb5_trustedCertifiers(krb5_context context,
              * of the pkinit module. */
             if ((node->cert->keyIDGenerated ?
                  secitem_to_buf_len(&node->cert->derSubject,
+                                    (unsigned char **)
                                     &id->subjectName.data,
                                     &id->subjectName.length) :
                  secitem_to_buf_len(&node->cert->subjectKeyID,
+                                    (unsigned char **)
                                     &id->subjectKeyIdentifier.data,
                                     &id->subjectKeyIdentifier.length)) != 0) {
                 /* Free the earlier items. */
@@ -3313,9 +3316,9 @@ pkinit_create_td_dh_parameters(krb5_context context,
             continue;
         /* Add it to the list. */
         memset(&id[j], 0, sizeof(id[j]));
-        id[j].algorithm.data = oid->data;
+        id[j].algorithm.data = (char *)oid->data;
         id[j].algorithm.length = oid->len;
-        id[j].parameters.data = tmp.data;
+        id[j].parameters.data = (char *)tmp.data;
         id[j].parameters.length = tmp.len;
         ids[j] = &id[j];
         j++;
@@ -3368,7 +3371,7 @@ pkinit_process_td_dh_params(krb5_context context,
     for (i = 0; (algId != NULL) && (algId[i] != NULL); i++) {
         /* Decode the domain parameters. */
         item.len = algId[i]->parameters.length;
-        item.data = algId[i]->parameters.data;
+        item.data = (unsigned char *)algId[i]->parameters.data;
         memset(&params, 0, sizeof(params));
         if (SEC_ASN1DecodeItem(req_cryptoctx->pool, &params,
                                domain_parameters_template,
@@ -3418,11 +3421,11 @@ pkinit_create_td_invalid_certificate(krb5_context context,
         if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn,
                                issuer_and_serial_number_template) != &item)
             return ENOMEM;
-        id.issuerAndSerialNumber.data = item.data;
+        id.issuerAndSerialNumber.data = (char *)item.data;
         id.issuerAndSerialNumber.length = item.len;
     } else {
         item = invalid->subjectKeyID;
-        id.subjectKeyIdentifier.data = item.data;
+        id.subjectKeyIdentifier.data = (char *)item.data;
         id.subjectKeyIdentifier.length = item.len;
     }
     ids[0] = &id;
@@ -3573,11 +3576,11 @@ pkinit_create_td_trusted_certifiers(krb5_context context,
                 CERT_DestroyCertList(clist);
                 return ENOMEM;
             }
-            id[i].issuerAndSerialNumber.data = item.data;
+            id[i].issuerAndSerialNumber.data = (char *)item.data;
             id[i].issuerAndSerialNumber.length = item.len;
         } else {
             item = node->cert->subjectKeyID;
-            id[i].subjectKeyIdentifier.data = item.data;
+            id[i].subjectKeyIdentifier.data = (char *)item.data;
             id[i].subjectKeyIdentifier.length = item.len;
         }
         ids[i] = &id[i];
@@ -3810,22 +3813,22 @@ pkinit_octetstring2key(krb5_context context,
 /* Return TRUE if the item and the "algorithm" part of the algorithm identifier
  * are the same. */
 static PRBool
-octet_data_and_data_and_length_equal(const krb5_octet_data *octets,
-                                     const void *data, size_t len)
+data_and_ptr_and_length_equal(const krb5_data *data,
+                              const void *ptr, size_t len)
 {
-    return (octets->length == len) && (memcmp(octets->data, data, len) == 0);
+    return (data->length == len) && (memcmp(data->data, ptr, len) == 0);
 }
 
 /* Encode the other info used by the agility KDF.  Taken almost verbatim from
  * parts of the agility KDF in pkinit_crypto_openssl.c */
 static krb5_error_code
 encode_agility_kdf_other_info(krb5_context context,
-                              krb5_octet_data *alg_oid,
+                              krb5_data *alg_oid,
                               krb5_const_principal party_u_info,
                               krb5_const_principal party_v_info,
                               krb5_enctype enctype,
-                              krb5_octet_data *as_req,
-                              krb5_octet_data *pk_as_rep,
+                              krb5_data *as_req,
+                              krb5_data *pk_as_rep,
                               krb5_data **other_info)
 {
     krb5_error_code retval = 0;
@@ -3873,13 +3876,13 @@ cleanup:
  * one that we support. */
 krb5_error_code
 pkinit_alg_agility_kdf(krb5_context context,
-                       krb5_octet_data *secret,
-                       krb5_octet_data *alg_oid,
+                       krb5_data *secret,
+                       krb5_data *alg_oid,
                        krb5_const_principal party_u_info,
                        krb5_const_principal party_v_info,
                        krb5_enctype enctype,
-                       krb5_octet_data *as_req,
-                       krb5_octet_data *pk_as_rep,
+                       krb5_data *as_req,
+                       krb5_data *pk_as_rep,
                        krb5_keyblock *key_block)
 {
     krb5_data *other_info = NULL;
@@ -3894,30 +3897,27 @@ pkinit_alg_agility_kdf(krb5_context context,
     if (retval != 0)
         return retval;
 
-    if (octet_data_and_data_and_length_equal(alg_oid,
-                                             krb5_pkinit_sha512_oid,
-                                             krb5_pkinit_sha512_oid_len))
+    if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha512_oid,
+                                      krb5_pkinit_sha512_oid_len))
         retval = pkinit_octetstring_hkdf(context,
                                          SEC_OID_SHA512, 1, 4, enctype,
-                                         secret->data, secret->length,
-                                         other_info->data, other_info->length,
-                                         key_block);
-    else if (octet_data_and_data_and_length_equal(alg_oid,
-                                                  krb5_pkinit_sha256_oid,
-                                                  krb5_pkinit_sha256_oid_len))
+                                         (unsigned char *)secret->data,
+                                         secret->length, other_info->data,
+                                         other_info->length, key_block);
+    else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha256_oid,
+                                           krb5_pkinit_sha256_oid_len))
         retval = pkinit_octetstring_hkdf(context,
                                          SEC_OID_SHA256, 1, 4, enctype,
-                                         secret->data, secret->length,
-                                         other_info->data, other_info->length,
-                                         key_block);
-    else if (octet_data_and_data_and_length_equal(alg_oid,
-                                                  krb5_pkinit_sha1_oid,
-                                                  krb5_pkinit_sha1_oid_len))
+                                         (unsigned char *)secret->data,
+                                         secret->length, other_info->data,
+                                         other_info->length, key_block);
+    else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha1_oid,
+                                           krb5_pkinit_sha1_oid_len))
         retval = pkinit_octetstring_hkdf(context,
                                          SEC_OID_SHA1, 1, 4, enctype,
-                                         secret->data, secret->length,
-                                         other_info->data, other_info->length,
-                                         key_block);
+                                         (unsigned char *)secret->data,
+                                         secret->length, other_info->data,
+                                         other_info->length, key_block);
     else
         retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF;
 
index 571e309eecfd0cb8af1530d763e86b35c1fd405d..2fb506821f26d3921c3770b521d1a685a676adb6 100644 (file)
@@ -2305,7 +2305,7 @@ cleanup:
  */
 static krb5_error_code
 pkinit_alg_values(krb5_context context,
-                  const krb5_octet_data *alg_id,
+                  const krb5_data *alg_id,
                   size_t *hash_bytes,
                   const EVP_MD *(**func)(void))
 {
@@ -2356,13 +2356,13 @@ pkinit_alg_values(krb5_context context,
  */
 krb5_error_code
 pkinit_alg_agility_kdf(krb5_context context,
-                       krb5_octet_data *secret,
-                       krb5_octet_data *alg_oid,
+                       krb5_data *secret,
+                       krb5_data *alg_oid,
                        krb5_const_principal party_u_info,
                        krb5_const_principal party_v_info,
                        krb5_enctype enctype,
-                       krb5_octet_data *as_req,
-                       krb5_octet_data *pk_as_rep,
+                       krb5_data *as_req,
+                       krb5_data *pk_as_rep,
                        krb5_keyblock *key_block)
 {
     krb5_error_code retval = 0;
@@ -2703,7 +2703,7 @@ server_check_dh(krb5_context context,
                 pkinit_plg_crypto_context cryptoctx,
                 pkinit_req_crypto_context req_cryptoctx,
                 pkinit_identity_crypto_context id_cryptoctx,
-                krb5_octet_data *dh_params,
+                krb5_data *dh_params,
                 int minbits)
 {
     DH *dh = NULL;
@@ -2711,7 +2711,7 @@ server_check_dh(krb5_context context,
     int dh_prime_bits;
     krb5_error_code retval = KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
 
-    tmp = dh_params->data;
+    tmp = (unsigned char *)dh_params->data;
     dh = DH_new();
     dh = pkinit_decode_dh_params(&dh, &tmp, dh_params->length);
     if (dh == NULL) {
@@ -3309,7 +3309,7 @@ pkinit_process_td_dh_params(krb5_context context,
             memcmp(algId[i]->algorithm.data, dh_oid.data, dh_oid.length))
             goto cleanup;
 
-        tmp = algId[i]->parameters.data;
+        tmp = (unsigned char *)algId[i]->parameters.data;
         dh = DH_new();
         dh = pkinit_decode_dh_params(&dh, &tmp, algId[i]->parameters.length);
         dh_prime_bits = BN_num_bits(dh->p);
@@ -5447,8 +5447,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk,
 
         xn = X509_get_subject_name(x);
         len = i2d_X509_NAME(xn, NULL);
-        if ((p = krb5_cas[i]->subjectName.data = malloc((size_t) len)) == NULL)
+        if ((p = malloc((size_t) len)) == NULL)
             goto cleanup;
+        krb5_cas[i]->subjectName.data = (char *)p;
         i2d_X509_NAME(xn, &p);
         krb5_cas[i]->subjectName.length = len;
 
@@ -5465,9 +5466,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk,
             M_ASN1_INTEGER_free(is->serial);
             is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
             len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
-            if ((p = krb5_cas[i]->issuerAndSerialNumber.data =
-                 malloc((size_t) len)) == NULL)
+            if ((p = malloc((size_t) len)) == NULL)
                 goto cleanup;
+            krb5_cas[i]->issuerAndSerialNumber.data = (char *)p;
             i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
             krb5_cas[i]->issuerAndSerialNumber.length = len;
 #ifdef LONGHORN_BETA_COMPAT
@@ -5489,9 +5490,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk,
                 if ((ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL,
                                                NULL))) {
                     len = i2d_ASN1_OCTET_STRING(ikeyid, NULL);
-                    if ((p = krb5_cas[i]->subjectKeyIdentifier.data =
-                         malloc((size_t) len)) == NULL)
+                    if ((p = malloc((size_t) len)) == NULL)
                         goto cleanup;
+                    krb5_cas[i]->subjectKeyIdentifier.data = (char *)p;
                     i2d_ASN1_OCTET_STRING(ikeyid, &p);
                     krb5_cas[i]->subjectKeyIdentifier.length = len;
                 }
@@ -5558,7 +5559,7 @@ create_krb5_supportedCMSTypes(krb5_context context,
 
     krb5_error_code retval = ENOMEM;
     krb5_algorithm_identifier **loids = NULL;
-    krb5_octet_data des3oid = {0, 8, (unsigned char *)"\x2A\x86\x48\x86\xF7\x0D\x03\x07" };
+    krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" };
 
     *oids = NULL;
     loids = malloc(2 * sizeof(krb5_algorithm_identifier *));
@@ -5570,7 +5571,7 @@ create_krb5_supportedCMSTypes(krb5_context context,
         free(loids);
         goto cleanup;
     }
-    retval = pkinit_copy_krb5_octet_data(&loids[0]->algorithm, &des3oid);
+    retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid);
     if (retval) {
         free(loids[0]);
         free(loids);
@@ -5652,9 +5653,9 @@ create_krb5_trustedCas(krb5_context context,
             krb5_cas[i]->u.caName.length = 0;
             xn = X509_get_subject_name(x);
             len = i2d_X509_NAME(xn, NULL);
-            if ((p = krb5_cas[i]->u.caName.data =
-                 malloc((size_t) len)) == NULL)
+            if ((p = malloc((size_t) len)) == NULL)
                 goto cleanup;
+            krb5_cas[i]->u.caName.data = (char *)p;
             i2d_X509_NAME(xn, &p);
             krb5_cas[i]->u.caName.length = len;
             break;
@@ -5667,9 +5668,9 @@ create_krb5_trustedCas(krb5_context context,
             M_ASN1_INTEGER_free(is->serial);
             is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x));
             len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL);
-            if ((p = krb5_cas[i]->u.issuerAndSerial.data =
-                 malloc((size_t) len)) == NULL)
+            if ((p = malloc((size_t) len)) == NULL)
                 goto cleanup;
+            krb5_cas[i]->u.issuerAndSerial.data = (char *)p;
             i2d_PKCS7_ISSUER_AND_SERIAL(is, &p);
             krb5_cas[i]->u.issuerAndSerial.length = len;
             if (is != NULL) {
@@ -5789,7 +5790,7 @@ pkinit_process_td_trusted_certifiers(
     sk_xn = sk_X509_NAME_new_null();
     while(krb5_trusted_certifiers[i] != NULL) {
         if (krb5_trusted_certifiers[i]->subjectName.data != NULL) {
-            p = krb5_trusted_certifiers[i]->subjectName.data;
+            p = (unsigned char *)krb5_trusted_certifiers[i]->subjectName.data;
             xn = d2i_X509_NAME(NULL, &p,
                                (int)krb5_trusted_certifiers[i]->subjectName.length);
             if (xn == NULL)
@@ -5803,7 +5804,8 @@ pkinit_process_td_trusted_certifiers(
         }
 
         if (krb5_trusted_certifiers[i]->issuerAndSerialNumber.data != NULL) {
-            p = krb5_trusted_certifiers[i]->issuerAndSerialNumber.data;
+            p = (unsigned char *)
+                krb5_trusted_certifiers[i]->issuerAndSerialNumber.data;
             is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p,
                                              (int)krb5_trusted_certifiers[i]->issuerAndSerialNumber.length);
             if (is == NULL)
@@ -5819,7 +5821,8 @@ pkinit_process_td_trusted_certifiers(
         }
 
         if (krb5_trusted_certifiers[i]->subjectKeyIdentifier.data != NULL) {
-            p = krb5_trusted_certifiers[i]->subjectKeyIdentifier.data;
+            p = (unsigned char *)
+                krb5_trusted_certifiers[i]->subjectKeyIdentifier.data;
             id = d2i_ASN1_OCTET_STRING(NULL, &p,
                                        (int)krb5_trusted_certifiers[i]->subjectKeyIdentifier.length);
             if (id == NULL)
index 7234004334da1bfb654978a4b436d08cb2f51f0c..55e67cd3a3b20f62ee311e169be5a468a65ef598 100644 (file)
@@ -57,14 +57,14 @@ const krb5_octet krb5_pkinit_sha512_oid [8] =
 const size_t krb5_pkinit_sha512_oid_len = 8;
 
 #define oid_as_data(var, oid_base)                      \
-    const krb5_octet_data var =                         \
-    {0, sizeof oid_base, (krb5_octet *) oid_base}
+    const krb5_data var =                               \
+    {0, sizeof oid_base, (char *)oid_base}
 oid_as_data(sha1_id, krb5_pkinit_sha1_oid);
 oid_as_data(sha256_id, krb5_pkinit_sha256_oid);
 oid_as_data(sha512_id, krb5_pkinit_sha512_oid);
 #undef oid_as_data
 
-const krb5_octet_data const *supported_kdf_alg_ids[] = {
+const krb5_data const *supported_kdf_alg_ids[] = {
     &sha256_id,
     &sha1_id,
     &sha512_id,
index 02b2bb9d777f26a2e16434d79d7a48629187da84..710e1ff393374974a5de7ba1467008e0df638ac6 100644 (file)
@@ -83,10 +83,10 @@ main(int argc, char **argv)
 {
     /* arguments for calls to pkinit_alg_agility_kdf() */
     krb5_context context = 0;
-    krb5_octet_data secret;
+    krb5_data secret;
     krb5_algorithm_identifier alg_id;
-    krb5_octet_data as_req;
-    krb5_octet_data pk_as_rep;
+    krb5_data as_req;
+    krb5_data pk_as_rep;
     krb5_keyblock key_block;
 
     /* other local variables */
@@ -127,14 +127,14 @@ main(int argc, char **argv)
     memset(twenty_as, 0xaa, sizeof(twenty_as));
     memset(eighteen_bs, 0xbb, sizeof(eighteen_bs));
     as_req.length = sizeof(twenty_as);
-    as_req.data = (unsigned char *)&twenty_as;
+    as_req.data = twenty_as;
 
     pk_as_rep.length = sizeof(eighteen_bs);
-    pk_as_rep.data = (unsigned char *)&eighteen_bs;
+    pk_as_rep.data = eighteen_bs;
 
     /* TEST 1:  SHA-1/AES */
     /* set up algorithm id */
-    alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha1_oid;
+    alg_id.algorithm.data = (char *)krb5_pkinit_sha1_oid;
     alg_id.algorithm.length = krb5_pkinit_sha1_oid_len;
 
     enctype = enctype_aes;
@@ -175,7 +175,7 @@ main(int argc, char **argv)
 
     /* TEST 2: SHA-256/AES */
     /* set up algorithm id */
-    alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha256_oid;
+    alg_id.algorithm.data = (char *)krb5_pkinit_sha256_oid;
     alg_id.algorithm.length = krb5_pkinit_sha256_oid_len;
 
     enctype = enctype_aes;
@@ -216,7 +216,7 @@ main(int argc, char **argv)
 
     /* TEST 3: SHA-512/DES3 */
     /* set up algorithm id */
-    alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha512_oid;
+    alg_id.algorithm.data = (char *)krb5_pkinit_sha512_oid;
     alg_id.algorithm.length = krb5_pkinit_sha512_oid_len;
 
     enctype = enctype_des3;
index 6b1018004794f7e5e5ea0d29e00b799dec60cb8a..34416142e68daf78d3f501c2ffde35d83b2503d3 100644 (file)
@@ -43,8 +43,7 @@
 
 #define FAKECERT
 
-const krb5_octet_data
-dh_oid = { 0, 7, (unsigned char *)"\x2A\x86\x48\xce\x3e\x02\x01" };
+const krb5_data dh_oid = { 0, 7, "\x2A\x86\x48\xce\x3e\x02\x01" };
 
 
 krb5_error_code
@@ -164,10 +163,10 @@ free_krb5_auth_pack(krb5_auth_pack **in)
     if ((*in)->supportedCMSTypes != NULL)
         free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes));
     if ((*in)->supportedKDFs) {
-        krb5_octet_data **supportedKDFs = (*in)->supportedKDFs;
+        krb5_data **supportedKDFs = (*in)->supportedKDFs;
         unsigned i;
         for (i = 0; supportedKDFs[i]; i++)
-            krb5_free_octet_data(NULL, supportedKDFs[i]);
+            krb5_free_data(NULL, supportedKDFs[i]);
         free(supportedKDFs);
     }
     free(*in);
@@ -188,7 +187,7 @@ free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in)
     if (*in == NULL) return;
     switch ((*in)->choice) {
     case choice_pa_pk_as_rep_dhInfo:
-        krb5_free_octet_data(NULL, (*in)->u.dh_Info.kdfID);
+        krb5_free_data(NULL, (*in)->u.dh_Info.kdfID);
         free((*in)->u.dh_Info.dhSignedData.data);
         break;
     case choice_pa_pk_as_rep_encKeyPack:
@@ -403,7 +402,7 @@ init_krb5_subject_pk_info(krb5_subject_pk_info **in)
 }
 
 krb5_error_code
-pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src)
+pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src)
 {
     if (dst == NULL || src == NULL)
         return EINVAL;
index 3322310bf5ad9b5d9801e668de3abbf8cfd1f1ce..8050565d15176321e377cacd0d8cca4bba494078 100644 (file)
@@ -289,7 +289,7 @@ pkinit_server_verify_padata(krb5_context context,
                             void *arg)
 {
     krb5_error_code retval = 0;
-    krb5_octet_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL};
+    krb5_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL};
     krb5_pa_pk_as_req *reqp = NULL;
     krb5_pa_pk_as_req_draft9 *reqp9 = NULL;
     krb5_auth_pack *auth_pack = NULL;
@@ -350,8 +350,11 @@ pkinit_server_verify_padata(krb5_context context,
         retval = cms_signeddata_verify(context, plgctx->cryptoctx,
                                        reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_CLIENT,
                                        plgctx->opts->require_crl_checking,
+                                       (unsigned char *)
                                        reqp->signedAuthPack.data, reqp->signedAuthPack.length,
-                                       &authp_data.data, &authp_data.length, &krb5_authz.data,
+                                       (unsigned char **)&authp_data.data,
+                                       &authp_data.length,
+                                       (unsigned char **)&krb5_authz.data,
                                        &krb5_authz.length, &is_signed);
         break;
     case KRB5_PADATA_PK_AS_REP_OLD:
@@ -371,8 +374,11 @@ pkinit_server_verify_padata(krb5_context context,
         retval = cms_signeddata_verify(context, plgctx->cryptoctx,
                                        reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9,
                                        plgctx->opts->require_crl_checking,
+                                       (unsigned char *)
                                        reqp9->signedAuthPack.data, reqp9->signedAuthPack.length,
-                                       &authp_data.data, &authp_data.length, &krb5_authz.data,
+                                       (unsigned char **)&authp_data.data,
+                                       &authp_data.length,
+                                       (unsigned char **)&krb5_authz.data,
                                        &krb5_authz.length, NULL);
         break;
     default:
@@ -483,7 +489,8 @@ pkinit_server_verify_padata(krb5_context context,
             int valid_kdcPkId = 0;
             retval = pkinit_check_kdc_pkid(context, plgctx->cryptoctx,
                                            reqctx->cryptoctx, plgctx->idctx,
-                                           reqp->kdcPkId.data, reqp->kdcPkId.length, &valid_kdcPkId);
+                                           (unsigned char *)reqp->kdcPkId.data,
+                                           reqp->kdcPkId.length, &valid_kdcPkId);
             if (retval)
                 goto cleanup;
             if (!valid_kdcPkId)
@@ -616,14 +623,13 @@ cleanup:
 }
 
 static krb5_error_code
-pkinit_pick_kdf_alg(krb5_context context,
-                    krb5_octet_data **kdf_list,
-                    krb5_octet_data **alg_oid)
+pkinit_pick_kdf_alg(krb5_context context, krb5_data **kdf_list,
+                    krb5_data **alg_oid)
 {
     krb5_error_code retval = 0;
-    krb5_octet_data *req_oid = NULL;
-    const krb5_octet_data *supp_oid = NULL;
-    krb5_octet_data *tmp_oid = NULL;
+    krb5_data *req_oid = NULL;
+    const krb5_data *supp_oid = NULL;
+    krb5_data *tmp_oid = NULL;
     int i, j = 0;
 
     /* if we don't find a match, return NULL value */
@@ -635,7 +641,7 @@ pkinit_pick_kdf_alg(krb5_context context,
         for (j = 0; NULL != (req_oid = kdf_list[j]); j++) {
             if ((req_oid->length == supp_oid->length) &&
                 (0 == memcmp(req_oid->data, supp_oid->data, req_oid->length))) {
-                tmp_oid = k5alloc(sizeof(krb5_octet_data), &retval);
+                tmp_oid = k5alloc(sizeof(krb5_data), &retval);
                 if (retval)
                     goto cleanup;
                 tmp_oid->data = k5alloc(supp_oid->length, &retval);
@@ -652,7 +658,7 @@ pkinit_pick_kdf_alg(krb5_context context,
     }
 cleanup:
     if (tmp_oid)
-        krb5_free_octet_data(context, tmp_oid);
+        krb5_free_data(context, tmp_oid);
     return retval;
 }
 
@@ -685,7 +691,7 @@ pkinit_server_return_padata(krb5_context context,
     krb5_pa_pk_as_rep *rep = NULL;
     krb5_pa_pk_as_rep_draft9 *rep9 = NULL;
     krb5_data *out_data = NULL;
-    krb5_octet_data secret;
+    krb5_data secret;
 
     krb5_enctype enctype = -1;
 
@@ -767,14 +773,14 @@ pkinit_server_return_padata(krb5_context context,
 
     if (reqctx->rcv_auth_pack != NULL &&
         reqctx->rcv_auth_pack->clientPublicValue != NULL) {
-        subjectPublicKey =
+        subjectPublicKey = (unsigned char *)
             reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.data;
         subjectPublicKey_len =
             reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length;
         rep->choice = choice_pa_pk_as_rep_dhInfo;
     } else if (reqctx->rcv_auth_pack9 != NULL &&
                reqctx->rcv_auth_pack9->clientPublicValue != NULL) {
-        subjectPublicKey =
+        subjectPublicKey = (unsigned char *)
             reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.data;
         subjectPublicKey_len =
             reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.length;
@@ -805,7 +811,7 @@ pkinit_server_return_padata(krb5_context context,
          */
 
         dhkey_info.subjectPublicKey.length = dh_pubkey_len;
-        dhkey_info.subjectPublicKey.data = dh_pubkey;
+        dhkey_info.subjectPublicKey.data = (char *)dh_pubkey;
         dhkey_info.nonce = request->nonce;
         dhkey_info.dhKeyExpiration = 0;
 
@@ -825,8 +831,10 @@ pkinit_server_return_padata(krb5_context context,
         case KRB5_PADATA_PK_AS_REQ:
             retval = cms_signeddata_create(context, plgctx->cryptoctx,
                                            reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_SERVER, 1,
-                                           (unsigned char *)encoded_dhkey_info->data,
+                                           (unsigned char *)
+                                           encoded_dhkey_info->data,
                                            encoded_dhkey_info->length,
+                                           (unsigned char **)
                                            &rep->u.dh_Info.dhSignedData.data,
                                            &rep->u.dh_Info.dhSignedData.length);
             if (retval) {
@@ -838,8 +846,10 @@ pkinit_server_return_padata(krb5_context context,
         case KRB5_PADATA_PK_AS_REQ_OLD:
             retval = cms_signeddata_create(context, plgctx->cryptoctx,
                                            reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, 1,
-                                           (unsigned char *)encoded_dhkey_info->data,
+                                           (unsigned char *)
+                                           encoded_dhkey_info->data,
                                            encoded_dhkey_info->length,
+                                           (unsigned char **)
                                            &rep9->u.dhSignedData.data,
                                            &rep9->u.dhSignedData.length);
             if (retval) {
@@ -913,9 +923,12 @@ pkinit_server_return_padata(krb5_context context,
             rep->choice = choice_pa_pk_as_rep_encKeyPack;
             retval = cms_envelopeddata_create(context, plgctx->cryptoctx,
                                               reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1,
-                                              (unsigned char *)encoded_key_pack->data,
+                                              (unsigned char *)
+                                              encoded_key_pack->data,
                                               encoded_key_pack->length,
-                                              &rep->u.encKeyPack.data, &rep->u.encKeyPack.length);
+                                              (unsigned char **)
+                                              &rep->u.encKeyPack.data,
+                                              &rep->u.encKeyPack.length);
             break;
         case KRB5_PADATA_PK_AS_REP_OLD:
         case KRB5_PADATA_PK_AS_REQ_OLD:
@@ -943,8 +956,10 @@ pkinit_server_return_padata(krb5_context context,
             rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack;
             retval = cms_envelopeddata_create(context, plgctx->cryptoctx,
                                               reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1,
-                                              (unsigned char *)encoded_key_pack->data,
+                                              (unsigned char *)
+                                              encoded_key_pack->data,
                                               encoded_key_pack->length,
+                                              (unsigned char **)
                                               &rep9->u.encKeyPack.data, &rep9->u.encKeyPack.length);
             break;
         }
@@ -1018,15 +1033,13 @@ pkinit_server_return_padata(krb5_context context,
 
         /* If mutually supported KDFs were found, use the alg agility KDF */
         if (rep->u.dh_Info.kdfID) {
-            secret.data = server_key;
+            secret.data = (char *)server_key;
             secret.length = server_key_len;
 
             retval = pkinit_alg_agility_kdf(context, &secret,
                                             rep->u.dh_Info.kdfID,
                                             request->client, request->server,
-                                            enctype,
-                                            (krb5_octet_data *)req_pkt,
-                                            (krb5_octet_data *)out_data,
+                                            enctype, req_pkt, out_data,
                                             encrypting_key);
             if (retval) {
                 pkiDebug("pkinit_alg_agility_kdf failed: %s\n",