From 02fff47a6ff9f322431d8c2d50fa463973ec19fd Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 21 Dec 2011 22:52:43 +0000 Subject: [PATCH] Stop using krb5_octet_data For consistency with the rest of the code base, make PKINIT use krb5_data as a pointer/length container. Leave krb5_octet_data and krb5_free_octet_data behind for API compatibility. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/k5-int-pkinit.h | 52 ++++++------- src/include/krb5/krb5.hin | 11 +-- src/lib/krb5/asn.1/asn1_decode.c | 4 +- src/lib/krb5/asn.1/asn1_decode.h | 2 +- src/lib/krb5/asn.1/asn1_k_decode.c | 59 ++++++++------ src/lib/krb5/asn.1/asn1_k_decode.h | 5 +- src/lib/krb5/asn.1/asn1_k_decode_kdc.c | 14 ++-- src/lib/krb5/asn.1/asn1_k_decode_macros.h | 8 +- src/lib/krb5/asn.1/asn1_k_encode.c | 14 ++-- src/plugins/preauth/pkinit/pkinit.h | 4 +- src/plugins/preauth/pkinit/pkinit_clnt.c | 50 +++++++----- src/plugins/preauth/pkinit/pkinit_crypto.h | 14 ++-- .../preauth/pkinit/pkinit_crypto_nss.c | 76 +++++++++---------- .../preauth/pkinit/pkinit_crypto_openssl.c | 47 ++++++------ .../preauth/pkinit/pkinit_kdf_constants.c | 6 +- src/plugins/preauth/pkinit/pkinit_kdf_test.c | 16 ++-- src/plugins/preauth/pkinit/pkinit_lib.c | 11 ++- src/plugins/preauth/pkinit/pkinit_srv.c | 63 +++++++++------ 18 files changed, 242 insertions(+), 214 deletions(-) diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h index 2b7410d25..481d6b126 100644 --- a/src/include/k5-int-pkinit.h +++ b/src/include/k5-int-pkinit.h @@ -47,7 +47,7 @@ typedef struct _krb5_pk_authenticator { /* PKAuthenticator draft9 */ typedef struct _krb5_pk_authenticator_draft9 { krb5_principal kdcName; - krb5_octet_data kdcRealm; + krb5_data kdcRealm; krb5_int32 cusec; /* (0..999999) */ krb5_timestamp ctime; krb5_int32 nonce; /* (0..4294967295) */ @@ -55,14 +55,14 @@ typedef struct _krb5_pk_authenticator_draft9 { /* AlgorithmIdentifier */ typedef struct _krb5_algorithm_identifier { - krb5_octet_data algorithm; /* OID */ - krb5_octet_data parameters; /* Optional */ + krb5_data algorithm; /* OID */ + krb5_data parameters; /* Optional */ } krb5_algorithm_identifier; /* SubjectPublicKeyInfo */ typedef struct _krb5_subject_pk_info { krb5_algorithm_identifier algorithm; - krb5_octet_data subjectPublicKey; /* BIT STRING */ + krb5_data subjectPublicKey; /* BIT STRING */ } krb5_subject_pk_info; /** AuthPack from RFC 4556*/ @@ -70,8 +70,8 @@ typedef struct _krb5_auth_pack { krb5_pk_authenticator pkAuthenticator; krb5_subject_pk_info *clientPublicValue; /* Optional */ krb5_algorithm_identifier **supportedCMSTypes; /* Optional */ - krb5_octet_data clientDHNonce; /* Optional */ - krb5_octet_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */ + krb5_data clientDHNonce; /* Optional */ + krb5_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */ } krb5_auth_pack; /* AuthPack draft9 */ @@ -82,9 +82,9 @@ typedef struct _krb5_auth_pack_draft9 { /* ExternalPrincipalIdentifier */ typedef struct _krb5_external_principal_identifier { - krb5_octet_data subjectName; /* Optional */ - krb5_octet_data issuerAndSerialNumber; /* Optional */ - krb5_octet_data subjectKeyIdentifier; /* Optional */ + krb5_data subjectName; /* Optional */ + krb5_data issuerAndSerialNumber; /* Optional */ + krb5_data subjectKeyIdentifier; /* Optional */ } krb5_external_principal_identifier; /* TrustedCas */ @@ -97,43 +97,43 @@ typedef struct _krb5_trusted_ca { } choice; union { krb5_principal principalName; - krb5_octet_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */ - krb5_octet_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */ + krb5_data caName; /* fully-qualified X.500 "Name" as defined by X.509 (der-encoded) */ + krb5_data issuerAndSerial; /* Optional -- IssuerAndSerialNumber (der-encoded) */ } u; } krb5_trusted_ca; /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ typedef struct _krb5_pa_pk_as_req_draft9 { - krb5_octet_data signedAuthPack; + krb5_data signedAuthPack; krb5_trusted_ca **trustedCertifiers; /* Optional array */ - krb5_octet_data kdcCert; /* Optional */ - krb5_octet_data encryptionCert; + krb5_data kdcCert; /* Optional */ + krb5_data encryptionCert; } krb5_pa_pk_as_req_draft9; /* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */ typedef struct _krb5_pa_pk_as_req { - krb5_octet_data signedAuthPack; + krb5_data signedAuthPack; krb5_external_principal_identifier **trustedCertifiers; /* Optional array */ - krb5_octet_data kdcPkId; /* Optional */ + krb5_data kdcPkId; /* Optional */ } krb5_pa_pk_as_req; /** Pkinit DHRepInfo */ typedef struct _krb5_dh_rep_info { - krb5_octet_data dhSignedData; - krb5_octet_data serverDHNonce; /* Optional */ - krb5_octet_data *kdfID; /* OID of selected KDF OPTIONAL */ + krb5_data dhSignedData; + krb5_data serverDHNonce; /* Optional */ + krb5_data *kdfID; /* OID of selected KDF OPTIONAL */ } krb5_dh_rep_info; /* KDCDHKeyInfo */ typedef struct _krb5_kdc_dh_key_info { - krb5_octet_data subjectPublicKey; /* BIT STRING */ + krb5_data subjectPublicKey; /* BIT STRING */ krb5_int32 nonce; /* (0..4294967295) */ krb5_timestamp dhKeyExpiration; /* Optional */ } krb5_kdc_dh_key_info; /* KDCDHKeyInfo draft9*/ typedef struct _krb5_kdc_dh_key_info_draft9 { - krb5_octet_data subjectPublicKey; /* BIT STRING */ + krb5_data subjectPublicKey; /* BIT STRING */ krb5_int32 nonce; /* (0..4294967295) */ } krb5_kdc_dh_key_info_draft9; @@ -157,8 +157,8 @@ typedef struct _krb5_pa_pk_as_rep_draft9 { choice_pa_pk_as_rep_draft9_encKeyPack = 1 } choice; union { - krb5_octet_data dhSignedData; - krb5_octet_data encKeyPack; + krb5_data dhSignedData; + krb5_data encKeyPack; } u; } krb5_pa_pk_as_rep_draft9; @@ -171,7 +171,7 @@ typedef struct _krb5_pa_pk_as_rep { } choice; union { krb5_dh_rep_info dh_Info; - krb5_octet_data encKeyPack; + krb5_data encKeyPack; } u; } krb5_pa_pk_as_rep; @@ -186,8 +186,8 @@ typedef struct _krb5_sp80056a_other_info { /* PkinitSuppPubInfo, for pkinit algorithm agility */ typedef struct _krb5_pkinit_supp_pub_info { krb5_enctype enctype; - krb5_octet_data as_req; - krb5_octet_data pk_as_rep; + krb5_data as_req; + krb5_data pk_as_rep; } krb5_pkinit_supp_pub_info; /* diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 92da68a7e..d5524255e 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -207,6 +207,7 @@ typedef struct _krb5_data { char *data; } krb5_data; +/* Originally introduced for PKINIT; now unused. Do not use this. */ typedef struct _krb5_octet_data { krb5_magic magic; unsigned int length; @@ -4651,15 +4652,7 @@ krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val); void KRB5_CALLCONV krb5_free_data(krb5_context context, krb5_data *val); -/** - * Free storage associated with a @c krb5_octet_data structure and its pointer. - * - * @param [in] context Context structure - * @param [in] val Data structure to be freed - * - * @return - * None - */ +/* Free a krb5_octet_data structure (should be unused). */ void KRB5_CALLCONV krb5_free_octet_data(krb5_context context, krb5_octet_data *val); diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c index 659fed86c..53e204549 100644 --- a/src/lib/krb5/asn.1/asn1_decode.c +++ b/src/lib/krb5/asn.1/asn1_decode.c @@ -153,11 +153,11 @@ asn1_decode_maybe_unsigned(asn1buf *buf, unsigned long *val) } asn1_error_code -asn1_decode_oid(asn1buf *buf, unsigned int *retlen, asn1_octet **val) +asn1_decode_oid(asn1buf *buf, unsigned int *retlen, char **val) { setup(); tag(ASN1_OBJECTIDENTIFIER); - retval = asn1buf_remove_octetstring(buf, length, val); + retval = asn1buf_remove_charstring(buf, length, val); if (retval) return retval; *retlen = length; cleanup(); diff --git a/src/lib/krb5/asn.1/asn1_decode.h b/src/lib/krb5/asn.1/asn1_decode.h index d495040c8..0e14491de 100644 --- a/src/lib/krb5/asn.1/asn1_decode.h +++ b/src/lib/krb5/asn.1/asn1_decode.h @@ -67,7 +67,7 @@ asn1_error_code asn1_decode_maybe_unsigned(asn1buf *buf, unsigned long *val); asn1_error_code asn1_decode_null(asn1buf *buf); asn1_error_code asn1_decode_oid(asn1buf *buf, unsigned int *retlen, - asn1_octet **val); + char **val); asn1_error_code asn1_decode_octetstring(asn1buf *buf, unsigned int *retlen, asn1_octet **val); asn1_error_code asn1_decode_generalstring(asn1buf *buf, unsigned int *retlen, diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c index f1f4e734b..9d052ca37 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.c +++ b/src/lib/krb5/asn.1/asn1_k_decode.c @@ -1187,9 +1187,12 @@ asn1_decode_external_principal_identifier( val->subjectKeyIdentifier.data = NULL; { begin_structure(); - opt_implicit_octet_string(val->subjectName.length, val->subjectName.data, 0); - opt_implicit_octet_string(val->issuerAndSerialNumber.length, val->issuerAndSerialNumber.data, 1); - opt_implicit_octet_string(val->subjectKeyIdentifier.length, val->subjectKeyIdentifier.data, 2); + opt_implicit_charstring(val->subjectName.length, val->subjectName.data, + 0); + opt_implicit_charstring(val->issuerAndSerialNumber.length, + val->issuerAndSerialNumber.data, 1); + opt_implicit_charstring(val->subjectKeyIdentifier.length, + val->subjectKeyIdentifier.data, 2); end_structure(); } return 0; @@ -1305,12 +1308,14 @@ asn1_decode_trusted_ca(asn1buf *buf, krb5_trusted_ca *val) } else if (tagnum == choice_trusted_cas_caName) { val->choice = choice_trusted_cas_caName; val->u.caName.data = NULL; - get_implicit_octet_string(val->u.caName.length, val->u.caName.data, choice_trusted_cas_caName); + get_implicit_charstring(val->u.caName.length, val->u.caName.data, + choice_trusted_cas_caName); } else if (tagnum == choice_trusted_cas_issuerAndSerial) { val->choice = choice_trusted_cas_issuerAndSerial; val->u.issuerAndSerial.data = NULL; - get_implicit_octet_string(val->u.issuerAndSerial.length, val->u.issuerAndSerial.data, - choice_trusted_cas_issuerAndSerial); + get_implicit_charstring(val->u.issuerAndSerial.length, + val->u.issuerAndSerial.data, + choice_trusted_cas_issuerAndSerial); } else clean_return(ASN1_BAD_ID); end_choice(); } @@ -1349,9 +1354,9 @@ asn1_decode_sequence_of_trusted_ca(asn1buf *buf, krb5_trusted_ca ***val) } static asn1_error_code -asn1_decode_kdf_alg_id_ptr(asn1buf *buf, krb5_octet_data **valptr) +asn1_decode_kdf_alg_id_ptr(asn1buf *buf, krb5_data **valptr) { - decode_ptr(krb5_octet_data *, asn1_decode_kdf_alg_id); + decode_ptr(krb5_data *, asn1_decode_kdf_alg_id); } asn1_error_code @@ -1362,9 +1367,11 @@ asn1_decode_dh_rep_info(asn1buf *buf, krb5_dh_rep_info *val) val->serverDHNonce.data = NULL; val->kdfID = NULL; { begin_structure(); - get_implicit_octet_string(val->dhSignedData.length, val->dhSignedData.data, 0); + get_implicit_charstring(val->dhSignedData.length, + val->dhSignedData.data, 0); - opt_lenfield(val->serverDHNonce.length, val->serverDHNonce.data, 1, asn1_decode_octetstring); + opt_lenfield(val->serverDHNonce.length, val->serverDHNonce.data, 1, + asn1_decode_charstring); opt_field(val->kdfID, 2, asn1_decode_kdf_alg_id_ptr, NULL); end_structure(); } @@ -1372,7 +1379,7 @@ asn1_decode_dh_rep_info(asn1buf *buf, krb5_dh_rep_info *val) error_out: free(val->dhSignedData.data); free(val->serverDHNonce.data); - krb5_free_octet_data(NULL, val->kdfID); + krb5_free_data(NULL, val->kdfID); val->kdfID = NULL; val->dhSignedData.data = NULL; val->serverDHNonce.data = NULL; @@ -1451,8 +1458,8 @@ asn1_decode_algorithm_identifier(asn1buf *buf, krb5_algorithm_identifier *val) assert(subbuf.next >= subbuf.base); if (length > (size_t)(subbuf.next - subbuf.base)) { unsigned int size = length - (subbuf.next - subbuf.base); - retval = asn1buf_remove_octetstring(&subbuf, size, - &val->parameters.data); + retval = asn1buf_remove_charstring(&subbuf, size, + &val->parameters.data); if (retval) clean_return(retval); val->parameters.length = size; } @@ -1504,8 +1511,8 @@ asn1_decode_subject_pk_info(asn1buf *buf, krb5_subject_pk_info *val) val->subjectPublicKey.length = 0; val->subjectPublicKey.data = NULL; - retval = asn1buf_remove_octetstring(&subbuf, taglen, - &val->subjectPublicKey.data); + retval = asn1buf_remove_charstring(&subbuf, taglen, + &val->subjectPublicKey.data); if (retval) clean_return(retval); val->subjectPublicKey.length = taglen; /* @@ -1549,7 +1556,8 @@ asn1_decode_kdc_dh_key_info(asn1buf *buf, krb5_kdc_dh_key_info *val) setup(); val->subjectPublicKey.data = NULL; { begin_structure(); - retval = asn1buf_remove_octetstring(&subbuf, taglen, &val->subjectPublicKey.data); + retval = asn1buf_remove_charstring(&subbuf, taglen, + &val->subjectPublicKey.data); if (retval) clean_return(retval); val->subjectPublicKey.length = taglen; next_tag(); @@ -1641,8 +1649,9 @@ asn1_decode_pa_pk_as_rep(asn1buf *buf, krb5_pa_pk_as_rep *val) } else if (tagnum == choice_pa_pk_as_rep_encKeyPack) { val->choice = choice_pa_pk_as_rep_encKeyPack; val->u.encKeyPack.data = NULL; - get_implicit_octet_string(val->u.encKeyPack.length, val->u.encKeyPack.data, - choice_pa_pk_as_rep_encKeyPack); + get_implicit_charstring(val->u.encKeyPack.length, + val->u.encKeyPack.data, + choice_pa_pk_as_rep_encKeyPack); } else { val->choice = choice_pa_pk_as_rep_UNKNOWN; } @@ -1670,12 +1679,14 @@ asn1_decode_pa_pk_as_rep_draft9(asn1buf *buf, krb5_pa_pk_as_rep_draft9 *val) val->choice = choice_pa_pk_as_rep_draft9_dhSignedData; val->u.dhSignedData.data = NULL; get_lenfield(val->u.dhSignedData.length, val->u.dhSignedData.data, - choice_pa_pk_as_rep_draft9_dhSignedData, asn1_decode_octetstring); + choice_pa_pk_as_rep_draft9_dhSignedData, + asn1_decode_charstring); } else if (tagnum == choice_pa_pk_as_rep_draft9_encKeyPack) { val->choice = choice_pa_pk_as_rep_draft9_encKeyPack; val->u.encKeyPack.data = NULL; get_lenfield(val->u.encKeyPack.length, val->u.encKeyPack.data, - choice_pa_pk_as_rep_draft9_encKeyPack, asn1_decode_octetstring); + choice_pa_pk_as_rep_draft9_encKeyPack, + asn1_decode_charstring); } else { val->choice = choice_pa_pk_as_rep_draft9_UNKNOWN; } @@ -1692,7 +1703,7 @@ error_out: } asn1_error_code -asn1_decode_kdf_alg_id( asn1buf *buf, krb5_octet_data *val) +asn1_decode_kdf_alg_id( asn1buf *buf, krb5_data *val) { setup(); val->data = NULL; @@ -1707,11 +1718,9 @@ error_out: } asn1_error_code -asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf, - krb5_octet_data ***val) +asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf, krb5_data ***val) { - decode_array_body(krb5_octet_data, asn1_decode_kdf_alg_id_ptr, - krb5_free_octet_data); + decode_array_body(krb5_data, asn1_decode_kdf_alg_id_ptr, krb5_free_data); } #endif /* DISABLE_PKINIT */ diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h index 7ce32956c..71eebb14a 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.h +++ b/src/lib/krb5/asn.1/asn1_k_decode.h @@ -277,10 +277,9 @@ asn1_error_code asn1_decode_iakerb_finished(asn1buf *buf, krb5_iakerb_finished *val); asn1_error_code -asn1_decode_kdf_alg_id(asn1buf *buf, krb5_octet_data *val); +asn1_decode_kdf_alg_id(asn1buf *buf, krb5_data *val); asn1_error_code -asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf, - krb5_octet_data ***val); +asn1_decode_sequence_of_kdf_alg_id(asn1buf *buf, krb5_data ***val); #endif diff --git a/src/lib/krb5/asn.1/asn1_k_decode_kdc.c b/src/lib/krb5/asn.1/asn1_k_decode_kdc.c index 73abbd4c4..c340abcfd 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode_kdc.c +++ b/src/lib/krb5/asn.1/asn1_k_decode_kdc.c @@ -131,9 +131,9 @@ asn1_decode_pa_pk_as_req(asn1buf *buf, krb5_pa_pk_as_req *val) val->kdcPkId.data = NULL; { begin_structure(); - get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0); + get_implicit_charstring(val->signedAuthPack.length, val->signedAuthPack.data, 0); opt_field(val->trustedCertifiers, 1, asn1_decode_sequence_of_external_principal_identifier, NULL); - opt_implicit_octet_string(val->kdcPkId.length, val->kdcPkId.data, 2); + opt_implicit_charstring(val->kdcPkId.length, val->kdcPkId.data, 2); end_structure(); } return 0; @@ -167,10 +167,10 @@ asn1_decode_pa_pk_as_req_draft9(asn1buf *buf, krb5_pa_pk_as_req_draft9 *val) val->encryptionCert.data = NULL; val->trustedCertifiers = NULL; { begin_structure(); - get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0); + get_implicit_charstring(val->signedAuthPack.length, val->signedAuthPack.data, 0); opt_field(val->trustedCertifiers, 1, asn1_decode_sequence_of_trusted_ca, NULL); - opt_lenfield(val->kdcCert.length, val->kdcCert.data, 2, asn1_decode_octetstring); - opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 2, asn1_decode_octetstring); + opt_lenfield(val->kdcCert.length, val->kdcCert.data, 2, asn1_decode_charstring); + opt_lenfield(val->encryptionCert.length, val->encryptionCert.data, 2, asn1_decode_charstring); end_structure(); } return 0; @@ -238,7 +238,7 @@ asn1_decode_auth_pack(asn1buf *buf, krb5_auth_pack *val) next_tag(); } else val->supportedCMSTypes = NULL; } - opt_lenfield(val->clientDHNonce.length, val->clientDHNonce.data, 3, asn1_decode_octetstring); + opt_lenfield(val->clientDHNonce.length, val->clientDHNonce.data, 3, asn1_decode_charstring); opt_field(val->supportedKDFs, 4, asn1_decode_sequence_of_kdf_alg_id, NULL); end_structure(); } @@ -259,7 +259,7 @@ error_out: free(val->clientDHNonce.data); if (val->supportedKDFs) { for (i = 0; val->supportedKDFs[i]; i++) - krb5_free_octet_data(NULL, val->supportedKDFs[i]); + krb5_free_data(NULL, val->supportedKDFs[i]); free(val->supportedKDFs); val->supportedKDFs = NULL; } diff --git a/src/lib/krb5/asn.1/asn1_k_decode_macros.h b/src/lib/krb5/asn.1/asn1_k_decode_macros.h index e7c8a54eb..60da045ce 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode_macros.h +++ b/src/lib/krb5/asn.1/asn1_k_decode_macros.h @@ -202,20 +202,20 @@ asn1_get_eoc_tag (asn1buf *buf) /* * Deal with implicitly tagged fields */ -#define get_implicit_octet_string(len, var, tagexpect) \ +#define get_implicit_charstring(len, var, tagexpect) \ if (tagnum != (tagexpect)) clean_return(ASN1_MISSING_FIELD); \ if (asn1class != CONTEXT_SPECIFIC || construction != PRIMITIVE) \ clean_return(ASN1_BAD_ID); \ - retval = asn1buf_remove_octetstring(&subbuf, taglen, &(var)); \ + retval = asn1buf_remove_charstring(&subbuf, taglen, &(var)); \ if (retval) clean_return(retval); \ (len) = taglen; \ next_tag() -#define opt_implicit_octet_string(len, var, tagexpect) \ +#define opt_implicit_charstring(len, var, tagexpect) \ if (tagnum == (tagexpect)) { \ if (asn1class != CONTEXT_SPECIFIC || construction != PRIMITIVE) \ clean_return(ASN1_BAD_ID); \ - retval = asn1buf_remove_octetstring(&subbuf, taglen, &(var)); \ + retval = asn1buf_remove_charstring(&subbuf, taglen, &(var)); \ if (retval) clean_return(retval); \ (len) = taglen; \ next_tag(); \ diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c index 018aae877..351281eeb 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.c +++ b/src/lib/krb5/asn.1/asn1_k_encode.c @@ -1622,15 +1622,15 @@ asn1_error_code asn1_encode_krb5_substructure(asn1buf *buf, #ifndef DISABLE_PKINIT DEFFNXTYPE(algorithm_identifier, krb5_algorithm_identifier, asn1_encode_algorithm_identifier); -DEFFNLENTYPE(object_identifier, asn1_octet *, asn1_encode_oid); -DEFFIELDTYPE(oid_data, krb5_octet_data, - FIELDOF_STRING(krb5_octet_data,object_identifier, data, length, -1)); +DEFFNLENTYPE(object_identifier, char *, asn1_encode_oid); +DEFFIELDTYPE(oid_data, krb5_data, + FIELDOF_STRING(krb5_data, object_identifier, data, length, -1)); DEFPTRTYPE(oid_data_ptr, oid_data); static const struct field_info kdf_alg_id_fields[] = { - FIELDOF_ENCODEAS(krb5_octet_data, oid_data, 0) + FIELDOF_ENCODEAS(krb5_data, oid_data, 0) }; -DEFSEQTYPE(kdf_alg_id, krb5_octet_data, kdf_alg_id_fields, NULL); +DEFSEQTYPE(kdf_alg_id, krb5_data, kdf_alg_id_fields, NULL); DEFPTRTYPE(kdf_alg_id_ptr, kdf_alg_id); DEFNONEMPTYNULLTERMSEQOFTYPE(supported_kdfs, kdf_alg_id_ptr); DEFPTRTYPE(supported_kdfs_ptr, supported_kdfs); @@ -1664,8 +1664,8 @@ DEFSEQTYPE(sp80056a_other_info, krb5_sp80056a_other_info, sp80056a_other_info_fi /* For PkinitSuppPubInfo, for pkinit agility */ static const struct field_info pkinit_supp_pub_info_fields[] = { FIELDOF_NORM(krb5_pkinit_supp_pub_info, int32, enctype, 0), - FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, as_req.data, as_req.length, 1), - FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, pk_as_rep.data, pk_as_rep.length, 2), + FIELDOF_STRING(krb5_pkinit_supp_pub_info, charstring, as_req.data, as_req.length, 1), + FIELDOF_STRING(krb5_pkinit_supp_pub_info, charstring, pk_as_rep.data, pk_as_rep.length, 2), }; DEFSEQTYPE(pkinit_supp_pub_info, krb5_pkinit_supp_pub_info, pkinit_supp_pub_info_fields, NULL); diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h index 48e57fe87..7970746d9 100644 --- a/src/plugins/preauth/pkinit/pkinit.h +++ b/src/plugins/preauth/pkinit/pkinit.h @@ -115,7 +115,7 @@ static inline void pkiDebug (const char *fmt, ...) { } #define OCTETDATA_TO_KRB5DATA(octd, k5d) \ (k5d)->length = (octd)->length; (k5d)->data = (char *)(octd)->data; -extern const krb5_octet_data dh_oid; +extern const krb5_data dh_oid; /* * notes about crypto contexts: @@ -322,7 +322,7 @@ void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in); void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in); void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in); void free_krb5_subject_pk_info(krb5_subject_pk_info **in); -krb5_error_code pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src); +krb5_error_code pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src); /* diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index e574c3c8f..cf406fd0c 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -261,8 +261,7 @@ pkinit_as_req_create(krb5_context context, auth_pack9->pkAuthenticator.nonce = nonce; auth_pack9->pkAuthenticator.kdcName = server; auth_pack9->pkAuthenticator.kdcRealm.magic = 0; - auth_pack9->pkAuthenticator.kdcRealm.data = - (unsigned char *)server->realm.data; + auth_pack9->pkAuthenticator.kdcRealm.data = server->realm.data; auth_pack9->pkAuthenticator.kdcRealm.length = server->realm.length; free(cksum->contents); break; @@ -279,7 +278,7 @@ pkinit_as_req_create(krb5_context context, auth_pack->pkAuthenticator.paChecksum = *cksum; auth_pack->clientDHNonce.length = 0; auth_pack->clientPublicValue = info; - auth_pack->supportedKDFs = (krb5_octet_data **) supported_kdf_alg_ids; + auth_pack->supportedKDFs = (krb5_data **) supported_kdf_alg_ids; /* add List of CMS algorithms */ retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, @@ -298,7 +297,7 @@ pkinit_as_req_create(krb5_context context, switch(protocol) { case DH_PROTOCOL: pkiDebug("as_req: DH key transport algorithm\n"); - retval = pkinit_copy_krb5_octet_data(&info->algorithm.algorithm, &dh_oid); + retval = pkinit_copy_krb5_data(&info->algorithm.algorithm, &dh_oid); if (retval) { pkiDebug("failed to copy dh_oid\n"); goto cleanup; @@ -307,8 +306,10 @@ pkinit_as_req_create(krb5_context context, /* create client-side DH keys */ if ((retval = client_create_dh(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, reqctx->opts->dh_size, + (unsigned char **) &info->algorithm.parameters.data, &info->algorithm.parameters.length, + (unsigned char **) &info->subjectPublicKey.data, &info->subjectPublicKey.length)) != 0) { pkiDebug("failed to create dh parameters\n"); @@ -365,9 +366,11 @@ pkinit_as_req_create(krb5_context context, if (use_content_info(context, reqctx, client)) { retval = cms_contentinfo_create(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, - CMS_SIGN_CLIENT, (unsigned char *) + CMS_SIGN_CLIENT, + (unsigned char *) coded_auth_pack->data, coded_auth_pack->length, + (unsigned char **) &req->signedAuthPack.data, &req->signedAuthPack.length); } else { @@ -377,6 +380,7 @@ pkinit_as_req_create(krb5_context context, (unsigned char *) coded_auth_pack->data, coded_auth_pack->length, + (unsigned char **) &req->signedAuthPack.data, &req->signedAuthPack.length); } @@ -394,8 +398,11 @@ pkinit_as_req_create(krb5_context context, } retval = cms_signeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_DRAFT9, 1, - (unsigned char *)coded_auth_pack->data, coded_auth_pack->length, - &req9->signedAuthPack.data, &req9->signedAuthPack.length); + (unsigned char *)coded_auth_pack->data, + coded_auth_pack->length, + (unsigned char **) + &req9->signedAuthPack.data, + &req9->signedAuthPack.length); break; #ifdef DEBUG_ASN1 print_buffer_bin((unsigned char *)req9->signedAuthPack.data, @@ -417,7 +424,8 @@ pkinit_as_req_create(krb5_context context, if (retval) goto cleanup; retval = create_issuerAndSerial(context, plgctx->cryptoctx, - reqctx->cryptoctx, reqctx->idctx, &req->kdcPkId.data, + reqctx->cryptoctx, reqctx->idctx, + (unsigned char **)&req->kdcPkId.data, &req->kdcPkId.length); if (retval) goto cleanup; @@ -435,7 +443,8 @@ pkinit_as_req_create(krb5_context context, #endif retval = create_issuerAndSerial(context, plgctx->cryptoctx, - reqctx->cryptoctx, reqctx->idctx, &req9->kdcCert.data, + reqctx->cryptoctx, reqctx->idctx, + (unsigned char **)&req9->kdcCert.data, &req9->kdcCert.length); if (retval) goto cleanup; @@ -678,12 +687,12 @@ pkinit_as_rep_parse(krb5_context context, krb5_kdc_dh_key_info *kdc_dh = NULL; krb5_reply_key_pack *key_pack = NULL; krb5_reply_key_pack_draft9 *key_pack9 = NULL; - krb5_octet_data dh_data = { 0, 0, NULL }; + krb5_data dh_data = { 0, 0, NULL }; unsigned char *client_key = NULL, *kdc_hostname = NULL; unsigned int client_key_len = 0; krb5_checksum cksum = {0, 0, 0, NULL}; krb5_data k5data; - krb5_octet_data secret; + krb5_data secret; int valid_san = 0; int valid_eku = 0; int need_eku_checking = 1; @@ -710,9 +719,11 @@ pkinit_as_rep_parse(krb5_context context, if ((retval = cms_signeddata_verify(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, CMS_SIGN_SERVER, reqctx->opts->require_crl_checking, + (unsigned char *) kdc_reply->u.dh_Info.dhSignedData.data, kdc_reply->u.dh_Info.dhSignedData.length, - &dh_data.data, &dh_data.length, + (unsigned char **)&dh_data.data, + &dh_data.length, NULL, NULL, NULL)) != 0) { pkiDebug("failed to verify pkcs7 signed data\n"); goto cleanup; @@ -724,9 +735,11 @@ pkinit_as_rep_parse(krb5_context context, if ((retval = cms_envelopeddata_verify(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, pa_type, reqctx->opts->require_crl_checking, + (unsigned char *) kdc_reply->u.encKeyPack.data, kdc_reply->u.encKeyPack.length, - &dh_data.data, &dh_data.length)) != 0) { + (unsigned char **)&dh_data.data, + &dh_data.length)) != 0) { pkiDebug("failed to verify pkcs7 enveloped data\n"); goto cleanup; } @@ -787,6 +800,7 @@ pkinit_as_rep_parse(krb5_context context, /* client after KDC reply */ if ((retval = client_process_dh(context, plgctx->cryptoctx, reqctx->cryptoctx, reqctx->idctx, + (unsigned char *) kdc_dh->subjectPublicKey.data, kdc_dh->subjectPublicKey.length, &client_key, &client_key_len)) != 0) { @@ -797,15 +811,13 @@ pkinit_as_rep_parse(krb5_context context, /* If we have a KDF algorithm ID, call the algorithm agility KDF... */ if (kdc_reply->u.dh_Info.kdfID) { secret.length = client_key_len; - secret.data = client_key; + secret.data = (char *)client_key; retval = pkinit_alg_agility_kdf(context, &secret, kdc_reply->u.dh_Info.kdfID, - request->client, - request->server, etype, - (krb5_octet_data *)encoded_request, - (krb5_octet_data *)as_rep, - key_block); + request->client, request->server, + etype, encoded_request, + (krb5_data *)as_rep, key_block); if (retval) { pkiDebug("failed to create key pkinit_alg_agility_kdf %s\n", diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h index c1bd32d8c..e42943d57 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h @@ -348,7 +348,7 @@ krb5_error_code server_check_dh pkinit_plg_crypto_context plg_cryptoctx, /* IN */ pkinit_req_crypto_context req_cryptoctx, /* IN */ pkinit_identity_crypto_context id_cryptoctx, /* IN */ - krb5_octet_data *dh_params, /* IN + krb5_data *dh_params, /* IN ???? */ int minbits); /* IN the mininum number of key bits acceptable */ @@ -636,13 +636,13 @@ krb5_error_code pkinit_identity_set_prompter krb5_error_code pkinit_alg_agility_kdf(krb5_context context, - krb5_octet_data *secret, - krb5_octet_data *alg_oid, + krb5_data *secret, + krb5_data *alg_oid, krb5_const_principal party_u_info, krb5_const_principal party_v_info, krb5_enctype enctype, - krb5_octet_data *as_req, - krb5_octet_data *pk_as_rep, + krb5_data *as_req, + krb5_data *pk_as_rep, krb5_keyblock *key_block); extern const krb5_octet krb5_pkinit_sha1_oid[]; @@ -652,10 +652,10 @@ extern const size_t krb5_pkinit_sha256_oid_len; extern const krb5_octet krb5_pkinit_sha512_oid[]; extern const size_t krb5_pkinit_sha512_oid_len; /** - * An ordered set of OIDs, stored as krb5_octet_data of KDF algorithms + * An ordered set of OIDs, stored as krb5_data, of KDF algorithms * supported by this implementation. The order of this array controls * the order in which the server will pick. */ -extern const krb5_octet_data const *supported_kdf_alg_ids[] ; +extern const krb5_data const *supported_kdf_alg_ids[] ; #endif /* _PKINIT_CRYPTO_H */ diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index 1a83083fe..3aa44bc4c 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -1531,7 +1531,7 @@ server_check_dh(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, pkinit_req_crypto_context req_cryptoctx, pkinit_identity_crypto_context id_cryptoctx, - krb5_octet_data *dh_params, int minbits) + krb5_data *dh_params, int minbits) { PLArenaPool *pool; SECItem item; @@ -1540,7 +1540,7 @@ server_check_dh(krb5_context context, if (pool == NULL) return ENOMEM; - item.data = dh_params->data; + item.data = (unsigned char *)dh_params->data; item.len = dh_params->length; memset(&req_cryptoctx->client_dh_params, 0, sizeof(req_cryptoctx->client_dh_params)); @@ -1757,7 +1757,8 @@ create_krb5_supportedCMSTypes(krb5_context context, memset(id, 0, sizeof(*id)); ids[i] = id; oid = SECOID_FindOIDByTag(oids[i]); - if (secitem_to_buf_len(&oid->oid, &id->algorithm.data, + if (secitem_to_buf_len(&oid->oid, + (unsigned char **)&id->algorithm.data, &id->algorithm.length) != 0) { free(ids[i]); free_n_algorithm_identifiers(ids, i - 1); @@ -1841,9 +1842,11 @@ create_krb5_trustedCertifiers(krb5_context context, * of the pkinit module. */ if ((node->cert->keyIDGenerated ? secitem_to_buf_len(&node->cert->derSubject, + (unsigned char **) &id->subjectName.data, &id->subjectName.length) : secitem_to_buf_len(&node->cert->subjectKeyID, + (unsigned char **) &id->subjectKeyIdentifier.data, &id->subjectKeyIdentifier.length)) != 0) { /* Free the earlier items. */ @@ -3313,9 +3316,9 @@ pkinit_create_td_dh_parameters(krb5_context context, continue; /* Add it to the list. */ memset(&id[j], 0, sizeof(id[j])); - id[j].algorithm.data = oid->data; + id[j].algorithm.data = (char *)oid->data; id[j].algorithm.length = oid->len; - id[j].parameters.data = tmp.data; + id[j].parameters.data = (char *)tmp.data; id[j].parameters.length = tmp.len; ids[j] = &id[j]; j++; @@ -3368,7 +3371,7 @@ pkinit_process_td_dh_params(krb5_context context, for (i = 0; (algId != NULL) && (algId[i] != NULL); i++) { /* Decode the domain parameters. */ item.len = algId[i]->parameters.length; - item.data = algId[i]->parameters.data; + item.data = (unsigned char *)algId[i]->parameters.data; memset(¶ms, 0, sizeof(params)); if (SEC_ASN1DecodeItem(req_cryptoctx->pool, ¶ms, domain_parameters_template, @@ -3418,11 +3421,11 @@ pkinit_create_td_invalid_certificate(krb5_context context, if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn, issuer_and_serial_number_template) != &item) return ENOMEM; - id.issuerAndSerialNumber.data = item.data; + id.issuerAndSerialNumber.data = (char *)item.data; id.issuerAndSerialNumber.length = item.len; } else { item = invalid->subjectKeyID; - id.subjectKeyIdentifier.data = item.data; + id.subjectKeyIdentifier.data = (char *)item.data; id.subjectKeyIdentifier.length = item.len; } ids[0] = &id; @@ -3573,11 +3576,11 @@ pkinit_create_td_trusted_certifiers(krb5_context context, CERT_DestroyCertList(clist); return ENOMEM; } - id[i].issuerAndSerialNumber.data = item.data; + id[i].issuerAndSerialNumber.data = (char *)item.data; id[i].issuerAndSerialNumber.length = item.len; } else { item = node->cert->subjectKeyID; - id[i].subjectKeyIdentifier.data = item.data; + id[i].subjectKeyIdentifier.data = (char *)item.data; id[i].subjectKeyIdentifier.length = item.len; } ids[i] = &id[i]; @@ -3810,22 +3813,22 @@ pkinit_octetstring2key(krb5_context context, /* Return TRUE if the item and the "algorithm" part of the algorithm identifier * are the same. */ static PRBool -octet_data_and_data_and_length_equal(const krb5_octet_data *octets, - const void *data, size_t len) +data_and_ptr_and_length_equal(const krb5_data *data, + const void *ptr, size_t len) { - return (octets->length == len) && (memcmp(octets->data, data, len) == 0); + return (data->length == len) && (memcmp(data->data, ptr, len) == 0); } /* Encode the other info used by the agility KDF. Taken almost verbatim from * parts of the agility KDF in pkinit_crypto_openssl.c */ static krb5_error_code encode_agility_kdf_other_info(krb5_context context, - krb5_octet_data *alg_oid, + krb5_data *alg_oid, krb5_const_principal party_u_info, krb5_const_principal party_v_info, krb5_enctype enctype, - krb5_octet_data *as_req, - krb5_octet_data *pk_as_rep, + krb5_data *as_req, + krb5_data *pk_as_rep, krb5_data **other_info) { krb5_error_code retval = 0; @@ -3873,13 +3876,13 @@ cleanup: * one that we support. */ krb5_error_code pkinit_alg_agility_kdf(krb5_context context, - krb5_octet_data *secret, - krb5_octet_data *alg_oid, + krb5_data *secret, + krb5_data *alg_oid, krb5_const_principal party_u_info, krb5_const_principal party_v_info, krb5_enctype enctype, - krb5_octet_data *as_req, - krb5_octet_data *pk_as_rep, + krb5_data *as_req, + krb5_data *pk_as_rep, krb5_keyblock *key_block) { krb5_data *other_info = NULL; @@ -3894,30 +3897,27 @@ pkinit_alg_agility_kdf(krb5_context context, if (retval != 0) return retval; - if (octet_data_and_data_and_length_equal(alg_oid, - krb5_pkinit_sha512_oid, - krb5_pkinit_sha512_oid_len)) + if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha512_oid, + krb5_pkinit_sha512_oid_len)) retval = pkinit_octetstring_hkdf(context, SEC_OID_SHA512, 1, 4, enctype, - secret->data, secret->length, - other_info->data, other_info->length, - key_block); - else if (octet_data_and_data_and_length_equal(alg_oid, - krb5_pkinit_sha256_oid, - krb5_pkinit_sha256_oid_len)) + (unsigned char *)secret->data, + secret->length, other_info->data, + other_info->length, key_block); + else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha256_oid, + krb5_pkinit_sha256_oid_len)) retval = pkinit_octetstring_hkdf(context, SEC_OID_SHA256, 1, 4, enctype, - secret->data, secret->length, - other_info->data, other_info->length, - key_block); - else if (octet_data_and_data_and_length_equal(alg_oid, - krb5_pkinit_sha1_oid, - krb5_pkinit_sha1_oid_len)) + (unsigned char *)secret->data, + secret->length, other_info->data, + other_info->length, key_block); + else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha1_oid, + krb5_pkinit_sha1_oid_len)) retval = pkinit_octetstring_hkdf(context, SEC_OID_SHA1, 1, 4, enctype, - secret->data, secret->length, - other_info->data, other_info->length, - key_block); + (unsigned char *)secret->data, + secret->length, other_info->data, + other_info->length, key_block); else retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF; diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 571e309ee..2fb506821 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -2305,7 +2305,7 @@ cleanup: */ static krb5_error_code pkinit_alg_values(krb5_context context, - const krb5_octet_data *alg_id, + const krb5_data *alg_id, size_t *hash_bytes, const EVP_MD *(**func)(void)) { @@ -2356,13 +2356,13 @@ pkinit_alg_values(krb5_context context, */ krb5_error_code pkinit_alg_agility_kdf(krb5_context context, - krb5_octet_data *secret, - krb5_octet_data *alg_oid, + krb5_data *secret, + krb5_data *alg_oid, krb5_const_principal party_u_info, krb5_const_principal party_v_info, krb5_enctype enctype, - krb5_octet_data *as_req, - krb5_octet_data *pk_as_rep, + krb5_data *as_req, + krb5_data *pk_as_rep, krb5_keyblock *key_block) { krb5_error_code retval = 0; @@ -2703,7 +2703,7 @@ server_check_dh(krb5_context context, pkinit_plg_crypto_context cryptoctx, pkinit_req_crypto_context req_cryptoctx, pkinit_identity_crypto_context id_cryptoctx, - krb5_octet_data *dh_params, + krb5_data *dh_params, int minbits) { DH *dh = NULL; @@ -2711,7 +2711,7 @@ server_check_dh(krb5_context context, int dh_prime_bits; krb5_error_code retval = KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; - tmp = dh_params->data; + tmp = (unsigned char *)dh_params->data; dh = DH_new(); dh = pkinit_decode_dh_params(&dh, &tmp, dh_params->length); if (dh == NULL) { @@ -3309,7 +3309,7 @@ pkinit_process_td_dh_params(krb5_context context, memcmp(algId[i]->algorithm.data, dh_oid.data, dh_oid.length)) goto cleanup; - tmp = algId[i]->parameters.data; + tmp = (unsigned char *)algId[i]->parameters.data; dh = DH_new(); dh = pkinit_decode_dh_params(&dh, &tmp, algId[i]->parameters.length); dh_prime_bits = BN_num_bits(dh->p); @@ -5447,8 +5447,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk, xn = X509_get_subject_name(x); len = i2d_X509_NAME(xn, NULL); - if ((p = krb5_cas[i]->subjectName.data = malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->subjectName.data = (char *)p; i2d_X509_NAME(xn, &p); krb5_cas[i]->subjectName.length = len; @@ -5465,9 +5466,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk, M_ASN1_INTEGER_free(is->serial); is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x)); len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL); - if ((p = krb5_cas[i]->issuerAndSerialNumber.data = - malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->issuerAndSerialNumber.data = (char *)p; i2d_PKCS7_ISSUER_AND_SERIAL(is, &p); krb5_cas[i]->issuerAndSerialNumber.length = len; #ifdef LONGHORN_BETA_COMPAT @@ -5489,9 +5490,9 @@ create_identifiers_from_stack(STACK_OF(X509) *sk, if ((ikeyid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL))) { len = i2d_ASN1_OCTET_STRING(ikeyid, NULL); - if ((p = krb5_cas[i]->subjectKeyIdentifier.data = - malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->subjectKeyIdentifier.data = (char *)p; i2d_ASN1_OCTET_STRING(ikeyid, &p); krb5_cas[i]->subjectKeyIdentifier.length = len; } @@ -5558,7 +5559,7 @@ create_krb5_supportedCMSTypes(krb5_context context, krb5_error_code retval = ENOMEM; krb5_algorithm_identifier **loids = NULL; - krb5_octet_data des3oid = {0, 8, (unsigned char *)"\x2A\x86\x48\x86\xF7\x0D\x03\x07" }; + krb5_data des3oid = {0, 8, "\x2A\x86\x48\x86\xF7\x0D\x03\x07" }; *oids = NULL; loids = malloc(2 * sizeof(krb5_algorithm_identifier *)); @@ -5570,7 +5571,7 @@ create_krb5_supportedCMSTypes(krb5_context context, free(loids); goto cleanup; } - retval = pkinit_copy_krb5_octet_data(&loids[0]->algorithm, &des3oid); + retval = pkinit_copy_krb5_data(&loids[0]->algorithm, &des3oid); if (retval) { free(loids[0]); free(loids); @@ -5652,9 +5653,9 @@ create_krb5_trustedCas(krb5_context context, krb5_cas[i]->u.caName.length = 0; xn = X509_get_subject_name(x); len = i2d_X509_NAME(xn, NULL); - if ((p = krb5_cas[i]->u.caName.data = - malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->u.caName.data = (char *)p; i2d_X509_NAME(xn, &p); krb5_cas[i]->u.caName.length = len; break; @@ -5667,9 +5668,9 @@ create_krb5_trustedCas(krb5_context context, M_ASN1_INTEGER_free(is->serial); is->serial = M_ASN1_INTEGER_dup(X509_get_serialNumber(x)); len = i2d_PKCS7_ISSUER_AND_SERIAL(is, NULL); - if ((p = krb5_cas[i]->u.issuerAndSerial.data = - malloc((size_t) len)) == NULL) + if ((p = malloc((size_t) len)) == NULL) goto cleanup; + krb5_cas[i]->u.issuerAndSerial.data = (char *)p; i2d_PKCS7_ISSUER_AND_SERIAL(is, &p); krb5_cas[i]->u.issuerAndSerial.length = len; if (is != NULL) { @@ -5789,7 +5790,7 @@ pkinit_process_td_trusted_certifiers( sk_xn = sk_X509_NAME_new_null(); while(krb5_trusted_certifiers[i] != NULL) { if (krb5_trusted_certifiers[i]->subjectName.data != NULL) { - p = krb5_trusted_certifiers[i]->subjectName.data; + p = (unsigned char *)krb5_trusted_certifiers[i]->subjectName.data; xn = d2i_X509_NAME(NULL, &p, (int)krb5_trusted_certifiers[i]->subjectName.length); if (xn == NULL) @@ -5803,7 +5804,8 @@ pkinit_process_td_trusted_certifiers( } if (krb5_trusted_certifiers[i]->issuerAndSerialNumber.data != NULL) { - p = krb5_trusted_certifiers[i]->issuerAndSerialNumber.data; + p = (unsigned char *) + krb5_trusted_certifiers[i]->issuerAndSerialNumber.data; is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)krb5_trusted_certifiers[i]->issuerAndSerialNumber.length); if (is == NULL) @@ -5819,7 +5821,8 @@ pkinit_process_td_trusted_certifiers( } if (krb5_trusted_certifiers[i]->subjectKeyIdentifier.data != NULL) { - p = krb5_trusted_certifiers[i]->subjectKeyIdentifier.data; + p = (unsigned char *) + krb5_trusted_certifiers[i]->subjectKeyIdentifier.data; id = d2i_ASN1_OCTET_STRING(NULL, &p, (int)krb5_trusted_certifiers[i]->subjectKeyIdentifier.length); if (id == NULL) diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c b/src/plugins/preauth/pkinit/pkinit_kdf_constants.c index 723400433..55e67cd3a 100644 --- a/src/plugins/preauth/pkinit/pkinit_kdf_constants.c +++ b/src/plugins/preauth/pkinit/pkinit_kdf_constants.c @@ -57,14 +57,14 @@ const krb5_octet krb5_pkinit_sha512_oid [8] = const size_t krb5_pkinit_sha512_oid_len = 8; #define oid_as_data(var, oid_base) \ - const krb5_octet_data var = \ - {0, sizeof oid_base, (krb5_octet *) oid_base} + const krb5_data var = \ + {0, sizeof oid_base, (char *)oid_base} oid_as_data(sha1_id, krb5_pkinit_sha1_oid); oid_as_data(sha256_id, krb5_pkinit_sha256_oid); oid_as_data(sha512_id, krb5_pkinit_sha512_oid); #undef oid_as_data -const krb5_octet_data const *supported_kdf_alg_ids[] = { +const krb5_data const *supported_kdf_alg_ids[] = { &sha256_id, &sha1_id, &sha512_id, diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_test.c b/src/plugins/preauth/pkinit/pkinit_kdf_test.c index 02b2bb9d7..710e1ff39 100644 --- a/src/plugins/preauth/pkinit/pkinit_kdf_test.c +++ b/src/plugins/preauth/pkinit/pkinit_kdf_test.c @@ -83,10 +83,10 @@ main(int argc, char **argv) { /* arguments for calls to pkinit_alg_agility_kdf() */ krb5_context context = 0; - krb5_octet_data secret; + krb5_data secret; krb5_algorithm_identifier alg_id; - krb5_octet_data as_req; - krb5_octet_data pk_as_rep; + krb5_data as_req; + krb5_data pk_as_rep; krb5_keyblock key_block; /* other local variables */ @@ -127,14 +127,14 @@ main(int argc, char **argv) memset(twenty_as, 0xaa, sizeof(twenty_as)); memset(eighteen_bs, 0xbb, sizeof(eighteen_bs)); as_req.length = sizeof(twenty_as); - as_req.data = (unsigned char *)&twenty_as; + as_req.data = twenty_as; pk_as_rep.length = sizeof(eighteen_bs); - pk_as_rep.data = (unsigned char *)&eighteen_bs; + pk_as_rep.data = eighteen_bs; /* TEST 1: SHA-1/AES */ /* set up algorithm id */ - alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha1_oid; + alg_id.algorithm.data = (char *)krb5_pkinit_sha1_oid; alg_id.algorithm.length = krb5_pkinit_sha1_oid_len; enctype = enctype_aes; @@ -175,7 +175,7 @@ main(int argc, char **argv) /* TEST 2: SHA-256/AES */ /* set up algorithm id */ - alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha256_oid; + alg_id.algorithm.data = (char *)krb5_pkinit_sha256_oid; alg_id.algorithm.length = krb5_pkinit_sha256_oid_len; enctype = enctype_aes; @@ -216,7 +216,7 @@ main(int argc, char **argv) /* TEST 3: SHA-512/DES3 */ /* set up algorithm id */ - alg_id.algorithm.data = (unsigned char *)&krb5_pkinit_sha512_oid; + alg_id.algorithm.data = (char *)krb5_pkinit_sha512_oid; alg_id.algorithm.length = krb5_pkinit_sha512_oid_len; enctype = enctype_des3; diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c index 6b1018004..34416142e 100644 --- a/src/plugins/preauth/pkinit/pkinit_lib.c +++ b/src/plugins/preauth/pkinit/pkinit_lib.c @@ -43,8 +43,7 @@ #define FAKECERT -const krb5_octet_data -dh_oid = { 0, 7, (unsigned char *)"\x2A\x86\x48\xce\x3e\x02\x01" }; +const krb5_data dh_oid = { 0, 7, "\x2A\x86\x48\xce\x3e\x02\x01" }; krb5_error_code @@ -164,10 +163,10 @@ free_krb5_auth_pack(krb5_auth_pack **in) if ((*in)->supportedCMSTypes != NULL) free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes)); if ((*in)->supportedKDFs) { - krb5_octet_data **supportedKDFs = (*in)->supportedKDFs; + krb5_data **supportedKDFs = (*in)->supportedKDFs; unsigned i; for (i = 0; supportedKDFs[i]; i++) - krb5_free_octet_data(NULL, supportedKDFs[i]); + krb5_free_data(NULL, supportedKDFs[i]); free(supportedKDFs); } free(*in); @@ -188,7 +187,7 @@ free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in) if (*in == NULL) return; switch ((*in)->choice) { case choice_pa_pk_as_rep_dhInfo: - krb5_free_octet_data(NULL, (*in)->u.dh_Info.kdfID); + krb5_free_data(NULL, (*in)->u.dh_Info.kdfID); free((*in)->u.dh_Info.dhSignedData.data); break; case choice_pa_pk_as_rep_encKeyPack: @@ -403,7 +402,7 @@ init_krb5_subject_pk_info(krb5_subject_pk_info **in) } krb5_error_code -pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src) +pkinit_copy_krb5_data(krb5_data *dst, const krb5_data *src) { if (dst == NULL || src == NULL) return EINVAL; diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 3322310bf..8050565d1 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -289,7 +289,7 @@ pkinit_server_verify_padata(krb5_context context, void *arg) { krb5_error_code retval = 0; - krb5_octet_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL}; + krb5_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL}; krb5_pa_pk_as_req *reqp = NULL; krb5_pa_pk_as_req_draft9 *reqp9 = NULL; krb5_auth_pack *auth_pack = NULL; @@ -350,8 +350,11 @@ pkinit_server_verify_padata(krb5_context context, retval = cms_signeddata_verify(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_CLIENT, plgctx->opts->require_crl_checking, + (unsigned char *) reqp->signedAuthPack.data, reqp->signedAuthPack.length, - &authp_data.data, &authp_data.length, &krb5_authz.data, + (unsigned char **)&authp_data.data, + &authp_data.length, + (unsigned char **)&krb5_authz.data, &krb5_authz.length, &is_signed); break; case KRB5_PADATA_PK_AS_REP_OLD: @@ -371,8 +374,11 @@ pkinit_server_verify_padata(krb5_context context, retval = cms_signeddata_verify(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, plgctx->opts->require_crl_checking, + (unsigned char *) reqp9->signedAuthPack.data, reqp9->signedAuthPack.length, - &authp_data.data, &authp_data.length, &krb5_authz.data, + (unsigned char **)&authp_data.data, + &authp_data.length, + (unsigned char **)&krb5_authz.data, &krb5_authz.length, NULL); break; default: @@ -483,7 +489,8 @@ pkinit_server_verify_padata(krb5_context context, int valid_kdcPkId = 0; retval = pkinit_check_kdc_pkid(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, - reqp->kdcPkId.data, reqp->kdcPkId.length, &valid_kdcPkId); + (unsigned char *)reqp->kdcPkId.data, + reqp->kdcPkId.length, &valid_kdcPkId); if (retval) goto cleanup; if (!valid_kdcPkId) @@ -616,14 +623,13 @@ cleanup: } static krb5_error_code -pkinit_pick_kdf_alg(krb5_context context, - krb5_octet_data **kdf_list, - krb5_octet_data **alg_oid) +pkinit_pick_kdf_alg(krb5_context context, krb5_data **kdf_list, + krb5_data **alg_oid) { krb5_error_code retval = 0; - krb5_octet_data *req_oid = NULL; - const krb5_octet_data *supp_oid = NULL; - krb5_octet_data *tmp_oid = NULL; + krb5_data *req_oid = NULL; + const krb5_data *supp_oid = NULL; + krb5_data *tmp_oid = NULL; int i, j = 0; /* if we don't find a match, return NULL value */ @@ -635,7 +641,7 @@ pkinit_pick_kdf_alg(krb5_context context, for (j = 0; NULL != (req_oid = kdf_list[j]); j++) { if ((req_oid->length == supp_oid->length) && (0 == memcmp(req_oid->data, supp_oid->data, req_oid->length))) { - tmp_oid = k5alloc(sizeof(krb5_octet_data), &retval); + tmp_oid = k5alloc(sizeof(krb5_data), &retval); if (retval) goto cleanup; tmp_oid->data = k5alloc(supp_oid->length, &retval); @@ -652,7 +658,7 @@ pkinit_pick_kdf_alg(krb5_context context, } cleanup: if (tmp_oid) - krb5_free_octet_data(context, tmp_oid); + krb5_free_data(context, tmp_oid); return retval; } @@ -685,7 +691,7 @@ pkinit_server_return_padata(krb5_context context, krb5_pa_pk_as_rep *rep = NULL; krb5_pa_pk_as_rep_draft9 *rep9 = NULL; krb5_data *out_data = NULL; - krb5_octet_data secret; + krb5_data secret; krb5_enctype enctype = -1; @@ -767,14 +773,14 @@ pkinit_server_return_padata(krb5_context context, if (reqctx->rcv_auth_pack != NULL && reqctx->rcv_auth_pack->clientPublicValue != NULL) { - subjectPublicKey = + subjectPublicKey = (unsigned char *) reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.data; subjectPublicKey_len = reqctx->rcv_auth_pack->clientPublicValue->subjectPublicKey.length; rep->choice = choice_pa_pk_as_rep_dhInfo; } else if (reqctx->rcv_auth_pack9 != NULL && reqctx->rcv_auth_pack9->clientPublicValue != NULL) { - subjectPublicKey = + subjectPublicKey = (unsigned char *) reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.data; subjectPublicKey_len = reqctx->rcv_auth_pack9->clientPublicValue->subjectPublicKey.length; @@ -805,7 +811,7 @@ pkinit_server_return_padata(krb5_context context, */ dhkey_info.subjectPublicKey.length = dh_pubkey_len; - dhkey_info.subjectPublicKey.data = dh_pubkey; + dhkey_info.subjectPublicKey.data = (char *)dh_pubkey; dhkey_info.nonce = request->nonce; dhkey_info.dhKeyExpiration = 0; @@ -825,8 +831,10 @@ pkinit_server_return_padata(krb5_context context, case KRB5_PADATA_PK_AS_REQ: retval = cms_signeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_SERVER, 1, - (unsigned char *)encoded_dhkey_info->data, + (unsigned char *) + encoded_dhkey_info->data, encoded_dhkey_info->length, + (unsigned char **) &rep->u.dh_Info.dhSignedData.data, &rep->u.dh_Info.dhSignedData.length); if (retval) { @@ -838,8 +846,10 @@ pkinit_server_return_padata(krb5_context context, case KRB5_PADATA_PK_AS_REQ_OLD: retval = cms_signeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, CMS_SIGN_DRAFT9, 1, - (unsigned char *)encoded_dhkey_info->data, + (unsigned char *) + encoded_dhkey_info->data, encoded_dhkey_info->length, + (unsigned char **) &rep9->u.dhSignedData.data, &rep9->u.dhSignedData.length); if (retval) { @@ -913,9 +923,12 @@ pkinit_server_return_padata(krb5_context context, rep->choice = choice_pa_pk_as_rep_encKeyPack; retval = cms_envelopeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, - (unsigned char *)encoded_key_pack->data, + (unsigned char *) + encoded_key_pack->data, encoded_key_pack->length, - &rep->u.encKeyPack.data, &rep->u.encKeyPack.length); + (unsigned char **) + &rep->u.encKeyPack.data, + &rep->u.encKeyPack.length); break; case KRB5_PADATA_PK_AS_REP_OLD: case KRB5_PADATA_PK_AS_REQ_OLD: @@ -943,8 +956,10 @@ pkinit_server_return_padata(krb5_context context, rep9->choice = choice_pa_pk_as_rep_draft9_encKeyPack; retval = cms_envelopeddata_create(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, padata->pa_type, 1, - (unsigned char *)encoded_key_pack->data, + (unsigned char *) + encoded_key_pack->data, encoded_key_pack->length, + (unsigned char **) &rep9->u.encKeyPack.data, &rep9->u.encKeyPack.length); break; } @@ -1018,15 +1033,13 @@ pkinit_server_return_padata(krb5_context context, /* If mutually supported KDFs were found, use the alg agility KDF */ if (rep->u.dh_Info.kdfID) { - secret.data = server_key; + secret.data = (char *)server_key; secret.length = server_key_len; retval = pkinit_alg_agility_kdf(context, &secret, rep->u.dh_Info.kdfID, request->client, request->server, - enctype, - (krb5_octet_data *)req_pkt, - (krb5_octet_data *)out_data, + enctype, req_pkt, out_data, encrypting_key); if (retval) { pkiDebug("pkinit_alg_agility_kdf failed: %s\n", -- 2.26.2