From 9729492ff32002dcc153ad0850b0e30caa3df3fa Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Mon, 19 Sep 2011 00:58:38 +0000
Subject: [PATCH] Remove the ticket from the pkinit-alg-agility KDF function, to match agreed changes to the IETF specification.

Includes removing a parameter from the KDF function, removing the ticket from the ASN.1 encoder, and updating the test code.

Signed-off-by: Margaret Wasserman

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25197 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/k5-int-pkinit.h                  |  1 -
 src/lib/krb5/asn.1/asn1_k_encode.c           |  1 -
 src/plugins/preauth/pkinit/pkinit_crypto.h   |  1 -
 .../preauth/pkinit/pkinit_crypto_openssl.c   |  5 +-
 src/plugins/preauth/pkinit/pkinit_kdf_test.c | 69 ++++++++-----------
 5 files changed, 28 insertions(+), 49 deletions(-)

diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h
index 4f22cddb6..8490f82d9 100644
--- a/src/include/k5-int-pkinit.h
+++ b/src/include/k5-int-pkinit.h
@@ -188,7 +188,6 @@ typedef struct _krb5_pkinit_supp_pub_info {
     krb5_enctype enctype;
     krb5_octet_data as_req;
     krb5_octet_data pk_as_rep;
-    krb5_ticket *ticket;
 } krb5_pkinit_supp_pub_info;
 
 /*
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 9d06de109..2c7c43a83 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1466,7 +1466,6 @@ static const struct field_info pkinit_supp_pub_info_fields[] = {
     FIELDOF_NORM(krb5_pkinit_supp_pub_info, int32, enctype, 0),
     FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, as_req.data, as_req.length, 1),
     FIELDOF_STRING(krb5_pkinit_supp_pub_info, octetstring, pk_as_rep.data, pk_as_rep.length, 2),
-    FIELDOF_NORM(krb5_pkinit_supp_pub_info, ticket_ptr, ticket, 3),
 };
 DEFSEQTYPE(pkinit_supp_pub_info, krb5_pkinit_supp_pub_info, pkinit_supp_pub_info_fields, NULL);
 
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index e69fce3ea..528caecfb 100644
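Review bot: Nothing at the struct definition says that this sequence is what pkinit_alg_agility_kdf() feeds into the KDF as SuppPubInfo (the later hunk in pkinit_crypto_openssl.c encodes it with encode_krb5_pkinit_supp_pub_info), so a maintainer adding or reordering a field here would change every derived key without realising it. Suggest a comment above the typedef, e.g. `/* Encoded as the SuppPubInfo input of pkinit_alg_agility_kdf(); the field set and context tags must track the PKINIT alg-agility specification exactly, since any change alters the derived key. */`, with the same remark on the pkinit_supp_pub_info_fields table in the asn1_k_encode.c hunk, where the [3] tag disappears. The typedef starts above this hunk.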
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -640,7 +640,6 @@ pkinit_alg_agility_kdf(krb5_context context,
                        krb5_enctype enctype,
                        krb5_octet_data *as_req,
                        krb5_octet_data *pk_as_rep,
-                       const krb5_ticket *ticket,
                        krb5_keyblock *key_block);
 
 extern const krb5_octet krb5_pkinit_sha1_oid[];
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 509f8b6e4..6f7b8bc28 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2103,8 +2103,7 @@ pkinit_octetstring2key(krb5_context context,
                        unsigned char *key,
                        unsigned int dh_key_len,
                        krb5_keyblock *key_block)
-{
-    krb5_error_code retval;
+{ krb5_error_code retval;
     unsigned char *buf = NULL;
     unsigned char md[SHA_DIGEST_LENGTH];
     unsigned char counter;
@@ -2233,7 +2232,6 @@ pkinit_alg_agility_kdf(krb5_context context,
                        krb5_enctype enctype,
                        krb5_octet_data *as_req,
                        krb5_octet_data *pk_as_rep,
-                       const krb5_ticket *ticket,
                        krb5_keyblock *key_block)
 {
     krb5_error_code retval = 0;
@@ -2292,7 +2290,6 @@ pkinit_alg_agility_kdf(krb5_context context,
     supp_pub_info_fields.enctype = enctype;
     supp_pub_info_fields.as_req = *as_req;
     supp_pub_info_fields.pk_as_rep = *pk_as_rep;
-    supp_pub_info_fields.ticket = (krb5_ticket *) ticket;
     if (0 != ((retval = encode_krb5_pkinit_supp_pub_info(&supp_pub_info_fields,
                                                          &supp_pub_info))))
         goto cleanup;
diff --git a/src/plugins/preauth/pkinit/pkinit_kdf_test.c b/src/plugins/preauth/pkinit/pkinit_kdf_test.c
index 1d659bfea..036d9e258 100644
--- a/src/plugins/preauth/pkinit/pkinit_kdf_test.c
+++ b/src/plugins/preauth/pkinit/pkinit_kdf_test.c
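Review bot: The first pkinit_crypto_openssl.c hunk merges the opening brace of pkinit_octetstring2key with its first declaration, `+{ krb5_error_code retval;`, which has nothing to do with the ticket removal and breaks the brace convention every other hunk in this patch follows (`{` alone on its line, declaration on the next). Restore the two original lines, `{` and `    krb5_error_code retval;`, or drop this hunk from the commit. The body of pkinit_octetstring2key continues below the hunk.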
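Review bot: With the ticket gone from supp_pub_info_fields, pkinit_alg_agility_kdf derives a different key for the same (secret, as_req, pk_as_rep) inputs than before, and the definition records nothing about which specification revision the SuppPubInfo layout follows; the diffstat lists no caller besides pkinit_kdf_test.c, so presumably no client or KDC path uses the function yet, but once one does, both peers must implement the same revision or key derivation silently disagrees. A comment at the point where the fields are filled in would pin this down, e.g. `/* SuppPubInfo is enctype || as_req || pk_as_rep; the ticket was dropped to match the revised spec, and any further change here changes the derived key. */`. The function body runs past the end of the last hunk, so whether the encoded supp_pub_info is released on the cleanup path is not visible here.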
@@ -59,26 +59,11 @@ char party_u_name [] = "lha@SU.SE";
 char party_v_name [] = "krbtgt/SU.SE@SU.SE";
 int enctype_value = 18;
 krb5_octet key_hex [] =
-    {0xC7, 0x62, 0x89, 0xEC, 0x4B, 0x28, 0xA6, 0x91,
-     0xFF, 0xCE, 0x80, 0xBB, 0xB7, 0xEC, 0x82, 0x41,
-     0x52, 0x3F, 0x99, 0xB1, 0x90, 0xCF, 0x2D, 0x34,
-     0x8F, 0x54, 0xA8, 0x65, 0x81, 0x2C, 0x32, 0x73};
+    {0xe6, 0xAB, 0x38, 0xC9, 0x41, 0x3E, 0x03, 0x5B,
+     0xB0, 0x79, 0x20, 0x1E, 0xD0, 0xB6, 0xB7, 0x3D,
+     0x8D, 0x49, 0xA8, 0x14, 0xA7, 0x37, 0xC0, 0x4E,
+     0xE6, 0x64, 0x96, 0x14, 0x20, 0x6F, 0x73, 0xAD};
 const krb5_data lha_data = DATA_FROM_STRING("lha");
-const krb5_principal_data ticket_server = {
-    0, /*magic*/
-    DATA_FROM_STRING("SU.SE"),
-    (krb5_data *) &lha_data,
-    1, 1};
-const krb5_ticket test_ticket = {
-    KV5M_TICKET,
-    (krb5_principal) &ticket_server,
-    {0, /*magic*/
-     18,
-     0,
-     DATA_FROM_STRING("hejhej") },
-    NULL};
-
-
 
 int
 main (int argc,
@@ -122,11 +107,11 @@ main (int argc,
     /* set-up the partyUInfo and partyVInfo principals */
     if ((0 != (retval = krb5_parse_name(context, party_u_name,
-                                        &u_principal)))
-        (0 != (retval = krb5_parse_name(context, party_v_name,
-                                        &v_principal)))) {
+                                       &u_principal)))
+       (0 != (retval = krb5_parse_name(context, party_v_name,
+                                       &v_principal)))) {
         printf("ERROR in pkinit_kdf_test: Error parsing names, retval = %d",
-               retval);
+              retval);
         goto cleanup;
     }
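Review bot: The replacement key_hex is a known-answer vector with no indication of where it came from, so when a future mismatch occurs nobody can tell whether the KDF regressed or the vector was simply recomputed from this implementation, which is what a known-answer test is meant to prevent. Record the provenance above the array, e.g. `/* Expected key for the inputs above, taken from the alg-agility KDF test vector in <spec revision: placeholder> */`. Separately, `0xe6` in the first element is lower-case while every other byte is upper-case; write `0xE6` so the array is consistent and greps cleanly against the published vector.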
@@ -142,20 +127,20 @@ main (int argc,
     /* set-up the key_block */
     if (0 != (retval = krb5_init_keyblock(context, enctype, max_keylen,
                                           &key_block_ptr))) {
-        printf("ERROR in pkinit_kdf_test: can't init keybloc, retval = %d",
-               retval);
-        goto cleanup;
+       printf("ERROR in pkinit_kdf_test: can't init keybloc, retval = %d",
+              retval);
+       goto cleanup;
-    }
+    }
 
-    /* call krb5_pkinit_alg_agility_kdf() with test vector values*/
+    /* call pkinit_alg_agility_kdf() with test vector values*/
     if (0 != (retval = pkinit_alg_agility_kdf(context, &secret, &alg_id.algorithm,
-                                              u_principal, v_principal,
-                                              enctype, &as_req, &pk_as_rep,
-                                              &test_ticket, &key_block))) {
+                                             u_principal, v_principal,
+                                             enctype, &as_req, &pk_as_rep,
+                                             &key_block))) {
         printf("ERROR in pkinit_kdf_test: kdf call failed, retval = %d",
-               retval);
-        goto cleanup;
+              retval);
+       goto cleanup;
     }
 
     /* compare key to expected key value */
@@ -171,13 +156,13 @@ main (int argc,
     }
 
 cleanup:
-    /* release all allocated resources, whether good or bad return */
-    if (secret.data)
-        free(secret.data);
-    if (u_principal)
-        free(u_principal);
-    if (v_principal)
-        free(v_principal);
-    krb5_free_keyblock_contents(context, &key_block);
-    exit(retval);
+    /* release all allocated resources, whether good or bad return */
+    if (secret.data)
+        free(secret.data);
+    if (u_principal)
+        free(u_principal);
+    if (v_principal)
+        free(v_principal);
+    krb5_free_keyblock_contents(context, &key_block);
+    exit(retval);
 }
-- 
2.26.2
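Review bot: The re-added error path still prints `keybloc` and neither format string ends with a newline, so the two messages are misspelled and run into whatever follows on the terminal; change them to `"ERROR in pkinit_kdf_test: can't init keyblock, retval = %d\n"` and `"ERROR in pkinit_kdf_test: kdf call failed, retval = %d\n"`. The `-    }` / `+    }` pair and the re-emitted printf/goto lines carry identical text and differ only in whitespace, which makes the semantic change (dropping `&test_ticket` from the pkinit_alg_agility_kdf call) harder to spot; a whitespace-only re-indent belongs in its own commit. main() starts above this hunk.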
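Review bot: The rewritten cleanup block releases the principals obtained from krb5_parse_name() with plain `free(u_principal)` / `free(v_principal)`, which frees only the outer struct and leaks each principal's realm and component data; use `krb5_free_principal(context, u_principal);` and `krb5_free_principal(context, v_principal);` instead. The `if (secret.data)` / `if (u_principal)` / `if (v_principal)` guards are redundant since free(NULL) is a no-op, though they become harmless once the principal calls are fixed. Whether the krb5 context is released before `exit(retval)` cannot be seen from this hunk, as main()'s setup is above it.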