rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Remove PKINIT draft9 support (compat with EOL, pre-2008 Windows)

Browse Source
This commit is contained in:
Robbie Harwood 2019-06-26 18:07:12 -04:00
parent 2843572c2f
commit 7bee5f19e1
6 changed files with 2719 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
Remove-3des-support.patch
View File

@ -1,4 +1,4 @@
From c6e61b6ce3f305765dab2acf05a676172c596ddd Mon Sep 17 00:00:00 2001
From cac8b2d0da82fd625da0a351bb80b51a0bb811a2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] Remove 3des support
@ -7,6 +7,8 @@ Completely remove support for all DES3 enctypes (des3-cbc-raw,
des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation
to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain
their constants.
(cherry picked from commit 49b086ddbf861ad0e2e84c402f3d65e9ea8a2392)
---
doc/admin/advanced/retiring-des.rst | 11 +
doc/admin/conf_files/kdc_conf.rst | 7 +-
@ -16,7 +18,7 @@ their constants.
doc/mitK5features.rst | 2 +-
src/Makefile.in | 4 +-
src/configure.in | 1 -
src/include/krb5/krb5.hin | 10 +-
src/include/krb5/krb5.hin | 12 +-
src/kadmin/testing/proto/kdc.conf.proto | 4 +-
src/kdc/kdc_util.c | 4 -
src/lib/crypto/Makefile.in | 8 +-
@ -103,7 +105,7 @@ their constants.
src/tests/t_salt.py | 5 +-
src/util/k5test.py | 10 -
.../leash/htmlhelp/html/Encryption_Types.htm | 13 -
95 files changed, 162 insertions(+), 4836 deletions(-)
95 files changed, 163 insertions(+), 4837 deletions(-)
delete mode 100644 src/lib/crypto/builtin/des/ISSUES
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
@ -300,9 +302,15 @@ index 8d781a7c8..a19a0ea97 100644
lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2
lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 5f596d1fc..9a05ce32d 100644
index 5f596d1fc..ca7eb6a80 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -1,4 +1,4 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+./* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* General definitions for Kerberos version 5. */
/*
* Copyright 1989, 1990, 1995, 2001, 2003, 2007, 2011 by the Massachusetts
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
#define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */
#define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */
@ -5771,29 +5779,29 @@ index 28ded4a89..47f4727bd 100644
#define CKK_CAST3 (0x17)
#define CKK_CAST128 (0x18)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 58400d555..a5337b6f5 100644
index 1a642139a..2f0431991 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -237,14 +237,6 @@ pkinit_as_req_create(krb5_context context,
auth_pack.clientDHNonce.length = 0;
auth_pack.clientPublicValue = &info;
auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids;
@@ -212,14 +212,6 @@ pkinit_as_req_create(krb5_context context,
auth_pack.clientPublicValue = &info;
auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids;
- /* add List of CMS algorithms */
- retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
- reqctx->cryptoctx,
- reqctx->idctx, &cmstypes);
- auth_pack.supportedCMSTypes = cmstypes;
- if (retval)
- goto cleanup;
-
- /* add List of CMS algorithms */
- retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
- reqctx->cryptoctx,
- reqctx->idctx, &cmstypes);
- auth_pack.supportedCMSTypes = cmstypes;
- if (retval)
- goto cleanup;
break;
default:
pkiDebug("as_req: unrecognized pa_type = %d\n",
switch(protocol) {
case DH_PROTOCOL:
TRACE_PKINIT_CLIENT_REQ_DH(context);
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index 0acb731cd..d42acfa4b 100644
index 8064a07d0..a291889b0 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -381,18 +381,6 @@ krb5_error_code server_process_dh
@@ -380,18 +380,6 @@ krb5_error_code server_process_dh
unsigned int *server_key_len_out); /* OUT
receives length of DH secret key */
@ -5813,10 +5821,10 @@ index 0acb731cd..d42acfa4b 100644
* this functions takes in crypto specific representation of
* trustedCertifiers and creates a list of
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 8aa2c5257..b101d179f 100644
index 8c7fd0cca..52976895b 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5596,44 +5596,6 @@ cleanup:
@@ -5487,44 +5487,6 @@ cleanup:
return retval;
}

967
Remove-PKINIT-draft-9-ASN.1-code-and-types.patch Normal file
View File

@ -0,0 +1,967 @@
From fc909a6d2881c4b434c946023c5f581cec9e96c9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 18 Jun 2019 11:40:48 -0400
Subject: [PATCH] Remove PKINIT draft 9 ASN.1 code and types
ticket: 8817
(cherry picked from commit c82e21d8836d4cb4c6ac7047752c9f600cb1ce33)
---
src/include/k5-int-pkinit.h | 74 --------------------------
src/include/k5-int.h | 30 +----------
src/lib/krb5/asn.1/asn1_k_encode.c | 81 ----------------------------
src/lib/krb5/os/accessor.c | 7 ---
src/tests/asn.1/krb5_decode_test.c | 41 --------------
src/tests/asn.1/krb5_encode_test.c | 40 --------------
src/tests/asn.1/ktest.c | 85 ------------------------------
src/tests/asn.1/ktest.h | 11 ----
src/tests/asn.1/ktest_equal.c | 51 ------------------
src/tests/asn.1/ktest_equal.h | 3 --
src/tests/asn.1/pkinit_encode.out | 5 --
src/tests/asn.1/pkinit_trval.out | 47 -----------------
12 files changed, 1 insertion(+), 474 deletions(-)
diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h
index 4622a629e..c23cfd304 100644
--- a/src/include/k5-int-pkinit.h
+++ b/src/include/k5-int-pkinit.h
@@ -45,14 +45,6 @@ typedef struct _krb5_pk_authenticator {
krb5_data *freshnessToken;
} krb5_pk_authenticator;
-/* PKAuthenticator draft9 */
-typedef struct _krb5_pk_authenticator_draft9 {
- krb5_principal kdcName;
- krb5_int32 cusec; /* (0..999999) */
- krb5_timestamp ctime;
- krb5_int32 nonce; /* (0..4294967295) */
-} krb5_pk_authenticator_draft9;
-
/* AlgorithmIdentifier */
typedef struct _krb5_algorithm_identifier {
krb5_data algorithm; /* OID */
@@ -74,12 +66,6 @@ typedef struct _krb5_auth_pack {
krb5_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */
} krb5_auth_pack;
-/* AuthPack draft9 */
-typedef struct _krb5_auth_pack_draft9 {
- krb5_pk_authenticator_draft9 pkAuthenticator;
- krb5_subject_pk_info *clientPublicValue; /* Optional */
-} krb5_auth_pack_draft9;
-
/* ExternalPrincipalIdentifier */
typedef struct _krb5_external_principal_identifier {
krb5_data subjectName; /* Optional */
@@ -87,14 +73,6 @@ typedef struct _krb5_external_principal_identifier {
krb5_data subjectKeyIdentifier; /* Optional */
} krb5_external_principal_identifier;
-/* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
-/* This has four fields, but we only care about the first and third for
- * encoding, and the only about the first for decoding. */
-typedef struct _krb5_pa_pk_as_req_draft9 {
- krb5_data signedAuthPack;
- krb5_data kdcCert; /* Optional */
-} krb5_pa_pk_as_req_draft9;
-
/* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */
typedef struct _krb5_pa_pk_as_req {
krb5_data signedAuthPack;
@@ -116,37 +94,12 @@ typedef struct _krb5_kdc_dh_key_info {
krb5_timestamp dhKeyExpiration; /* Optional */
} krb5_kdc_dh_key_info;
-/* KDCDHKeyInfo draft9*/
-typedef struct _krb5_kdc_dh_key_info_draft9 {
- krb5_data subjectPublicKey; /* BIT STRING */
- krb5_int32 nonce; /* (0..4294967295) */
-} krb5_kdc_dh_key_info_draft9;
-
/* ReplyKeyPack */
typedef struct _krb5_reply_key_pack {
krb5_keyblock replyKey;
krb5_checksum asChecksum;
} krb5_reply_key_pack;
-/* ReplyKeyPack */
-typedef struct _krb5_reply_key_pack_draft9 {
- krb5_keyblock replyKey;
- krb5_int32 nonce;
-} krb5_reply_key_pack_draft9;
-
-/* PA-PK-AS-REP (Draft 9 -- PA TYPE 15) */
-typedef struct _krb5_pa_pk_as_rep_draft9 {
- enum krb5_pa_pk_as_rep_draft9_selection {
- choice_pa_pk_as_rep_draft9_UNKNOWN = -1,
- choice_pa_pk_as_rep_draft9_dhSignedData = 0,
- choice_pa_pk_as_rep_draft9_encKeyPack = 1
- } choice;
- union krb5_pa_pk_as_rep_draft9_choices {
- krb5_data dhSignedData;
- krb5_data encKeyPack;
- } u;
-} krb5_pa_pk_as_rep_draft9;
-
/* PA-PK-AS-REP (rfc4556 -- PA TYPE 17) */
typedef struct _krb5_pa_pk_as_rep {
enum krb5_pa_pk_as_rep_selection {
@@ -186,34 +139,18 @@ typedef struct _krb5_pkinit_supp_pub_info {
krb5_error_code
encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_pa_pk_as_req_draft9(const krb5_pa_pk_as_req_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_pa_pk_as_rep_draft9(const krb5_pa_pk_as_rep_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
encode_krb5_auth_pack(const krb5_auth_pack *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_auth_pack_draft9(const krb5_auth_pack_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *rep, krb5_data **code);
krb5_error_code
encode_krb5_reply_key_pack(const krb5_reply_key_pack *, krb5_data **code);
-krb5_error_code
-encode_krb5_reply_key_pack_draft9(const krb5_reply_key_pack_draft9 *,
- krb5_data **code);
-
krb5_error_code
encode_krb5_td_trusted_certifiers(krb5_external_principal_identifier *const *,
krb5_data **code);
@@ -237,19 +174,12 @@ encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *,
krb5_error_code
decode_krb5_pa_pk_as_req(const krb5_data *, krb5_pa_pk_as_req **);
-krb5_error_code
-decode_krb5_pa_pk_as_req_draft9(const krb5_data *,
- krb5_pa_pk_as_req_draft9 **);
-
krb5_error_code
decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **);
krb5_error_code
decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **);
-krb5_error_code
-decode_krb5_auth_pack_draft9(const krb5_data *, krb5_auth_pack_draft9 **);
-
krb5_error_code
decode_krb5_kdc_dh_key_info(const krb5_data *, krb5_kdc_dh_key_info **);
@@ -259,10 +189,6 @@ decode_krb5_principal_name(const krb5_data *, krb5_principal_data **);
krb5_error_code
decode_krb5_reply_key_pack(const krb5_data *, krb5_reply_key_pack **);
-krb5_error_code
-decode_krb5_reply_key_pack_draft9(const krb5_data *,
- krb5_reply_key_pack_draft9 **);
-
krb5_error_code
decode_krb5_td_trusted_certifiers(const krb5_data *,
krb5_external_principal_identifier ***);
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 0857fd1cc..cb328785d 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1836,7 +1836,7 @@ krb5int_random_string(krb5_context, char *string, unsigned int length);
/* To keep happy libraries which are (for now) accessing internal stuff */
/* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 22
+#define KRB5INT_ACCESS_STRUCT_VERSION 23
typedef struct _krb5int_access {
krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
@@ -1865,10 +1865,6 @@ typedef struct _krb5int_access {
krb5_error_code
(*encode_krb5_auth_pack)(const krb5_auth_pack *rep, krb5_data **code);
- krb5_error_code
- (*encode_krb5_auth_pack_draft9)(const krb5_auth_pack_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_kdc_dh_key_info)(const krb5_kdc_dh_key_info *rep,
krb5_data **code);
@@ -1877,26 +1873,14 @@ typedef struct _krb5int_access {
(*encode_krb5_pa_pk_as_rep)(const krb5_pa_pk_as_rep *rep,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_pa_pk_as_req)(const krb5_pa_pk_as_req *rep,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_pa_pk_as_req_draft9)(const krb5_pa_pk_as_req_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_reply_key_pack)(const krb5_reply_key_pack *,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_reply_key_pack_draft9)(const krb5_reply_key_pack_draft9 *,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_td_dh_parameters)(krb5_algorithm_identifier *const *,
krb5_data **code);
@@ -1908,17 +1892,9 @@ typedef struct _krb5int_access {
krb5_error_code
(*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **);
- krb5_error_code
- (*decode_krb5_auth_pack_draft9)(const krb5_data *,
- krb5_auth_pack_draft9 **);
-
krb5_error_code
(*decode_krb5_pa_pk_as_req)(const krb5_data *, krb5_pa_pk_as_req **);
- krb5_error_code
- (*decode_krb5_pa_pk_as_req_draft9)(const krb5_data *,
- krb5_pa_pk_as_req_draft9 **);
-
krb5_error_code
(*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **);
@@ -1931,10 +1907,6 @@ typedef struct _krb5int_access {
krb5_error_code
(*decode_krb5_reply_key_pack)(const krb5_data *, krb5_reply_key_pack **);
- krb5_error_code
- (*decode_krb5_reply_key_pack_draft9)(const krb5_data *,
- krb5_reply_key_pack_draft9 **);
-
krb5_error_code
(*decode_krb5_td_dh_parameters)(const krb5_data *,
krb5_algorithm_identifier ***);
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 81a34bac9..a026ab390 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1446,19 +1446,6 @@ static const struct atype_info *pk_authenticator_fields[] = {
};
DEFSEQTYPE(pk_authenticator, krb5_pk_authenticator, pk_authenticator_fields);
-DEFFIELD(pkauth9_0, krb5_pk_authenticator_draft9, kdcName, 0, principal);
-DEFFIELD(pkauth9_1, krb5_pk_authenticator_draft9, kdcName, 1,
- realm_of_principal);
-DEFFIELD(pkauth9_2, krb5_pk_authenticator_draft9, cusec, 2, int32);
-DEFFIELD(pkauth9_3, krb5_pk_authenticator_draft9, ctime, 3, kerberos_time);
-DEFFIELD(pkauth9_4, krb5_pk_authenticator_draft9, nonce, 4, int32);
-static const struct atype_info *pk_authenticator_draft9_fields[] = {
- &k5_atype_pkauth9_0, &k5_atype_pkauth9_1, &k5_atype_pkauth9_2,
- &k5_atype_pkauth9_3, &k5_atype_pkauth9_4
-};
-DEFSEQTYPE(pk_authenticator_draft9, krb5_pk_authenticator_draft9,
- pk_authenticator_draft9_fields);
-
DEFCOUNTEDSTRINGTYPE(s_bitstring, char *, unsigned int,
k5_asn1_encode_bitstring, k5_asn1_decode_bitstring,
ASN1_BITSTRING);
@@ -1488,15 +1475,6 @@ static const struct atype_info *auth_pack_fields[] = {
};
DEFSEQTYPE(auth_pack, krb5_auth_pack, auth_pack_fields);
-DEFFIELD(auth_pack9_0, krb5_auth_pack_draft9, pkAuthenticator, 0,
- pk_authenticator_draft9);
-DEFFIELD(auth_pack9_1, krb5_auth_pack_draft9, clientPublicValue, 1,
- opt_subject_pk_info_ptr);
-static const struct atype_info *auth_pack_draft9_fields[] = {
- &k5_atype_auth_pack9_0, &k5_atype_auth_pack9_1
-};
-DEFSEQTYPE(auth_pack_draft9, krb5_auth_pack_draft9, auth_pack_draft9_fields);
-
DEFFIELD_IMPLICIT(extprinc_0, krb5_external_principal_identifier,
subjectName, 0, opt_ostring_data);
DEFFIELD_IMPLICIT(extprinc_1, krb5_external_principal_identifier,
@@ -1529,29 +1507,6 @@ static const struct atype_info *pa_pk_as_req_fields[] = {
};
DEFSEQTYPE(pa_pk_as_req, krb5_pa_pk_as_req, pa_pk_as_req_fields);
-/*
- * In draft-ietf-cat-kerberos-pk-init-09, this sequence has four fields, but we
- * only ever use the first and third. The fields are specified as explicitly
- * tagged, but our historical behavior is to pretend that they are wrapped in
- * IMPLICIT OCTET STRING (i.e., generate primitive context tags), and we don't
- * want to change that without interop testing.
- */
-DEFFIELD_IMPLICIT(pa_pk_as_req9_0, krb5_pa_pk_as_req_draft9, signedAuthPack, 0,
- ostring_data);
-DEFFIELD_IMPLICIT(pa_pk_as_req9_2, krb5_pa_pk_as_req_draft9, kdcCert, 2,
- opt_ostring_data);
-static const struct atype_info *pa_pk_as_req_draft9_fields[] = {
- &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_2
-};
-DEFSEQTYPE(pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9,
- pa_pk_as_req_draft9_fields);
-/* For decoding, we only care about the first field; we can ignore the rest. */
-static const struct atype_info *pa_pk_as_req_draft9_decode_fields[] = {
- &k5_atype_pa_pk_as_req9_0
-};
-DEFSEQTYPE(pa_pk_as_req_draft9_decode, krb5_pa_pk_as_req_draft9,
- pa_pk_as_req_draft9_decode_fields);
-
DEFFIELD_IMPLICIT(dh_rep_info_0, krb5_dh_rep_info, dhSignedData, 0,
ostring_data);
DEFFIELD(dh_rep_info_1, krb5_dh_rep_info, serverDHNonce, 1, opt_ostring_data);
@@ -1577,14 +1532,6 @@ static const struct atype_info *reply_key_pack_fields[] = {
};
DEFSEQTYPE(reply_key_pack, krb5_reply_key_pack, reply_key_pack_fields);
-DEFFIELD(key_pack9_0, krb5_reply_key_pack_draft9, replyKey, 0, encryption_key);
-DEFFIELD(key_pack9_1, krb5_reply_key_pack_draft9, nonce, 1, int32);
-static const struct atype_info *reply_key_pack_draft9_fields[] = {
- &k5_atype_key_pack9_0, &k5_atype_key_pack9_1
-};
-DEFSEQTYPE(reply_key_pack_draft9, krb5_reply_key_pack_draft9,
- reply_key_pack_draft9_fields);
-
DEFCTAGGEDTYPE(pa_pk_as_rep_0, 0, dh_rep_info);
DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep_1, 1, ostring_data);
static const struct atype_info *pa_pk_as_rep_alternatives[] = {
@@ -1595,44 +1542,16 @@ DEFCHOICETYPE(pa_pk_as_rep_choice, union krb5_pa_pk_as_rep_choices,
DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep, krb5_pa_pk_as_rep, u, choice,
pa_pk_as_rep_choice);
-/*
- * draft-ietf-cat-kerberos-pk-init-09 specifies these alternatives as
- * explicitly tagged SignedData and EnvelopedData respectively, which means
- * they should have constructed context tags. However, our historical behavior
- * is to use primitive context tags, and we don't want to change that behavior
- * without interop testing. We have the encodings for each alternative in a
- * krb5_data object; pretend that they are wrapped in IMPLICIT OCTET STRING in
- * order to wrap them in primitive [0] and [1] tags.
- */
-DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_0, 0, ostring_data);
-DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_1, 1, ostring_data);
-static const struct atype_info *pa_pk_as_rep_draft9_alternatives[] = {
- &k5_atype_pa_pk_as_rep9_0, &k5_atype_pa_pk_as_rep9_1
-};
-DEFCHOICETYPE(pa_pk_as_rep_draft9_choice,
- union krb5_pa_pk_as_rep_draft9_choices,
- enum krb5_pa_pk_as_rep_draft9_selection,
- pa_pk_as_rep_draft9_alternatives);
-DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep_draft9, krb5_pa_pk_as_rep_draft9, u, choice,
- pa_pk_as_rep_draft9_choice);
-
MAKE_ENCODER(encode_krb5_pa_pk_as_req, pa_pk_as_req);
MAKE_DECODER(decode_krb5_pa_pk_as_req, pa_pk_as_req);
-MAKE_ENCODER(encode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9);
-MAKE_DECODER(decode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9_decode);
MAKE_ENCODER(encode_krb5_pa_pk_as_rep, pa_pk_as_rep);
MAKE_DECODER(decode_krb5_pa_pk_as_rep, pa_pk_as_rep);
-MAKE_ENCODER(encode_krb5_pa_pk_as_rep_draft9, pa_pk_as_rep_draft9);
MAKE_ENCODER(encode_krb5_auth_pack, auth_pack);
MAKE_DECODER(decode_krb5_auth_pack, auth_pack);
-MAKE_ENCODER(encode_krb5_auth_pack_draft9, auth_pack_draft9);
-MAKE_DECODER(decode_krb5_auth_pack_draft9, auth_pack_draft9);
MAKE_ENCODER(encode_krb5_kdc_dh_key_info, kdc_dh_key_info);
MAKE_DECODER(decode_krb5_kdc_dh_key_info, kdc_dh_key_info);
MAKE_ENCODER(encode_krb5_reply_key_pack, reply_key_pack);
MAKE_DECODER(decode_krb5_reply_key_pack, reply_key_pack);
-MAKE_ENCODER(encode_krb5_reply_key_pack_draft9, reply_key_pack_draft9);
-MAKE_DECODER(decode_krb5_reply_key_pack_draft9, reply_key_pack_draft9);
MAKE_ENCODER(encode_krb5_td_trusted_certifiers,
seqof_external_principal_identifier);
MAKE_DECODER(decode_krb5_td_trusted_certifiers,
diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c
index d77f8c6b7..12a39a2ab 100644
--- a/src/lib/krb5/os/accessor.c
+++ b/src/lib/krb5/os/accessor.c
@@ -80,25 +80,18 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
#define SC(FIELD, VAL) S(FIELD, 0)
#endif
SC (encode_krb5_pa_pk_as_req, encode_krb5_pa_pk_as_req),
- SC (encode_krb5_pa_pk_as_req_draft9, encode_krb5_pa_pk_as_req_draft9),
SC (encode_krb5_pa_pk_as_rep, encode_krb5_pa_pk_as_rep),
- SC (encode_krb5_pa_pk_as_rep_draft9, encode_krb5_pa_pk_as_rep_draft9),
SC (encode_krb5_auth_pack, encode_krb5_auth_pack),
- SC (encode_krb5_auth_pack_draft9, encode_krb5_auth_pack_draft9),
SC (encode_krb5_kdc_dh_key_info, encode_krb5_kdc_dh_key_info),
SC (encode_krb5_reply_key_pack, encode_krb5_reply_key_pack),
- SC (encode_krb5_reply_key_pack_draft9, encode_krb5_reply_key_pack_draft9),
SC (encode_krb5_td_trusted_certifiers, encode_krb5_td_trusted_certifiers),
SC (encode_krb5_td_dh_parameters, encode_krb5_td_dh_parameters),
SC (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req),
- SC (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9),
SC (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep),
SC (decode_krb5_auth_pack, decode_krb5_auth_pack),
- SC (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9),
SC (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info),
SC (decode_krb5_principal_name, decode_krb5_principal_name),
SC (decode_krb5_reply_key_pack, decode_krb5_reply_key_pack),
- SC (decode_krb5_reply_key_pack_draft9, decode_krb5_reply_key_pack_draft9),
SC (decode_krb5_td_trusted_certifiers, decode_krb5_td_trusted_certifiers),
SC (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters),
SC (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body),
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index cbd99ba63..7a116b40d 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -42,8 +42,6 @@ void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val);
#ifndef DISABLE_PKINIT
static int equal_principal(krb5_principal *ref, krb5_principal var);
static void ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val);
-static void ktest_free_auth_pack_draft9(krb5_context context,
- krb5_auth_pack_draft9 *val);
static void ktest_free_kdc_dh_key_info(krb5_context context,
krb5_kdc_dh_key_info *val);
static void ktest_free_pa_pk_as_req(krb5_context context,
@@ -52,8 +50,6 @@ static void ktest_free_pa_pk_as_rep(krb5_context context,
krb5_pa_pk_as_rep *val);
static void ktest_free_reply_key_pack(krb5_context context,
krb5_reply_key_pack *val);
-static void ktest_free_reply_key_pack_draft9(krb5_context context,
- krb5_reply_key_pack_draft9 *val);
#endif
static void ktest_free_kkdcp_message(krb5_context context,
krb5_kkdcp_message *val);
@@ -1183,16 +1179,6 @@ int main(argc, argv)
ktest_empty_auth_pack(&ref);
}
- /****************************************************************/
- /* decode_krb5_auth_pack_draft9 */
- {
- setup(krb5_auth_pack_draft9,ktest_make_sample_auth_pack_draft9);
- decode_run("krb5_auth_pack_draft9","","30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61",
- acc.decode_krb5_auth_pack_draft9,
- ktest_equal_auth_pack_draft9,ktest_free_auth_pack_draft9);
- ktest_empty_auth_pack_draft9(&ref);
- }
-
/****************************************************************/
/* decode_krb5_kdc_dh_key_info */
{
@@ -1213,16 +1199,6 @@ int main(argc, argv)
ktest_empty_reply_key_pack(&ref);
}
- /****************************************************************/
- /* decode_krb5_reply_key_pack_draft9 */
- {
- setup(krb5_reply_key_pack_draft9,ktest_make_sample_reply_key_pack_draft9);
- decode_run("krb5_reply_key_pack_draft9","","30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A",
- acc.decode_krb5_reply_key_pack_draft9,
- ktest_equal_reply_key_pack_draft9,ktest_free_reply_key_pack_draft9);
- ktest_empty_reply_key_pack_draft9(&ref);
- }
-
/****************************************************************/
/* decode_krb5_principal_name */
/* We have no encoder for this type (KerberosName from RFC 4556); the
@@ -1279,14 +1255,6 @@ ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val)
free(val);
}
-static void
-ktest_free_auth_pack_draft9(krb5_context context, krb5_auth_pack_draft9 *val)
-{
- if (val)
- ktest_empty_auth_pack_draft9(val);
- free(val);
-}
-
static void
ktest_free_kdc_dh_key_info(krb5_context context, krb5_kdc_dh_key_info *val)
{
@@ -1319,15 +1287,6 @@ ktest_free_reply_key_pack(krb5_context context, krb5_reply_key_pack *val)
free(val);
}
-static void
-ktest_free_reply_key_pack_draft9(krb5_context context,
- krb5_reply_key_pack_draft9 *val)
-{
- if (val)
- ktest_empty_reply_key_pack_draft9(val);
- free(val);
-}
-
#endif /* not DISABLE_PKINIT */
static void
diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c
index 3efbfb4c0..72c013468 100644
--- a/src/tests/asn.1/krb5_encode_test.c
+++ b/src/tests/asn.1/krb5_encode_test.c
@@ -798,15 +798,6 @@ main(argc, argv)
ktest_empty_pa_pk_as_req(&req);
}
/****************************************************************/
- /* encode_krb5_pa_pk_as_req_draft9 */
- {
- krb5_pa_pk_as_req_draft9 req;
- ktest_make_sample_pa_pk_as_req_draft9(&req);
- encode_run(req, "pa_pk_as_req_draft9", "",
- acc.encode_krb5_pa_pk_as_req_draft9);
- ktest_empty_pa_pk_as_req_draft9(&req);
- }
- /****************************************************************/
/* encode_krb5_pa_pk_as_rep */
{
krb5_pa_pk_as_rep rep;
@@ -820,19 +811,6 @@ main(argc, argv)
ktest_empty_pa_pk_as_rep(&rep);
}
/****************************************************************/
- /* encode_krb5_pa_pk_as_rep_draft9 */
- {
- krb5_pa_pk_as_rep_draft9 rep;
- ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(&rep);
- encode_run(rep, "pa_pk_as_rep_draft9", "(dhSignedData)",
- acc.encode_krb5_pa_pk_as_rep_draft9);
- ktest_empty_pa_pk_as_rep_draft9(&rep);
- ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(&rep);
- encode_run(rep, "pa_pk_as_rep_draft9", "(encKeyPack)",
- acc.encode_krb5_pa_pk_as_rep_draft9);
- ktest_empty_pa_pk_as_rep_draft9(&rep);
- }
- /****************************************************************/
/* encode_krb5_auth_pack */
{
krb5_auth_pack pack;
@@ -841,15 +819,6 @@ main(argc, argv)
ktest_empty_auth_pack(&pack);
}
/****************************************************************/
- /* encode_krb5_auth_pack_draft9_draft9 */
- {
- krb5_auth_pack_draft9 pack;
- ktest_make_sample_auth_pack_draft9(&pack);
- encode_run(pack, "auth_pack_draft9", "",
- acc.encode_krb5_auth_pack_draft9);
- ktest_empty_auth_pack_draft9(&pack);
- }
- /****************************************************************/
/* encode_krb5_kdc_dh_key_info */
{
krb5_kdc_dh_key_info ki;
@@ -866,15 +835,6 @@ main(argc, argv)
ktest_empty_reply_key_pack(&pack);
}
/****************************************************************/
- /* encode_krb5_reply_key_pack_draft9 */
- {
- krb5_reply_key_pack_draft9 pack;
- ktest_make_sample_reply_key_pack_draft9(&pack);
- encode_run(pack, "reply_key_pack_draft9", "",
- acc.encode_krb5_reply_key_pack_draft9);
- ktest_empty_reply_key_pack_draft9(&pack);
- }
- /****************************************************************/
/* encode_krb5_sp80056a_other_info */
{
krb5_sp80056a_other_info info;
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 258377299..7bb698732 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -729,15 +729,6 @@ ktest_make_sample_pk_authenticator(krb5_pk_authenticator *p)
ktest_make_sample_data(p->freshnessToken);
}
-static void
-ktest_make_sample_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p)
-{
- ktest_make_sample_principal(&p->kdcName);
- p->cusec = SAMPLE_USEC;
- p->ctime = SAMPLE_TIME;
- p->nonce = SAMPLE_NONCE;
-}
-
static void
ktest_make_sample_oid(krb5_data *p)
{
@@ -788,13 +779,6 @@ ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p)
ktest_make_sample_data(&p->kdcPkId);
}
-void
-ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p)
-{
- ktest_make_sample_data(&p->signedAuthPack);
- ktest_make_sample_data(&p->kdcCert);
-}
-
static void
ktest_make_sample_dh_rep_info(krb5_dh_rep_info *p)
{
@@ -818,20 +802,6 @@ ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p)
ktest_make_sample_data(&p->u.encKeyPack);
}
-void
-ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(krb5_pa_pk_as_rep_draft9 *p)
-{
- p->choice = choice_pa_pk_as_rep_draft9_dhSignedData;
- ktest_make_sample_data(&p->u.dhSignedData);
-}
-
-void
-ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(krb5_pa_pk_as_rep_draft9 *p)
-{
- p->choice = choice_pa_pk_as_rep_draft9_encKeyPack;
- ktest_make_sample_data(&p->u.encKeyPack);
-}
-
void
ktest_make_sample_auth_pack(krb5_auth_pack *p)
{
@@ -851,14 +821,6 @@ ktest_make_sample_auth_pack(krb5_auth_pack *p)
p->supportedKDFs[1] = NULL;
}
-void
-ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p)
-{
- ktest_make_sample_pk_authenticator_draft9(&p->pkAuthenticator);
- p->clientPublicValue = ealloc(sizeof(krb5_subject_pk_info));
- ktest_make_sample_subject_pk_info(p->clientPublicValue);
-}
-
void
ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p)
{
@@ -874,13 +836,6 @@ ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p)
ktest_make_sample_checksum(&p->asChecksum);
}
-void
-ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p)
-{
- ktest_make_sample_keyblock(&p->replyKey);
- p->nonce = SAMPLE_NONCE;
-}
-
void
ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p)
{
@@ -1717,12 +1672,6 @@ ktest_empty_pk_authenticator(krb5_pk_authenticator *p)
p->freshnessToken = NULL;
}
-static void
-ktest_empty_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p)
-{
- ktest_destroy_principal(&p->kdcName);
-}
-
static void
ktest_empty_subject_pk_info(krb5_subject_pk_info *p)
{
@@ -1754,13 +1703,6 @@ ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p)
ktest_empty_data(&p->kdcPkId);
}
-void
-ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p)
-{
- ktest_empty_data(&p->signedAuthPack);
- ktest_empty_data(&p->kdcCert);
-}
-
static void
ktest_empty_dh_rep_info(krb5_dh_rep_info *p)
{
@@ -1779,16 +1721,6 @@ ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p)
p->choice = choice_pa_pk_as_rep_UNKNOWN;
}
-void
-ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p)
-{
- if (p->choice == choice_pa_pk_as_rep_draft9_dhSignedData)
- ktest_empty_data(&p->u.dhSignedData);
- else if (p->choice == choice_pa_pk_as_rep_draft9_encKeyPack)
- ktest_empty_data(&p->u.encKeyPack);
- p->choice = choice_pa_pk_as_rep_draft9_UNKNOWN;
-}
-
void
ktest_empty_auth_pack(krb5_auth_pack *p)
{
@@ -1820,17 +1752,6 @@ ktest_empty_auth_pack(krb5_auth_pack *p)
}
}
-void
-ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p)
-{
- ktest_empty_pk_authenticator_draft9(&p->pkAuthenticator);
- if (p->clientPublicValue != NULL) {
- ktest_empty_subject_pk_info(p->clientPublicValue);
- free(p->clientPublicValue);
- p->clientPublicValue = NULL;
- }
-}
-
void
ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p)
{
@@ -1844,12 +1765,6 @@ ktest_empty_reply_key_pack(krb5_reply_key_pack *p)
ktest_empty_checksum(&p->asChecksum);
}
-void
-ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p)
-{
- ktest_empty_keyblock(&p->replyKey);
-}
-
void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p)
{
ktest_empty_algorithm_identifier(&p->algorithm_identifier);
diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h
index 1413cfae1..d9cc90a5c 100644
--- a/src/tests/asn.1/ktest.h
+++ b/src/tests/asn.1/ktest.h
@@ -101,18 +101,11 @@ void ktest_make_maximal_pa_otp_req(krb5_pa_otp_req *p);
#ifndef DISABLE_PKINIT
void ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p);
-void ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p);
void ktest_make_sample_pa_pk_as_rep_dhInfo(krb5_pa_pk_as_rep *p);
void ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p);
-void ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(
- krb5_pa_pk_as_rep_draft9 *p);
-void ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(
- krb5_pa_pk_as_rep_draft9 *p);
void ktest_make_sample_auth_pack(krb5_auth_pack *p);
-void ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p);
void ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p);
void ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p);
-void ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p);
void ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p);
void ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
#endif
@@ -197,14 +190,10 @@ void ktest_empty_pa_otp_req(krb5_pa_otp_req *p);
#ifndef DISABLE_PKINIT
void ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p);
-void ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p);
void ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p);
-void ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p);
void ktest_empty_auth_pack(krb5_auth_pack *p);
-void ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p);
void ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p);
void ktest_empty_reply_key_pack(krb5_reply_key_pack *p);
-void ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p);
void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p);
void ktest_empty_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
#endif
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index 714cc4398..8a3911cdc 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
@@ -876,20 +876,6 @@ ktest_equal_pk_authenticator(krb5_pk_authenticator *ref,
return p;
}
-static int
-ktest_equal_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *ref,
- krb5_pk_authenticator_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && ptr_equal(kdcName, ktest_equal_principal_data);
- p = p && scalar_equal(cusec);
- p = p && scalar_equal(ctime);
- p = p && scalar_equal(nonce);
- return p;
-}
-
static int
ktest_equal_subject_pk_info(krb5_subject_pk_info *ref,
krb5_subject_pk_info *var)
@@ -937,18 +923,6 @@ ktest_equal_pa_pk_as_req(krb5_pa_pk_as_req *ref, krb5_pa_pk_as_req *var)
return p;
}
-int
-ktest_equal_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *ref,
- krb5_pa_pk_as_req_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && equal_str(signedAuthPack);
- p = p && equal_str(kdcCert);
- return p;
-}
-
static int
ktest_equal_dh_rep_info(krb5_dh_rep_info *ref, krb5_dh_rep_info *var)
{
@@ -996,19 +970,6 @@ ktest_equal_auth_pack(krb5_auth_pack *ref, krb5_auth_pack *var)
return p;
}
-int
-ktest_equal_auth_pack_draft9(krb5_auth_pack_draft9 *ref,
- krb5_auth_pack_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && struct_equal(pkAuthenticator,
- ktest_equal_pk_authenticator_draft9);
- p = p && ptr_equal(clientPublicValue, ktest_equal_subject_pk_info);
- return p;
-}
-
int
ktest_equal_kdc_dh_key_info(krb5_kdc_dh_key_info *ref,
krb5_kdc_dh_key_info *var)
@@ -1033,18 +994,6 @@ ktest_equal_reply_key_pack(krb5_reply_key_pack *ref, krb5_reply_key_pack *var)
return p;
}
-int
-ktest_equal_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *ref,
- krb5_reply_key_pack_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && struct_equal(replyKey, ktest_equal_keyblock);
- p = p && scalar_equal(nonce);
- return p;
-}
-
#endif /* not DISABLE_PKINIT */
int
diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h
index cfa82ac6e..80a0d781a 100644
--- a/src/tests/asn.1/ktest_equal.h
+++ b/src/tests/asn.1/ktest_equal.h
@@ -139,13 +139,10 @@ int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
#ifndef DISABLE_PKINIT
generic(ktest_equal_pa_pk_as_req, krb5_pa_pk_as_req);
-generic(ktest_equal_pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9);
generic(ktest_equal_pa_pk_as_rep, krb5_pa_pk_as_rep);
generic(ktest_equal_auth_pack, krb5_auth_pack);
-generic(ktest_equal_auth_pack_draft9, krb5_auth_pack_draft9);
generic(ktest_equal_kdc_dh_key_info, krb5_kdc_dh_key_info);
generic(ktest_equal_reply_key_pack, krb5_reply_key_pack);
-generic(ktest_equal_reply_key_pack_draft9, krb5_reply_key_pack_draft9);
#endif /* not DISABLE_PKINIT */
int ktest_equal_kkdcp_message(krb5_kkdcp_message *ref,
diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
index 55a60bbef..9bd08e159 100644
--- a/src/tests/asn.1/pkinit_encode.out
+++ b/src/tests/asn.1/pkinit_encode.out
@@ -1,13 +1,8 @@
encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_req_draft9: 30 14 80 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
encode_krb5_auth_pack: 30 81 9F A0 35 30 33 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
-encode_krb5_auth_pack_draft9: 30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61
encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A
encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
-encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A
encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
index 9557188a8..3675fba38 100644
--- a/src/tests/asn.1/pkinit_trval.out
+++ b/src/tests/asn.1/pkinit_trval.out
@@ -15,14 +15,6 @@ encode_krb5_pa_pk_as_req:
. [2] <8>
6b 72 62 35 64 61 74 61 krb5data
-encode_krb5_pa_pk_as_req_draft9:
-
-[Sequence/Sequence Of]
-. [0] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-. [2] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-
encode_krb5_pa_pk_as_rep(dhInfo):
[CONT 0]
@@ -36,16 +28,6 @@ encode_krb5_pa_pk_as_rep(dhInfo):
encode_krb5_pa_pk_as_rep(encKeyPack):
-[CONT 1] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-
-encode_krb5_pa_pk_as_rep_draft9(dhSignedData):
-
-[CONT 0] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-
-encode_krb5_pa_pk_as_rep_draft9(encKeyPack):
-
[CONT 1] <8>
6b 72 62 35 64 61 74 61 krb5data
@@ -79,27 +61,6 @@ encode_krb5_auth_pack:
. . . [0] [Object Identifier] <8>
6b 72 62 35 64 61 74 61 krb5data
-encode_krb5_auth_pack_draft9:
-
-[Sequence/Sequence Of]
-. [0] [Sequence/Sequence Of]
-. . [0] [Sequence/Sequence Of]
-. . . [0] [Integer] 1
-. . . [1] [Sequence/Sequence Of]
-. . . . [General string] "hftsai"
-. . . . [General string] "extra"
-. . [1] [General string] "ATHENA.MIT.EDU"
-. . [2] [Integer] 123456
-. . [3] [Generalized Time] "19940610060317Z"
-. . [4] [Integer] 42
-. [1] [Sequence/Sequence Of]
-. . [Sequence/Sequence Of]
-. . . [Object Identifier] <9>
- 2a 86 48 86 f7 12 01 02 02 *.H......
-. . . [Octet String] "params"
-. . [Bit String] <9>
- 00 6b 72 62 35 64 61 74 61 .krb5data
-
encode_krb5_kdc_dh_key_info:
[Sequence/Sequence Of]
@@ -118,14 +79,6 @@ encode_krb5_reply_key_pack:
. . [0] [Integer] 1
. . [1] [Octet String] "1234"
-encode_krb5_reply_key_pack_draft9:
-
-[Sequence/Sequence Of]
-. [0] [Sequence/Sequence Of]
-. . [0] [Integer] 1
-. . [1] [Octet String] "12345678"
-. [1] [Integer] 42
-
encode_krb5_sp80056a_other_info:
[Sequence/Sequence Of]

1712
Remove-PKINIT-draft-9-support.patch Normal file
View File

File diff suppressed because it is too large Load Diff

2
Remove-strerror-calls-from-k5_get_error.patch
View File

@ -1,4 +1,4 @@
From f9c5dd7a9bb19dc99de8ee046b0ac1506c494f4e Mon Sep 17 00:00:00 2001
From 80ce19337573b31c372251ea5af4e66f4b75e7ef Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 6 Jun 2019 11:46:58 -0400
Subject: [PATCH] Remove strerror() calls from k5_get_error()

2
krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
View File

@ -1,4 +1,4 @@
From a57e6f65c6368b3fe99baaaeafccd166dad006b4 Mon Sep 17 00:00:00 2001
From fd2088635e27ce571e2d98c40fea34db15243b7a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] krb5-1.17post4 FIPS with PRNG, SPAKE, and RADIUS

9
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 31%{?dist}
Release: 32%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -105,9 +105,11 @@ Patch140: Display-unsupported-enctype-names.patch
Patch142: Add-zapfreedata-convenience-function.patch
Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch
Patch144: Remove-krb5int_c_combine_keys.patch
Patch145: Remove-3des-support.patch
Patch146: krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
Patch147: Remove-strerror-calls-from-k5_get_error.patch
Patch148: Remove-PKINIT-draft-9-support.patch
Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
Patch150: Remove-3des-support.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -717,6 +719,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Jun 26 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-32
- Remove PKINIT draft9 support (compat with EOL, pre-2008 Windows)
* Mon Jun 10 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-31
- Remove strerror() calls from k5_get_error()