Remove PKINIT draft9 support (compat with EOL, pre-2008 Windows)

Robbie Harwood 2019-06-26 18:07:12 -04:00
parent 2843572c2f
commit 7bee5f19e1
6 changed files with 2719 additions and 27 deletions


@ -1,4 +1,4 @@
From c6e61b6ce3f305765dab2acf05a676172c596ddd Mon Sep 17 00:00:00 2001 From cac8b2d0da82fd625da0a351bb80b51a0bb811a2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 26 Mar 2019 18:51:10 -0400 Date: Tue, 26 Mar 2019 18:51:10 -0400
Subject: [PATCH] Remove 3des support Subject: [PATCH] Remove 3des support
@ -7,6 +7,8 @@ Completely remove support for all DES3 enctypes (des3-cbc-raw,
des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation des3-hmac-sha1, des3-cbc-sha1-kd). Update all tests and documentation
to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain to user other enctypes. Mark the 3DES enctypes UNSUPPORTED and retain
their constants. their constants.
(cherry picked from commit 49b086ddbf861ad0e2e84c402f3d65e9ea8a2392)
--- ---
doc/admin/advanced/retiring-des.rst | 11 + doc/admin/advanced/retiring-des.rst | 11 +
doc/admin/conf_files/kdc_conf.rst | 7 +- doc/admin/conf_files/kdc_conf.rst | 7 +-
@ -16,7 +18,7 @@ their constants.
doc/mitK5features.rst | 2 +- doc/mitK5features.rst | 2 +-
src/Makefile.in | 4 +- src/Makefile.in | 4 +-
src/configure.in | 1 - src/configure.in | 1 -
src/include/krb5/krb5.hin | 10 +- src/include/krb5/krb5.hin | 12 +-
src/kadmin/testing/proto/kdc.conf.proto | 4 +- src/kadmin/testing/proto/kdc.conf.proto | 4 +-
src/kdc/kdc_util.c | 4 - src/kdc/kdc_util.c | 4 -
src/lib/crypto/Makefile.in | 8 +- src/lib/crypto/Makefile.in | 8 +-
@ -103,7 +105,7 @@ their constants.
src/tests/t_salt.py | 5 +- src/tests/t_salt.py | 5 +-
src/util/k5test.py | 10 - src/util/k5test.py | 10 -
.../leash/htmlhelp/html/Encryption_Types.htm | 13 - .../leash/htmlhelp/html/Encryption_Types.htm | 13 -
95 files changed, 162 insertions(+), 4836 deletions(-) 95 files changed, 163 insertions(+), 4837 deletions(-)
delete mode 100644 src/lib/crypto/builtin/des/ISSUES delete mode 100644 src/lib/crypto/builtin/des/ISSUES
delete mode 100644 src/lib/crypto/builtin/des/Makefile.in delete mode 100644 src/lib/crypto/builtin/des/Makefile.in
delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c delete mode 100644 src/lib/crypto/builtin/des/d3_aead.c
@ -300,9 +302,15 @@ index 8d781a7c8..a19a0ea97 100644
lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2 lib/crypto/$CRYPTO_IMPL/sha1 lib/crypto/$CRYPTO_IMPL/sha2
lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia lib/crypto/$CRYPTO_IMPL/aes lib/crypto/$CRYPTO_IMPL/camellia
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 5f596d1fc..9a05ce32d 100644 index 5f596d1fc..ca7eb6a80 100644
--- a/src/include/krb5/krb5.hin --- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin
@@ -1,4 +1,4 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+./* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* General definitions for Kerberos version 5. */
/*
* Copyright 1989, 1990, 1995, 2001, 2003, 2007, 2011 by the Massachusetts
@@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov { @@ -426,8 +426,8 @@ typedef struct _krb5_crypto_iov {
#define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */ #define ENCTYPE_DES_CBC_MD4 0x0002 /**< @deprecated no longer supported */
#define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */ #define ENCTYPE_DES_CBC_MD5 0x0003 /**< @deprecated no longer supported */
@ -5771,29 +5779,29 @@ index 28ded4a89..47f4727bd 100644
#define CKK_CAST3 (0x17) #define CKK_CAST3 (0x17)
#define CKK_CAST128 (0x18) #define CKK_CAST128 (0x18)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 58400d555..a5337b6f5 100644 index 1a642139a..2f0431991 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c --- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -237,14 +237,6 @@ pkinit_as_req_create(krb5_context context, @@ -212,14 +212,6 @@ pkinit_as_req_create(krb5_context context,
auth_pack.clientDHNonce.length = 0; auth_pack.clientPublicValue = &info;
auth_pack.clientPublicValue = &info; auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids;
auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids;
- /* add List of CMS algorithms */
- retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx,
- reqctx->cryptoctx,
- reqctx->idctx, &cmstypes);
- auth_pack.supportedCMSTypes = cmstypes;
- if (retval)
- goto cleanup;
- -
- /* add List of CMS algorithms */ switch(protocol) {
- retval = create_krb5_supportedCMSTypes(context, plgctx->cryptoctx, case DH_PROTOCOL:
- reqctx->cryptoctx, TRACE_PKINIT_CLIENT_REQ_DH(context);
- reqctx->idctx, &cmstypes);
- auth_pack.supportedCMSTypes = cmstypes;
- if (retval)
- goto cleanup;
break;
default:
pkiDebug("as_req: unrecognized pa_type = %d\n",
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index 0acb731cd..d42acfa4b 100644 index 8064a07d0..a291889b0 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h --- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -381,18 +381,6 @@ krb5_error_code server_process_dh @@ -380,18 +380,6 @@ krb5_error_code server_process_dh
unsigned int *server_key_len_out); /* OUT unsigned int *server_key_len_out); /* OUT
receives length of DH secret key */ receives length of DH secret key */
@ -5813,10 +5821,10 @@ index 0acb731cd..d42acfa4b 100644
* this functions takes in crypto specific representation of * this functions takes in crypto specific representation of
* trustedCertifiers and creates a list of * trustedCertifiers and creates a list of
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 8aa2c5257..b101d179f 100644 index 8c7fd0cca..52976895b 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5596,44 +5596,6 @@ cleanup: @@ -5487,44 +5487,6 @@ cleanup:
return retval; return retval;
} }
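Review bot: The regenerated "Remove 3des support" patch now carries a new `@@ -1,4 +1,4 @@` hunk for src/include/krb5/krb5.hin that turns the first line into `./* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */`, putting a stray `.` ahead of the opening comment of the public header. This looks like an accidental keystroke picked up during the rebase; the krb5.hin diffstat going from 10 to 12 lines and the totals moving to 163 insertions and 4837 deletions are consistent with that. A bare `.` at file scope would presumably be a syntax error in the generated krb5.h unless the build strips it, and it is in any case unrelated to removing 3DES. Drop that hunk so the header's first line stays `/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */`, then regenerate the diffstat.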


@ -0,0 +1,967 @@
From fc909a6d2881c4b434c946023c5f581cec9e96c9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 18 Jun 2019 11:40:48 -0400
Subject: [PATCH] Remove PKINIT draft 9 ASN.1 code and types
ticket: 8817
(cherry picked from commit c82e21d8836d4cb4c6ac7047752c9f600cb1ce33)
---
src/include/k5-int-pkinit.h | 74 --------------------------
src/include/k5-int.h | 30 +----------
src/lib/krb5/asn.1/asn1_k_encode.c | 81 ----------------------------
src/lib/krb5/os/accessor.c | 7 ---
src/tests/asn.1/krb5_decode_test.c | 41 --------------
src/tests/asn.1/krb5_encode_test.c | 40 --------------
src/tests/asn.1/ktest.c | 85 ------------------------------
src/tests/asn.1/ktest.h | 11 ----
src/tests/asn.1/ktest_equal.c | 51 ------------------
src/tests/asn.1/ktest_equal.h | 3 --
src/tests/asn.1/pkinit_encode.out | 5 --
src/tests/asn.1/pkinit_trval.out | 47 -----------------
12 files changed, 1 insertion(+), 474 deletions(-)
diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h
index 4622a629e..c23cfd304 100644
--- a/src/include/k5-int-pkinit.h
+++ b/src/include/k5-int-pkinit.h
@@ -45,14 +45,6 @@ typedef struct _krb5_pk_authenticator {
krb5_data *freshnessToken;
} krb5_pk_authenticator;
-/* PKAuthenticator draft9 */
-typedef struct _krb5_pk_authenticator_draft9 {
- krb5_principal kdcName;
- krb5_int32 cusec; /* (0..999999) */
- krb5_timestamp ctime;
- krb5_int32 nonce; /* (0..4294967295) */
-} krb5_pk_authenticator_draft9;
-
/* AlgorithmIdentifier */
typedef struct _krb5_algorithm_identifier {
krb5_data algorithm; /* OID */
@@ -74,12 +66,6 @@ typedef struct _krb5_auth_pack {
krb5_data **supportedKDFs; /* OIDs of KDFs; OPTIONAL */
} krb5_auth_pack;
-/* AuthPack draft9 */
-typedef struct _krb5_auth_pack_draft9 {
- krb5_pk_authenticator_draft9 pkAuthenticator;
- krb5_subject_pk_info *clientPublicValue; /* Optional */
-} krb5_auth_pack_draft9;
-
/* ExternalPrincipalIdentifier */
typedef struct _krb5_external_principal_identifier {
krb5_data subjectName; /* Optional */
@@ -87,14 +73,6 @@ typedef struct _krb5_external_principal_identifier {
krb5_data subjectKeyIdentifier; /* Optional */
} krb5_external_principal_identifier;
-/* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
-/* This has four fields, but we only care about the first and third for
- * encoding, and the only about the first for decoding. */
-typedef struct _krb5_pa_pk_as_req_draft9 {
- krb5_data signedAuthPack;
- krb5_data kdcCert; /* Optional */
-} krb5_pa_pk_as_req_draft9;
-
/* PA-PK-AS-REQ (rfc4556 -- PA TYPE 16) */
typedef struct _krb5_pa_pk_as_req {
krb5_data signedAuthPack;
@@ -116,37 +94,12 @@ typedef struct _krb5_kdc_dh_key_info {
krb5_timestamp dhKeyExpiration; /* Optional */
} krb5_kdc_dh_key_info;
-/* KDCDHKeyInfo draft9*/
-typedef struct _krb5_kdc_dh_key_info_draft9 {
- krb5_data subjectPublicKey; /* BIT STRING */
- krb5_int32 nonce; /* (0..4294967295) */
-} krb5_kdc_dh_key_info_draft9;
-
/* ReplyKeyPack */
typedef struct _krb5_reply_key_pack {
krb5_keyblock replyKey;
krb5_checksum asChecksum;
} krb5_reply_key_pack;
-/* ReplyKeyPack */
-typedef struct _krb5_reply_key_pack_draft9 {
- krb5_keyblock replyKey;
- krb5_int32 nonce;
-} krb5_reply_key_pack_draft9;
-
-/* PA-PK-AS-REP (Draft 9 -- PA TYPE 15) */
-typedef struct _krb5_pa_pk_as_rep_draft9 {
- enum krb5_pa_pk_as_rep_draft9_selection {
- choice_pa_pk_as_rep_draft9_UNKNOWN = -1,
- choice_pa_pk_as_rep_draft9_dhSignedData = 0,
- choice_pa_pk_as_rep_draft9_encKeyPack = 1
- } choice;
- union krb5_pa_pk_as_rep_draft9_choices {
- krb5_data dhSignedData;
- krb5_data encKeyPack;
- } u;
-} krb5_pa_pk_as_rep_draft9;
-
/* PA-PK-AS-REP (rfc4556 -- PA TYPE 17) */
typedef struct _krb5_pa_pk_as_rep {
enum krb5_pa_pk_as_rep_selection {
@@ -186,34 +139,18 @@ typedef struct _krb5_pkinit_supp_pub_info {
krb5_error_code
encode_krb5_pa_pk_as_req(const krb5_pa_pk_as_req *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_pa_pk_as_req_draft9(const krb5_pa_pk_as_req_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
encode_krb5_pa_pk_as_rep(const krb5_pa_pk_as_rep *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_pa_pk_as_rep_draft9(const krb5_pa_pk_as_rep_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
encode_krb5_auth_pack(const krb5_auth_pack *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_auth_pack_draft9(const krb5_auth_pack_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
encode_krb5_kdc_dh_key_info(const krb5_kdc_dh_key_info *rep, krb5_data **code);
krb5_error_code
encode_krb5_reply_key_pack(const krb5_reply_key_pack *, krb5_data **code);
-krb5_error_code
-encode_krb5_reply_key_pack_draft9(const krb5_reply_key_pack_draft9 *,
- krb5_data **code);
-
krb5_error_code
encode_krb5_td_trusted_certifiers(krb5_external_principal_identifier *const *,
krb5_data **code);
@@ -237,19 +174,12 @@ encode_krb5_pkinit_supp_pub_info(const krb5_pkinit_supp_pub_info *,
krb5_error_code
decode_krb5_pa_pk_as_req(const krb5_data *, krb5_pa_pk_as_req **);
-krb5_error_code
-decode_krb5_pa_pk_as_req_draft9(const krb5_data *,
- krb5_pa_pk_as_req_draft9 **);
-
krb5_error_code
decode_krb5_pa_pk_as_rep(const krb5_data *, krb5_pa_pk_as_rep **);
krb5_error_code
decode_krb5_auth_pack(const krb5_data *, krb5_auth_pack **);
-krb5_error_code
-decode_krb5_auth_pack_draft9(const krb5_data *, krb5_auth_pack_draft9 **);
-
krb5_error_code
decode_krb5_kdc_dh_key_info(const krb5_data *, krb5_kdc_dh_key_info **);
@@ -259,10 +189,6 @@ decode_krb5_principal_name(const krb5_data *, krb5_principal_data **);
krb5_error_code
decode_krb5_reply_key_pack(const krb5_data *, krb5_reply_key_pack **);
-krb5_error_code
-decode_krb5_reply_key_pack_draft9(const krb5_data *,
- krb5_reply_key_pack_draft9 **);
-
krb5_error_code
decode_krb5_td_trusted_certifiers(const krb5_data *,
krb5_external_principal_identifier ***);
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 0857fd1cc..cb328785d 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1836,7 +1836,7 @@ krb5int_random_string(krb5_context, char *string, unsigned int length);
/* To keep happy libraries which are (for now) accessing internal stuff */
/* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 22
+#define KRB5INT_ACCESS_STRUCT_VERSION 23
typedef struct _krb5int_access {
krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
@@ -1865,10 +1865,6 @@ typedef struct _krb5int_access {
krb5_error_code
(*encode_krb5_auth_pack)(const krb5_auth_pack *rep, krb5_data **code);
- krb5_error_code
- (*encode_krb5_auth_pack_draft9)(const krb5_auth_pack_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_kdc_dh_key_info)(const krb5_kdc_dh_key_info *rep,
krb5_data **code);
@@ -1877,26 +1873,14 @@ typedef struct _krb5int_access {
(*encode_krb5_pa_pk_as_rep)(const krb5_pa_pk_as_rep *rep,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_pa_pk_as_req)(const krb5_pa_pk_as_req *rep,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_pa_pk_as_req_draft9)(const krb5_pa_pk_as_req_draft9 *rep,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_reply_key_pack)(const krb5_reply_key_pack *,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_reply_key_pack_draft9)(const krb5_reply_key_pack_draft9 *,
- krb5_data **code);
-
krb5_error_code
(*encode_krb5_td_dh_parameters)(krb5_algorithm_identifier *const *,
krb5_data **code);
@@ -1908,17 +1892,9 @@ typedef struct _krb5int_access {
krb5_error_code
(*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **);
- krb5_error_code
- (*decode_krb5_auth_pack_draft9)(const krb5_data *,
- krb5_auth_pack_draft9 **);
-
krb5_error_code
(*decode_krb5_pa_pk_as_req)(const krb5_data *, krb5_pa_pk_as_req **);
- krb5_error_code
- (*decode_krb5_pa_pk_as_req_draft9)(const krb5_data *,
- krb5_pa_pk_as_req_draft9 **);
-
krb5_error_code
(*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **);
@@ -1931,10 +1907,6 @@ typedef struct _krb5int_access {
krb5_error_code
(*decode_krb5_reply_key_pack)(const krb5_data *, krb5_reply_key_pack **);
- krb5_error_code
- (*decode_krb5_reply_key_pack_draft9)(const krb5_data *,
- krb5_reply_key_pack_draft9 **);
-
krb5_error_code
(*decode_krb5_td_dh_parameters)(const krb5_data *,
krb5_algorithm_identifier ***);
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 81a34bac9..a026ab390 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1446,19 +1446,6 @@ static const struct atype_info *pk_authenticator_fields[] = {
};
DEFSEQTYPE(pk_authenticator, krb5_pk_authenticator, pk_authenticator_fields);
-DEFFIELD(pkauth9_0, krb5_pk_authenticator_draft9, kdcName, 0, principal);
-DEFFIELD(pkauth9_1, krb5_pk_authenticator_draft9, kdcName, 1,
- realm_of_principal);
-DEFFIELD(pkauth9_2, krb5_pk_authenticator_draft9, cusec, 2, int32);
-DEFFIELD(pkauth9_3, krb5_pk_authenticator_draft9, ctime, 3, kerberos_time);
-DEFFIELD(pkauth9_4, krb5_pk_authenticator_draft9, nonce, 4, int32);
-static const struct atype_info *pk_authenticator_draft9_fields[] = {
- &k5_atype_pkauth9_0, &k5_atype_pkauth9_1, &k5_atype_pkauth9_2,
- &k5_atype_pkauth9_3, &k5_atype_pkauth9_4
-};
-DEFSEQTYPE(pk_authenticator_draft9, krb5_pk_authenticator_draft9,
- pk_authenticator_draft9_fields);
-
DEFCOUNTEDSTRINGTYPE(s_bitstring, char *, unsigned int,
k5_asn1_encode_bitstring, k5_asn1_decode_bitstring,
ASN1_BITSTRING);
@@ -1488,15 +1475,6 @@ static const struct atype_info *auth_pack_fields[] = {
};
DEFSEQTYPE(auth_pack, krb5_auth_pack, auth_pack_fields);
-DEFFIELD(auth_pack9_0, krb5_auth_pack_draft9, pkAuthenticator, 0,
- pk_authenticator_draft9);
-DEFFIELD(auth_pack9_1, krb5_auth_pack_draft9, clientPublicValue, 1,
- opt_subject_pk_info_ptr);
-static const struct atype_info *auth_pack_draft9_fields[] = {
- &k5_atype_auth_pack9_0, &k5_atype_auth_pack9_1
-};
-DEFSEQTYPE(auth_pack_draft9, krb5_auth_pack_draft9, auth_pack_draft9_fields);
-
DEFFIELD_IMPLICIT(extprinc_0, krb5_external_principal_identifier,
subjectName, 0, opt_ostring_data);
DEFFIELD_IMPLICIT(extprinc_1, krb5_external_principal_identifier,
@@ -1529,29 +1507,6 @@ static const struct atype_info *pa_pk_as_req_fields[] = {
};
DEFSEQTYPE(pa_pk_as_req, krb5_pa_pk_as_req, pa_pk_as_req_fields);
-/*
- * In draft-ietf-cat-kerberos-pk-init-09, this sequence has four fields, but we
- * only ever use the first and third. The fields are specified as explicitly
- * tagged, but our historical behavior is to pretend that they are wrapped in
- * IMPLICIT OCTET STRING (i.e., generate primitive context tags), and we don't
- * want to change that without interop testing.
- */
-DEFFIELD_IMPLICIT(pa_pk_as_req9_0, krb5_pa_pk_as_req_draft9, signedAuthPack, 0,
- ostring_data);
-DEFFIELD_IMPLICIT(pa_pk_as_req9_2, krb5_pa_pk_as_req_draft9, kdcCert, 2,
- opt_ostring_data);
-static const struct atype_info *pa_pk_as_req_draft9_fields[] = {
- &k5_atype_pa_pk_as_req9_0, &k5_atype_pa_pk_as_req9_2
-};
-DEFSEQTYPE(pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9,
- pa_pk_as_req_draft9_fields);
-/* For decoding, we only care about the first field; we can ignore the rest. */
-static const struct atype_info *pa_pk_as_req_draft9_decode_fields[] = {
- &k5_atype_pa_pk_as_req9_0
-};
-DEFSEQTYPE(pa_pk_as_req_draft9_decode, krb5_pa_pk_as_req_draft9,
- pa_pk_as_req_draft9_decode_fields);
-
DEFFIELD_IMPLICIT(dh_rep_info_0, krb5_dh_rep_info, dhSignedData, 0,
ostring_data);
DEFFIELD(dh_rep_info_1, krb5_dh_rep_info, serverDHNonce, 1, opt_ostring_data);
@@ -1577,14 +1532,6 @@ static const struct atype_info *reply_key_pack_fields[] = {
};
DEFSEQTYPE(reply_key_pack, krb5_reply_key_pack, reply_key_pack_fields);
-DEFFIELD(key_pack9_0, krb5_reply_key_pack_draft9, replyKey, 0, encryption_key);
-DEFFIELD(key_pack9_1, krb5_reply_key_pack_draft9, nonce, 1, int32);
-static const struct atype_info *reply_key_pack_draft9_fields[] = {
- &k5_atype_key_pack9_0, &k5_atype_key_pack9_1
-};
-DEFSEQTYPE(reply_key_pack_draft9, krb5_reply_key_pack_draft9,
- reply_key_pack_draft9_fields);
-
DEFCTAGGEDTYPE(pa_pk_as_rep_0, 0, dh_rep_info);
DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep_1, 1, ostring_data);
static const struct atype_info *pa_pk_as_rep_alternatives[] = {
@@ -1595,44 +1542,16 @@ DEFCHOICETYPE(pa_pk_as_rep_choice, union krb5_pa_pk_as_rep_choices,
DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep, krb5_pa_pk_as_rep, u, choice,
pa_pk_as_rep_choice);
-/*
- * draft-ietf-cat-kerberos-pk-init-09 specifies these alternatives as
- * explicitly tagged SignedData and EnvelopedData respectively, which means
- * they should have constructed context tags. However, our historical behavior
- * is to use primitive context tags, and we don't want to change that behavior
- * without interop testing. We have the encodings for each alternative in a
- * krb5_data object; pretend that they are wrapped in IMPLICIT OCTET STRING in
- * order to wrap them in primitive [0] and [1] tags.
- */
-DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_0, 0, ostring_data);
-DEFCTAGGEDTYPE_IMPLICIT(pa_pk_as_rep9_1, 1, ostring_data);
-static const struct atype_info *pa_pk_as_rep_draft9_alternatives[] = {
- &k5_atype_pa_pk_as_rep9_0, &k5_atype_pa_pk_as_rep9_1
-};
-DEFCHOICETYPE(pa_pk_as_rep_draft9_choice,
- union krb5_pa_pk_as_rep_draft9_choices,
- enum krb5_pa_pk_as_rep_draft9_selection,
- pa_pk_as_rep_draft9_alternatives);
-DEFCOUNTEDTYPE_SIGNED(pa_pk_as_rep_draft9, krb5_pa_pk_as_rep_draft9, u, choice,
- pa_pk_as_rep_draft9_choice);
-
MAKE_ENCODER(encode_krb5_pa_pk_as_req, pa_pk_as_req);
MAKE_DECODER(decode_krb5_pa_pk_as_req, pa_pk_as_req);
-MAKE_ENCODER(encode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9);
-MAKE_DECODER(decode_krb5_pa_pk_as_req_draft9, pa_pk_as_req_draft9_decode);
MAKE_ENCODER(encode_krb5_pa_pk_as_rep, pa_pk_as_rep);
MAKE_DECODER(decode_krb5_pa_pk_as_rep, pa_pk_as_rep);
-MAKE_ENCODER(encode_krb5_pa_pk_as_rep_draft9, pa_pk_as_rep_draft9);
MAKE_ENCODER(encode_krb5_auth_pack, auth_pack);
MAKE_DECODER(decode_krb5_auth_pack, auth_pack);
-MAKE_ENCODER(encode_krb5_auth_pack_draft9, auth_pack_draft9);
-MAKE_DECODER(decode_krb5_auth_pack_draft9, auth_pack_draft9);
MAKE_ENCODER(encode_krb5_kdc_dh_key_info, kdc_dh_key_info);
MAKE_DECODER(decode_krb5_kdc_dh_key_info, kdc_dh_key_info);
MAKE_ENCODER(encode_krb5_reply_key_pack, reply_key_pack);
MAKE_DECODER(decode_krb5_reply_key_pack, reply_key_pack);
-MAKE_ENCODER(encode_krb5_reply_key_pack_draft9, reply_key_pack_draft9);
-MAKE_DECODER(decode_krb5_reply_key_pack_draft9, reply_key_pack_draft9);
MAKE_ENCODER(encode_krb5_td_trusted_certifiers,
seqof_external_principal_identifier);
MAKE_DECODER(decode_krb5_td_trusted_certifiers,
diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c
index d77f8c6b7..12a39a2ab 100644
--- a/src/lib/krb5/os/accessor.c
+++ b/src/lib/krb5/os/accessor.c
@@ -80,25 +80,18 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
#define SC(FIELD, VAL) S(FIELD, 0)
#endif
SC (encode_krb5_pa_pk_as_req, encode_krb5_pa_pk_as_req),
- SC (encode_krb5_pa_pk_as_req_draft9, encode_krb5_pa_pk_as_req_draft9),
SC (encode_krb5_pa_pk_as_rep, encode_krb5_pa_pk_as_rep),
- SC (encode_krb5_pa_pk_as_rep_draft9, encode_krb5_pa_pk_as_rep_draft9),
SC (encode_krb5_auth_pack, encode_krb5_auth_pack),
- SC (encode_krb5_auth_pack_draft9, encode_krb5_auth_pack_draft9),
SC (encode_krb5_kdc_dh_key_info, encode_krb5_kdc_dh_key_info),
SC (encode_krb5_reply_key_pack, encode_krb5_reply_key_pack),
- SC (encode_krb5_reply_key_pack_draft9, encode_krb5_reply_key_pack_draft9),
SC (encode_krb5_td_trusted_certifiers, encode_krb5_td_trusted_certifiers),
SC (encode_krb5_td_dh_parameters, encode_krb5_td_dh_parameters),
SC (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req),
- SC (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9),
SC (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep),
SC (decode_krb5_auth_pack, decode_krb5_auth_pack),
- SC (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9),
SC (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info),
SC (decode_krb5_principal_name, decode_krb5_principal_name),
SC (decode_krb5_reply_key_pack, decode_krb5_reply_key_pack),
- SC (decode_krb5_reply_key_pack_draft9, decode_krb5_reply_key_pack_draft9),
SC (decode_krb5_td_trusted_certifiers, decode_krb5_td_trusted_certifiers),
SC (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters),
SC (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body),
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index cbd99ba63..7a116b40d 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -42,8 +42,6 @@ void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val);
#ifndef DISABLE_PKINIT
static int equal_principal(krb5_principal *ref, krb5_principal var);
static void ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val);
-static void ktest_free_auth_pack_draft9(krb5_context context,
- krb5_auth_pack_draft9 *val);
static void ktest_free_kdc_dh_key_info(krb5_context context,
krb5_kdc_dh_key_info *val);
static void ktest_free_pa_pk_as_req(krb5_context context,
@@ -52,8 +50,6 @@ static void ktest_free_pa_pk_as_rep(krb5_context context,
krb5_pa_pk_as_rep *val);
static void ktest_free_reply_key_pack(krb5_context context,
krb5_reply_key_pack *val);
-static void ktest_free_reply_key_pack_draft9(krb5_context context,
- krb5_reply_key_pack_draft9 *val);
#endif
static void ktest_free_kkdcp_message(krb5_context context,
krb5_kkdcp_message *val);
@@ -1183,16 +1179,6 @@ int main(argc, argv)
ktest_empty_auth_pack(&ref);
}
- /****************************************************************/
- /* decode_krb5_auth_pack_draft9 */
- {
- setup(krb5_auth_pack_draft9,ktest_make_sample_auth_pack_draft9);
- decode_run("krb5_auth_pack_draft9","","30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61",
- acc.decode_krb5_auth_pack_draft9,
- ktest_equal_auth_pack_draft9,ktest_free_auth_pack_draft9);
- ktest_empty_auth_pack_draft9(&ref);
- }
-
/****************************************************************/
/* decode_krb5_kdc_dh_key_info */
{
@@ -1213,16 +1199,6 @@ int main(argc, argv)
ktest_empty_reply_key_pack(&ref);
}
- /****************************************************************/
- /* decode_krb5_reply_key_pack_draft9 */
- {
- setup(krb5_reply_key_pack_draft9,ktest_make_sample_reply_key_pack_draft9);
- decode_run("krb5_reply_key_pack_draft9","","30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A",
- acc.decode_krb5_reply_key_pack_draft9,
- ktest_equal_reply_key_pack_draft9,ktest_free_reply_key_pack_draft9);
- ktest_empty_reply_key_pack_draft9(&ref);
- }
-
/****************************************************************/
/* decode_krb5_principal_name */
/* We have no encoder for this type (KerberosName from RFC 4556); the
@@ -1279,14 +1255,6 @@ ktest_free_auth_pack(krb5_context context, krb5_auth_pack *val)
free(val);
}
-static void
-ktest_free_auth_pack_draft9(krb5_context context, krb5_auth_pack_draft9 *val)
-{
- if (val)
- ktest_empty_auth_pack_draft9(val);
- free(val);
-}
-
static void
ktest_free_kdc_dh_key_info(krb5_context context, krb5_kdc_dh_key_info *val)
{
@@ -1319,15 +1287,6 @@ ktest_free_reply_key_pack(krb5_context context, krb5_reply_key_pack *val)
free(val);
}
-static void
-ktest_free_reply_key_pack_draft9(krb5_context context,
- krb5_reply_key_pack_draft9 *val)
-{
- if (val)
- ktest_empty_reply_key_pack_draft9(val);
- free(val);
-}
-
#endif /* not DISABLE_PKINIT */
static void
diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c
index 3efbfb4c0..72c013468 100644
--- a/src/tests/asn.1/krb5_encode_test.c
+++ b/src/tests/asn.1/krb5_encode_test.c
@@ -798,15 +798,6 @@ main(argc, argv)
ktest_empty_pa_pk_as_req(&req);
}
/****************************************************************/
- /* encode_krb5_pa_pk_as_req_draft9 */
- {
- krb5_pa_pk_as_req_draft9 req;
- ktest_make_sample_pa_pk_as_req_draft9(&req);
- encode_run(req, "pa_pk_as_req_draft9", "",
- acc.encode_krb5_pa_pk_as_req_draft9);
- ktest_empty_pa_pk_as_req_draft9(&req);
- }
- /****************************************************************/
/* encode_krb5_pa_pk_as_rep */
{
krb5_pa_pk_as_rep rep;
@@ -820,19 +811,6 @@ main(argc, argv)
ktest_empty_pa_pk_as_rep(&rep);
}
/****************************************************************/
- /* encode_krb5_pa_pk_as_rep_draft9 */
- {
- krb5_pa_pk_as_rep_draft9 rep;
- ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(&rep);
- encode_run(rep, "pa_pk_as_rep_draft9", "(dhSignedData)",
- acc.encode_krb5_pa_pk_as_rep_draft9);
- ktest_empty_pa_pk_as_rep_draft9(&rep);
- ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(&rep);
- encode_run(rep, "pa_pk_as_rep_draft9", "(encKeyPack)",
- acc.encode_krb5_pa_pk_as_rep_draft9);
- ktest_empty_pa_pk_as_rep_draft9(&rep);
- }
- /****************************************************************/
/* encode_krb5_auth_pack */
{
krb5_auth_pack pack;
@@ -841,15 +819,6 @@ main(argc, argv)
ktest_empty_auth_pack(&pack);
}
/****************************************************************/
- /* encode_krb5_auth_pack_draft9_draft9 */
- {
- krb5_auth_pack_draft9 pack;
- ktest_make_sample_auth_pack_draft9(&pack);
- encode_run(pack, "auth_pack_draft9", "",
- acc.encode_krb5_auth_pack_draft9);
- ktest_empty_auth_pack_draft9(&pack);
- }
- /****************************************************************/
/* encode_krb5_kdc_dh_key_info */
{
krb5_kdc_dh_key_info ki;
@@ -866,15 +835,6 @@ main(argc, argv)
ktest_empty_reply_key_pack(&pack);
}
/****************************************************************/
- /* encode_krb5_reply_key_pack_draft9 */
- {
- krb5_reply_key_pack_draft9 pack;
- ktest_make_sample_reply_key_pack_draft9(&pack);
- encode_run(pack, "reply_key_pack_draft9", "",
- acc.encode_krb5_reply_key_pack_draft9);
- ktest_empty_reply_key_pack_draft9(&pack);
- }
- /****************************************************************/
/* encode_krb5_sp80056a_other_info */
{
krb5_sp80056a_other_info info;
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 258377299..7bb698732 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -729,15 +729,6 @@ ktest_make_sample_pk_authenticator(krb5_pk_authenticator *p)
ktest_make_sample_data(p->freshnessToken);
}
-static void
-ktest_make_sample_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p)
-{
- ktest_make_sample_principal(&p->kdcName);
- p->cusec = SAMPLE_USEC;
- p->ctime = SAMPLE_TIME;
- p->nonce = SAMPLE_NONCE;
-}
-
static void
ktest_make_sample_oid(krb5_data *p)
{
@@ -788,13 +779,6 @@ ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p)
ktest_make_sample_data(&p->kdcPkId);
}
-void
-ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p)
-{
- ktest_make_sample_data(&p->signedAuthPack);
- ktest_make_sample_data(&p->kdcCert);
-}
-
static void
ktest_make_sample_dh_rep_info(krb5_dh_rep_info *p)
{
@@ -818,20 +802,6 @@ ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p)
ktest_make_sample_data(&p->u.encKeyPack);
}
-void
-ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(krb5_pa_pk_as_rep_draft9 *p)
-{
- p->choice = choice_pa_pk_as_rep_draft9_dhSignedData;
- ktest_make_sample_data(&p->u.dhSignedData);
-}
-
-void
-ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(krb5_pa_pk_as_rep_draft9 *p)
-{
- p->choice = choice_pa_pk_as_rep_draft9_encKeyPack;
- ktest_make_sample_data(&p->u.encKeyPack);
-}
-
void
ktest_make_sample_auth_pack(krb5_auth_pack *p)
{
@@ -851,14 +821,6 @@ ktest_make_sample_auth_pack(krb5_auth_pack *p)
p->supportedKDFs[1] = NULL;
}
-void
-ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p)
-{
- ktest_make_sample_pk_authenticator_draft9(&p->pkAuthenticator);
- p->clientPublicValue = ealloc(sizeof(krb5_subject_pk_info));
- ktest_make_sample_subject_pk_info(p->clientPublicValue);
-}
-
void
ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p)
{
@@ -874,13 +836,6 @@ ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p)
ktest_make_sample_checksum(&p->asChecksum);
}
-void
-ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p)
-{
- ktest_make_sample_keyblock(&p->replyKey);
- p->nonce = SAMPLE_NONCE;
-}
-
void
ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p)
{
@@ -1717,12 +1672,6 @@ ktest_empty_pk_authenticator(krb5_pk_authenticator *p)
p->freshnessToken = NULL;
}
-static void
-ktest_empty_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *p)
-{
- ktest_destroy_principal(&p->kdcName);
-}
-
static void
ktest_empty_subject_pk_info(krb5_subject_pk_info *p)
{
@@ -1754,13 +1703,6 @@ ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p)
ktest_empty_data(&p->kdcPkId);
}
-void
-ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p)
-{
- ktest_empty_data(&p->signedAuthPack);
- ktest_empty_data(&p->kdcCert);
-}
-
static void
ktest_empty_dh_rep_info(krb5_dh_rep_info *p)
{
@@ -1779,16 +1721,6 @@ ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p)
p->choice = choice_pa_pk_as_rep_UNKNOWN;
}
-void
-ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p)
-{
- if (p->choice == choice_pa_pk_as_rep_draft9_dhSignedData)
- ktest_empty_data(&p->u.dhSignedData);
- else if (p->choice == choice_pa_pk_as_rep_draft9_encKeyPack)
- ktest_empty_data(&p->u.encKeyPack);
- p->choice = choice_pa_pk_as_rep_draft9_UNKNOWN;
-}
-
void
ktest_empty_auth_pack(krb5_auth_pack *p)
{
@@ -1820,17 +1752,6 @@ ktest_empty_auth_pack(krb5_auth_pack *p)
}
}
-void
-ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p)
-{
- ktest_empty_pk_authenticator_draft9(&p->pkAuthenticator);
- if (p->clientPublicValue != NULL) {
- ktest_empty_subject_pk_info(p->clientPublicValue);
- free(p->clientPublicValue);
- p->clientPublicValue = NULL;
- }
-}
-
void
ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p)
{
@@ -1844,12 +1765,6 @@ ktest_empty_reply_key_pack(krb5_reply_key_pack *p)
ktest_empty_checksum(&p->asChecksum);
}
-void
-ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p)
-{
- ktest_empty_keyblock(&p->replyKey);
-}
-
void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p)
{
ktest_empty_algorithm_identifier(&p->algorithm_identifier);
diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h
index 1413cfae1..d9cc90a5c 100644
--- a/src/tests/asn.1/ktest.h
+++ b/src/tests/asn.1/ktest.h
@@ -101,18 +101,11 @@ void ktest_make_maximal_pa_otp_req(krb5_pa_otp_req *p);
#ifndef DISABLE_PKINIT
void ktest_make_sample_pa_pk_as_req(krb5_pa_pk_as_req *p);
-void ktest_make_sample_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p);
void ktest_make_sample_pa_pk_as_rep_dhInfo(krb5_pa_pk_as_rep *p);
void ktest_make_sample_pa_pk_as_rep_encKeyPack(krb5_pa_pk_as_rep *p);
-void ktest_make_sample_pa_pk_as_rep_draft9_dhSignedData(
- krb5_pa_pk_as_rep_draft9 *p);
-void ktest_make_sample_pa_pk_as_rep_draft9_encKeyPack(
- krb5_pa_pk_as_rep_draft9 *p);
void ktest_make_sample_auth_pack(krb5_auth_pack *p);
-void ktest_make_sample_auth_pack_draft9(krb5_auth_pack_draft9 *p);
void ktest_make_sample_kdc_dh_key_info(krb5_kdc_dh_key_info *p);
void ktest_make_sample_reply_key_pack(krb5_reply_key_pack *p);
-void ktest_make_sample_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p);
void ktest_make_sample_sp80056a_other_info(krb5_sp80056a_other_info *p);
void ktest_make_sample_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
#endif
@@ -197,14 +190,10 @@ void ktest_empty_pa_otp_req(krb5_pa_otp_req *p);
#ifndef DISABLE_PKINIT
void ktest_empty_pa_pk_as_req(krb5_pa_pk_as_req *p);
-void ktest_empty_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *p);
void ktest_empty_pa_pk_as_rep(krb5_pa_pk_as_rep *p);
-void ktest_empty_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 *p);
void ktest_empty_auth_pack(krb5_auth_pack *p);
-void ktest_empty_auth_pack_draft9(krb5_auth_pack_draft9 *p);
void ktest_empty_kdc_dh_key_info(krb5_kdc_dh_key_info *p);
void ktest_empty_reply_key_pack(krb5_reply_key_pack *p);
-void ktest_empty_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *p);
void ktest_empty_sp80056a_other_info(krb5_sp80056a_other_info *p);
void ktest_empty_pkinit_supp_pub_info(krb5_pkinit_supp_pub_info *p);
#endif
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index 714cc4398..8a3911cdc 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
@@ -876,20 +876,6 @@ ktest_equal_pk_authenticator(krb5_pk_authenticator *ref,
return p;
}
-static int
-ktest_equal_pk_authenticator_draft9(krb5_pk_authenticator_draft9 *ref,
- krb5_pk_authenticator_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && ptr_equal(kdcName, ktest_equal_principal_data);
- p = p && scalar_equal(cusec);
- p = p && scalar_equal(ctime);
- p = p && scalar_equal(nonce);
- return p;
-}
-
static int
ktest_equal_subject_pk_info(krb5_subject_pk_info *ref,
krb5_subject_pk_info *var)
@@ -937,18 +923,6 @@ ktest_equal_pa_pk_as_req(krb5_pa_pk_as_req *ref, krb5_pa_pk_as_req *var)
return p;
}
-int
-ktest_equal_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 *ref,
- krb5_pa_pk_as_req_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && equal_str(signedAuthPack);
- p = p && equal_str(kdcCert);
- return p;
-}
-
static int
ktest_equal_dh_rep_info(krb5_dh_rep_info *ref, krb5_dh_rep_info *var)
{
@@ -996,19 +970,6 @@ ktest_equal_auth_pack(krb5_auth_pack *ref, krb5_auth_pack *var)
return p;
}
-int
-ktest_equal_auth_pack_draft9(krb5_auth_pack_draft9 *ref,
- krb5_auth_pack_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && struct_equal(pkAuthenticator,
- ktest_equal_pk_authenticator_draft9);
- p = p && ptr_equal(clientPublicValue, ktest_equal_subject_pk_info);
- return p;
-}
-
int
ktest_equal_kdc_dh_key_info(krb5_kdc_dh_key_info *ref,
krb5_kdc_dh_key_info *var)
@@ -1033,18 +994,6 @@ ktest_equal_reply_key_pack(krb5_reply_key_pack *ref, krb5_reply_key_pack *var)
return p;
}
-int
-ktest_equal_reply_key_pack_draft9(krb5_reply_key_pack_draft9 *ref,
- krb5_reply_key_pack_draft9 *var)
-{
- int p = TRUE;
- if (ref == var) return TRUE;
- else if (ref == NULL || var == NULL) return FALSE;
- p = p && struct_equal(replyKey, ktest_equal_keyblock);
- p = p && scalar_equal(nonce);
- return p;
-}
-
#endif /* not DISABLE_PKINIT */
int
diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h
index cfa82ac6e..80a0d781a 100644
--- a/src/tests/asn.1/ktest_equal.h
+++ b/src/tests/asn.1/ktest_equal.h
@@ -139,13 +139,10 @@ int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
#ifndef DISABLE_PKINIT
generic(ktest_equal_pa_pk_as_req, krb5_pa_pk_as_req);
-generic(ktest_equal_pa_pk_as_req_draft9, krb5_pa_pk_as_req_draft9);
generic(ktest_equal_pa_pk_as_rep, krb5_pa_pk_as_rep);
generic(ktest_equal_auth_pack, krb5_auth_pack);
-generic(ktest_equal_auth_pack_draft9, krb5_auth_pack_draft9);
generic(ktest_equal_kdc_dh_key_info, krb5_kdc_dh_key_info);
generic(ktest_equal_reply_key_pack, krb5_reply_key_pack);
-generic(ktest_equal_reply_key_pack_draft9, krb5_reply_key_pack_draft9);
#endif /* not DISABLE_PKINIT */
int ktest_equal_kkdcp_message(krb5_kkdcp_message *ref,
diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
index 55a60bbef..9bd08e159 100644
--- a/src/tests/asn.1/pkinit_encode.out
+++ b/src/tests/asn.1/pkinit_encode.out
@@ -1,13 +1,8 @@
encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_req_draft9: 30 14 80 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
encode_krb5_auth_pack: 30 81 9F A0 35 30 33 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
-encode_krb5_auth_pack_draft9: 30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61
encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A
encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
-encode_krb5_reply_key_pack_draft9: 30 1A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 03 02 01 2A
encode_krb5_sp80056a_other_info: 30 81 81 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A0 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 32 04 30 30 2E A0 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
encode_krb5_pkinit_supp_pub_info: 30 1D A0 03 02 01 14 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0A 04 08 6B 72 62 35 64 61 74 61
diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
index 9557188a8..3675fba38 100644
--- a/src/tests/asn.1/pkinit_trval.out
+++ b/src/tests/asn.1/pkinit_trval.out
@@ -15,14 +15,6 @@ encode_krb5_pa_pk_as_req:
. [2] <8>
6b 72 62 35 64 61 74 61 krb5data
-encode_krb5_pa_pk_as_req_draft9:
-
-[Sequence/Sequence Of]
-. [0] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-. [2] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-
encode_krb5_pa_pk_as_rep(dhInfo):
[CONT 0]
@@ -36,16 +28,6 @@ encode_krb5_pa_pk_as_rep(dhInfo):
encode_krb5_pa_pk_as_rep(encKeyPack):
-[CONT 1] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-
-encode_krb5_pa_pk_as_rep_draft9(dhSignedData):
-
-[CONT 0] <8>
- 6b 72 62 35 64 61 74 61 krb5data
-
-encode_krb5_pa_pk_as_rep_draft9(encKeyPack):
-
[CONT 1] <8>
6b 72 62 35 64 61 74 61 krb5data
@@ -79,27 +61,6 @@ encode_krb5_auth_pack:
. . . [0] [Object Identifier] <8>
6b 72 62 35 64 61 74 61 krb5data
-encode_krb5_auth_pack_draft9:
-
-[Sequence/Sequence Of]
-. [0] [Sequence/Sequence Of]
-. . [0] [Sequence/Sequence Of]
-. . . [0] [Integer] 1
-. . . [1] [Sequence/Sequence Of]
-. . . . [General string] "hftsai"
-. . . . [General string] "extra"
-. . [1] [General string] "ATHENA.MIT.EDU"
-. . [2] [Integer] 123456
-. . [3] [Generalized Time] "19940610060317Z"
-. . [4] [Integer] 42
-. [1] [Sequence/Sequence Of]
-. . [Sequence/Sequence Of]
-. . . [Object Identifier] <9>
- 2a 86 48 86 f7 12 01 02 02 *.H......
-. . . [Octet String] "params"
-. . [Bit String] <9>
- 00 6b 72 62 35 64 61 74 61 .krb5data
-
encode_krb5_kdc_dh_key_info:
[Sequence/Sequence Of]
@@ -118,14 +79,6 @@ encode_krb5_reply_key_pack:
. . [0] [Integer] 1
. . [1] [Octet String] "1234"
-encode_krb5_reply_key_pack_draft9:
-
-[Sequence/Sequence Of]
-. [0] [Sequence/Sequence Of]
-. . [0] [Integer] 1
-. . [1] [Octet String] "12345678"
-. [1] [Integer] 42
-
encode_krb5_sp80056a_other_info:
[Sequence/Sequence Of]



@ -1,4 +1,4 @@
From f9c5dd7a9bb19dc99de8ee046b0ac1506c494f4e Mon Sep 17 00:00:00 2001 From 80ce19337573b31c372251ea5af4e66f4b75e7ef Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu> From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 6 Jun 2019 11:46:58 -0400 Date: Thu, 6 Jun 2019 11:46:58 -0400
Subject: [PATCH] Remove strerror() calls from k5_get_error() Subject: [PATCH] Remove strerror() calls from k5_get_error()


@ -1,4 +1,4 @@
From a57e6f65c6368b3fe99baaaeafccd166dad006b4 Mon Sep 17 00:00:00 2001 From fd2088635e27ce571e2d98c40fea34db15243b7a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com> From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 9 Nov 2018 15:12:21 -0500 Date: Fri, 9 Nov 2018 15:12:21 -0500
Subject: [PATCH] krb5-1.17post4 FIPS with PRNG, SPAKE, and RADIUS Subject: [PATCH] krb5-1.17post4 FIPS with PRNG, SPAKE, and RADIUS


@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.17 Version: 1.17
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 31%{?dist} Release: 32%{?dist}
# lookaside-cached sources; two downloads and a build artifact # lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@ -105,9 +105,11 @@ Patch140: Display-unsupported-enctype-names.patch
Patch142: Add-zapfreedata-convenience-function.patch Patch142: Add-zapfreedata-convenience-function.patch
Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch Patch143: Remove-support-for-no-flags-SAM-2-preauth.patch
Patch144: Remove-krb5int_c_combine_keys.patch Patch144: Remove-krb5int_c_combine_keys.patch
Patch145: Remove-3des-support.patch
Patch146: krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch Patch146: krb5-1.17post4-FIPS-with-PRNG-SPAKE-and-RADIUS.patch
Patch147: Remove-strerror-calls-from-k5_get_error.patch Patch147: Remove-strerror-calls-from-k5_get_error.patch
Patch148: Remove-PKINIT-draft-9-support.patch
Patch149: Remove-PKINIT-draft-9-ASN.1-code-and-types.patch
Patch150: Remove-3des-support.patch
License: MIT License: MIT
URL: https://web.mit.edu/kerberos/www/ URL: https://web.mit.edu/kerberos/www/
@ -717,6 +719,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Wed Jun 26 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-32
- Remove PKINIT draft9 support (compat with EOL, pre-2008 Windows)
* Mon Jun 10 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-31 * Mon Jun 10 2019 Robbie Harwood <rharwood@redhat.com> - 1.17-31
- Remove strerror() calls from k5_get_error() - Remove strerror() calls from k5_get_error()