Make pkinit fall back to octetstring2key() if there are not matching KDFs
authorSam Hartman <hartmans@mit.edu>
Wed, 5 Oct 2011 21:30:16 +0000 (21:30 +0000)
committerSam Hartman <hartmans@mit.edu>
Wed, 5 Oct 2011 21:30:16 +0000 (21:30 +0000)
From: Margaret Wasserman <mrw@painless-security.com>

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25304 dc483132-0cff-0310-8789-dd5450dbe970

src/plugins/preauth/pkinit/pkinit_srv.c

index de6f03cd20bbb8e0ec19faffb75c62b91f9ea4d5..b7aea625ad7386120a46f01842897e7afe18b379 100644 (file)
@@ -662,6 +662,7 @@ pkinit_pick_kdf_alg(krb5_context context,
     krb5_octet_data *tmp_oid = NULL;
     int i, j = 0;
 
+    /* if we don't find a match, return NULL value */
     *alg_oid = NULL;
 
     /* for each of the OIDs that the server supports... */
@@ -677,14 +678,13 @@ pkinit_pick_kdf_alg(krb5_context context,
                 if (retval)
                     goto cleanup;
                 tmp_oid->length = supp_oid->length;
-                memcpy(tmp_oid->data, supp_oid->data, supp_oid->length);
+                memcpy(tmp_oid->data, supp_oid->data, tmp_oid->length);
                 *alg_oid = tmp_oid;
                 /* don't free the OID in clean-up if we are returning it */
                 tmp_oid = NULL;
                 goto cleanup;
             }
         }
-        retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF;
     }
 cleanup:
     if (tmp_oid)
@@ -1052,10 +1052,8 @@ pkinit_server_return_padata(krb5_context context,
          rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
         (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
 
-        /* If supported KDFs are specified, use the alg agility KDF */
-        if ((reqctx->rcv_auth_pack != NULL &&
-             reqctx->rcv_auth_pack->supportedKDFs != NULL)) {
-
+        /* If mutually supported KDFs were found, use the alg agility KDF */
+        if (rep->u.dh_Info.kdfID) {
             secret.data = server_key;
             secret.length = server_key_len;
 
@@ -1072,7 +1070,7 @@ pkinit_server_return_padata(krb5_context context,
                 goto cleanup;
             }
 
-            /* Otherwise, use the older octetstring2key() function */
+        /* Otherwise, use the older octetstring2key() function */
         } else {
             retval = pkinit_octetstring2key(context, enctype, server_key,
                                             server_key_len, encrypting_key);