From: Sam Hartman Date: Wed, 5 Oct 2011 21:30:16 +0000 (+0000) Subject: Make pkinit fall back to octetstring2key() if there are not matching KDFs X-Git-Tag: krb5-1.10-alpha1~71 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=e49364789067760d4d1a1967e74bc727a17d6ed0;p=krb5.git Make pkinit fall back to octetstring2key() if there are not matching KDFs From: Margaret Wasserman git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25304 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index de6f03cd2..b7aea625a 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -662,6 +662,7 @@ pkinit_pick_kdf_alg(krb5_context context,
 krb5_octet_data *tmp_oid = NULL;
 int i, j = 0;
+ /* if we don't find a match, return NULL value */
 *alg_oid = NULL;
 /* for each of the OIDs that the server supports... */
@@ -677,14 +678,13 @@ pkinit_pick_kdf_alg(krb5_context context,
 if (retval)
 goto cleanup;
 tmp_oid->length = supp_oid->length;
- memcpy(tmp_oid->data, supp_oid->data, supp_oid->length);
+ memcpy(tmp_oid->data, supp_oid->data, tmp_oid->length);
 *alg_oid = tmp_oid;
 /* don't free the OID in clean-up if we are returning it */
 tmp_oid = NULL;
 goto cleanup;
 }
 }
- retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF;
 }
 cleanup:
 if (tmp_oid)
@@ -1052,10 +1052,8 @@ pkinit_server_return_padata(krb5_context context,
 rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
 (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
- /* If supported KDFs are specified, use the alg agility KDF */
- if ((reqctx->rcv_auth_pack != NULL && reqctx->rcv_auth_pack->supportedKDFs != NULL)) {
-
+ /* If mutually supported KDFs were found, use the alg agility KDF */
+ if (rep->u.dh_Info.kdfID) {
 secret.data = server_key;
 secret.length = server_key_len;
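Review bot: With `retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF;` removed from the end of the search loop, pkinit_pick_kdf_alg now returns success with `*alg_oid == NULL` when the client's supportedKDFs list has no overlap with the server's, so every caller must treat a NULL out-parameter as "fall back", not as an OID to use; the function's header comment (outside this hunk) should state that contract rather than leaving it to the one-line comment added in the first hunk. The fallback is also silent: a client that advertises only unrecognised KDFs is downgraded to the legacy octetstring2key() derivation with nothing in the KDC log, so I would add a trace at the point where the loop falls through, e.g. `pkiDebug("pkinit_pick_kdf_alg: no mutually supported KDF, falling back to octetstring2key()\n");`, so such downgrades can be seen and, if they become unexpected, investigated. pkinit_pick_kdf_alg begins before this hunk.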
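Review bot: The new `if (rep->u.dh_Info.kdfID)` dereferences `rep` unconditionally, but the enclosing condition two lines above is satisfied by the draft9 alternative `rep9 != NULL && rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData`, which does not require `rep` to be non-NULL; the check it replaces, on `reqctx->rcv_auth_pack`, had no dependency on `rep`. Unless `rep` is guaranteed non-NULL whenever `rep9` is (not visible in this hunk), this is a NULL dereference on the draft9 path, and because the message form is chosen by the client it would be a remotely triggerable KDC crash rather than a fallback. The guard is one line: `if (rep != NULL && rep->u.dh_Info.kdfID) {`, which keeps the draft9 case on the octetstring2key() branch below. The enclosing function pkinit_server_return_padata starts before and continues past this hunk.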
@@ -1072,7 +1070,7 @@ pkinit_server_return_padata(krb5_context context,
 goto cleanup;
 }
- /* Otherwise, use the older octetstring2key() function */
+ /* Otherwise, use the older octetstring2key() function */
 } else {
 retval = pkinit_octetstring2key(context, enctype, server_key,
 server_key_len, encrypting_key);