| author | Sam Hartman <hartmans@mit.edu> | 2011-10-05 21:30:16 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2011-10-05 21:30:16 +0000 |
| commit | e49364789067760d4d1a1967e74bc727a17d6ed0 (patch) | |
| tree | ee69a113be1162a43dcabd8566e3409c7fde4d19 /src/plugins/preauth | |
| parent | 22eae763a45f9047a3bd52f60a7cf0942d3285da (diff) | |
Make pkinit fall back to octetstring2key() if there are not matching KDFs
From: Margaret Wasserman <mrw@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25304 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/preauth')
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index de6f03cd20..b7aea625ad 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -662,6 +662,7 @@ pkinit_pick_kdf_alg(krb5_context context,
 krb5_octet_data *tmp_oid = NULL;
 int i, j = 0;
+ /* if we don't find a match, return NULL value */
 *alg_oid = NULL;
 /* for each of the OIDs that the server supports... */
@@ -677,14 +678,13 @@ pkinit_pick_kdf_alg(krb5_context context,
 if (retval)
 goto cleanup;
 tmp_oid->length = supp_oid->length;
- memcpy(tmp_oid->data, supp_oid->data, supp_oid->length);
+ memcpy(tmp_oid->data, supp_oid->data, tmp_oid->length);
 *alg_oid = tmp_oid;
 /* don't free the OID in clean-up if we are returning it */
 tmp_oid = NULL;
 goto cleanup;
 }
 }
- retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF;
 }
 cleanup:
 if (tmp_oid)
@@ -1052,10 +1052,8 @@ pkinit_server_return_padata(krb5_context context,
 rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
 (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
- /* If supported KDFs are specified, use the alg agility KDF */
- if ((reqctx->rcv_auth_pack != NULL && reqctx->rcv_auth_pack->supportedKDFs != NULL)) {
-
+ /* If mutually supported KDFs were found, use the alg agility KDF */
+ if (rep->u.dh_Info.kdfID) {
 secret.data = server_key;
 secret.length = server_key_len;
@@ -1072,7 +1070,7 @@ pkinit_server_return_padata(krb5_context context,
 goto cleanup;
 }
- /* Otherwise, use the older octetstring2key() function */
+ /* Otherwise, use the older octetstring2key() function */
 } else {
 retval = pkinit_octetstring2key(context, enctype, server_key,
 server_key_len, encrypting_key); |
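Review bot: Dropping `retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF;` changes pkinit_pick_kdf_alg's contract: a request whose supportedKDFs list shares nothing with the server's now succeeds with *alg_oid left NULL, so every caller has to test the output pointer rather than the return code, and the KDC can no longer refuse a client that offers only KDFs it does not support. The function's header comment sits above the hunk and should state this, e.g. `/* Returns 0 with *alg_oid == NULL when no KDF is mutually supported; the caller then falls back to octetstring2key(). */`. The memcpy change above it is behaviour-neutral, since tmp_oid->length was assigned from supp_oid->length on the preceding line. pkinit_pick_kdf_alg begins and ends outside the hunk.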
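Review bot: The new test `if (rep->u.dh_Info.kdfID)` dereferences rep unconditionally, but the enclosing condition reaches this block through either arm — the visible second arm guards rep with `rep != NULL`, while the first arm tests rep9 (its start lies just above the hunk). If rep is NULL on the draft9 path, as the separate rep9 pointer suggests, this is a NULL dereference the removed code did not have, because the old test read reqctx instead. Suggest `if (rep != NULL && rep->u.dh_Info.kdfID) {`, which keeps the draft9 case on the octetstring2key() fallback in the else branch. pkinit_server_return_padata starts and ends outside the hunk.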
