Reordered pkinit_server_return_padata(), so that the alg-agility

KDF can be called after the reply is encoded, as it needs the encoded reply as one of its arguments. Signed-off-by: Margaret Wasserman <mrw@painless-security.com> git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25217 dc483132-0cff-0310-8789-dd5450dbe970
author: Sam Hartman <hartmans@mit.edu> 2011-09-21 18:40:09 +0000
committer: Sam Hartman <hartmans@mit.edu> 2011-09-21 18:40:09 +0000
commit: 013643be34ccfacd0be794ff55a89f609d576796 (patch)
tree: 028bbb02ede90c61aa606b8232f63ffe5158c513 /src/plugins
parent: c5c5b3641beb7a41592626c845ae06d75429ecb1 (diff)
download: krb5-013643be34ccfacd0be794ff55a89f609d576796.tar.gz
krb5-013643be34ccfacd0be794ff55a89f609d576796.tar.xz
krb5-013643be34ccfacd0be794ff55a89f609d576796.zip
1 files changed, 20 insertions, 8 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 1e208fa84..46bcc2ca7 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -796,17 +796,15 @@ pkinit_server_return_padata(krb5_context context,
             goto cleanup;
         }
     }
-
     if ((rep9 != NULL &&
          rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
         (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
-        retval = pkinit_octetstring2key(context, enctype, server_key,
-                                        server_key_len, encrypting_key);
-        if (retval) {
-            pkiDebug("pkinit_octetstring2key failed: %s\n",
-                     error_message(retval));
-            goto cleanup;
-        }
+
+        /*
+         * This is DH, so don't generate the key until after we
+         * encode the reply, because the encoded reply is needed
+         * to generate the key in some cases.
+         */
 
         dhkey_info.subjectPublicKey.length = dh_pubkey_len;
         dhkey_info.subjectPublicKey.data = dh_pubkey;
@@ -852,6 +850,7 @@ pkinit_server_return_padata(krb5_context context,
             }
             break;
         }
+
     } else {
         pkiDebug("received RSA key delivery AS REQ\n");
 
@@ -995,6 +994,19 @@ pkinit_server_return_padata(krb5_context context,
                          "/tmp/kdc_as_rep");
 #endif
 
+    /* If this is DH, we haven't computed the key yet, so do it now. */
+    if ((rep9 != NULL &&
+         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
+        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
+        retval = pkinit_octetstring2key(context, enctype, server_key,
+                                        server_key_len, encrypting_key);
+        if (retval) {
+            pkiDebug("pkinit_octetstring2key failed: %s\n",
+                     error_message(retval));
+            goto cleanup;
+        }
+    }
+
     *send_pa = malloc(sizeof(krb5_pa_data));
     if (*send_pa == NULL) {
         retval = ENOMEM;
author	Sam Hartman <hartmans@mit.edu>	2011-09-21 18:40:09 +0000
committer	Sam Hartman <hartmans@mit.edu>	2011-09-21 18:40:09 +0000
commit	013643be34ccfacd0be794ff55a89f609d576796 (patch)
tree	028bbb02ede90c61aa606b8232f63ffe5158c513 /src/plugins
parent	c5c5b3641beb7a41592626c845ae06d75429ecb1 (diff)
download	krb5-013643be34ccfacd0be794ff55a89f609d576796.tar.gz krb5-013643be34ccfacd0be794ff55a89f609d576796.tar.xz krb5-013643be34ccfacd0be794ff55a89f609d576796.zip