authorSam Hartman <hartmans@mit.edu>2011-09-19 00:35:10 +0000
committerSam Hartman <hartmans@mit.edu>2011-09-19 00:35:10 +0000
commit27a69f059a3c57ac7c0c415cfb59656ff3803365 (patch)
tree602f40b8e76b719469fe9a9072755b55ef9d0f2d /src
parent864d4b2669d6e4a798314f28530613a8721491a2 (diff)
* Extend auth_pack
* extend dh_rep * add krb5_free_octet_data * extend pkinit free functions pkinit: add supportedKDFs and kdfID to structures git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25194 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/include/k5-int-pkinit.h6
-rw-r--r--src/include/krb5/krb5.hin17
-rw-r--r--src/lib/krb5/krb/kfree.c10
-rw-r--r--src/lib/krb5/libkrb5.exports1
-rw-r--r--src/plugins/preauth/pkinit/pkinit_lib.c9
5 files changed, 40 insertions, 3 deletions
diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h
index 47e16e1c3..4f22cddb6 100644
--- a/src/include/k5-int-pkinit.h
+++ b/src/include/k5-int-pkinit.h
@@ -65,12 +65,13 @@ typedef struct _krb5_subject_pk_info {
krb5_octet_data subjectPublicKey; /* BIT STRING */
} krb5_subject_pk_info;
-/* AuthPack */
+/** AuthPack from RFC 4556*/
typedef struct _krb5_auth_pack {
krb5_pk_authenticator pkAuthenticator;
krb5_subject_pk_info *clientPublicValue; /* Optional */
krb5_algorithm_identifier **supportedCMSTypes; /* Optional */
krb5_octet_data clientDHNonce; /* Optional */
+krb5_octet_data **supportedKDFs; /*< object identifiers of KDFs; OPTIONAL*/
} krb5_auth_pack;
/* AuthPack draft9 */
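Review bot: The trailing comment on the new `supportedKDFs` member opens with `/*<`, which is an ordinary C comment rather than a Doxygen member comment, so the text will not be attached to the field even though the struct comment was switched to `/**`. Use the same form the second hunk uses for `kdfID`: `krb5_octet_data **supportedKDFs; /**< OIDs of supported KDFs, NULL-terminated list; OPTIONAL */`. The NULL-terminated wording matches how free_krb5_auth_pack walks the array later in this commit, and the new line should also be indented like the other members.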
@@ -116,10 +117,11 @@ typedef struct _krb5_pa_pk_as_req {
krb5_octet_data kdcPkId; /* Optional */
} krb5_pa_pk_as_req;
-/* DHRepInfo */
+/** Pkinit DHRepInfo */
typedef struct _krb5_dh_rep_info {
krb5_octet_data dhSignedData;
krb5_octet_data serverDHNonce; /* Optional */
+ krb5_octet_data *kdfID; /**< OID of selected KDF OPTIONAL*/
} krb5_dh_rep_info;
/* KDCDHKeyInfo */
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 049bf91f1..5b6f0b9c1 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -4647,7 +4647,22 @@ void KRB5_CALLCONV
krb5_free_data(krb5_context context, krb5_data *val);
/**
- * Free the contents of a krb_data structure.
+ * @brief Free storage associated with a @c krb5_octet_data structure and its pointer.
+ *
+ * @param context Context structure [input, output]
+ * @param val Pointer to data structure to be freed [input, output]
+ *
+ * @return
+ * None
+ */
+void KRB5_CALLCONV
+krb5_free_octet_data(krb5_context context, krb5_octet_data *val);
+
+/**
+ * @brief Free the contents of a @c _krb5_data structure and zero the data field.
+ *
+ * @param context Context structure [input, output]
+ * @param val Pointer to data structure to be freed [input, output]
*
* @param [in] context Library context
* @param [in] val Data structure to free contents of
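Review bot: The two `@param ... [input, output]` lines added to the comment for the following declaration duplicate the `@param [in] context` and `@param [in] val` entries that remain as context lines directly beneath them. Each parameter ends up documented twice with different direction annotations, so one pair should be dropped. For the new krb5_free_octet_data comment, `[input, output]` on `context` also does not match the code in this commit: kfree.c never reads it and the pkinit callers pass NULL. Something like `@param [in] context Library context (unused)` and `@param [in] val Structure to free; may be NULL` would describe what the implementation does. The second comment block continues past the end of the hunk.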
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index 72b685759..071a97728 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -236,6 +236,16 @@ krb5_free_data(krb5_context context, krb5_data *val)
free(val);
}
+
+void KRB5_CALLCONV
+krb5_free_octet_data(krb5_context context, krb5_octet_data *val)
+{
+ if (val == NULL)
+ return;
+ free(val->data);
+ free(val);
+}
+
void KRB5_CALLCONV
krb5_free_data_contents(krb5_context context, krb5_data *val)
{
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 2637712b9..87f462a7c 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -302,6 +302,7 @@ krb5_free_keytab_entry_contents
krb5_free_krbhst
krb5_free_ktypes
krb5_free_last_req
+krb5_free_octet_data
krb5_free_pa_data
krb5_free_pa_enc_ts
krb5_free_pa_for_user
diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
index fd4c0b528..8eb64019c 100644
--- a/src/plugins/preauth/pkinit/pkinit_lib.c
+++ b/src/plugins/preauth/pkinit/pkinit_lib.c
@@ -163,6 +163,14 @@ free_krb5_auth_pack(krb5_auth_pack **in)
free((*in)->pkAuthenticator.paChecksum.contents);
if ((*in)->supportedCMSTypes != NULL)
free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes));
+ if (*(*in)->supportedKDFs) {
+ krb5_octet_data **supportedKDFs =
+ (*in)->supportedKDFs;
+ unsigned i;
+ for (i = 0; supportedKDFs[i]; i++)
+ krb5_free_octet_data(NULL, supportedKDFs[i]);
+ free(supportedKDFs);
+ }
free(*in);
}
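Review bot: The new guard `if (*(*in)->supportedKDFs)` reads the first array element without first checking that the array pointer itself is non-NULL, yet the header change in this commit marks `supportedKDFs` as OPTIONAL. If a decoded AuthPack omits the field and the pointer is left NULL (presumably the case for peers that do not send it), freeing the structure dereferences NULL. If the list is non-NULL but empty, the array itself is never freed. Test the pointer instead, matching the `supportedCMSTypes` check just above: `if ((*in)->supportedKDFs != NULL) {`. free_krb5_auth_pack begins above this hunk, so any earlier handling of `*in` is not visible here.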
@@ -181,6 +189,7 @@ free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in)
if (*in == NULL) return;
switch ((*in)->choice) {
case choice_pa_pk_as_rep_dhInfo:
+ krb5_free_octet_data(NULL, (*in)->u.dh_Info.kdfID);
free((*in)->u.dh_Info.dhSignedData.data);
break;
case choice_pa_pk_as_rep_encKeyPack: