From 6ed91603b53edd0dfb74d9029fea43308946c39f Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Thu, 30 Sep 2010 19:32:11 -0400
Subject: [PATCH 037/150] first pass at pkinit_create_td_dh_parameters

---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c |   66 ++++++++++++++++++++++-
 1 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index cf6a2f1..f862301 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -58,6 +58,7 @@ static krb5_error_code cert_retrieve_cert_sans(krb5_context context,
 					       krb5_principal **upn_sans,
 					       unsigned char ***kdc_hostname);
 static int cert_load_default_identity(pkinit_identity_crypto_context id);
+static SECItem *get_oid_from_tag(SECOidTag tag);
 
 /* Plugin and request state. */
 struct _pkinit_plg_crypto_context {
@@ -426,7 +427,7 @@ secitem_from_dh_pubval(PLArenaPool *pool,
 
 static struct oakley_group {
 	int identifier;
-	unsigned int bits;
+	int bits;
 	char name[32];
 	char prime[4096]; /* large enough to hold that prime */
 	int generator;
@@ -696,7 +697,7 @@ oakley_parse_group(PLArenaPool *pool, struct oakley_group *group,
 }
 
 static struct domain_parameters *
-oakley_get_group(PLArenaPool *pool, unsigned int minimum_prime_size)
+oakley_get_group(PLArenaPool *pool, int minimum_prime_size)
 {
 	unsigned int i;
 	struct domain_parameters *params;
@@ -1745,7 +1746,66 @@ pkinit_create_td_dh_parameters(krb5_context context,
 			       pkinit_plg_opts *opts,
 			       krb5_data **edata)
 {
-	return ENOSYS;
+	struct domain_parameters *params;
+	SECItem tmp, *oid;
+	krb5_algorithm_identifier id[sizeof(oakley_groups) /
+				     sizeof(oakley_groups[0])];
+	const krb5_algorithm_identifier *ids[sizeof(id) / sizeof(id[0]) + 1];
+	unsigned int i, j;
+	krb5_data *data;
+	krb5_typed_data typed_datum;
+	const krb5_typed_data *typed_data[2];
+	krb5_error_code code;
+
+	/* Fetch the algorithm OID. */
+	oid = get_oid_from_tag(SEC_OID_X942_DIFFIE_HELMAN_KEY);
+	if (oid == NULL) {
+		return ENOMEM;
+	}
+	/* Walk the lists of parameters that we know. */
+	for (i = 0, j = 0; i < sizeof(id) / sizeof(id[0]); i++) {
+		if (oakley_groups[i].bits < opts->dh_min_bits) {
+			continue;
+		}
+		/* Encode these parameters for use as algorithm parameters. */
+		if (oakley_parse_group(req_cryptoctx->pool, &oakley_groups[i],
+				       &params) != 0) {
+			continue;
+		}
+		memset(&params, 0, sizeof(params));
+		if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &tmp,
+				       params,
+				       domain_parameters_template) != SECSuccess) {
+			continue;
+		}
+		/* Add it to the list. */
+		memset(&id[j], 0, sizeof(id[j]));
+		id[j].algorithm.data = oid->data;
+		id[j].algorithm.length = oid->len;
+		id[j].parameters.data = tmp.data;
+		id[j].parameters.length = tmp.len;
+		ids[j] = &id[j];
+		j++;
+	}
+	if (j == 0) {
+		return ENOENT;
+	}
+	ids[j] = NULL;
+	/* Pass it back up. */
+	data = NULL;
+	code = k5int_encode_krb5_td_dh_parameters(ids, &data);
+	if (code != 0) {
+		return code;
+	}
+	memset(&typed_datum, 0, sizeof(typed_datum));
+	typed_datum.type = TD_DH_PARAMETERS;
+	typed_datum.length = data->length;
+	typed_datum.data = (unsigned char *) data->data;
+	typed_data[0] = &typed_datum;
+	typed_data[1] = NULL;
+	code = k5int_encode_krb5_typed_data(typed_data, edata);
+	krb5_free_data(context, data);
+	return code;
 }
 
 krb5_error_code
-- 
1.7.6.4