From 6be7d059b3bb26d8c9d6e383ada7f925ae623ef4 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 22 Sep 2011 13:31:43 -0400
Subject: [PATCH 143/150] - don't need to define KRB5KDC_ERR_NO_ACCEPTABLE_KDF any more
- adjust to function signature change for pkinit_alg_agility_kdf
- keep up with the 'anonymous flag means client is anonymous principal' change
---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 31 +++++++++++++----------
 1 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index a689c9b..c52811a 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -86,12 +86,6 @@
 * include a friendly name. */
 #define PKCS12_PREFIX "pkinit-pkcs12"
-#ifndef KRB5KDC_ERR_NO_ACCEPTABLE_KDF
-#ifdef KRB5PLACEHOLD_82
-#define KRB5KDC_ERR_NO_ACCEPTABLE_KDF KRB5PLACEHOLD_82
-#endif
-#endif
-
 /* Forward declaration. */
 static krb5_error_code
 cert_retrieve_cert_sans(krb5_context context,
 CERTCertificate *cert,
@@ -3744,12 +3738,12 @@ octet_data_and_data_and_length_equal(const krb5_octet_data *octets,
 static krb5_error_code
 encode_agility_kdf_other_info(krb5_context context,
 krb5_octet_data *alg_oid,
- krb5_principal party_u_info,
- krb5_principal party_v_info,
+ krb5_const_principal party_u_info,
+ krb5_const_principal party_v_info,
 krb5_enctype enctype,
 krb5_octet_data *as_req,
 krb5_octet_data *pk_as_rep,
- krb5_data **other_info)
+ krb5_data **other_info)
 {
 krb5_error_code retval = 0;
 krb5_sp80056a_other_info other_info_fields;
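Review bot: encode_agility_kdf_other_info carries no header comment above the signature at the top of this hunk, and switching party_u_info/party_v_info to krb5_const_principal is the right moment to state the contract: the principals and octet data are borrowed for the duration of the call, and *other_info is an output the caller owns and must free (inferred from the krb5_data ** out-parameter, confirm against the encoder it wraps). A short block comment of that form above `static krb5_error_code` would do. The change to the `krb5_data **other_info)` line is indentation-only and rides along with the functional change. The function body continues past the end of the hunk.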
@@ -3757,6 +3751,13 @@ encode_agility_kdf_other_info(krb5_context context,
 krb5_data *supp_pub_info = NULL;
 krb5_algorithm_identifier alg_id;
+ /* If this is anonymous pkinit, we need to use the anonymous principal for
+ * party_u_info */
+ if (party_u_info &&
+ krb5_principal_compare_any_realm(context, party_u_info,
+ krb5_anonymous_principal()))
+ party_u_info = krb5_anonymous_principal();
+
 /* Encode the ASN.1 octet string for "SuppPubInfo" */
 supp_pub_info_fields.enctype = enctype;
 supp_pub_info_fields.as_req = *as_req;
@@ -3771,8 +3772,8 @@ encode_agility_kdf_other_info(krb5_context context,
 alg_id.algorithm = *alg_oid; /*alias, don't have to free it*/
 other_info_fields.algorithm_identifier = alg_id;
- other_info_fields.party_u_info = party_u_info;
- other_info_fields.party_v_info = party_v_info;
+ other_info_fields.party_u_info = (krb5_principal) party_u_info;
+ other_info_fields.party_v_info = (krb5_principal) party_v_info;
 other_info_fields.supp_pub_info = *supp_pub_info;
 retval = encode_krb5_sp80056a_other_info(&other_info_fields, other_info);
 if (retval != 0)
@@ -3791,8 +3792,8 @@ krb5_error_code
 pkinit_alg_agility_kdf(krb5_context context,
 krb5_octet_data *secret,
 krb5_octet_data *alg_oid,
- krb5_principal party_u_info,
- krb5_principal party_v_info,
+ krb5_const_principal party_u_info,
+ krb5_const_principal party_v_info,
 krb5_enctype enctype,
 krb5_octet_data *as_req,
 krb5_octet_data *pk_as_rep,
@@ -3802,7 +3803,9 @@ pkinit_alg_agility_kdf(krb5_context context,
 krb5_error_code retval = ENOSYS;
 retval = encode_agility_kdf_other_info(context,
- alg_oid, party_u_info, party_v_info,
+ alg_oid,
+ party_u_info,
+ party_v_info,
 enctype, as_req, pk_as_rep, &other_info);
 if (retval != 0)
-- 
1.7.6.4
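Review bot: The guard added in the middle of the hunk matches the anonymous principal in any realm and then substitutes the canonical krb5_anonymous_principal(), but the new comment only says that it does so, not why; a one-line reason would help, e.g. `/* Normalize an any-realm anonymous name to the canonical one so both peers encode identical OtherInfo for the KDF. */` — presumably that is the intent, confirm it against the KDC side. The three-line condition with an unbraced single-statement body is also easy to misread on a later edit; wrapping the assignment in `{ ... }` would be safer. The enclosing function starts before this hunk.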
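Review bot: The two added assignments cast party_u_info and party_v_info back to krb5_principal, discarding the const that the new signature introduced; this is only sound if encode_krb5_sp80056a_other_info() never writes through the krb5_sp80056a_other_info fields, which the hunk cannot show. A comment beside the casts, `/* Cast away const: the encoder only reads these fields. */`, would record that assumption for the next maintainer. If the struct could declare those fields as krb5_const_principal the casts could go, but that is an ASN.1 header change outside this file.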
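Review bot: The definition of pkinit_alg_agility_kdf now takes krb5_const_principal for party_u_info and party_v_info, yet the diffstat lists only pkinit_crypto_nss.c, so the declaration in the shared pkinit header and any other backend's definition must already use the same types (the subject says this tracks a signature change made elsewhere); if they do not, this definition conflicts with the prototype. Worth confirming the header in the same series before merging. The parameter list continues past the end of the hunk.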