svn rev #25217: trunk/src/plugins/preauth/pkinit/

hartmans@MIT.EDU hartmans at MIT.EDU
Wed Sep 21 14:40:09 EDT 2011 

http://src.mit.edu/fisheye/changelog/krb5/?cs=25217
Commit By: hartmans
Log Message:
Reordered pkinit_server_return_padata(), so that the alg-agility
KDF can be called after the reply is encoded, as it needs the
encoded reply as one of its arguments.
Signed-off-by: Margaret Wasserman <mrw at painless-security.com>


Changed Files:
U   trunk/src/plugins/preauth/pkinit/pkinit_srv.c
Modified: trunk/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_srv.c	2011-09-21 17:46:27 UTC (rev 25216)
+++ trunk/src/plugins/preauth/pkinit/pkinit_srv.c	2011-09-21 18:40:09 UTC (rev 25217)
@@ -796,18 +796,16 @@
             goto cleanup;
         }
     }
-
     if ((rep9 != NULL &&
          rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
         (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
-        retval = pkinit_octetstring2key(context, enctype, server_key,
-                                        server_key_len, encrypting_key);
-        if (retval) {
-            pkiDebug("pkinit_octetstring2key failed: %s\n",
-                     error_message(retval));
-            goto cleanup;
-        }
 
+        /*
+         * This is DH, so don't generate the key until after we
+         * encode the reply, because the encoded reply is needed
+         * to generate the key in some cases.
+         */
+
         dhkey_info.subjectPublicKey.length = dh_pubkey_len;
         dhkey_info.subjectPublicKey.data = dh_pubkey;
         dhkey_info.nonce = request->nonce;
@@ -852,6 +850,7 @@
             }
             break;
         }
+
     } else {
         pkiDebug("received RSA key delivery AS REQ\n");
 
@@ -995,6 +994,19 @@
                          "/tmp/kdc_as_rep");
 #endif
 
+    /* If this is DH, we haven't computed the key yet, so do it now. */
+    if ((rep9 != NULL &&
+         rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
+        (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
+        retval = pkinit_octetstring2key(context, enctype, server_key,
+                                        server_key_len, encrypting_key);
+        if (retval) {
+            pkiDebug("pkinit_octetstring2key failed: %s\n",
+                     error_message(retval));
+            goto cleanup;
+        }
+    }
+
     *send_pa = malloc(sizeof(krb5_pa_data));
     if (*send_pa == NULL) {
         retval = ENOMEM;

More information about the cvs-krb5 mailing list