krb5 commit [krb5-1.10]: Ignore missing Q in dh_params

Tom Yu tlyu at MIT.EDU
Tue Jun 4 22:05:08 EDT 2013


https://github.com/krb5/krb5/commit/3598d0990ec176c98fb82c3b8846058c6e576878
commit 3598d0990ec176c98fb82c3b8846058c6e576878
Author: Tom Yu <tlyu at mit.edu>
Date:   Thu Mar 28 19:09:04 2013 -0400

    Ignore missing Q in dh_params
    
    Some implementations don't send the required Q value in dh_params, so
    allow it to be absent.
    
    (cherry picked from commit ed77a25c53ed6afd41372838f205a98a561a89fb)
    
    ticket: 7658 (new)
    version_fixed: 1.10.6
    status: resolved

 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index c6e3f90..f9a9d2c 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2953,9 +2953,9 @@ pkinit_decode_dh_params(DH ** a, unsigned char **pp, unsigned int len)
         }
 
     }
-    M_ASN1_D2I_get_x(ASN1_INTEGER, aip, d2i_ASN1_INTEGER);
-    if (aip == NULL)
-        return NULL;
+    M_ASN1_D2I_get_opt(aip, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+    if (aip == NULL || ai.data == NULL)
+        (*a)->q = NULL;
     else {
         (*a)->q = ASN1_INTEGER_to_BN(aip, NULL);
         if ((*a)->q == NULL)
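Review bot: The `ai.data == NULL` half of the new test `if (aip == NULL || ai.data == NULL)` depends on state this hunk does not show. It only means "no Q was sent" if the preceding block reset `ai.data` after decoding the previous integer, which the closing braces above suggest but do not prove. A short comment would make that dependency explicit, for example `/* Q is optional for interoperability; ai.data is still NULL if no INTEGER followed g */`. Because `(*a)->q` can now be NULL after a successful decode, every consumer of the decoded DH must tolerate that; this commit updates pkinit_check_dh_params, and any other users lie outside the diff. The body of pkinit_decode_dh_params starts and ends outside the hunk.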
@@ -3278,7 +3278,7 @@ pkinit_check_dh_params(BIGNUM * p1, BIGNUM * p2, BIGNUM * g1, BIGNUM * q1)
         if (!BN_cmp(g1, g2)) {
             q2 = BN_new();
             BN_rshift1(q2, p1);
-            if (!BN_cmp(q1, q2)) {
+            if (q1 == NULL || !BN_cmp(q1, q2)) {
                 pkiDebug("good %d dhparams\n", BN_num_bits(p1));
                 retval = 0;
             } else
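Review bot: The `q1 == NULL ||` shortcut skips the only check on the peer's Q, and nothing beside the condition says why that is acceptable. It looks sound only because p1 and g1 appear to have been matched against a fixed known group by this point (the `BN_cmp(g1, g2)` context line is visible, the comparison of p1 is outside the hunk), so the subgroup order is implied as `p1 >> 1`. A comment such as `/* q is optional on the wire; p and g matched a known group, so q == p >> 1 is implied */` would keep a later change that loosens the p/g match from silently leaving Q unvalidated. The body of pkinit_check_dh_params continues outside the hunk.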

