From 1530060a84cb90bc0c99cf26c7096bea5d339801 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Mon, 4 May 2009 06:16:40 +0000
Subject: [PATCH] Assume old client if it doesn't send supportedCMSTypes. Add error message.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25167 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/pkinit.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 2489b31ca..9e24098a5 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -839,13 +839,14 @@ _kdc_pk_rd_padata(krb5_context context,
 } else cp->keyex = USE_RSA;
- if (ap.supportedCMSTypes) {
- ret = hx509_peer_info_alloc(kdc_identity->hx509ctx,
+ ret = hx509_peer_info_alloc(kdc_identity->hx509ctx,
 &cp->peer);
- if (ret) {
- free_AuthPack(&ap);
- goto out;
- }
+ if (ret) {
+ free_AuthPack(&ap);
+ goto out;
+ }
+
+ if (ap.supportedCMSTypes) {
 ret = hx509_peer_info_set_cms_algs(kdc_identity->hx509ctx, cp->peer, ap.supportedCMSTypes->val,
@@ -854,6 +855,14 @@ _kdc_pk_rd_padata(krb5_context context,
 free_AuthPack(&ap);
 goto out;
 }
+ } else {
+ /* assume old client */
+ hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer,
+ hx509_crypto_des_rsdi_ede3_cbc());
+ hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer,
+ hx509_signature_rsa_with_sha1());
+ hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer,
+ hx509_signature_sha1());
 }
 free_AuthPack(&ap);
 } else
@@ -1332,6 +1341,13 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 cp, &info, &kdc_cert);
+ if (ret) {
+ free_PA_PK_AS_REP(&rep);
+ krb5_set_error_message(context, ret,
+ "create pa-reply-dh "
+ "failed %d", ret);
+ goto out;
+ }
 ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data, rep.u.dhInfo.dhSignedData.length, &info, &size,
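Review bot: The three `hx509_peer_info_add_cms_alg` calls in the new `else` branch discard their results, while the `hx509_peer_info_set_cms_algs` call in the sibling branch stores `ret` and bails out on failure. If one of these calls can fail (presumably on allocation failure), `cp->peer` is left with a partial or empty algorithm list and the request carries on; assigning each result to `ret` and reusing the existing `free_AuthPack(&ap); goto out;` handling would keep both branches consistent. The `/* assume old client */` comment could also state that a request without supportedCMSTypes is now treated as accepting 3DES-CBC and SHA-1, so this implicit fallback to legacy algorithms is visible to anyone auditing the accepted set later. The enclosing function starts and ends outside the hunk.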
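Review bot: The new `if (ret)` branch after the call ending in `&kdc_cert);` releases only `rep` before `goto out`, although `info` and `kdc_cert` were handed to that call as outputs. Whether the call can leave them partially filled on failure, and whether the `out:` path frees them or touches `rep` again, is not visible in this hunk, so it is worth confirming. A one-line comment such as `/* info and kdc_cert are untouched on failure */` would record the assumption, or the branch should free them if that is not guaranteed. The function body continues outside the hunk.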