From 61b1ea80dedfc948e4f37b700030f53f85889615 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Sun, 25 Sep 2005 15:18:14 +0000 Subject: [PATCH] The public DH key is encoded as an INTEGER in subjectPublicKey. Don't verify OID's for now. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16098 ec53bebd-3082-4978-b11e-865c3cabbd6b --- kdc/pkinit.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/kdc/pkinit.c b/kdc/pkinit.c index 097ed1bf4..ee1f36cea 100644 --- a/kdc/pkinit.c +++ b/kdc/pkinit.c @@ -401,6 +401,13 @@ get_dh_param(krb5_context context, SubjectPublicKeyInfo *dh_key_info, goto out; } + if ((dh_key_info->subjectPublicKey.length % 8) != 0) { + ret = KRB5_BADMSGTYPE; + krb5_set_error_string(context, "PKINIT: subjectPublicKey not aligned " + "to 8 bit boundary"); + goto out; + } + dh = DH_new(); if (dh == NULL) { krb5_set_error_string(context, "Cannot create DH structure (%s)", @@ -423,10 +430,10 @@ get_dh_param(krb5_context context, SubjectPublicKeyInfo *dh_key_info, heim_integer glue; size_t size; - ret = der_get_heim_integer(dh_key_info->subjectPublicKey.data, - dh_key_info->subjectPublicKey.length / 8, - &glue, - &size); + ret = decode_DHPublicKey(dh_key_info->subjectPublicKey.data, + dh_key_info->subjectPublicKey.length / 8, + &glue, + &size); if (ret) { krb5_clear_error_string(context); return ret; @@ -435,10 +442,9 @@ get_dh_param(krb5_context context, SubjectPublicKeyInfo *dh_key_info, client_params->dh_public_key = integer_to_BN(context, "subjectPublicKey", &glue); - if (client_params->dh_public_key == NULL) { - krb5_clear_error_string(context); + free_heim_integer(&glue); + if (client_params->dh_public_key == NULL) goto out; - } } if (DH_check(dh, &dhret) != 1) { @@ -715,12 +721,14 @@ _kdc_pk_rd_padata(krb5_context context, if (ret) goto out; +#if 0 /* Signature is correct, now verify the signed message */ if (heim_oid_cmp(&eContentType, pa_contentType)) { krb5_set_error_string(context, "got wrong oid for pkauthdata"); ret = KRB5_BADMSGTYPE; goto out; } +#endif if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) { AuthPack_Win2k ap;