add BTMM style pkinit reply

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24210 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/krb5/pkinit.c

@@ -1344,14 +1344,44 @@ _krb5_pk_rd_pa_reply(krb5_context context,
 	case choice_PA_PK_AS_REP_encKeyPack:
 	    os = rep.u.encKeyPack;
 	    break;
-	default:
+	default: {
+	    PA_PK_AS_REP_BTMM btmm;
 	    free_PA_PK_AS_REP(&rep);
+	    memset(&rep, 0, sizeof(rep));
+	    
+	    ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data,
+					   pa->padata_value.length,
+					   &btmm,
+					   &size);
+	    if (ret) {
 		krb5_set_error_message(context, EINVAL,
 				       N_("PKINIT: -27 reply "
 					  "invalid content type", ""));
 		return EINVAL;
 	    }
 
+	    if (btmm.dhSignedData || btmm.encKeyPack == NULL) {
+		free_PA_PK_AS_REP_BTMM(&btmm);
+		ret = EINVAL;
+		krb5_set_error_message(context, ret,
+				       N_("DH mode not supported for BTMM mode", ""));
+		return ret;
+	    }
+
+	    /*
+	     * Transform to IETF style PK-INIT reply so that free works below
+	     */
+
+	    rep.element = choice_PA_PK_AS_REP_encKeyPack;
+	    rep.u.encKeyPack.data = btmm.encKeyPack->data;
+	    rep.u.encKeyPack.length = btmm.encKeyPack->length;
+	    btmm.encKeyPack->data = NULL;
+	    btmm.encKeyPack->length = 0;
+	    free_PA_PK_AS_REP_BTMM(&btmm);
+	    os = rep.u.encKeyPack;
+	}
+	}
+
 	ret = hx509_cms_unwrap_ContentInfo(&os, &oid, &data, NULL);
 	if (ret) {
 	    free_PA_PK_AS_REP(&rep);