From 9c92a36dd8039c6fe0b0f483dba110a3fbe048dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Thu, 11 Dec 2008 05:04:50 +0000
Subject: [PATCH] return up kdc_cert from signing operation so that OSCP can do the right thing. cid#55
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24130 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/pkinit.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 34de4d2e2..bd125f9c5 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -685,7 +685,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
 const KDC_REQ *req,
 const krb5_data *req_buffer,
 krb5_keyblock *reply_key,
- ContentInfo *content_info)
+ ContentInfo *content_info,
+ hx509_cert *kdc_cert)
 {
 const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL;
 krb5_error_code ret;
@@ -696,6 +697,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
 krb5_data_zero(&buf);
 krb5_data_zero(&signed_data);
+ *kdc_cert = NULL;
+
 /*
 * If the message client is a win2k-type but it send pa data
 * 09-binding it expects a IETF (checksum) reply so there can be
@@ -809,7 +812,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
 client_params->client_anchors,
 kdc_identity->certpool,
 &signed_data);
- hx509_cert_free(cert);
+ *kdc_cert = cert;
 }
 krb5_data_free(&buf);
@@ -840,6 +843,11 @@ pk_mk_pa_reply_enckey(krb5_context context,
 oid_id_pkcs7_envelopedData(),
 content_info);
 out:
+ if (ret && *kdc_cert) {
+ hx509_cert_free(*kdc_cert);
+ *kdc_cert = NULL;
+ }
+
 krb5_data_free(&buf);
 krb5_data_free(&signed_data);
 return ret;
@@ -1027,7 +1035,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 req,
 req_buffer,
 &client_params->reply_key,
- &info);
+ &info,
+ &kdc_cert);
 if (ret) {
 free_PA_PK_AS_REP(&rep);
 goto out;
@@ -1121,7 +1130,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 req,
 req_buffer,
 &client_params->reply_key,
- &info);
+ &info,
+ &kdc_cert);
 if (ret) {
 free_PA_PK_AS_REP_Win2k(&rep);
 goto out;
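Review bot: The new `hx509_cert *kdc_cert` out-parameter added in the `@@ -685,7 +685,8 @@` hunk changes who owns the signing certificate, and nothing in the code states that contract. The later hunks of `pk_mk_pa_reply_enckey` show it: `*kdc_cert` is cleared on entry, receives `cert` where `hx509_cert_free(cert)` used to be, and is freed and reset at `out:` when `ret` is non-zero. I would record that at the head of the function, e.g. `/* On success *kdc_cert holds the cert used for signing and the caller must hx509_cert_free() it; on failure it is NULL. */`. The function starts before this hunk and ends after the `out:` hunk, so the comment belongs above the signature, outside the visible lines.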
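Review bot: Both call sites in `_kdc_pk_mk_pa_reply` (`@@ -1027,7 +1035,8 @@` and `@@ -1121,7 +1130,8 @@`) now receive a certificate reference that the callee used to release itself, and neither hunk shows where the caller releases it. The `if (ret)` branch is fine, because the callee has already freed and cleared `*kdc_cert` by then. The success path, however, needs an `hx509_cert_free(kdc_cert)` before the function returns. Presumably the existing `out:` cleanup does this, but it should be confirmed, since a missed release would leak one reference per reply in a long-running KDC. A short comment at the first call, such as `/* kdc_cert is ours to free from here on */`, would make the hand-over visible; the body of `_kdc_pk_mk_pa_reply` extends beyond both hunks.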