allow optional q in DH DomainParameters

kdc/pkinit.c

@@ -361,7 +361,7 @@ get_dh_param(krb5_context context,
     }
 
     ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits,
-			    &dhparam.p, &dhparam.g, &dhparam.q, moduli,
+			    &dhparam.p, &dhparam.g, dhparam.q, moduli,
 			    &client_params->dh_group_name);
     if (ret) {
 	/* XXX send back proposal of better group */

lib/asn1/rfc2459.asn1

@@ -239,7 +239,7 @@ ValidationParms ::= SEQUENCE {
 DomainParameters ::= SEQUENCE {
 	p		INTEGER, -- odd prime, p=jq +1
 	g		INTEGER, -- generator, g
-	q		INTEGER, -- factor of p-1
+	q		INTEGER OPTIONAL, -- factor of p-1
 	j		INTEGER OPTIONAL, -- subgroup factor
 	validationParms	ValidationParms OPTIONAL -- ValidationParms
 }

lib/krb5/pkinit.c

@@ -492,7 +492,12 @@ build_auth_pack(krb5_context context,
 		free_DomainParameters(&dp);
 		return ret;
 	    }
-	    ret = BN_to_integer(context, dh->q, &dp.q);
+	    dp.q = calloc(1, sizeof(*dp.q));
+	    if (dp.q == NULL) {
+		free_DomainParameters(&dp);
+		return ENOMEM;
+	    }
+	    ret = BN_to_integer(context, dh->q, dp.q);
 	    if (ret) {
 		free_DomainParameters(&dp);
 		return ret;