From: Tom Yu <tlyu@mit.edu>
Date: Thu, 28 Mar 2013 23:09:04 +0000 (-0400)
Subject: Ignore missing Q in dh_params
X-Git-Tag: krb5-1.12-alpha1~211
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ed77a25c53ed6afd41372838f205a98a561a89fb;p=thirdparty%2Fkrb5.git

Ignore missing Q in dh_params

Some implementations don't send the required Q value in dh_params, so
allow it to be absent.

ticket: 7596
target_version: 1.11.3
tags: pullup
---

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 7186ce857f..c39a9a7d22 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2997,9 +2997,9 @@ pkinit_decode_dh_params(DH ** a, unsigned char **pp, unsigned int len)
         }
 
     }
-    M_ASN1_D2I_get_x(ASN1_INTEGER, aip, d2i_ASN1_INTEGER);
-    if (aip == NULL)
-        return NULL;
+    M_ASN1_D2I_get_opt(aip, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
+    if (aip == NULL || ai.data == NULL)
+        (*a)->q = NULL;
     else {
         (*a)->q = ASN1_INTEGER_to_BN(aip, NULL);
         if ((*a)->q == NULL)
@@ -3322,7 +3322,7 @@ pkinit_check_dh_params(BIGNUM * p1, BIGNUM * p2, BIGNUM * g1, BIGNUM * q1)
         if (!BN_cmp(g1, g2)) {
             q2 = BN_new();
             BN_rshift1(q2, p1);
-            if (!BN_cmp(q1, q2)) {
+            if (q1 == NULL || !BN_cmp(q1, q2)) {
                 pkiDebug("good %d dhparams\n", BN_num_bits(p1));
                 retval = 0;
             } else