svn rev #23489: branches/anonymous/src/plugins/preauth/pkinit/
hartmans@MIT.EDU
hartmans at MIT.EDU
Wed Dec 23 16:09:40 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23489
Commit By: hartmans
Log Message:
If the anonymous principal is used, then do not initialize the
identity context.
# Please enter the commit message for your
changes. Lines starting # with '#' will be ignored, and an empty
message aborts the commit. # On branch anonymous # Your branch is
ahead of 'krb5/trunk' by 3 commits. # # Changes to be committed: #
(use "git reset HEAD <file>..." to unstage) # # modified:
./src/plugins/preauth/pkinit/pkinit_crypto_openssl.c # modified:
./src/plugins/preauth/pkinit/pkinit_identity.c # # Untracked files: #
(use "git add <file>..." to include in what will be committed) # # ./
./src/include/autoconf.stmp # ../static/
Changed Files:
U branches/anonymous/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
U branches/anonymous/src/plugins/preauth/pkinit/pkinit_identity.c
Modified: branches/anonymous/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- branches/anonymous/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2009-12-23 21:09:00 UTC (rev 23488)
+++ branches/anonymous/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2009-12-23 21:09:39 UTC (rev 23489)
@@ -821,7 +821,11 @@
X509 *cert = NULL;
ASN1_OBJECT *oid = NULL;
- /* start creating PKCS7 data */
+ if (id_cryptoctx->my_certs == NULL) {
+ krb5_set_error_message(context, EINVAL, "cms_signdata_create called with no certificates");
+ return EINVAL;
+ }
+/* start creating PKCS7 data */
if ((p7 = PKCS7_new()) == NULL)
goto cleanup;
p7->type = OBJ_nid2obj(NID_pkcs7_signed);
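Review bot: The new guard at the top of the hunk dereferences `id_cryptoctx` before checking it, so if the anonymous path can ever reach cms_signdata_create with an uninitialized or NULL identity context (the companion pkinit_identity.c change skips that context's initialization for the anonymous principal), this check trades one NULL dereference for another; I cannot see the callers from here, so confirm, and if a NULL context is possible widen the test to `if (id_cryptoctx == NULL || id_cryptoctx->my_certs == NULL) {`. Returning EINVAL directly is fine at this point since nothing has been allocated yet (`p7` is created on the following line), but routing through `cleanup` with `retval = EINVAL` would keep the function's single-exit convention. The restored comment `/* start creating PKCS7 data */` has lost its indentation and should sit at the same column as the `if` below it. The enclosing function begins before this hunk.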
Modified: branches/anonymous/src/plugins/preauth/pkinit/pkinit_identity.c
===================================================================
--- branches/anonymous/src/plugins/preauth/pkinit/pkinit_identity.c 2009-12-23 21:09:00 UTC (rev 23488)
+++ branches/anonymous/src/plugins/preauth/pkinit/pkinit_identity.c 2009-12-23 21:09:39 UTC (rev 23489)
@@ -505,65 +505,67 @@
int i;
pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
- if (idopts == NULL || id_cryptoctx == NULL)
- goto errout;
+ if (!krb5_principal_compare (context, princ, krb5_anonymous_principal())) {
+ if (idopts == NULL || id_cryptoctx == NULL)
+ goto errout;
- /*
- * If identity was specified, use that. (For the kdc, this
- * is specified as pkinit_identity in the kdc.conf. For users,
- * this is specified on the command line via X509_user_identity.)
- * If a user did not specify identity on the command line,
- * then we will try alternatives which may have been specified
- * in the config file.
- */
- if (idopts->identity != NULL) {
- retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx,
- idopts, id_cryptoctx,
- idopts->identity);
- } else if (idopts->identity_alt != NULL) {
- for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++)
- retval = process_option_identity(context, plg_cryptoctx,
- req_cryptoctx, idopts,
- id_cryptoctx,
- idopts->identity_alt[i]);
- } else {
- pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
- goto errout;
- }
- if (retval)
- goto errout;
-
- retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
- idopts, id_cryptoctx, princ);
- if (retval)
- goto errout;
-
- if (do_matching) {
- retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx, princ);
- if (retval) {
- pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
- crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx);
+ /*
+ * If identity was specified, use that. (For the kdc, this
+ * is specified as pkinit_identity in the kdc.conf. For users,
+ * this is specified on the command line via X509_user_identity.)
+ * If a user did not specify identity on the command line,
+ * then we will try alternatives which may have been specified
+ * in the config file.
+ */
+ if (idopts->identity != NULL) {
+ retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx,
+ idopts, id_cryptoctx,
+ idopts->identity);
+ } else if (idopts->identity_alt != NULL) {
+ for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++)
+ retval = process_option_identity(context, plg_cryptoctx,
+ req_cryptoctx, idopts,
+ id_cryptoctx,
+ idopts->identity_alt[i]);
+ } else {
+ pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
goto errout;
}
- } else {
- /* Tell crypto code to use the "default" */
- retval = crypto_cert_select_default(context, plg_cryptoctx,
- req_cryptoctx, id_cryptoctx);
- if (retval) {
- pkiDebug("%s: Failed while selecting default certificate\n",
- __FUNCTION__);
- crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx);
+ if (retval)
goto errout;
+
+ retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
+ idopts, id_cryptoctx, princ);
+ if (retval)
+ goto errout;
+
+ if (do_matching) {
+ retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx, princ);
+ if (retval) {
+ pkiDebug("%s: No matching certificate found\n", __FUNCTION__);
+ crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx);
+ goto errout;
+ }
+ } else {
+ /* Tell crypto code to use the "default" */
+ retval = crypto_cert_select_default(context, plg_cryptoctx,
+ req_cryptoctx, id_cryptoctx);
+ if (retval) {
+ pkiDebug("%s: Failed while selecting default certificate\n",
+ __FUNCTION__);
+ crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx);
+ goto errout;
+ }
}
- }
- retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
- id_cryptoctx);
- if (retval)
- goto errout;
+ retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
+ id_cryptoctx);
+ if (retval)
+ goto errout;
+ } /*not anonymous principal*/
for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
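Review bot: Moving the `idopts == NULL || id_cryptoctx == NULL` check inside the non-anonymous branch leaves the anonymous path with no NULL guard, yet the `for` loop right after the branch still dereferences `idopts->anchors` and passes `id_cryptoctx` down unconditionally; keep the NULL test ahead of the principal comparison, e.g. `if (idopts == NULL || id_cryptoctx == NULL) goto errout;` as the first statement, and only make the certificate/identity work conditional on the principal. `krb5_principal_compare` is also now called with `princ` before anything validates it; if any caller (the KDC side comes to mind) passes a NULL principal, that comparison would need a `princ != NULL &&` prefix — I cannot see the callers from this hunk, so please confirm. Note too that on the anonymous path `retval` is never assigned before the anchor loop, so its initial value (set above this hunk) decides the outcome when no anchors are configured; if it starts non-zero, anonymous initialization with an empty anchor list fails silently. The enclosing function continues past this hunk.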