krb5 commit: Traverse tokens like we do with OpenSSL for NSS
Greg Hudson
ghudson at MIT.EDU
Mon May 13 02:00:05 EDT 2013
https://github.com/krb5/krb5/commit/88fe4c49320592047ae416887f27c1d74832ddac
commit 88fe4c49320592047ae416887f27c1d74832ddac
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Thu Jan 10 15:39:15 2013 -0500
Traverse tokens like we do with OpenSSL for NSS
When PKINIT is built with NSS, change how it traverses tokens to match
the way it's done when built using OpenSSL: ignore slot names (we used
to treat the token label as a possible slot label, too), and either only
look at the token with the specified label, or the first token if no
token label was specified.
src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 29 +++++++++++------------
1 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 2ef8ffd..f9e9b97 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2098,7 +2098,7 @@ crypto_load_pkcs11(krb5_context context,
PK11SlotInfo *slot;
char *spec;
size_t spec_size;
- const char *label, *id, *slotname, *tokenname;
+ const char *label, *id, *tokenname;
SECStatus status;
int i, j;
@@ -2166,21 +2166,16 @@ crypto_load_pkcs11(krb5_context context,
(i < module->module->slotCount) &&
((slot = module->module->slots[i]) != NULL);
i++) {
+ if (idopts->slotid != PK_NOSLOT) {
+ if (idopts->slotid != PK11_GetSlotID(slot))
+ continue;
+ }
+ tokenname = PK11_GetTokenName(slot);
+ if (tokenname == NULL || strlen(tokenname) == 0)
+ continue;
if (idopts->token_label != NULL) {
- label = idopts->token_label;
- slotname = PK11_GetSlotName(slot);
- tokenname = PK11_GetTokenName(slot);
- if ((slotname != NULL) && (tokenname != NULL)) {
- if ((strcmp(label, slotname) != 0) &&
- (strcmp(label, tokenname) != 0))
- continue;
- } else if (slotname != NULL) {
- if (strcmp(label, slotname) != 0)
- continue;
- } else if (tokenname != NULL) {
- if (strcmp(label, tokenname) != 0)
- continue;
- }
+ if (strcmp(idopts->cert_label, tokenname) != 0)
+ continue;
}
/* Load private keys and their certs from this slot. */
label = idopts->cert_label;
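Review bot: The added comparison `if (strcmp(idopts->cert_label, tokenname) != 0)` sits under a guard on `idopts->token_label` but reads `idopts->cert_label`, so the configured token label is never actually matched against the token name. The commit message says only the token with the specified label should be examined; as written, tokens are selected or skipped according to the certificate label instead. If a token label is set while `cert_label` is unset (nothing in this hunk checks it), `strcmp` is handed a NULL pointer, which is undefined behaviour and would typically crash the process loading the identity. The line should read `if (strcmp(idopts->token_label, tokenname) != 0)`. crypto_load_pkcs11 starts and ends outside this hunk.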
@@ -2188,6 +2183,10 @@ crypto_load_pkcs11(krb5_context context,
if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx,
slot, label, id) == 0)
status = SECSuccess;
+ /* If no label was specified, then we've looked at a token, so we're
+ * done. */
+ if (idopts->token_label == NULL)
+ break;
}
return status;
}
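Review bot: The added comment "If no label was specified" is ambiguous, because this loop handles both a token label and a cert label, and it does not say that the `break` is taken whether or not `cert_load_certs_with_keys_from_slot` succeeded. I would reword it as `/* If no token label was specified, examine only the first token that passes the slot-id and name checks (as the OpenSSL code does), whether or not it yielded a usable key. */`. This is worth stating because, with several tokens present and no token label configured, the identity that gets used appears to depend on slot enumeration order. The loop and the function begin outside this hunk.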