From: Sam Hartman Date: Wed, 23 Dec 2009 21:09:39 +0000 (+0000) Subject: If the anonymous principal is used, then do not initialize the X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=025aeacd867d25dee707c83757ea508fedce670b;p=thirdparty%2Fkrb5.git If the anonymous principal is used, then do not initialize the identity context. # Please enter the commit message for your changes. Lines starting # with '#' will be ignored, and an empty message aborts the commit. # On branch anonymous # Your branch is ahead of 'krb5/trunk' by 3 commits. # # Changes to be committed: # (use "git reset HEAD ..." to unstage) # # modified: ../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c # modified: ../src/plugins/preauth/pkinit/pkinit_identity.c # # Untracked files: # (use "git add ..." to include in what will be committed) # # ./ ../src/include/autoconf.stmp # ../static/ git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23489 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 5dc74798eb..bfb3bf1584 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -821,7 +821,11 @@ cms_signeddata_create(krb5_context context,
 X509 *cert = NULL;
 ASN1_OBJECT *oid = NULL;
 
- /* start creating PKCS7 data */
+ if (id_cryptoctx->my_certs == NULL) {
+ krb5_set_error_message(context, EINVAL, "cms_signdata_create called with no certificates");
+ return EINVAL;
+ }
+/* start creating PKCS7 data */
 if ((p7 = PKCS7_new()) == NULL)
 goto cleanup;
 p7->type = OBJ_nid2obj(NID_pkcs7_signed);
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index aef0393610..dfb9dd71ee 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
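Review bot: The new error string names `cms_signdata_create`, but the function this guard sits in is `cms_signeddata_create` (per the hunk header), so the message points a reader at a function that does not exist; use the real name or the macro the tree already uses, e.g. `krb5_set_error_message(context, EINVAL, "%s called with no certificates", __FUNCTION__);`. The guard returns EINVAL directly rather than through the function's `cleanup` label; that looks safe at this point because `cert` and `oid` are still NULL and `p7` has not been created yet, but the function starts outside the hunk, so confirm nothing acquired earlier needs releasing. The check also dereferences `id_cryptoctx` without a NULL test, which is fine only if every caller guarantees a non-NULL identity context — not visible here, and worth a one-line comment stating that assumption. The re-added `/* start creating PKCS7 data */` comment lost its indentation (it now begins at column 0); reindent it to match the surrounding statements.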
@@ -505,65 +505,67 @@ pkinit_identity_initialize(krb5_context context, int i; pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx); - if (idopts == NULL || id_cryptoctx == NULL) - goto errout; - - /* - * If identity was specified, use that. (For the kdc, this - * is specified as pkinit_identity in the kdc.conf. For users, - * this is specified on the command line via X509_user_identity.) - * If a user did not specify identity on the command line, - * then we will try alternatives which may have been specified - * in the config file. - */ - if (idopts->identity != NULL) { - retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx, - idopts, id_cryptoctx, - idopts->identity); - } else if (idopts->identity_alt != NULL) { - for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) - retval = process_option_identity(context, plg_cryptoctx, - req_cryptoctx, idopts, - id_cryptoctx, - idopts->identity_alt[i]); - } else { - pkiDebug("%s: no user identity options specified\n", __FUNCTION__); - goto errout; - } - if (retval) - goto errout; - - retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx, - idopts, id_cryptoctx, princ); - if (retval) - goto errout; + if (!krb5_principal_compare (context, princ, krb5_anonymous_principal())) { + if (idopts == NULL || id_cryptoctx == NULL) + goto errout; - if (do_matching) { - retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx, princ); - if (retval) { - pkiDebug("%s: No matching certificate found\n", __FUNCTION__); - crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx); + /* + * If identity was specified, use that. (For the kdc, this + * is specified as pkinit_identity in the kdc.conf. For users, + * this is specified on the command line via X509_user_identity.) + * If a user did not specify identity on the command line, + * then we will try alternatives which may have been specified + * in the config file. 
+ */ + if (idopts->identity != NULL) { + retval = process_option_identity(context, plg_cryptoctx, req_cryptoctx, + idopts, id_cryptoctx, + idopts->identity); + } else if (idopts->identity_alt != NULL) { + for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) + retval = process_option_identity(context, plg_cryptoctx, + req_cryptoctx, idopts, + id_cryptoctx, + idopts->identity_alt[i]); + } else { + pkiDebug("%s: no user identity options specified\n", __FUNCTION__); goto errout; } - } else { - /* Tell crypto code to use the "default" */ - retval = crypto_cert_select_default(context, plg_cryptoctx, - req_cryptoctx, id_cryptoctx); - if (retval) { - pkiDebug("%s: Failed while selecting default certificate\n", - __FUNCTION__); - crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx); + if (retval) + goto errout; + + retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx, + idopts, id_cryptoctx, princ); + if (retval) goto errout; + + if (do_matching) { + retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx, princ); + if (retval) { + pkiDebug("%s: No matching certificate found\n", __FUNCTION__); + crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx); + goto errout; + } + } else { + /* Tell crypto code to use the "default" */ + retval = crypto_cert_select_default(context, plg_cryptoctx, + req_cryptoctx, id_cryptoctx); + if (retval) { + pkiDebug("%s: Failed while selecting default certificate\n", + __FUNCTION__); + crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx); + goto errout; + } } - } - retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx); - if (retval) - goto errout; + retval = crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx); + if (retval) + goto errout; + } /*not anonymous principal*/ for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) { retval = 
process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,