From: Nalin Dahyabhai
Date: Thu, 10 Jan 2013 20:39:15 +0000 (-0500)
Subject: Traverse tokens like we do with OpenSSL for NSS
X-Git-Tag: krb5-1.12-alpha1~173
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88fe4c49320592047ae416887f27c1d74832ddac;p=thirdparty%2Fkrb5.git

Traverse tokens like we do with OpenSSL for NSS

When PKINIT is built with NSS, change how it traverses tokens to match the way it's done when built using OpenSSL: ignore slot names (we used to treat the token label as a possible slot label, too), and either only look at the token with the specified label, or the first token if a no token label was specified.
---
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 2ef8ffdc03..f9e9b979aa 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2098,7 +2098,7 @@ crypto_load_pkcs11(krb5_context context,
     PK11SlotInfo *slot;
     char *spec;
     size_t spec_size;
-    const char *label, *id, *slotname, *tokenname;
+    const char *label, *id, *tokenname;
     SECStatus status;
     int i, j;
 
@@ -2166,21 +2166,16 @@ crypto_load_pkcs11(krb5_context context,
          (i < module->module->slotCount) &&
          ((slot = module->module->slots[i]) != NULL);
          i++) {
+        if (idopts->slotid != PK_NOSLOT) {
+            if (idopts->slotid != PK11_GetSlotID(slot))
+                continue;
+        }
+        tokenname = PK11_GetTokenName(slot);
+        if (tokenname == NULL || strlen(tokenname) == 0)
+            continue;
         if (idopts->token_label != NULL) {
-            label = idopts->token_label;
-            slotname = PK11_GetSlotName(slot);
-            tokenname = PK11_GetTokenName(slot);
-            if ((slotname != NULL) && (tokenname != NULL)) {
-                if ((strcmp(label, slotname) != 0) &&
-                    (strcmp(label, tokenname) != 0))
-                    continue;
-            } else if (slotname != NULL) {
-                if (strcmp(label, slotname) != 0)
-                    continue;
-            } else if (tokenname != NULL) {
-                if (strcmp(label, tokenname) != 0)
-                    continue;
-            }
+            if (strcmp(idopts->cert_label, tokenname) != 0)
+                continue;
         }
         /* Load private keys and their certs from this slot. */
         label = idopts->cert_label;
@@ -2188,6 +2183,10 @@ crypto_load_pkcs11(krb5_context context,
         if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx, slot,
                                                 label, id) == 0)
             status = SECSuccess;
+        /* If no label was specified, then we've looked at a token, so we're
+         * done. */
+        if (idopts->token_label == NULL)
+            break;
     }
     return status;
 }
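Review bot: The new token-label filter compares the wrong option: the added block is guarded by `idopts->token_label != NULL` but then calls `strcmp(idopts->cert_label, tokenname)`, so a configured token label never takes part in the match and a token is only selected when its name happens to equal the certificate label; when no certificate label is configured that call passes a NULL pointer to strcmp, which is undefined behaviour. The removed lines compared `label = idopts->token_label` against the token name, so this is a regression introduced by the rewrite rather than a pre-existing quirk. The comparison should read `if (strcmp(idopts->token_label, tokenname) != 0)`. The for-loop header this hunk sits in starts before the hunk and the loop body continues past `label = idopts->cert_label;` into the next hunk.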