[27747] in CVS-changelog-for-Kerberos-V5
krb5 commit: Don't fail if a candidate certificate has no SANs
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon May 13 02:00:10 2013
Date: Mon, 13 May 2013 02:00:04 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201305130600.r4D604Cv010983@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/2a39ca97af97ddd508262eab33e5a0fa6abc4b00
commit 2a39ca97af97ddd508262eab33e5a0fa6abc4b00
Author: Nalin Dahyabhai <nalin@redhat.com>
Date: Mon Jan 14 13:57:54 2013 -0500
Don't fail if a candidate certificate has no SANs
When we're doing certificate matching and we're asked for the list of
SAN values for a certifiate, and it contains none, don't return an
error, as that will eventually cause the module to just return an error.
Instead, just return an empty list of SAN values so that processing will
continue on to check if other certificates match.
src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 8 ++------
1 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 2690198..1aae614 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -3161,12 +3161,8 @@ crypto_cert_get_matching_data(krb5_context context,
md->ku_bits = cert_get_ku_bits(context, cert_handle->cert);
md->eku_bits = cert_get_eku_bits(context, cert_handle->cert, PR_FALSE);
if (cert_retrieve_cert_sans(context, cert_handle->cert,
- &md->sans, &md->sans, NULL) != 0) {
- free(md->subject_dn);
- free(md->issuer_dn);
- free(md);
- return ENOMEM;
- }
+ &md->sans, &md->sans, NULL) != 0)
+ md->sans = NULL;
*ret_data = md;
return 0;
}
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5