[27748] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Traverse tokens like we do with OpenSSL for NSS

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon May 13 02:00:11 2013

Date: Mon, 13 May 2013 02:00:05 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201305130600.r4D605aK011034@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/88fe4c49320592047ae416887f27c1d74832ddac
commit 88fe4c49320592047ae416887f27c1d74832ddac
Author: Nalin Dahyabhai <nalin@redhat.com>
Date:   Thu Jan 10 15:39:15 2013 -0500

    Traverse tokens like we do with OpenSSL for NSS
    
    When PKINIT is built with NSS, change how it traverses tokens to match
    the way it's done when built using OpenSSL: ignore slot names (we used
    to treat the token label as a possible slot label, too), and either only
    look at the token with the specified label, or the first token if a no
    token label was specified.

 src/plugins/preauth/pkinit/pkinit_crypto_nss.c |   29 +++++++++++------------
 1 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 2ef8ffd..f9e9b97 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -2098,7 +2098,7 @@ crypto_load_pkcs11(krb5_context context,
     PK11SlotInfo *slot;
     char *spec;
     size_t spec_size;
-    const char *label, *id, *slotname, *tokenname;
+    const char *label, *id, *tokenname;
     SECStatus status;
     int i, j;
 
@@ -2166,21 +2166,16 @@ crypto_load_pkcs11(krb5_context context,
          (i < module->module->slotCount) &&
          ((slot = module->module->slots[i]) != NULL);
          i++) {
+        if (idopts->slotid != PK_NOSLOT) {
+            if (idopts->slotid != PK11_GetSlotID(slot))
+                continue;
+        }
+        tokenname = PK11_GetTokenName(slot);
+        if (tokenname == NULL || strlen(tokenname) == 0)
+            continue;
         if (idopts->token_label != NULL) {
-            label = idopts->token_label;
-            slotname = PK11_GetSlotName(slot);
-            tokenname = PK11_GetTokenName(slot);
-            if ((slotname != NULL) && (tokenname != NULL)) {
-                if ((strcmp(label, slotname) != 0) &&
-                    (strcmp(label, tokenname) != 0))
-                    continue;
-            } else if (slotname != NULL) {
-                if (strcmp(label, slotname) != 0)
-                    continue;
-            } else if (tokenname != NULL) {
-                if (strcmp(label, tokenname) != 0)
-                    continue;
-            }
+            if (strcmp(idopts->cert_label, tokenname) != 0)
+                continue;
         }
         /* Load private keys and their certs from this slot. */
         label = idopts->cert_label;
@@ -2188,6 +2183,10 @@ crypto_load_pkcs11(krb5_context context,
         if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx,
                                                 slot, label, id) == 0)
             status = SECSuccess;
+        /* If no label was specified, then we've looked at a token, so we're
+         * done. */
+        if (idopts->token_label == NULL)
+            break;
     }
     return status;
 }
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5

home help back first fref pref prev next nref lref last post