From 7f61137222e557be1ca569b24563271f705dd020 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 4 Feb 2009 22:03:58 +0000
Subject: [PATCH] Use HX509_CMS_VS_ALLOW_ZERO_SIGNER for anonymous requests. Move the check client/anonoymous logic here

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24577 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/pkinit.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 2a5b9ba2c..016318c13 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -531,10 +531,14 @@ _kdc_pk_rd_padata(krb5_context context,
 
     {
         hx509_certs signer_certs;
+        int flags = HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH; /* BTMM */
+
+        if (req->req_body.kdc_options.request_anonymous)
+            flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
 
         ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
                                       kdc_identity->verify_ctx,
-                                      HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH,
+                                      flags,
                                       signed_content.data,
                                       signed_content.length,
                                       NULL,
@@ -550,9 +554,11 @@ _kdc_pk_rd_padata(krb5_context context,
             goto out;
         }
 
-        ret = hx509_get_one_cert(kdc_identity->hx509ctx, signer_certs,
-                                 &client_params->cert);
-        hx509_certs_free(&signer_certs);
+        if (signer_certs) {
+            ret = hx509_get_one_cert(kdc_identity->hx509ctx, signer_certs,
+                                     &client_params->cert);
+            hx509_certs_free(&signer_certs);
+        }
         if (ret)
             goto out;
     }
@@ -1414,6 +1420,13 @@ _kdc_pk_check_client(krb5_context context,
     hx509_name name;
     int i;
 
+    if (client_params->cert == NULL) {
+        *subject_name = strdup("anonymous client client");
+        if (*subject_name == NULL)
+            return ENOMEM;
+        return 0;
+    }
+
     ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx,
                                       client_params->cert,
                                       &name);
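Review bot: The decision to accept a CMS SignedData with no signer is taken solely from `req->req_body.kdc_options.request_anonymous`, a bit the client chooses, so after this hunk an unsigned PKINIT pre-auth blob passes hx509_cms_verify_signed whenever the client asks for it; nothing in the hunk consults KDC policy on whether anonymous PKINIT is permitted, and the rest of _kdc_pk_rd_padata lies outside the hunk, so I cannot tell whether that gate exists elsewhere. A comment on the new `flags |=` line would make the dependency explicit for the next reader, e.g. `/* Unsigned request: the caller must still require anonymous PKINIT to be enabled and the client to be the anonymous principal. */`. The `/* BTMM */` tag on the flags initialiser is opaque to anyone who does not know the acronym; spell out which deployment needs the data-OID mismatch tolerated.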
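Review bot: The new `if (signer_certs)` guard leaves `client_params->cert` untouched when hx509_cms_verify_signed hands back no signer, so the function goes on with a cert pointer whose value depends on initialisation outside the hunk (presumably NULL) and with `ret` as left by the verify call. That is only safe if a NULL signer_certs can arise exclusively when HX509_CMS_VS_ALLOW_ZERO_SIGNER was set in hunk 1; an explicit rejection of the no-signer case for non-anonymous requests would make the invariant local rather than inherited from hx509, e.g. `} else if (!req->req_body.kdc_options.request_anonymous) { ret = KRB5KDC_ERR_CLIENT_NOT_TRUSTED; goto out; }` after the block. The enclosing function continues outside the hunk.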
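Review bot: The literal in the new `*subject_name = strdup("anonymous client client");` repeats the word "client"; this string presumably ends up in KDC log lines identifying the client, so it should read `*subject_name = strdup("anonymous client");`. The early return also skips every subject and principal check that follows in _kdc_pk_check_client (the rest of the body is outside the hunk), so a request with no certificate is treated as acceptable purely because hunk 1 allowed it through; if the caller does not separately require the requested client principal to be the anonymous one, a comment stating that precondition belongs on the `if (client_params->cert == NULL)` line, e.g. `/* No certificate: anonymous PKINIT; nothing here binds the request to a principal, the caller must. */`.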