From 9fe3a53f6dc9807390ef8b15f5ad0f5e5dfa826f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Thu, 31 May 2007 20:58:07 +0000 Subject: [PATCH] Allow turning off sending trustedCertifiers in the request. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20752 ec53bebd-3082-4978-b11e-865c3cabbd6b --- lib/krb5/pkinit.c | 45 ++++++++++++++++++++++++++++----------------- 1 file changed, 28 insertions(+), 17 deletions(-) diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c index 4d8f5a71b..c0840225a 100644 --- a/lib/krb5/pkinit.c +++ b/lib/krb5/pkinit.c @@ -83,10 +83,11 @@ struct krb5_pk_init_ctx_data { struct krb5_dh_moduli **m; hx509_peer_info peer; int type; - int require_binding; - int require_eku; - int require_krbtgt_otherName; - int require_hostname_match; + unsigned int require_binding:1; + unsigned int require_eku:1; + unsigned int require_krbtgt_otherName:1; + unsigned int require_hostname_match:1; + unsigned int trustedCertifiers:1; }; static void @@ -439,7 +440,6 @@ build_auth_pack(krb5_context context, return ret; } - return ret; } 
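Review bot: The switch to one-bit fields in `struct krb5_pk_init_ctx_data` means any value stored in `require_binding`, `require_eku`, `require_krbtgt_otherName`, `require_hostname_match` or the new `trustedCertifiers` is reduced to its lowest bit. An even non-zero value would read back as 0 and silently switch a certificate check off. The last hunk assigns the result of `krb5_config_get_bool_default()` straight into such a field, which is safe only if that function and `TRUE` are exactly 0 or 1; neither is visible here. Either normalise at the assignment (`ctx->trustedCertifiers = !!krb5_config_get_bool_default(...)`) or add a comment on the struct such as `/* 1-bit flags: assign only 0 or 1 */`. The struct starts before the hunk, so members not shown here may exist.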
@@ -588,18 +588,21 @@ pk_mk_padata(krb5_context context, memset(&req, 0, sizeof(req)); req.signedAuthPack = buf; - req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers)); - if (req.trustedCertifiers == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - free_PA_PK_AS_REQ(&req); - goto out; - } - ret = build_edi(context, ctx->id->hx509ctx, - ctx->id->anchors, req.trustedCertifiers); - if (ret) { - krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers"); - free_PA_PK_AS_REQ(&req); - goto out; + if (ctx->trustedCertifiers) { + + req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers)); + if (req.trustedCertifiers == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + free_PA_PK_AS_REQ(&req); + goto out; + } + ret = build_edi(context, ctx->id->hx509ctx, + ctx->id->anchors, req.trustedCertifiers); + if (ret) { + krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers"); + free_PA_PK_AS_REQ(&req); + goto out; + } } req.kdcPkId = NULL; @@ -685,6 +688,14 @@ _krb5_pk_mk_padata(krb5_context context, "pkinit_require_hostname_match", NULL); + ctx->trustedCertifiers = + krb5_config_get_bool_default(context, NULL, + TRUE, + "realms", + req_body->realm, + "pkinit_trustedCertifiers", + NULL); + return pk_mk_padata(context, ctx, req_body, nonce, md); }
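Review bot: In the `calloc` failure branch inside the new `if (ctx->trustedCertifiers)` block, `ret` is not assigned before `goto out`. The function may therefore return whatever `ret` held from the previous call, possibly 0, after setting the out-of-memory error string. These lines are carried over from the old code, but since they are re-indented here it is a good moment to add `ret = ENOMEM;` ahead of `krb5_set_error_string(context, "malloc: out of memory");`. The `out` label and the earlier assignments to `ret` are outside the hunk, so confirm what `ret` holds at this point. The empty line directly after the opening `if (ctx->trustedCertifiers) {` can also be dropped.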
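Review bot: The new option name `pkinit_trustedCertifiers` mixes case, while the neighbouring key is `pkinit_require_hostname_match`. If configuration keys are matched case-sensitively, an administrator who writes the name in lower case would silently keep the default of TRUE. Consider an all-lowercase name, and document the option, since the diffstat shows only `lib/krb5/pkinit.c` changed. A comment above the lookup would help, for example `/* send our trust anchors as trustedCertifiers in the PA-PK-AS-REQ; default on */`, plus a sentence on whether disabling it changes anything beyond the request contents. `_krb5_pk_mk_padata` begins before the hunk.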