From fea203a70857a1bf7ebcd3dab324aa2be3cf846e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Thu, 13 Jul 2006 18:32:45 +0000
Subject: [PATCH] (_kdc_pk_check_client): use the acl in the kerberos database
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17830 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/pkinit.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 920efd7ab..7c1c07a5d 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -1194,6 +1194,7 @@ _kdc_pk_check_client(krb5_context context,
 pk_client_params *client_params,
 char **subject_name)
 {
+ const HDB_Ext_PKINIT_acl *acl;
 krb5_error_code ret;
 hx509_name name;
 int i;
@@ -1224,6 +1225,28 @@ _kdc_pk_check_client(krb5_context context,
 }
 }
+ ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
+ if (ret == 0) {
+ /*
+ * Cheat here and compare the generated name with the string
+ * and not the reverse.
+ */
+ for (i = 0; i < acl->len; i++) {
+ if (strcmp(*subject_name, acl->val[0].subject) != 0)
+ continue;
+
+ /* Don't support isser and anchor checking right now */
+ if (acl->val[0].issuer)
+ continue;
+ if (acl->val[0].anchor)
+ continue;
+
+ kdc_log(context, config, 5,
+ "Found matching PK-INIT database ACL");
+ return 0;
+ }
+ }
+
 for (i = 0; i < principal_mappings.len; i++) {
 krb5_boolean b;
@@ -1234,11 +1257,14 @@ _kdc_pk_check_client(krb5_context context,
 continue;
 if (strcmp(principal_mappings.val[i].subject, *subject_name) != 0) continue;
+ kdc_log(context, config, 5,
+ "Found matching PK-INIT FILE ACL");
 return 0;
 }
- free(*subject_name);
+ free(*subject_name);
 *subject_name = NULL;
+ krb5_set_error_string(context, "PKINIT no matching principals");
 return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
 }
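Review bot: The loop over the database ACL in the second hunk indexes `acl->val[0]` on every iteration instead of `acl->val[i]`, so only the first ACL entry is ever consulted and the subject, issuer and anchor tests all re-read that same element `acl->len` times; the three lines should read `if (strcmp(*subject_name, acl->val[i].subject) != 0)`, `if (acl->val[i].issuer)` and `if (acl->val[i].anchor)`. As written, any entry after the first is silently never honoured, so a client whose certificate subject appears only later in the list falls through to the file-based mapping and is refused. The `ret != 0` branch also falls through quietly, which is fine if hdb_entry_get_pkinit_acl is non-zero only when the entry carries no PKINIT ACL extension, but a genuine decode failure would then be indistinguishable from "no ACL" — presumably intended, and worth a one-line comment saying so. The comment has a typo, `isser` for `issuer`, and _kdc_pk_check_client begins before this hunk and ends in the next one.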
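Review bot: In the third hunk the mismatch path frees `*subject_name` before the new krb5_set_error_string call, so the subject that failed to match is lost to both the error text and the KDC log, whereas both success paths now log their match at level 5. For an operator diagnosing a rejected PK-INIT logon that subject is the most useful datum; log it before it is released, e.g. `kdc_log(context, config, 5, "PKINIT no matching principals for %s", *subject_name);` placed immediately above `free(*subject_name);`, assuming kdc_log accepts a printf-style format, which this hunk alone does not show. The `-`/`+` pair on `free(*subject_name);` appears to be a whitespace-only change and could be dropped from the patch to keep the diff to its intent. _kdc_pk_check_client begins before this hunk.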