Don't fail if a candidate certificate has no SANs

When we're doing certificate matching and we're asked for the list of SAN values for a certifiate, and it contains none, don't return an error, as that will eventually cause the module to just return an error. Instead, just return an empty list of SAN values so that processing will continue on to check if other certificates match.
krb5 · May 10, 2013 · 2a39ca9 · 2a39ca9
1 parent 1e8ec64
commit 2a39ca9
Showing 1 changed file with 2 additions and 6 deletions.
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -3161,12 +3161,8 @@ crypto_cert_get_matching_data(krb5_context context,
     md->ku_bits = cert_get_ku_bits(context, cert_handle->cert);
     md->eku_bits = cert_get_eku_bits(context, cert_handle->cert, PR_FALSE);
     if (cert_retrieve_cert_sans(context, cert_handle->cert,
-                                &md->sans, &md->sans, NULL) != 0) {
-        free(md->subject_dn);
-        free(md->issuer_dn);
-        free(md);
-        return ENOMEM;
-    }
+                                &md->sans, &md->sans, NULL) != 0)
+        md->sans = NULL;
     *ret_data = md;
     return 0;
 }