krb5 commit: Don't ask empty responder questions in PKINIT

Greg Hudson ghudson at MIT.EDU
Mon Jul 22 12:25:49 EDT 2013 

https://github.com/krb5/krb5/commit/b37a0be87e5146d730b89abd1378a3043d5015b2
commit b37a0be87e5146d730b89abd1378a3043d5015b2
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Fri Jul 19 11:33:20 2013 -0400

    Don't ask empty responder questions in PKINIT
    
    When putting together the set of identity prompts for a responder
    challenge, if we don't need a PIN or password of some kind, don't ask
    an empty question.
    
    [ghudson at mit.edu: squashed commits, modified commit message, merged
    PKCS11 test with current Python script]

 src/plugins/preauth/pkinit/pkinit_clnt.c |    7 +++++++
 src/tests/responder.c                    |    8 ++++----
 src/tests/t_pkinit.py                    |   28 +++++++++++++++++++++++-----
 3 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index f708856..9d7d7bd 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1126,6 +1126,13 @@ pkinit_client_prep_questions(krb5_context context,
         continue;
     n = i;
 
+    /* Make sure we don't just return an empty challenge. */
+    if (n == 0) {
+        pkiDebug("%s: no questions to ask\n", __FUNCTION__);
+        retval = 0;
+        goto cleanup;
+    }
+
     /* Create the top-level object. */
     retval = k5_json_object_create(&jval);
     if (retval != 0)
diff --git a/src/tests/responder.c b/src/tests/responder.c
index 57106ff..13623d8 100644
--- a/src/tests/responder.c
+++ b/src/tests/responder.c
@@ -100,11 +100,11 @@ responder(krb5_context ctx, void *rawdata, krb5_responder_context rctx)
             *value++ = '\0';
         /* Read the challenge. */
         challenge = krb5_responder_get_challenge(ctx, rctx, key);
-        if (challenge == NULL)
-            challenge = "";
-        /* See if the expected challenge looks like JSON-encoded data. */
         err = k5_json_decode(value, &decoded1);
-        if (err != 0) {
+        /* Check for "no challenge". */
+        if (challenge == NULL && *value == '\0') {
+            fprintf(stderr, "OK: (no challenge) == (no challenge)\n");
+        } else if (err != 0) {
             /* It's not JSON, so assume we're just after a string compare. */
             if (strcmp(challenge, value) == 0) {
                 fprintf(stderr, "OK: \"%s\" == \"%s\"\n", challenge, value);
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index fd1db92..7b20fa3 100644
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -89,7 +89,7 @@ realm.run_kadminl('delprinc -force WELLKNOWN/ANONYMOUS')
 # Run the basic test - PKINIT with FILE: identity, with no password on the key.
 realm.run(['./responder',
            '-x',
-           'pkinit={}',
+           'pkinit=',
            '-X',
            'X509_user_identity=%s' % file_identity,
            'user@%s' % realm.realm])
@@ -144,7 +144,7 @@ shutil.copy(user_pem, os.path.join(path, 'user.crt'))
 shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
 realm.run(['./responder',
            '-x',
-           'pkinit={}',
+           'pkinit=',
            '-X',
            'X509_user_identity=%s' % dir_identity,
            'user@%s' % realm.realm])
@@ -195,7 +195,7 @@ realm.run([kvno, realm.host_princ])
 # PKINIT with PKCS12: identity, with no password on the bundle.
 realm.run(['./responder',
            '-x',
-           'pkinit={}',
+           'pkinit=',
            '-X',
            'X509_user_identity=%s' % p12_identity,
            'user@%s' % realm.realm])
@@ -243,13 +243,31 @@ realm.run([kvno, realm.host_princ])
 
 if have_soft_pkcs11:
     softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
+    realm.env['SOFTPKCS11RC'] = softpkcs11rc
+
+    # PKINIT with PKCS11: identity, with no need for a PIN.
     conf = open(softpkcs11rc, 'w')
     conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
-                                     privkey_enc_pem))
+                                     privkey_pem))
     conf.close()
-    realm.env['SOFTPKCS11RC'] = softpkcs11rc
+    # Expect to succeed without having to supply any more information.
+    realm.run(['./responder',
+               '-x',
+               'pkinit=',
+               '-X',
+               'X509_user_identity=%s' % p11_identity,
+               'user@%s' % realm.realm])
+    realm.kinit('user@%s' % realm.realm,
+                flags=['-X', 'X509_user_identity=%s' % p11_identity])
+    realm.klist('user@%s' % realm.realm)
+    realm.run([kvno, realm.host_princ])
 
     # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
+    os.remove(softpkcs11rc)
+    conf = open(softpkcs11rc, 'w')
+    conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
+                                     privkey_enc_pem))
+    conf.close()
     # Expect failure if the responder does nothing, and there's no prompter
     realm.run(['./responder',
                '-x',

More information about the cvs-krb5 mailing list