krb5 commit: Only require one valid pkinit anchor/pool value
Greg Hudson
ghudson at mit.edu
Mon Mar 8 18:52:00 EST 2021
https://github.com/krb5/krb5/commit/414cf4152c9743ca3aaef4cf9fb13628ec5f7896
commit 414cf4152c9743ca3aaef4cf9fb13628ec5f7896
Author: Ken Hornstein <kenh at cmf.nrl.navy.mil>
Date: Wed Feb 24 20:20:39 2021 -0500
Only require one valid pkinit anchor/pool value
When processing pkinit_anchor or pkinit_pool values, return
successfully if at least one value is successfully loaded (or if none
are configured).
pkinit_identity_prompt() was the backstop against trying anonymous
PKINIT without configured anchors. After this change it no longer is,
so add an explicit check for no anchors in pkinit_client_process().
[ghudson at mit.edu: added code to clear ignored errors; made minor style
edits; added no-anchors check]
ticket: 8988 (new)
src/plugins/preauth/pkinit/pkinit_clnt.c | 5 +++++
src/plugins/preauth/pkinit/pkinit_identity.c | 25 ++++++++++++++++++++-----
2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 2817cc2..d29b03d 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1101,6 +1101,11 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
}
if (processing_request) {
+ if (reqctx->idopts->anchors == NULL) {
+ krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
+ _("No pkinit_anchors supplied"));
+ return KRB5_PREAUTH_FAILED;
+ }
pkinit_client_profile(context, plgctx, reqctx, cb, rock,
&request->server->realm);
/* Pull in PINs and passwords for identities which we deferred
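Review bot: The new `reqctx->idopts->anchors == NULL` check runs before `pkinit_client_profile()` is called for the request realm; if that call is where a realm-scoped `pkinit_anchors` setting is merged into `reqctx->idopts`, a deployment that configures anchors only in the realm subsection would be rejected here with "No pkinit_anchors supplied" before the profile is read — confirm the load order and, if so, move the check after the profile call. The check itself is sound as a guard against attempting anonymous PKINIT with an empty trust set, which the commit message says `pkinit_identity_prompt()` no longer guarantees. The enclosing function `pkinit_client_process()` starts and ends outside the hunk.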
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 4046b15..cee448d 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -576,8 +576,9 @@ pkinit_identity_prompt(krb5_context context,
int do_matching,
krb5_principal princ)
{
- krb5_error_code retval = EINVAL;
+ krb5_error_code retval = 0;
const char *signer_identity;
+ krb5_boolean valid;
int i;
pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
@@ -630,22 +631,36 @@ pkinit_identity_prompt(krb5_context context,
goto errout;
} /* Not anonymous principal */
+ /* Require at least one successful anchor if any are specified. */
+ valid = FALSE;
for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx,
idopts->anchors[i], CATYPE_ANCHORS);
- if (retval)
- goto errout;
+ if (!retval)
+ valid = TRUE;
}
+ if (retval && !valid)
+ goto errout;
+ krb5_clear_error_message(context);
+ retval = 0;
+
+ /* Require at least one successful intermediate if any are specified. */
+ valid = FALSE;
for (i = 0; idopts->intermediates != NULL
&& idopts->intermediates[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx,
idopts->intermediates[i],
CATYPE_INTERMEDIATES);
- if (retval)
- goto errout;
+ if (!retval)
+ valid = TRUE;
}
+ if (retval && !valid)
+ goto errout;
+ krb5_clear_error_message(context);
+ retval = 0;
+
for (i = 0; idopts->crls != NULL && idopts->crls[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx, idopts->crls[i],
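Review bot: A failing anchor or intermediate entry is now dropped silently: the loop records `valid = TRUE` on success but leaves no trace of the entries it ignored, and `krb5_clear_error_message()` then discards the only description of the failure. A misconfigured or unreadable anchor path thereby shrinks the trust set without any diagnostic, so each ignored failure should at least be reported through the file's existing debug facility, e.g. `else pkiDebug("%s: ignoring anchor %s: %ld\n", __FUNCTION__, idopts->anchors[i], (long)retval);` in the anchors loop and the corresponding line for intermediates. Separately, the `if (retval && !valid)` guard after the anchors loop relies on `retval` still being 0 from its initialization when the anchor list is empty, whereas the intermediates loop is preceded by an explicit `retval = 0;`; adding the same reset before the anchors loop removes the dependence on the code between the declaration and this hunk. `pkinit_identity_prompt()` continues past the end of the hunk.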