pkinit plugin logic in pkinit_srv.c
craig.huckabee at spawar.navy.mil
Thu Aug 24 09:39:22 EDT 2017
While running some tests with the latest development builds, I noticed that the plugin test logic in pkinit_srv.c might be flawed. The comment in the plugin check code says:
* Check the certificate against each certauth module. For the certificate
* to be authorized at least one module must return 0, and no module can an
* error code other than KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from
* modules that return 0 or pass.
but that’s not really true as each plugin returns KRB5KDC_ERR_CLIENT_NAME_MISMATCH when a match is not found. This means the first plugin that fails kicks out of that loop and no other checks are performed. I noticed this specifically because we were testing with certs that need the dbmatch module to work but it was never being called.
Attached is a small patch that allows KRB5KDC_ERR_CLIENT_NAME_MISMATCH to be ignored and that will jump out of the loop on the first accepted match.
Attachment (1753 bytes): http://mailman.mit.edu/pipermail/krbdev/attachments/20170824/0d7eecfb/attachment.bin