pkinit plugin logic in pkinit_srv.c
Robbie Harwood
rharwood at redhat.com
Thu Aug 24 11:12:56 EDT 2017
Craig Huckabee <craig.huckabee at spawar.navy.mil> writes:
> While running some tests with the latest development builds, I noticed
> that the plugin test logic in pkinit_srv.c might be flawed. The
> comment in the plugin check codes says:
>
> /*
> * Check the certificate against each certauth module. For the certificate
> * to be authorized at least one module must return 0, and no module can an
> * error code other than KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from
> * modules that return 0 or pass.
> */
>
> but that’s not really true as each plugin returns
> KRB5KDC_ERR_CLIENT_NAME_MISMATCH when a match is not found. This
> means the first plugin that fails kicks out of that loop and no other
> checks are performed. I noticed this specifically because we were
> testing with certs that need the dbmatch module to work but it was
> never being called.
>
> Attached is a small patch that allows KRB5KDC_ERR_CLIENT_NAME_MISMATCH
> to be ignored and that will jump out of the loop on the first accepted
> match.

Hi, I'm not seeing a patch attached. Also, if you prefer, we do accept
PRs on github: https://github.com/krb5/krb5/

Thanks,
--Robbie
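To make the loop behaviour Craig describes concrete, here is an added, self-contained C model of the certauth check; it is not krb5 code, the error-code values and the two stand-in modules (a SAN matcher and a dbmatch-style matcher) are constructed placeholders, and the second function implements the change the post proposes (treat a CLIENT_NAME_MISMATCH from one module as a pass, stop at the first accepting module).

```c
#include <stddef.h>
#include <string.h>

/* Placeholder return codes standing in for the krb5 codes named in the thread
 * (constructed values, not the real krb5 error numbers). */
enum { AUTHORIZED = 0, PLUGIN_NO_HANDLE = 1, CLIENT_NAME_MISMATCH = 2, OTHER_ERROR = 3 };

typedef int (*certauth_fn)(const char *cert);

/* Constructed stand-ins for two certauth modules; each accepts only its own
 * attribute and reports CLIENT_NAME_MISMATCH otherwise. Call counters show
 * whether a later module ever ran. */
static int san_calls, dbmatch_calls;
static int san_module(const char *cert) {
    san_calls++;
    return strstr(cert, "san=alice") ? AUTHORIZED : CLIENT_NAME_MISMATCH;
}
static int dbmatch_module(const char *cert) {
    dbmatch_calls++;
    return strstr(cert, "db=alice") ? AUTHORIZED : CLIENT_NAME_MISMATCH;
}

/* Loop as the post reports it behaves: any code other than NO_HANDLE ends the
 * loop, so the first mismatching module rejects before later ones run. */
int authorize_reported(certauth_fn *mods, size_t n, const char *cert) {
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        int ret = mods[i](cert);
        if (ret == PLUGIN_NO_HANDLE) continue;
        if (ret != AUTHORIZED) return ret;   /* first mismatch kicks out */
        accepted = 1;
    }
    return accepted ? AUTHORIZED : CLIENT_NAME_MISMATCH;
}

/* Loop with the change the post proposes: a mismatch from one module counts
 * as a pass, the first accepting module ends the loop, and any other error
 * still rejects the certificate. */
int authorize_proposed(certauth_fn *mods, size_t n, const char *cert) {
    for (size_t i = 0; i < n; i++) {
        int ret = mods[i](cert);
        if (ret == PLUGIN_NO_HANDLE || ret == CLIENT_NAME_MISMATCH) continue;
        if (ret != AUTHORIZED) return ret;
        return AUTHORIZED;                   /* first accepted match */
    }
    return CLIENT_NAME_MISMATCH;             /* nobody accepted */
}

void reset_counts(void) { san_calls = dbmatch_calls = 0; }
```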