pkinit plugin logic in pkinit_srv.c

Robbie Harwood rharwood at
Thu Aug 24 11:12:56 EDT 2017

Craig Huckabee <craig.huckabee at> writes:

> While running some tests with the latest development builds, I noticed
> that the plugin test logic in pkinit_srv.c might be flawed.  The
> comment in the plugin check codes says:
>      /*
>      * Check the certificate against each certauth module.  For the certificate
>      * to be authorized at least one module must return 0, and no module can an
>      * error code other than KRB5_PLUGIN_NO_HANDLE (pass).  Add indicators from
>      * modules that return 0 or pass.
>      */
> but that’s not really true as each plugin returns
> KRB5KDC_ERR_CLIENT_NAME_MISMATCH when a match is not found.  This
> means the first plugin that fails kicks out of that loop and no other
> checks are performed.  I noticed this specifically because we were
> testing with certs that need the dbmatch module to work but it was
> never being called.
> Attached is a small patch that allows KRB5KDC_ERR_CLIENT_NAME_MISMATCH
> to be ignored and that will jump out of the loop on the first accepted
> match.

Hi, I'm not seeing a patch attached.  Also, if you prefer, we do accept
PRs on github:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
Url :

More information about the krbdev mailing list