krb5 commit: Only require one valid pkinit anchor/pool value
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Mar 8 18:52:08 2021
Date: Mon, 8 Mar 2021 18:52:00 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202103082352.128Nq0Lx026997@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
https://github.com/krb5/krb5/commit/414cf4152c9743ca3aaef4cf9fb13628ec5f7896
commit 414cf4152c9743ca3aaef4cf9fb13628ec5f7896
Author: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Date: Wed Feb 24 20:20:39 2021 -0500
Only require one valid pkinit anchor/pool value
When processing pkinit_anchors or pkinit_pool values, return
successfully if at least one value is successfully loaded (or if none
are configured).
pkinit_identity_prompt() was the backstop against trying anonymous
PKINIT without configured anchors. After this change it no longer is,
so add an explicit check for no anchors in pkinit_client_process().
[ghudson@mit.edu: added code to clear ignored errors; made minor style
edits; added no-anchors check]
ticket: 8988 (new)
src/plugins/preauth/pkinit/pkinit_clnt.c | 5 +++++
src/plugins/preauth/pkinit/pkinit_identity.c | 25 ++++++++++++++++++++-----
2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 2817cc2..d29b03d 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1101,6 +1101,11 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
}
if (processing_request) {
+ if (reqctx->idopts->anchors == NULL) {
+ krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
+ _("No pkinit_anchors supplied"));
+ return KRB5_PREAUTH_FAILED;
+ }
pkinit_client_profile(context, plgctx, reqctx, cb, rock,
&request->server->realm);
/* Pull in PINs and passwords for identities which we deferred
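Review bot: The new no-anchors check on the added lines runs before the `pkinit_client_profile()` call that immediately follows it; if that call is where the realm-specific `pkinit_anchors` values are read into `reqctx->idopts` (its body is outside the hunk, so this is inferred), a client whose anchors are configured only under its realm would be rejected with "No pkinit_anchors supplied" before they are ever loaded. Moving the four added lines to just after `pkinit_client_profile(context, plgctx, reqctx, cb, rock, &request->server->realm);` would let the check see the fully populated options. The check also only catches a NULL pointer; if the option loader can yield an empty list, `if (reqctx->idopts->anchors == NULL || reqctx->idopts->anchors[0] == NULL)` would keep the intended backstop, since the rewritten loop in pkinit_identity_prompt() accepts an empty list without error. pkinit_client_process() begins and continues outside the hunk.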
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 4046b15..cee448d 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -576,8 +576,9 @@ pkinit_identity_prompt(krb5_context context,
int do_matching,
krb5_principal princ)
{
- krb5_error_code retval = EINVAL;
+ krb5_error_code retval = 0;
const char *signer_identity;
+ krb5_boolean valid;
int i;
pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
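Review bot: Changing the initializer on the replaced line from `EINVAL` to 0 means any path in pkinit_identity_prompt() that jumps to `errout` without first assigning `retval` now reports success instead of EINVAL; the body between this hunk and the next (file lines 584-629) is not visible here, so whether such a path exists cannot be confirmed from the diff. It would be worth checking the function for bare `goto errout` statements, or keeping `krb5_error_code retval = EINVAL;` and assigning `retval = 0` only where success is actually established. The function's body continues outside the hunk.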
@@ -630,22 +631,36 @@ pkinit_identity_prompt(krb5_context context,
goto errout;
} /* Not anonymous principal */
+ /* Require at least one successful anchor if any are specified. */
+ valid = FALSE;
for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx,
idopts->anchors[i], CATYPE_ANCHORS);
- if (retval)
- goto errout;
+ if (!retval)
+ valid = TRUE;
}
+ if (retval && !valid)
+ goto errout;
+ krb5_clear_error_message(context);
+ retval = 0;
+
+ /* Require at least one successful intermediate if any are specified. */
+ valid = FALSE;
for (i = 0; idopts->intermediates != NULL
&& idopts->intermediates[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx,
idopts->intermediates[i],
CATYPE_INTERMEDIATES);
- if (retval)
- goto errout;
+ if (!retval)
+ valid = TRUE;
}
+ if (retval && !valid)
+ goto errout;
+ krb5_clear_error_message(context);
+ retval = 0;
+
for (i = 0; idopts->crls != NULL && idopts->crls[i] != NULL; i++) {
retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
idopts, id_cryptoctx, idopts->crls[i],
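Review bot: A `pkinit_anchors` or `pkinit_pool` value that fails to load is now discarded silently whenever another value succeeds — the failing `retval` is overwritten by the next iteration and `krb5_clear_error_message()` drops its text — so a missing or unparseable anchor file leaves no trace for the operator even though it changes the trusted set. A debug line in each loop's failure case, e.g. `else pkiDebug("%s: ignoring anchor %s (%d)\n", __FUNCTION__, idopts->anchors[i], (int)retval);` and the equivalent for intermediates, would preserve the diagnostic the old `goto errout` used to surface. The `if (retval && !valid)` test after each loop also relies on `retval` being 0 on entry, which holds here only because the preceding stage resets it; `if (!valid && idopts->anchors != NULL && idopts->anchors[0] != NULL)` would state the intent without that dependency. The CRL loop at the end of the hunk is cut off, so whether it keeps the original stop-on-first-error handling cannot be seen from here.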