Only require one valid pkinit anchor/pool value 1163/head
authorKen Hornstein <kenh@cmf.nrl.navy.mil>
Thu, 25 Feb 2021 01:20:39 +0000 (20:20 -0500)
committerGreg Hudson <ghudson@mit.edu>
Mon, 8 Mar 2021 23:33:04 +0000 (18:33 -0500)
When processing pkinit_anchor or pkinit_pool values, return
successfully if at least one value is successfully loaded (or if none
are configured).

pkinit_identity_prompt() was the backstop against trying anonymous
PKINIT without configured anchors.  After this change it no longer is,
so add an explicit check for no anchors in pkinit_client_process().

[ghudson@mit.edu: added code to clear ignored errors; made minor style
edits; added no-anchors check]

ticket: 8988 (new)

src/plugins/preauth/pkinit/pkinit_clnt.c
src/plugins/preauth/pkinit/pkinit_identity.c

index 2817cc213bb4191ed20dfc219e0f3b8f153cfab6..d29b03dfb6ad05cb9e93e9b9e6de22b01c880a73 100644 (file)
@@ -1101,6 +1101,11 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
     }
 
     if (processing_request) {
+        if (reqctx->idopts->anchors == NULL) {
+            krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
+                                   _("No pkinit_anchors supplied"));
+            return KRB5_PREAUTH_FAILED;
+        }
         pkinit_client_profile(context, plgctx, reqctx, cb, rock,
                               &request->server->realm);
         /* Pull in PINs and passwords for identities which we deferred
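Review bot: The new `reqctx->idopts->anchors == NULL` check runs before `pkinit_client_profile()`, so if that call is what fills `idopts->anchors` from the profile (its body is not visible in this hunk), a client whose anchors are configured only in the profile would be rejected with "No pkinit_anchors supplied". The commit message makes this check the only remaining backstop against anonymous PKINIT without anchors, so it should test the final anchor list. Moving the whole `if (reqctx->idopts->anchors == NULL) { ... }` block to just after the `pkinit_client_profile(...)` call would do that. The `if (processing_request)` block continues past the end of the hunk.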
index 4046b15f4d99b7e5ee5814b42d7ca530607560b5..cee448db98aaa9eceeff94ef6de67aa0c94176f5 100644 (file)
@@ -576,8 +576,9 @@ pkinit_identity_prompt(krb5_context context,
                        int do_matching,
                        krb5_principal princ)
 {
-    krb5_error_code retval = EINVAL;
+    krb5_error_code retval = 0;
     const char *signer_identity;
+    krb5_boolean valid;
     int i;
 
     pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
@@ -630,22 +631,36 @@ pkinit_identity_prompt(krb5_context context,
             goto errout;
     } /* Not anonymous principal */
 
+    /* Require at least one successful anchor if any are specified. */
+    valid = FALSE;
     for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
         retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
                                        idopts, id_cryptoctx,
                                        idopts->anchors[i], CATYPE_ANCHORS);
-        if (retval)
-            goto errout;
+        if (!retval)
+            valid = TRUE;
     }
+    if (retval && !valid)
+        goto errout;
+    krb5_clear_error_message(context);
+    retval = 0;
+
+    /* Require at least one successful intermediate if any are specified. */
+    valid = FALSE;
     for (i = 0; idopts->intermediates != NULL
              && idopts->intermediates[i] != NULL; i++) {
         retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
                                        idopts, id_cryptoctx,
                                        idopts->intermediates[i],
                                        CATYPE_INTERMEDIATES);
-        if (retval)
-            goto errout;
+        if (!retval)
+            valid = TRUE;
     }
+    if (retval && !valid)
+        goto errout;
+    krb5_clear_error_message(context);
+    retval = 0;
+
     for (i = 0; idopts->crls != NULL && idopts->crls[i] != NULL; i++) {
         retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx,
                                        idopts, id_cryptoctx, idopts->crls[i],
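Review bot: Per-value failures in the anchor and intermediate loops are now discarded without any record, because `retval` is overwritten by the next iteration and `krb5_clear_error_message(context)` wipes the message. A missing or unreadable anchor therefore silently shrinks the trust set, and an administrator cannot tell which configured value was skipped. I would log each ignored failure by adding an `else` to `if (!retval)`, for example `else pkiDebug("%s: ignoring anchor %d, error %d\n", __FUNCTION__, i, (int)retval);`, and do the same in the intermediates loop. As a smaller style point, the two loops now differ only in the list and the CATYPE constant and could share a helper that reports whether at least one value loaded. The function body starts before this hunk and continues after it; the crls loop is cut at the last line.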