From: Ken Hornstein
Date: Thu, 25 Feb 2021 01:20:39 +0000 (-0500)
Subject: Only require one valid pkinit anchor/pool value
X-Git-Tag: krb5-1.20-beta1~114
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=414cf4152c9743ca3aaef4cf9fb13628ec5f7896;p=thirdparty%2Fkrb5.git

Only require one valid pkinit anchor/pool value

When processing pkinit_anchor or pkinit_pool values, return successfully if at least one value is successfully loaded (or if none are configured).

pkinit_identity_prompt() was the backstop against trying anonymous PKINIT without configured anchors. After this change it no longer is, so add an explicit check for no anchors in pkinit_client_process().

[ghudson@mit.edu: added code to clear ignored errors; made minor style edits; added no-anchors check]

ticket: 8988 (new)
---
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 2817cc213b..d29b03dfb6 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1101,6 +1101,11 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
 }
 if (processing_request) {
+ if (reqctx->idopts->anchors == NULL) {
+ krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
+ _("No pkinit_anchors supplied"));
+ return KRB5_PREAUTH_FAILED;
+ }
 pkinit_client_profile(context, plgctx, reqctx, cb, rock, &request->server->realm);
 /* Pull in PINs and passwords for identities which we deferred
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 4046b15f4d..cee448db98 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
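Review bot: The new anchors check carries no explanation of why it now lives in pkinit_client_process() rather than in pkinit_identity_prompt(), which is exactly what the next maintainer needs before moving it back; a short comment above the `if` would do, e.g. `/* pkinit_identity_prompt() no longer fails on a missing anchor list, so refuse anonymous PKINIT with no anchors here. */`. The check also runs before the pkinit_client_profile() call on the following line; if that call is where profile-configured pkinit_anchors are first read for this request, the check would fire before the profile is consulted, so this presumably relies on an earlier profile load for the same request — worth confirming. pkinit_client_process() begins before this hunk and continues after it.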
@@ -576,8 +576,9 @@ pkinit_identity_prompt(krb5_context context,
 int do_matching, krb5_principal princ) {
- krb5_error_code retval = EINVAL;
+ krb5_error_code retval = 0;
 const char *signer_identity;
+ krb5_boolean valid;
 int i;
 pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
@@ -630,22 +631,36 @@ pkinit_identity_prompt(krb5_context context,
 goto errout;
 }
 /* Not anonymous principal */
+ /* Require at least one successful anchor if any are specified. */
+ valid = FALSE;
 for (i = 0; idopts->anchors != NULL && idopts->anchors[i] != NULL; i++) {
 retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->anchors[i], CATYPE_ANCHORS);
- if (retval)
- goto errout;
+ if (!retval)
+ valid = TRUE;
 }
+ if (retval && !valid)
+ goto errout;
+ krb5_clear_error_message(context);
+ retval = 0;
+
+ /* Require at least one successful intermediate if any are specified. */
+ valid = FALSE;
 for (i = 0; idopts->intermediates != NULL && idopts->intermediates[i] != NULL; i++) {
 retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->intermediates[i], CATYPE_INTERMEDIATES);
- if (retval)
- goto errout;
+ if (!retval)
+ valid = TRUE;
 }
+ if (retval && !valid)
+ goto errout;
+ krb5_clear_error_message(context);
+ retval = 0;
+
 for (i = 0; idopts->crls != NULL && idopts->crls[i] != NULL; i++) {
 retval = process_option_ca_crl(context, plg_cryptoctx, req_cryptoctx, idopts, id_cryptoctx, idopts->crls[i],
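Review bot: In the first hunk here (the declaration of retval), changing the initializer from EINVAL to 0 removes the fallback that previously turned any `goto errout` lacking an explicit error code into a failure; and because the later anchor and intermediate loops now reset `retval = 0` after a group that only partially failed, a jump to errout that relies on a stale error code would make the function report success from an error path. Every `goto errout` in this function (most of them lie outside these hunks) should be checked to set retval first, and the contract is worth stating at the declaration: `krb5_error_code retval = 0;    /* each goto errout must set this first */`. pkinit_identity_prompt() begins before the first hunk and ends after the second.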