From: Nalin Dahyabhai
Date: Fri, 19 Jul 2013 15:33:20 +0000 (-0400)
Subject: Don't ask empty responder questions in PKINIT
X-Git-Tag: krb5-1.12-alpha1~78
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b37a0be87e5146d730b89abd1378a3043d5015b2;p=thirdparty%2Fkrb5.git

Don't ask empty responder questions in PKINIT

When putting together the set of identity prompts for a responder challenge, if we don't need a PIN or password of some kind, don't ask an empty question.

[ghudson@mit.edu: squashed commits, modified commit message, merged PKCS11 test with current Python script]
---
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index f708856c19..9d7d7bd6e7 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -1126,6 +1126,13 @@ pkinit_client_prep_questions(krb5_context context,
 continue;
 n = i;
+ /* Make sure we don't just return an empty challenge. */
+ if (n == 0) {
+ pkiDebug("%s: no questions to ask\n", __FUNCTION__);
+ retval = 0;
+ goto cleanup;
+ }
+
 /* Create the top-level object. */
 retval = k5_json_object_create(&jval);
 if (retval != 0)
diff --git a/src/tests/responder.c b/src/tests/responder.c
index 57106ffc12..13623d8324 100644
--- a/src/tests/responder.c
+++ b/src/tests/responder.c
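Review bot: The new `goto cleanup` at `if (n == 0)` leaves pkinit_client_prep_questions before `k5_json_object_create(&jval)` runs, so a clean return depends on `jval` (and anything else released under the `cleanup` label) having been set to NULL at the top of the function, which lies outside this hunk and is worth confirming. The comment states the mechanism but not the condition; `/* No identity needs a PIN or password, so do not hand the responder an empty challenge. */` would tell the next reader why `n == 0` is the expected, successful case rather than an error. pkinit_client_prep_questions begins before the hunk and continues after it.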
@@ -100,11 +100,11 @@ responder(krb5_context ctx, void *rawdata, krb5_responder_context rctx)
 *value++ = '\0';
 /* Read the challenge. */
 challenge = krb5_responder_get_challenge(ctx, rctx, key);
- if (challenge == NULL)
- challenge = "";
- /* See if the expected challenge looks like JSON-encoded data. */
 err = k5_json_decode(value, &decoded1);
- if (err != 0) {
+ /* Check for "no challenge". */
+ if (challenge == NULL && *value == '\0') {
+ fprintf(stderr, "OK: (no challenge) == (no challenge)\n");
+ } else if (err != 0) {
 /* It's not JSON, so assume we're just after a string compare. */
 if (strcmp(challenge, value) == 0) {
 fprintf(stderr, "OK: \"%s\" == \"%s\"\n", challenge, value);
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index fd1db929f4..7b20fa37b7 100644
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -89,7 +89,7 @@ realm.run_kadminl('delprinc -force WELLKNOWN/ANONYMOUS')
 # Run the basic test - PKINIT with FILE: identity, with no password on the key.
 realm.run(['./responder',
 '-x',
- 'pkinit={}',
+ 'pkinit=',
 '-X',
 'X509_user_identity=%s' % file_identity,
 'user@%s' % realm.realm])
@@ -144,7 +144,7 @@ shutil.copy(user_pem, os.path.join(path, 'user.crt'))
 shutil.copy(user_pem, os.path.join(path_enc, 'user.crt'))
 realm.run(['./responder',
 '-x',
- 'pkinit={}',
+ 'pkinit=',
 '-X',
 'X509_user_identity=%s' % dir_identity,
 'user@%s' % realm.realm])
@@ -195,7 +195,7 @@ realm.run([kvno, realm.host_princ])
 # PKINIT with PKCS12: identity, with no password on the bundle.
 realm.run(['./responder',
 '-x',
- 'pkinit={}',
+ 'pkinit=',
 '-X',
 'X509_user_identity=%s' % p12_identity,
 'user@%s' % realm.realm])
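Review bot: Removing the `challenge = ""` fallback lets `challenge` stay NULL past the new `if (challenge == NULL && *value == '\0')` test: when the responder issues no challenge but the expected `value` is non-empty and not JSON, control falls into `else if (err != 0)` and `strcmp(challenge, value)` dereferences NULL, so what used to be a reported mismatch becomes a crash of the test harness; the JSON comparison path below the hunk presumably has the same exposure. Add an explicit mismatch case before the string compare, along the lines of `} else if (challenge == NULL) {` / `fprintf(stderr, "FAIL: (no challenge) != \"%s\"\n", value);` / followed by whatever the existing mismatch branches do to signal failure. responder() continues outside the hunk.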
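Review bot: The `pkinit=` expectation only reads as "the responder must receive no pkinit challenge" once the responder.c change is known, so the first use in this hunk deserves a one-line comment such as `# An empty expected value means no pkinit challenge may be issued.`. The same `./responder -x pkinit= -X X509_user_identity=... user@realm` invocation is now repeated verbatim here and in the hunks at lines 144 and 195 (and again in the PKCS11 block), differing only in the identity; a small helper taking the identity would keep the call sites in step the next time the expected answer changes.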
@@ -243,13 +243,31 @@ realm.run([kvno, realm.host_princ])
 if have_soft_pkcs11:
 softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc')
+ realm.env['SOFTPKCS11RC'] = softpkcs11rc
+
+ # PKINIT with PKCS11: identity, with no need for a PIN.
 conf = open(softpkcs11rc, 'w')
 conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
- privkey_enc_pem))
+ privkey_pem))
 conf.close()
- realm.env['SOFTPKCS11RC'] = softpkcs11rc
+ # Expect to succeed without having to supply any more information.
+ realm.run(['./responder',
+ '-x',
+ 'pkinit=',
+ '-X',
+ 'X509_user_identity=%s' % p11_identity,
+ 'user@%s' % realm.realm])
+ realm.kinit('user@%s' % realm.realm,
+ flags=['-X', 'X509_user_identity=%s' % p11_identity])
+ realm.klist('user@%s' % realm.realm)
+ realm.run([kvno, realm.host_princ])
 # PKINIT with PKCS11: identity, with a PIN supplied by the prompter.
+ os.remove(softpkcs11rc)
+ conf = open(softpkcs11rc, 'w')
+ conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem,
+ privkey_enc_pem))
+ conf.close()
 # Expect failure if the responder does nothing, and there's no prompter
 realm.run(['./responder', '-x',