authorGreg Hudson <ghudson@mit.edu>2020-03-23 19:10:03 -0400
committerGreg Hudson <ghudson@mit.edu>2020-03-26 14:32:40 -0400
commitf1286842ce7b9e507a4ce0a47f44ab361a98be63 (patch)
tree83502081721b8cffaf1e563b4cb2f7833b07eee8 /src/plugins
parente5c911946ba98b2e90db6456e822788f678bdade (diff)
Eliminate redundant PKINIT responder invocation
In pkinit_client_prep_questions(), only act if the input padata type is KRB5_PADATA_PK_AS_REQ. Otherwise we will ask questions again when the KDC issues a ticket. Commit 7621d2f9a87214327ca3b2594e34dc7cea84596b (ticket 8242) unintentionally changed the behavior of pkinit_load_fs_cert_and_key(), causing pkinit_client_prep_questions() to do nothing on its first call. Restore the original behavior of returning 0 when prompting is deferred. Modify the existing "FILE identity, password on key (responder)" PKINIT test to check that the responder is only invoked once. ticket: 8885
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/preauth/pkinit/pkinit_clnt.c5
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_openssl.c13
2 files changed, 12 insertions, 6 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 1a64213..4d47f73 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -905,6 +905,11 @@ pkinit_client_prep_questions(krb5_context context,
k5_json_object jval = NULL;
k5_json_number jflag = NULL;
+ /* Don't ask questions for the informational padata items or when the
+ * ticket is issued. */
+ if (pa_data->pa_type != KRB5_PADATA_PK_AS_REQ)
+ return 0;
+
if (!reqctx->identity_initialized) {
pkinit_client_profile(context, plgctx, reqctx, cb, rock,
&request->server->realm);
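Review bot: The new early return at the top of pkinit_client_prep_questions() gates on exactly one padata type, KRB5_PADATA_PK_AS_REQ, so any other type the plugin registers as a client padata type elsewhere in this file (for instance the draft PKINIT type KRB5_PADATA_PK_AS_REQ_OLD, if it is still advertised; not visible in this hunk) would now skip identity initialization and responder questions as well. If those types are no longer handled on the client side this is fine, but the comment should say so rather than leaving the reader to check the registration table, e.g. `/* Only the PA-PK-AS-REQ exchange needs identity questions; the informational padata items and the reply that carries the ticket do not. */`. The enclosing function begins before this hunk.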
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 8c7fd0c..d7d1593 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -4309,17 +4309,18 @@ pkinit_load_fs_cert_and_key(krb5_context context,
/* Load the certificate. */
retval = get_cert(certname, &x);
- if (retval != 0 || x == NULL) {
- retval = oerr(context, 0, _("Cannot read certificate file '%s'"),
+ if (retval) {
+ retval = oerr(context, retval, _("Cannot read certificate file '%s'"),
certname);
- goto cleanup;
}
+ if (retval || x == NULL)
+ goto cleanup;
/* Load the key. */
retval = get_key(context, id_cryptoctx, keyname, fsname, &y, password);
- if (retval != 0 || y == NULL) {
- retval = oerr(context, 0, _("Cannot read key file '%s'"), fsname);
+ if (retval)
+ retval = oerr(context, retval, _("Cannot read key file '%s'"), fsname);
+ if (retval || y == NULL)
goto cleanup;
- }
id_cryptoctx->creds[cindex] = malloc(sizeof(struct _pkinit_cred_info));
if (id_cryptoctx->creds[cindex] == NULL) {
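Review bot: The certificate path now also returns 0 when get_cert() yields no error but leaves x NULL, yet the commit message ties the zero-return-on-NULL behaviour only to the key, where a NULL key with a zero status means the password prompt was deferred to the responder; nothing here suggests an equivalent deferred outcome for the certificate, so that branch would report success with no credential stored in creds[cindex]. If get_cert() cannot return 0 with a NULL certificate this is harmless, but the deferral contract should be stated where it is relied on, e.g. above the `if (retval || y == NULL)` line: `/* A zero status with y == NULL means the password prompt was deferred to the responder; return success so the caller can ask. */`, and the certificate check could be tightened to `if (retval == 0 && x == NULL) retval = EINVAL;` if a missing certificate is never a deferral. Passing retval instead of 0 to oerr() preserves the original error code from the loader, which is the right call. The enclosing function starts before this hunk and continues after it.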