author | Ken Hornstein <kenh@cmf.nrl.navy.mil> | 2021-01-27 21:21:19 -0500 |
committer | Greg Hudson <ghudson@mit.edu> | 2021-02-11 12:50:44 -0500 |
commit | 13ae08e70a05768d4f65978ce1a8d4e16fec0d35 (patch) | |
tree | 35128e0f2d7f833f69575b8d70f27399581c762e /src/plugins | |
parent | c374ab40dd059a5938ffc0440d87457ac5da3a46 (diff) | |
Load certs when checking pkinit_identities values
Move the crypto_load_certs() probe from pkinit_identity_initialize()
to process_option_identity(). This will attempt to load a certificate
for each pkinit_identities value and, if the certificate load fails,
move on to the next line.
For PKCS11, return an error if pkinit_open_session() fails, but do not
fail in pkinit_open_session() just because identity prompts are
deferred.
[ghudson@mit.edu: added test case; moved cert probe to
process_option_identity(); rewrote commit message]
ticket: 8984 (new)
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 10 | ||||
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_identity.c | 30 |
2 files changed, 19 insertions, 21 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index d7d1593..e5940a5 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3748,7 +3748,7 @@ pkinit_open_session(krb5_context context,
         pkinit_set_deferred_id(&cctx->deferred_ids, p11name, tinfo.flags,
                                NULL);
         free(p11name);
-        return KRB5KRB_ERR_GENERIC;
+        return 0;
     }
     /* Look up a responder-supplied password for the token. */
     password = pkinit_find_deferred_id(cctx->deferred_ids, p11name);
@@ -4552,11 +4552,9 @@ pkinit_get_certs_pkcs11(krb5_context context,
     id_cryptoctx->slotid = idopts->slotid;
     id_cryptoctx->pkcs11_method = 1;
 
-    if (pkinit_open_session(context, id_cryptoctx)) {
-        pkiDebug("can't open pkcs11 session\n");
-        if (!id_cryptoctx->defer_id_prompt)
-            return KRB5KDC_ERR_PREAUTH_FAILED;
-    }
+    r = pkinit_open_session(context, id_cryptoctx);
+    if (r != 0)
+        return r;
     if (id_cryptoctx->defer_id_prompt) {
         /*
          * We need to reset all of the PKCS#11 state, so that the next time we
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index b89c5d0..4046b15 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -378,7 +378,7 @@ process_option_identity(krb5_context context,
                         pkinit_req_crypto_context req_cryptoctx,
                         pkinit_identity_opts *idopts,
                         pkinit_identity_crypto_context id_cryptoctx,
-                        const char *value)
+                        krb5_principal princ, const char *value)
 {
     const char *residual;
     int idtype;
@@ -424,7 +424,7 @@ process_option_identity(krb5_context context,
     switch (idtype) {
     case IDTYPE_ENVVAR:
         return process_option_identity(context, plg_cryptoctx, req_cryptoctx,
-                                       idopts, id_cryptoctx,
+                                       idopts, id_cryptoctx, princ,
                                        secure_getenv(residual));
         break;
     case IDTYPE_FILE:
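Review bot: The early `return 0;` in pkinit_open_session now reports success for a session that has not been logged in to, which is only safe because the caller inspects `defer_id_prompt` immediately afterwards; that contract should be stated at the return site, e.g. `/* Deferred: no login attempted; callers must check defer_id_prompt before using the session. */`. The body of pkinit_open_session begins and ends outside the hunk.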
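Review bot: The failure path in pkinit_get_certs_pkcs11 loses its diagnostic: the removed branch logged before returning, while the new `if (r != 0) return r;` is silent, so a token that cannot be opened leaves no trace in the debug output. Keeping a `pkiDebug("can't open pkcs11 session\n");` ahead of `return r;` would restore it. The declaration of `r` is outside the hunk; if it is the `CK_RV` used for the PKCS#11 calls elsewhere in this function rather than a `krb5_error_code`, the krb5 error code round-trips through an unsigned long on its way back to the caller, and a separate `krb5_error_code` local would be cleaner.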
@@ -450,7 +450,16 @@ process_option_identity(krb5_context context,
         retval = EINVAL;
         break;
     }
-    return retval;
+    if (retval)
+        return retval;
+
+    retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx, idopts,
+                               id_cryptoctx, princ, TRUE);
+    if (retval)
+        return retval;
+
+    crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx);
+    return 0;
 }
 
 static krb5_error_code
@@ -525,12 +534,13 @@ pkinit_identity_initialize(krb5_context context,
         if (idopts->identity != NULL) {
             retval = process_option_identity(context, plg_cryptoctx,
                                              req_cryptoctx, idopts,
-                                             id_cryptoctx, idopts->identity);
+                                             id_cryptoctx, princ,
+                                             idopts->identity);
         } else if (idopts->identity_alt != NULL) {
             for (i = 0; retval != 0 && idopts->identity_alt[i] != NULL; i++) {
                 retval = process_option_identity(context, plg_cryptoctx,
                                                  req_cryptoctx, idopts,
-                                                 id_cryptoctx,
+                                                 id_cryptoctx, princ,
                                                  idopts->identity_alt[i]);
             }
         } else {
@@ -540,16 +550,6 @@ pkinit_identity_initialize(krb5_context context,
             pkiDebug("%s: no user identity options specified\n", __FUNCTION__);
             goto errout;
         }
-        if (retval)
-            goto errout;
-
-        retval = crypto_load_certs(context, plg_cryptoctx, req_cryptoctx,
-                                   idopts, id_cryptoctx, princ, TRUE);
-        if (retval)
-            goto errout;
-
-        crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx,
-                              id_cryptoctx);
     } else {
         /* We're the anonymous principal. */
         retval = 0;
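Review bot: The new cert probe at the end of process_option_identity returns crypto_load_certs's error without any diagnostic, and the identity_alt loop in pkinit_identity_initialize keeps only the last failure, so an unreadable or mismatched pkinit_identities entry is skipped silently. A `pkiDebug("%s: certificate load failed for this identity\n", __FUNCTION__);` before the `return retval;` that follows crypto_load_certs would preserve the trace the removed pkinit_get_certs_pkcs11 branch used to give. The load-then-free sequence also deserves a comment, since it reads like wasted work: `/* Probe only: load the certs to validate the identity, then release them. */`, assuming the certs are reloaded later as the removed initialize code implies. process_option_identity begins outside the hunk.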
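Review bot: With the `if (retval) goto errout;` guard gone from pkinit_identity_initialize, a nonzero retval left by the identity or identity_alt branch now falls through to whatever follows the anonymous-principal else rather than jumping to errout; if the tail of the function (outside the hunk) does anything beyond returning retval, that path now runs with no identity loaded. Worth confirming, and worth a comment at the end of the non-anonymous branch, `/* retval holds the last identity's load result; nonzero is returned below. */`, so the next reader does not reintroduce the early exit.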