[19637] in Kerberos_V5_Development
Re: pkinit plugin logic in pkinit_srv.c
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Aug 24 11:02:56 2017
To: Craig Huckabee <craig.huckabee@spawar.navy.mil>, krbdev@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <7cd7e913-4eb0-48d7-19a1-af174ede6246@mit.edu>
Date: Thu, 24 Aug 2017 11:02:45 -0400
MIME-Version: 1.0
In-Reply-To: <3B62B9BA-C297-4753-907D-D7CEF67F21F8@spawar.navy.mil>
Content-Type: text/plain; charset="windows-1252"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 08/24/2017 09:39 AM, Craig Huckabee wrote:
> While running some tests with the latest development builds, I noticed that the plugin test logic in pkinit_srv.c might be flawed. The comment in the plugin check codes says:
>
> /*
> * Check the certificate against each certauth module. For the certificate
> * to be authorized at least one module must return 0, and no module can an
> * error code other than KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from
> * modules that return 0 or pass.
> */
>
> but that’s not really true as each plugin returns KRB5KDC_ERR_CLIENT_NAME_MISMATCH when a match is not found. This means the first plugin that fails kicks out of that loop and no other checks are performed. I noticed this specifically because we were testing with certs that need the dbmatch module to work but it was never being called.
Can you elaborate on "each plugin returns
KRB5KDC_ERR_CLIENT_NAME_MISMATCH when a match is not found"? Of the
built-in modules, I think only the san module would ever return that
code, and should only return it when it finds PKINIT or UPN SANs in the
certificate and they don't match. It should return
KRB5_PLUGIN_NO_HANDLE if the cert doesn't have either of those SAN types.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev