third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d...
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 5 Jul 2023 04:21:07 +0000 (16:21 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 19 Jul 2023 02:41:25 +0000 (02:41 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 19 02:41:25 UTC 2023 on atb-devel-224

selftest/knownfail_heimdal_kdc
third_party/heimdal/kdc/kerberos5.c
third_party/heimdal/kdc/pkinit.c
third_party/heimdal/lib/krb5/krb5.conf.5
third_party/heimdal/lib/krb5/pkinit.c

index ba225236c2ef2f6917dd88b98969b94b7b821a71..8c4c7f73ff5a7e3018069936e36f339d6aadaa4e 100644 (file)
@@ -67,7 +67,6 @@
 # PK-INIT tests
 #
 ^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
-^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_revoked.ad_dc
 #
 # Windows 2000 PK-INIT tests
 #
index 36db57cb36a5790487487654349bbfbff3de6b35..8a6add4d22c38ee90ab735cc7cd62dc35fb85227 100644 (file)
@@ -579,7 +579,11 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
 
     ret = _kdc_pk_rd_padata(r, pa, &pkp);
     if (ret || pkp == NULL) {
-       ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+       if (ret == HX509_CERT_REVOKED) {
+           ret = KRB5_KDC_ERR_CLIENT_NOT_TRUSTED;      
+       } else {
+           ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+       }
        _kdc_r_log(r, 4, "Failed to decode PKINIT PA-DATA -- %s",
                   r->cname);
        goto out;
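Review bot: In the new `HX509_CERT_REVOKED` arm the log line that follows still reads `Failed to decode PKINIT PA-DATA`, which is misleading for a certificate that decoded fine but was revoked, and it hides the revocation event from anyone reading KDC logs for it. Logging the two cases separately, e.g. `_kdc_r_log(r, 4, "PKINIT client certificate revoked -- %s", r->cname);` inside the revoked arm and leaving the existing decode message for the `else` arm, would make the rejection auditable as distinct from a malformed request. The line `ret = KRB5_KDC_ERR_CLIENT_NOT_TRUSTED;` also carries trailing whitespace. pa_pkinit_validate starts and ends outside the hunk.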
index b63f38e9aa9282ab433432b41bbf7faddb72cbc8..080ead541b4eacb8c73d1f11088c8cab3ee3f1ce 100644 (file)
@@ -231,6 +231,7 @@ generate_dh_keyblock(krb5_context context,
            size -= dh_gen_keylen;
            memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
            memset(dh_gen_key, 0, size);
+           dh_gen_keylen += size;
        }
     } else if (client_params->keyex == USE_ECDH) {
        if (client_params->u.ecdh.public_key == NULL) {
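Review bot: The local `size` is reused for two meanings within a few lines — the buffer length on entry and the zero-padding count after the subtraction — so the added `dh_gen_keylen += size;` reads at first glance as though it adds the whole buffer size rather than the padding. A short comment on the branch, `/* left-pad the DH shared secret with zeros (presumably to the modulus length); dh_gen_keylen becomes the padded length */`, or renaming the local to `pad` within the branch, would make the intent clear; I hedge on the modulus-length wording because the condition that selects this branch is outside the hunk. The same three-line padding sequence and the same one-line fix appear in lib/krb5/pkinit.c pk_rd_pa_reply_dh in this commit, so the two copies now have to be kept in sync by hand. The rest of generate_dh_keyblock is outside the hunk.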
@@ -460,6 +461,8 @@ _kdc_pk_rd_padata(astgs_request_t priv,
     hx509_verify_attach_anchors(cp->verify_ctx, trust_anchors);
     hx509_certs_free(&trust_anchors);
 
+    hx509_verify_attach_revoke(cp->verify_ctx, kdc_identity->revokectx);
+
     if (config->pkinit_allow_proxy_certs)
        hx509_verify_set_proxy_certificate(cp->verify_ctx, 1);
 
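Review bot: The new `hx509_verify_attach_revoke(cp->verify_ctx, kdc_identity->revokectx);` call has no comment saying what it enables or what happens when no `pkinit_revoke` stores are configured, and the hunk does not show whether `kdc_identity->revokectx` can be NULL in that case, so that should be confirmed against the identity setup code. A comment such as `/* Check the client certificate against the KDC's configured CRLs (pkinit_revoke); a revoked cert fails verification with HX509_CERT_REVOKED, which pa_pkinit_validate maps to KRB5_KDC_ERR_CLIENT_NOT_TRUSTED. */` would tie this line to the error mapping added in kerberos5.c in the same commit. _kdc_pk_rd_padata starts and ends outside the hunk.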
index 3258c116aabd8180f999caef300a4ecb2722f649..fda55e3ed17b6b81fb1b6b4138e4b98bf95b18ee 100644 (file)
@@ -184,7 +184,8 @@ This is a multi-valued parameter naming one or more stores of
 anchors for PKINIT KDC certificates.
 .It Li pkinit_revoke = Va HX509-STORE ...
 This is a multi-valued parameter naming one or more stores of
-of CRLs for the issuers of PKINIT KDC certificates.
+CRLs for the issuers of PKINIT KDC certificates.
+Only the first valid CRL for a particular issuer will be checked.
 If no CRLs are configured, then CRLs will not be checked.
 This is because hx509 currently lacks support.
 .El
@@ -911,7 +912,8 @@ is also supported here.
 type stores are OpenSSL-style CA certificate hash directories.
 .It Li pkinit_revoke = Va HX509-STORE ...
 This is a multi-valued parameter naming one or more stores of
-of CRLs for the issuers of PKINIT client certificates.
+CRLs for the issuers of PKINIT client certificates.
+Only the first valid CRL for a particular issuer will be checked.
 If no CRLs are configured, then CRLs will not be checked.
 This is because the KDC will not dereference CRL distribution
 points nor request OCSP responses.
index 2a0979b7e127eca918e146f57d9ff66fae9e7c30..e3707e203a44c4788784d0f0022c24be84255b78 100644 (file)
@@ -1493,6 +1493,7 @@ pk_rd_pa_reply_dh(krb5_context context,
            size -= dh_gen_keylen;
            memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
            memset(dh_gen_key, 0, size);
+           dh_gen_keylen += size;
        }
 
     } else {