krb5/krb5-trunk-signed.patch

In crypto_retrieve_X509_sans(), the "i" used to hold the result of
X509_get_ext_by_NID() is unsigned, so without a cast or changing its
type, the comparison to -1 will always succeed.

If the attempt to parse the SAN value then fails because the extension
is not present, then crypto_retrieve_X509_sans(),
crypto_cert_get_matching_data(), and obtain_all_cert_matching_data()
will all return EINVAL, pkinit_cert_matching() will fail, and
pkinit_identity_initialize() will fail.  As a result, the presence one
candidate certificate which doesn't contain any SAN values will cause
the client to fail to locate its certificate.  RT#6774, part of #629022.

Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(revision 24322)
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(revision 24323)
@@ -1767,7 +1767,7 @@
 {
     krb5_error_code retval = EINVAL;
     char buf[DN_BUF_LEN];
-    int p = 0, u = 0, d = 0;
+    int p = 0, u = 0, d = 0, l;
     krb5_principal *princs = NULL;
     krb5_principal *upns = NULL;
     unsigned char **dnss = NULL;
@@ -1787,14 +1787,14 @@
                       buf, sizeof(buf));
     pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
 
-    if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
+    if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
         X509_EXTENSION *ext = NULL;
         GENERAL_NAMES *ialt = NULL;
         GENERAL_NAME *gen = NULL;
         int ret = 0;
         unsigned int num_sans = 0;
 
-        if (!(ext = X509_get_ext(cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) {
+        if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
             pkiDebug("%s: found no subject alt name extensions\n",
                      __FUNCTION__);
             goto cleanup;
- fix selection of pkinit client certs when one or more don't include a subjectAltName extension (part of #629022, RT#6774) 2010-09-16 23:31:40 +00:00			`In crypto_retrieve_X509_sans(), the "i" used to hold the result of`
			`X509_get_ext_by_NID() is unsigned, so without a cast or changing its`
			`type, the comparison to -1 will always succeed.`

			`If the attempt to parse the SAN value then fails because the extension`
			`is not present, then crypto_retrieve_X509_sans(),`
			`crypto_cert_get_matching_data(), and obtain_all_cert_matching_data()`
			`will all return EINVAL, pkinit_cert_matching() will fail, and`
			`pkinit_identity_initialize() will fail. As a result, the presence one`
			`candidate certificate which doesn't contain any SAN values will cause`
			`the client to fail to locate its certificate. RT#6774, part of #629022.`

			`Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
			`===================================================================`
			`--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24322)`
			`+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24323)`
			`@@ -1767,7 +1767,7 @@`
			`{`
			`krb5_error_code retval = EINVAL;`
			`char buf[DN_BUF_LEN];`
			`- int p = 0, u = 0, d = 0;`
			`+ int p = 0, u = 0, d = 0, l;`
			`krb5_principal *princs = NULL;`
			`krb5_principal *upns = NULL;`
			`unsigned char **dnss = NULL;`
			`@@ -1787,14 +1787,14 @@`
			`buf, sizeof(buf));`
			`pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);`

			`- if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {`
			`+ if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {`
			`X509_EXTENSION *ext = NULL;`
			`GENERAL_NAMES *ialt = NULL;`
			`GENERAL_NAME *gen = NULL;`
			`int ret = 0;`
			`unsigned int num_sans = 0;`

			`- if (!(ext = X509_get_ext(cert, i)) \|\| !(ialt = X509V3_EXT_d2i(ext))) {`
			`+ if (!(ext = X509_get_ext(cert, l)) \|\| !(ialt = X509V3_EXT_d2i(ext))) {`
			`pkiDebug("%s: found no subject alt name extensions\n",`
			`__FUNCTION__);`
			`goto cleanup;`