From 188111911c2a6bdc2c8982c06a59a742450113e7 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 16 Sep 2010 19:31:40 -0400
Subject: [PATCH] - fix selection of pkinit client certs when one or more don't include a subjectAltName extension (part of #629022, RT#6774)
---
krb5-trunk-signed.patch | 42 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 krb5-trunk-signed.patch
diff --git a/krb5-trunk-signed.patch b/krb5-trunk-signed.patch
new file mode 100644
index 0000000..c8be88e
--- /dev/null
+++ b/krb5-trunk-signed.patch
@@ -0,0 +1,42 @@
+In crypto_retrieve_X509_sans(), the "i" used to hold the result of
+X509_get_ext_by_NID() is unsigned, so without a cast or changing its
+type, the comparison to -1 will always succeed.
+
+If the attempt to parse the SAN value then fails because the extension
+is not present, then crypto_retrieve_X509_sans(),
+crypto_cert_get_matching_data(), and obtain_all_cert_matching_data()
+will all return EINVAL, pkinit_cert_matching() will fail, and
+pkinit_identity_initialize() will fail. As a result, the presence one
+candidate certificate which doesn't contain any SAN values will cause
+the client to fail to locate its certificate. RT#6774, part of #629022.
+
+Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+===================================================================
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24322)
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24323)
+@@ -1767,7 +1767,7 @@
+ {
+ krb5_error_code retval = EINVAL;
+ char buf[DN_BUF_LEN];
+- int p = 0, u = 0, d = 0;
++ int p = 0, u = 0, d = 0, l;
+ krb5_principal *princs = NULL;
+ krb5_principal *upns = NULL;
+ unsigned char **dnss = NULL;
+@@ -1787,14 +1787,14 @@
+ buf, sizeof(buf));
+ pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
+
+- if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
++ if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
+ X509_EXTENSION *ext = NULL;
+ GENERAL_NAMES *ialt = NULL;
+ GENERAL_NAME *gen = NULL;
+ int ret = 0;
+ unsigned int num_sans = 0;
+
+- if (!(ext = X509_get_ext(cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) {
++ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
+ pkiDebug("%s: found no subject alt name extensions\n",
+ __FUNCTION__);
+ goto cleanup;
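Review bot: `retval` starts as EINVAL (`krb5_error_code retval = EINVAL;`) and neither nested hunk sets it to 0 on the path where X509_get_ext_by_NID() returns -1, so whether a certificate with no subjectAltName extension now succeeds depends on code after the `if` block that lies outside the quoted hunks; confirm that path reaches `retval = 0;` before `cleanup`, otherwise the EINVAL described in the patch header is still returned. The new name `l` is easy to misread next to the existing `i` index and the literal `1`; `int p = 0, u = 0, d = 0, ext_idx = -1;` with `ext_idx` in the two uses would read more clearly. The declaration of `i` is not in the hunk, so I assume it stays unsigned for the later SAN iteration, which is fine once it no longer receives the -1 sentinel. The body of crypto_retrieve_X509_sans() starts before the first nested hunk and continues past the second.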