rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update backports of certauth and corresponding test

Browse Source
This commit is contained in:
Robbie Harwood 2017-04-19 17:39:28 +00:00
parent 291b968871
commit 21848ec3e1
6 changed files with 183 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
Add-certauth-pluggable-interface.patch
View File

@ -1,4 +1,4 @@
From ee26c1e3f7e98ed656b154c212bd5a335e87f312 Mon Sep 17 00:00:00 2001 From bb76ee06b88ebfc1a2abc95fc096299bda8946e9 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com> From: Matt Rogers <mrogers@redhat.com>
Date: Tue, 28 Feb 2017 15:55:24 -0500 Date: Tue, 28 Feb 2017 15:55:24 -0500
Subject: [PATCH] Add certauth pluggable interface Subject: [PATCH] Add certauth pluggable interface
@ -21,7 +21,7 @@ doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst.
[ghudson@mit.edu: simplified code, edited docs] [ghudson@mit.edu: simplified code, edited docs]
ticket: 8561 (new) ticket: 8561 (new)
(cherry picked from commit 6a48b95e3ad65605a657020385b34875677e8b75) (cherry picked from commit b619ce84470519bea65470be3263cd85fba94f57)
--- ---
doc/admin/conf_files/krb5_conf.rst | 21 ++ doc/admin/conf_files/krb5_conf.rst | 21 ++
doc/plugindev/certauth.rst | 27 ++ doc/plugindev/certauth.rst | 27 ++
@ -37,12 +37,12 @@ ticket: 8561 (new)
src/plugins/certauth/test/deps | 14 + src/plugins/certauth/test/deps | 14 +
src/plugins/certauth/test/main.c | 209 +++++++++++++ src/plugins/certauth/test/main.c | 209 +++++++++++++
src/plugins/preauth/pkinit/pkinit_crypto.h | 4 + src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 26 ++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 30 ++
src/plugins/preauth/pkinit/pkinit_srv.c | 340 ++++++++++++++++++--- src/plugins/preauth/pkinit/pkinit_srv.c | 335 ++++++++++++++++++---
src/plugins/preauth/pkinit/pkinit_trace.h | 5 + src/plugins/preauth/pkinit/pkinit_trace.h | 5 +
src/tests/Makefile.in | 1 + src/tests/Makefile.in | 1 +
src/tests/t_certauth.py | 43 +++ src/tests/t_certauth.py | 47 +++
19 files changed, 783 insertions(+), 42 deletions(-) 19 files changed, 786 insertions(+), 42 deletions(-)
create mode 100644 doc/plugindev/certauth.rst create mode 100644 doc/plugindev/certauth.rst
create mode 100644 src/include/krb5/certauth_plugin.h create mode 100644 src/include/krb5/certauth_plugin.h
create mode 100644 src/plugins/certauth/test/Makefile.in create mode 100644 src/plugins/certauth/test/Makefile.in
@ -52,7 +52,7 @@ ticket: 8561 (new)
create mode 100644 src/tests/t_certauth.py create mode 100644 src/tests/t_certauth.py
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 653aad613..ac89e3b52 100644 index 653aad613..c0e4349c0 100644
--- a/doc/admin/conf_files/krb5_conf.rst --- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst
@@ -858,6 +858,27 @@ built-in modules exist for this interface: @@ -858,6 +858,27 @@ built-in modules exist for this interface:
@ -76,8 +76,8 @@ index 653aad613..ac89e3b52 100644
+ is set to true for the realm. + is set to true for the realm.
+ +
+**pkinit_eku** +**pkinit_eku**
+ This module rejects the certificate if it does not contain the + This module rejects the certificate if it does not contain an
+ PKINIT Extended Key Usage attribute consistent with the + Extended Key Usage attribute consistent with the
+ **pkinit_eku_checking** value for the realm. + **pkinit_eku_checking** value for the realm.
+ +
@ -85,11 +85,11 @@ index 653aad613..ac89e3b52 100644
-------------- --------------
diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst
new file mode 100644 new file mode 100644
index 000000000..8b0360327 index 000000000..8a7f7c5eb
--- /dev/null --- /dev/null
+++ b/doc/plugindev/certauth.rst +++ b/doc/plugindev/certauth.rst
@@ -0,0 +1,27 @@ @@ -0,0 +1,27 @@
+.. _certauth: +.. _certauth_plugin:
+ +
+PKINIT certificate authorization interface (certauth) +PKINIT certificate authorization interface (certauth)
+===================================================== +=====================================================
@ -583,7 +583,7 @@ index b483affed..49b96b8ee 100644
+ +
#endif /* _PKINIT_CRYPTO_H */ #endif /* _PKINIT_CRYPTO_H */
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 8def8c542..c1276521b 100644 index 8def8c542..a5b010b26 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2137,6 +2137,7 @@ crypto_retrieve_X509_sans(krb5_context context, @@ -2137,6 +2137,7 @@ crypto_retrieve_X509_sans(krb5_context context,
@ -594,7 +594,7 @@ index 8def8c542..c1276521b 100644
goto cleanup; goto cleanup;
} }
num_sans = sk_GENERAL_NAME_num(ialt); num_sans = sk_GENERAL_NAME_num(ialt);
@@ -6176,3 +6177,28 @@ crypto_get_deferred_ids(krb5_context context, @@ -6176,3 +6177,32 @@ crypto_get_deferred_ids(krb5_context context,
ret = (const pkinit_deferred_id *)deferred; ret = (const pkinit_deferred_id *)deferred;
return ret; return ret;
} }
@ -605,7 +605,7 @@ index 8def8c542..c1276521b 100644
+ uint8_t **der_out, size_t *der_len) + uint8_t **der_out, size_t *der_len)
+{ +{
+ int len; + int len;
+ unsigned char *p; + unsigned char *der, *p;
+ +
+ *der_out = NULL; + *der_out = NULL;
+ *der_len = 0; + *der_len = 0;
@ -616,15 +616,19 @@ index 8def8c542..c1276521b 100644
+ len = i2d_X509(reqctx->received_cert, NULL); + len = i2d_X509(reqctx->received_cert, NULL);
+ if (len <= 0) + if (len <= 0)
+ return EINVAL; + return EINVAL;
+ p = malloc(len); + p = der = malloc(len);
+ if (p == NULL) + if (p == NULL)
+ return ENOMEM; + return ENOMEM;
+ *der_out = p; + if (i2d_X509(reqctx->received_cert, &p) <= 0) {
+ free(p);
+ return EINVAL;
+ }
+ *der_out = der;
+ *der_len = len; + *der_len = len;
+ return 0; + return 0;
+} +}
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index b5638a367..23826c5e8 100644 index b5638a367..731d14eb8 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c --- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -31,6 +31,25 @@ @@ -31,6 +31,25 @@
@ -653,7 +657,7 @@ index b5638a367..23826c5e8 100644
static krb5_error_code static krb5_error_code
pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob); pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob);
@@ -51,6 +70,36 @@ pkinit_find_realm_context(krb5_context context, @@ -51,6 +70,34 @@ pkinit_find_realm_context(krb5_context context,
krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_moddata moddata,
krb5_principal princ); krb5_principal princ);
@ -674,14 +678,12 @@ index b5638a367..23826c5e8 100644
+free_certauth_handles(krb5_context context, certauth_handle *list) +free_certauth_handles(krb5_context context, certauth_handle *list)
+{ +{
+ int i; + int i;
+ certauth_handle h;
+ +
+ if (list == NULL) + if (list == NULL)
+ return; + return;
+ for (i = 0; list[i] != NULL; i++) { + for (i = 0; list[i] != NULL; i++) {
+ h = list[i]; + if (list[i]->vt.fini != NULL)
+ if (h->vt.fini != NULL) + list[i]->vt.fini(context, list[i]->moddata);
+ h->vt.fini(context, h->moddata);
+ free(list[i]); + free(list[i]);
+ } + }
+ free(list); + free(list);
@ -690,7 +692,7 @@ index b5638a367..23826c5e8 100644
static krb5_error_code static krb5_error_code
pkinit_create_edata(krb5_context context, pkinit_create_edata(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx, pkinit_plg_crypto_context plg_cryptoctx,
@@ -123,7 +172,7 @@ verify_client_san(krb5_context context, @@ -123,7 +170,7 @@ verify_client_san(krb5_context context,
pkinit_kdc_req_context reqctx, pkinit_kdc_req_context reqctx,
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_callbacks cb,
krb5_kdcpreauth_rock rock, krb5_kdcpreauth_rock rock,
@ -699,7 +701,7 @@ index b5638a367..23826c5e8 100644
int *valid_san) int *valid_san)
{ {
krb5_error_code retval; krb5_error_code retval;
@@ -134,12 +183,15 @@ verify_client_san(krb5_context context, @@ -134,12 +181,15 @@ verify_client_san(krb5_context context,
char *client_string = NULL, *san_string; char *client_string = NULL, *san_string;
#endif #endif
@ -716,7 +718,7 @@ index b5638a367..23826c5e8 100644
pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__); pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
goto out; goto out;
@@ -273,6 +325,76 @@ out: @@ -273,6 +323,73 @@ out:
return retval; return retval;
} }
@ -730,7 +732,7 @@ index b5638a367..23826c5e8 100644
+ krb5_principal client) + krb5_principal client)
+{ +{
+ krb5_error_code ret; + krb5_error_code ret;
+ certauth_handle hd; + certauth_handle h;
+ struct certauth_req_opts opts; + struct certauth_req_opts opts;
+ krb5_boolean accepted = FALSE; + krb5_boolean accepted = FALSE;
+ uint8_t *cert; + uint8_t *cert;
@ -739,7 +741,7 @@ index b5638a367..23826c5e8 100644
+ char **ais = NULL, **ai = NULL; + char **ais = NULL, **ai = NULL;
+ +
+ /* Re-encode the received certificate into DER, which is extra work, but + /* Re-encode the received certificate into DER, which is extra work, but
+ * avoids creating a crypto dependency on the interface. */ + * avoids creating an X.509 library dependency in the interface. */
+ ret = crypto_encode_der_cert(context, reqctx->cryptoctx, &cert, &cert_len); + ret = crypto_encode_der_cert(context, reqctx->cryptoctx, &cert, &cert_len);
+ if (ret) + if (ret)
+ goto cleanup; + goto cleanup;
@ -760,12 +762,9 @@ index b5638a367..23826c5e8 100644
+ */ + */
+ ret = KRB5_PLUGIN_NO_HANDLE; + ret = KRB5_PLUGIN_NO_HANDLE;
+ for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) { + for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) {
+ hd = certauth_modules[i]; + h = certauth_modules[i];
+ if (hd->vt.authorize == NULL) + ret = h->vt.authorize(context, h->moddata, cert, cert_len, client,
+ continue; + &opts, db_ent, &ais);
+
+ ret = hd->vt.authorize(context, hd->moddata, cert, cert_len, client,
+ &opts, db_ent, &ais);
+ if (ret == 0) + if (ret == 0)
+ accepted = TRUE; + accepted = TRUE;
+ else if (ret != KRB5_PLUGIN_NO_HANDLE) + else if (ret != KRB5_PLUGIN_NO_HANDLE)
@ -778,7 +777,7 @@ index b5638a367..23826c5e8 100644
+ if (ret) + if (ret)
+ goto cleanup; + goto cleanup;
+ } + }
+ hd->vt.free_ind(context, hd->moddata, ais); + h->vt.free_ind(context, h->moddata, ais);
+ ais = NULL; + ais = NULL;
+ } + }
+ } + }
@ -793,7 +792,7 @@ index b5638a367..23826c5e8 100644
static void static void
pkinit_server_verify_padata(krb5_context context, pkinit_server_verify_padata(krb5_context context,
krb5_data *req_pkt, krb5_data *req_pkt,
@@ -295,7 +417,6 @@ pkinit_server_verify_padata(krb5_context context, @@ -295,7 +412,6 @@ pkinit_server_verify_padata(krb5_context context,
pkinit_kdc_req_context reqctx = NULL; pkinit_kdc_req_context reqctx = NULL;
krb5_checksum cksum = {0, 0, 0, NULL}; krb5_checksum cksum = {0, 0, 0, NULL};
krb5_data *der_req = NULL; krb5_data *der_req = NULL;
@ -801,7 +800,7 @@ index b5638a367..23826c5e8 100644
krb5_data k5data; krb5_data k5data;
int is_signed = 1; int is_signed = 1;
krb5_pa_data **e_data = NULL; krb5_pa_data **e_data = NULL;
@@ -388,27 +509,11 @@ pkinit_server_verify_padata(krb5_context context, @@ -388,27 +504,11 @@ pkinit_server_verify_padata(krb5_context context,
goto cleanup; goto cleanup;
} }
if (is_signed) { if (is_signed) {
@ -831,7 +830,7 @@ index b5638a367..23826c5e8 100644
} else { /* !is_signed */ } else { /* !is_signed */
if (!krb5_principal_compare(context, request->client, if (!krb5_principal_compare(context, request->client,
krb5_anonymous_principal())) { krb5_anonymous_principal())) {
@@ -1245,11 +1350,15 @@ pkinit_find_realm_context(krb5_context context, @@ -1245,11 +1345,15 @@ pkinit_find_realm_context(krb5_context context,
krb5_principal princ) krb5_principal princ)
{ {
int i; int i;
@ -848,7 +847,7 @@ index b5638a367..23826c5e8 100644
for (i = 0; realm_contexts[i] != NULL; i++) { for (i = 0; realm_contexts[i] != NULL; i++) {
pkinit_kdc_context p = realm_contexts[i]; pkinit_kdc_context p = realm_contexts[i];
@@ -1331,6 +1440,155 @@ errout: @@ -1331,6 +1435,155 @@ errout:
return retval; return retval;
} }
@ -1004,7 +1003,7 @@ index b5638a367..23826c5e8 100644
static int static int
pkinit_server_plugin_init(krb5_context context, pkinit_server_plugin_init(krb5_context context,
krb5_kdcpreauth_moddata *moddata_out, krb5_kdcpreauth_moddata *moddata_out,
@@ -1338,6 +1596,8 @@ pkinit_server_plugin_init(krb5_context context, @@ -1338,6 +1591,8 @@ pkinit_server_plugin_init(krb5_context context,
{ {
krb5_error_code retval = ENOMEM; krb5_error_code retval = ENOMEM;
pkinit_kdc_context plgctx, *realm_contexts = NULL; pkinit_kdc_context plgctx, *realm_contexts = NULL;
@ -1013,7 +1012,7 @@ index b5638a367..23826c5e8 100644
size_t i, j; size_t i, j;
size_t numrealms; size_t numrealms;
@@ -1368,16 +1628,22 @@ pkinit_server_plugin_init(krb5_context context, @@ -1368,16 +1623,22 @@ pkinit_server_plugin_init(krb5_context context,
goto errout; goto errout;
} }
@ -1044,7 +1043,7 @@ index b5638a367..23826c5e8 100644
return retval; return retval;
} }
@@ -1405,17 +1671,11 @@ static void @@ -1405,17 +1666,11 @@ static void
pkinit_server_plugin_fini(krb5_context context, pkinit_server_plugin_fini(krb5_context context,
krb5_kdcpreauth_moddata moddata) krb5_kdcpreauth_moddata moddata)
{ {
@ -1094,13 +1093,17 @@ index b55469146..0e93d6b59 100644
$(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py
new file mode 100644 new file mode 100644
index 000000000..ca7df2b42 index 000000000..e64a57b0d
--- /dev/null --- /dev/null
+++ b/src/tests/t_certauth.py +++ b/src/tests/t_certauth.py
@@ -0,0 +1,43 @@ @@ -0,0 +1,47 @@
+#!/usr/bin/python +#!/usr/bin/python
+from k5test import * +from k5test import *
+ +
+# Skip this test if pkinit wasn't built.
+if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')):
+ skip_rest('certauth tests', 'PKINIT module not built')
+
+certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs') +certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs')
+ca_pem = os.path.join(certs, 'ca.pem') +ca_pem = os.path.join(certs, 'ca.pem')
+kdc_pem = os.path.join(certs, 'kdc.pem') +kdc_pem = os.path.join(certs, 'kdc.pem')

96
Add-k5test-expected_msg-expected_trace.patch Normal file
View File

@ -0,0 +1,96 @@
From 771cbaa6c4cc441f46985d67381de69c77349ed7 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 17 Jan 2017 11:24:41 -0500
Subject: [PATCH] Add k5test expected_msg, expected_trace
In k5test.py, add the optional keyword argument "expected_msg" to
methods that run commands, to make it easier to look for substrings in
the command output. Add the optional keyword "expected_trace" to run
the command with KRB5_TRACE enabled and look for an ordered series of
substrings in the trace output.
(cherry picked from commit 8bb5fce69a4aa6c3082fa7def66a93974e10e17a)
[rharwood@redhat.com: Removed .gitignore change]
---
src/config/post.in | 2 +-
src/util/k5test.py | 37 ++++++++++++++++++++++++++++++++++---
2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/src/config/post.in b/src/config/post.in
index 77a9bffdf..aecac9d3b 100644
--- a/src/config/post.in
+++ b/src/config/post.in
@@ -156,7 +156,7 @@ clean: clean-$(WHAT)
clean-unix::
$(RM) $(OBJS) $(DEPTARGETS_CLEAN) $(EXTRA_FILES)
- $(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog
+ $(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog testtrace
-$(RM) -r testdir
clean-windows::
diff --git a/src/util/k5test.py b/src/util/k5test.py
index c3d026377..4d30baf40 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -223,8 +223,11 @@ Scripts may use the following realm methods and attributes:
command-line debugging options. Fail if the command does not return
0. Log the command output appropriately, and return it as a single
multi-line string. Keyword arguments can contain input='string' to
- send an input string to the command, and expected_code=N to expect a
- return code other than 0.
+ send an input string to the command, expected_code=N to expect a
+ return code other than 0, expected_msg=MSG to expect a substring in
+ the command output, and expected_trace=('a', 'b', ...) to expect an
+ ordered series of line substrings in the command's KRB5_TRACE
+ output.
* realm.kprop_port(): Returns a port number based on realm.portbase
intended for use by kprop and kpropd.
@@ -647,10 +650,31 @@ def _stop_or_shell(stop, shell, env, ind):
subprocess.call(os.getenv('SHELL'), env=env)
-def _run_cmd(args, env, input=None, expected_code=0):
+# Read tracefile and look for the expected strings in successive lines.
+def _check_trace(tracefile, expected):
+ output('*** Trace output for previous command:\n')
+ i = 0
+ with open(tracefile, 'r') as f:
+ for line in f:
+ output(line)
+ if i < len(expected) and expected[i] in line:
+ i += 1
+ if i < len(expected):
+ fail('Expected string not found in trace output: ' + expected[i])
+
+
+def _run_cmd(args, env, input=None, expected_code=0, expected_msg=None,
+ expected_trace=None):
global null_input, _cmd_index, _last_cmd, _last_cmd_output, _debug
global _stop_before, _stop_after, _shell_before, _shell_after
+ if expected_trace is not None:
+ tracefile = 'testtrace'
+ if os.path.exists(tracefile):
+ os.remove(tracefile)
+ env = env.copy()
+ env['KRB5_TRACE'] = tracefile
+
if (_match_cmdnum(_debug, _cmd_index)):
return _debug_cmd(args, env, input)
@@ -679,6 +703,13 @@ def _run_cmd(args, env, input=None, expected_code=0):
# Check the return code and return the output.
if code != expected_code:
fail('%s failed with code %d.' % (args[0], code))
+
+ if expected_msg is not None and expected_msg not in outdata:
+ fail('Expected string not found in command output: ' + expected_msg)
+
+ if expected_trace is not None:
+ _check_trace(tracefile, expected_trace)
+
return outdata

2
Add-the-client_name-kdcpreauth-callback.patch
View File

@ -1,4 +1,4 @@
From 5d560c28ff46b04013ab64dc51a7d912d38b01de Mon Sep 17 00:00:00 2001 From efc27c7800ac9863493b4d3b763fefcaac4e3801 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com> From: Matt Rogers <mrogers@redhat.com>
Date: Tue, 4 Apr 2017 16:54:56 -0400 Date: Tue, 4 Apr 2017 16:54:56 -0400
Subject: [PATCH] Add the client_name() kdcpreauth callback Subject: [PATCH] Add the client_name() kdcpreauth callback

32
Correct-error-handling-bug-in-prior-commit.patch Normal file
View File

@ -0,0 +1,32 @@
From edb91a5cafe2380209e5d482062dfdd608b23772 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 23 Mar 2017 13:42:55 -0400
Subject: [PATCH] Correct error handling bug in prior commit
In crypto_encode_der_cert(), if the second i2d_X509() invocation
fails, make sure to free the allocated pointer and not the
possibly-modified alias.
ticket: 8561
(cherry picked from commit 7fdaef7c3280c86b5df25ae061fb04cc56d8620c)
---
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index a5b010b26..90c30dbf5 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -6196,10 +6196,10 @@ crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
if (len <= 0)
return EINVAL;
p = der = malloc(len);
- if (p == NULL)
+ if (der == NULL)
return ENOMEM;
if (i2d_X509(reqctx->received_cert, &p) <= 0) {
- free(p);
+ free(der);
return EINVAL;
}
*der_out = der;

2
Use-the-canonical-client-principal-name-for-OTP.patch
View File

@ -1,4 +1,4 @@
From ca74a8a49f4a05c0b602c9dc473fd16fe71847fd Mon Sep 17 00:00:00 2001 From d697b2c12eb9a35732fed48d06c374a13f27f4e1 Mon Sep 17 00:00:00 2001
From: Matt Rogers <mrogers@redhat.com> From: Matt Rogers <mrogers@redhat.com>
Date: Wed, 5 Apr 2017 16:48:55 -0400 Date: Wed, 5 Apr 2017 16:48:55 -0400
Subject: [PATCH] Use the canonical client principal name for OTP Subject: [PATCH] Use the canonical client principal name for OTP

9
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.15.1 Version: 1.15.1
# for prerelease, should be e.g., 0.3.beta2%{?dist} # for prerelease, should be e.g., 0.3.beta2%{?dist}
Release: 6%{?dist} Release: 7%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead? # - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with # - The sources below are stored in a lookaside cache. Upload with
@ -68,9 +68,11 @@ Patch17: Improve-PKINIT-UPN-SAN-matching.patch
Patch18: Add-test-cert-generation-to-make-certs.sh.patch Patch18: Add-test-cert-generation-to-make-certs.sh.patch
Patch19: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch Patch19: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
Patch20: Deindent-crypto_retrieve_X509_sans.patch Patch20: Deindent-crypto_retrieve_X509_sans.patch
Patch21: Add-certauth-pluggable-interface.patch
Patch22: Add-the-client_name-kdcpreauth-callback.patch Patch22: Add-the-client_name-kdcpreauth-callback.patch
Patch23: Use-the-canonical-client-principal-name-for-OTP.patch Patch23: Use-the-canonical-client-principal-name-for-OTP.patch
Patch24: Add-certauth-pluggable-interface.patch
Patch25: Correct-error-handling-bug-in-prior-commit.patch
Patch26: Add-k5test-expected_msg-expected_trace.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -730,6 +732,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Wed Apr 19 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-7
- Update backports of certauth and corresponding test
* Thu Apr 13 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-6 * Thu Apr 13 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-6
- Include fixes for previous commit - Include fixes for previous commit
- Resolves: #1433083 - Resolves: #1433083