Backport certauth eku security fix
This commit is contained in:
parent
95b80fb0b9
commit
8f0349dc3e
31
Make-certauth-eku-module-restrictive-only.patch
Normal file
31
Make-certauth-eku-module-restrictive-only.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From 2b1a91087b668ab1021f1ca461b8210e7e015c8a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Thu, 24 Aug 2017 11:11:46 -0400
|
||||||
|
Subject: [PATCH] Make certauth eku module restrictive-only
|
||||||
|
|
||||||
|
The PKINIT certauth eku module should never authoritatively authorize
|
||||||
|
a certificate, because an extended key usage does not establish a
|
||||||
|
relationship between the certificate and any specific user; it only
|
||||||
|
establishes that the certificate was created for PKINIT client
|
||||||
|
authentication. Therefore, pkinit_eku_authorize() should return
|
||||||
|
KRB5_PLUGIN_NO_HANDLE on success, not 0.
|
||||||
|
|
||||||
|
ticket: 8561
|
||||||
|
(cherry picked from commit aca6fd6bc07934a90a18a70116ea3b620228950a)
|
||||||
|
---
|
||||||
|
src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||||
|
index 32ca122f2..d7a604c80 100644
|
||||||
|
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||||
|
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||||
|
@@ -1495,7 +1495,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
|
||||||
|
return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- return 0;
|
||||||
|
+ return KRB5_PLUGIN_NO_HANDLE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static krb5_error_code
|
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
|||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.15.1
|
Version: 1.15.1
|
||||||
# for prerelease, should be e.g., 0.3.beta2%{?dist}
|
# for prerelease, should be e.g., 0.3.beta2%{?dist}
|
||||||
Release: 24%{?dist}
|
Release: 25%{?dist}
|
||||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||||
# - The sources below are stored in a lookaside cache. Upload with
|
# - The sources below are stored in a lookaside cache. Upload with
|
||||||
@ -91,6 +91,7 @@ Patch62: Fix-more-time-manipulations-for-y2038.patch
|
|||||||
Patch63: Use-krb5_timestamp-where-appropriate.patch
|
Patch63: Use-krb5_timestamp-where-appropriate.patch
|
||||||
Patch64: Add-KDC-policy-pluggable-interface.patch
|
Patch64: Add-KDC-policy-pluggable-interface.patch
|
||||||
Patch65: Fix-bugs-in-kdcpolicy-commit.patch
|
Patch65: Fix-bugs-in-kdcpolicy-commit.patch
|
||||||
|
Patch66: Make-certauth-eku-module-restrictive-only.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -742,6 +743,9 @@ exit 0
|
|||||||
%{_libdir}/libkadm5srv_mit.so.*
|
%{_libdir}/libkadm5srv_mit.so.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 25 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-25
|
||||||
|
- Backport certauth eku security fix
|
||||||
|
|
||||||
* Mon Aug 21 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-24
|
* Mon Aug 21 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-24
|
||||||
- Backport kdc policy plugin, but this time with dependencies
|
- Backport kdc policy plugin, but this time with dependencies
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user