drop backported PKINIT fix: directly-trusted KDCs
- drop backported fix for teaching PKINIT clients which trust the KDC's certificate directly to verify signed-data messages that are signed with the KDC's certificate, when the blobs don't include a copy of the KDC's certificate
parent f1f0baeb82
commit b47c708afc
@ -1,40 +0,0 @@
commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Jun 21 17:20:29 2012 -0400
Handle PKINIT DH replies with no certs
If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case. This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.
Code changes suggested by nalin@redhat.com.
ticket: 7183
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 0136d4f..7120ecf 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
X509_STORE_set_flags(store, vflags);
- /* get the signer's information from the CMS message */
+ /*
+ * Get the signer's information from the CMS message. Match signer ID
+ * against anchors and intermediate CAs in case no certs are present in the
+ * SignedData. If we start sending kdcPkId values in requests, we'll need
+ * to match against the source of that information too.
+ */
CMS_set1_signers_certs(cms, NULL, 0);
+ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
+ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
/* Not actually signed; anonymous case */
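Review bot: deleting the whole 40-line patch file removes the upstream fix (commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d, ticket 7183) that lets cms_signeddata_verify match the signer against idctx->trustedCAs and idctx->intermediateCAs when the SignedData carries no certificates, and nothing else in this commit replaces it. A client built from this package will again require a certificate in the DH reply from KDCs that filter trust anchors out of the returned set, which the patch description says Heimdal's KDC does. If the source now being packaged already contains that upstream commit, state that in the changelog entry so the drop is clearly not a regression; otherwise keep the patch.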
@ -72,7 +72,6 @@ Patch75: krb5-pkinit-debug.patch
Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch
Patch106: krb5-1.10.2-keytab-etype.patch
Patch107: krb5-trunk-pkinit-anchorsign.patch
Patch109: krb5-1.10.3-as_rep_skew.patch
Patch110: krb5-1.10.3-keytab-etype-corners-prep.patch
Patch111: krb5-1.10.3-keytab-etype-corners.patch
@ -265,7 +264,6 @@ ln -s NOTICE LICENSE
%patch86 -p0 -b .debuginfo
%patch105 -p1 -b .kvno
%patch106 -p1 -b .keytab-etype
%patch107 -p1 -b .pkinit-anchorsign
%patch109 -p1 -b .as_rep_skew
%patch110 -p1 -b .keytab-etype-corners-prep
%patch111 -p1 -b .keytab-etype-corners
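Review bot: removing `%patch107 -p1 -b .pkinit-anchorsign` matches the removed `Patch107: krb5-trunk-pkinit-anchorsign.patch` declaration in the previous hunk, so no dangling %patch reference is left behind. Leave the gap at 107 in the patch numbering rather than renumbering the remaining Patch lines; renumbering would only churn the diff and make the .pkinit-anchorsign backup suffix harder to trace in history.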
@ -830,6 +828,10 @@ exit 0
warning flags and the current gcc
- drop backported fix for disabling use of a replay cache when verifying
initial credentials
- drop backported fix for teaching PKINIT clients which trust the KDC's
certificate directly to verify signed-data messages that are signed with
the KDC's certificate, when the blobs don't include a copy of the KDC's
certificate
* Wed Oct 17 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.3-7
- tag a couple of other patches which we still need to be applied during
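Review bot: the added changelog lines describe the dropped fix but give no reason for dropping it, and the neighbouring "drop backported fix for disabling use of a replay cache" entry has the same gap, so a reader cannot tell whether these fixes are now in the upstream source being packaged or were simply abandoned. Add the reason and the upstream ticket (7183, from the deleted patch) to the entry. Minor wording: "when the blobs don't include" is vague; the deleted patch calls the object the SignedData, so "when the SignedData doesn't include a copy of the KDC's certificate" is clearer.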