diff --git a/krb5-trunk-signed.patch b/krb5-trunk-signed.patch deleted file mode 100644 index c8be88e..0000000 --- a/krb5-trunk-signed.patch +++ /dev/null @@ -1,42 +0,0 @@ -In crypto_retrieve_X509_sans(), the "i" used to hold the result of -X509_get_ext_by_NID() is unsigned, so without a cast or changing its -type, the comparison to -1 will always succeed. - -If the attempt to parse the SAN value then fails because the extension -is not present, then crypto_retrieve_X509_sans(), -crypto_cert_get_matching_data(), and obtain_all_cert_matching_data() -will all return EINVAL, pkinit_cert_matching() will fail, and -pkinit_identity_initialize() will fail. As a result, the presence one -candidate certificate which doesn't contain any SAN values will cause -the client to fail to locate its certificate. RT#6774, part of #629022. - -Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -=================================================================== ---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24322) -+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24323) -@@ -1767,7 +1767,7 @@ - { - krb5_error_code retval = EINVAL; - char buf[DN_BUF_LEN]; -- int p = 0, u = 0, d = 0; -+ int p = 0, u = 0, d = 0, l; - krb5_principal *princs = NULL; - krb5_principal *upns = NULL; - unsigned char **dnss = NULL; -@@ -1787,14 +1787,14 @@ - buf, sizeof(buf)); - pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf); - -- if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) { -+ if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) { - X509_EXTENSION *ext = NULL; - GENERAL_NAMES *ialt = NULL; - GENERAL_NAME *gen = NULL; - int ret = 0; - unsigned int num_sans = 0; - -- if (!(ext = X509_get_ext(cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) { -+ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { - pkiDebug("%s: found no subject alt name extensions\n", - __FUNCTION__); - goto cleanup;