From f60e9ef28c1c736e2eed7b815d67029c4857af4c Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 22 Jun 2012 14:07:46 -0400 Subject: [PATCH] backport RT#7183 - backport a fix to allow a PKINIT client to handle SignedData from a KDC that's signed with a certificate that isn't in the SignedData, but which is available as an anchor or intermediate on the client (RT#7183) --- krb5-trunk-pkinit-anchorsign.patch | 40 ++++++++++++++++++++++++++++++ krb5.spec | 9 ++++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 krb5-trunk-pkinit-anchorsign.patch diff --git a/krb5-trunk-pkinit-anchorsign.patch b/krb5-trunk-pkinit-anchorsign.patch new file mode 100644 index 0000000..508bb5b --- /dev/null +++ b/krb5-trunk-pkinit-anchorsign.patch @@ -0,0 +1,40 @@ +commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d +Author: Greg Hudson +Date: Thu Jun 21 17:20:29 2012 -0400 + + Handle PKINIT DH replies with no certs + + If a PKINIT Diffie-Hellman reply contains no certificates in the + SignedData object, that may be because the signer certificate was a + trust anchor as transmitted to the KDC. Heimdal's KDC, for instance, + filters client trust anchors out of the returned set of certificates. + Match against idctx->trustedCAs and idctx->intermediateCAs to handle + this case. This fix only works with OpenSSL 1.0 or later; when built + against OpenSSL 0.9.x, the client will still require a cert in the + reply. + + Code changes suggested by nalin@redhat.com. + + ticket: 7183 + +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 0136d4f..7120ecf 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context, + X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls); + X509_STORE_set_flags(store, vflags); + +- /* get the signer's information from the CMS message */ ++ /* ++ * Get the signer's information from the CMS message. Match signer ID ++ * against anchors and intermediate CAs in case no certs are present in the ++ * SignedData. If we start sending kdcPkId values in requests, we'll need ++ * to match against the source of that information too. ++ */ + CMS_set1_signers_certs(cms, NULL, 0); ++ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN); ++ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN); + if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) || + ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) { + /* Not actually signed; anonymous case */ diff --git a/krb5.spec b/krb5.spec index 3da0936..0562792 100644 --- a/krb5.spec +++ b/krb5.spec @@ -20,7 +20,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.10.2 -Release: 2%{?dist} +Release: 3%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -68,6 +68,7 @@ Patch102: krb5-trunk-7048.patch Patch103: krb5-1.10-gcc47.patch Patch105: krb5-kvno-230379.patch Patch106: krb5-1.10.2-keytab-etype.patch +Patch107: krb5-trunk-pkinit-anchorsign.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -245,6 +246,7 @@ ln -s NOTICE LICENSE %patch103 -p0 -b .gcc47 %patch105 -p1 -b .kvno %patch106 -p1 -b .keytab-etype +%patch107 -p1 -b .pkinit-anchorsign rm src/lib/krb5/krb/deltat.c gzip doc/*.ps @@ -753,6 +755,11 @@ exit 0 %{_sbindir}/uuserver %changelog +* Fri Jun 22 2012 Nalin Dahyabhai 1.10.2-3 +- backport a fix to allow a PKINIT client to handle SignedData from a KDC + that's signed with a certificate that isn't in the SignedData, but which + is available as an anchor or intermediate on the client (RT#7183) + * Tue Jun 5 2012 Nalin Dahyabhai 1.10.2-2 - back out this labeling change (dwalsh): - when building the new label for a file we're about to create, also mix