backport RT#7183
- backport a fix to allow a PKINIT client to handle SignedData from a KDC that's signed with a certificate that isn't in the SignedData, but which is available as an anchor or intermediate on the client (RT#7183)
parent
16a5c7affc
commit
f60e9ef28c
40
krb5-trunk-pkinit-anchorsign.patch
Normal file
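--- /dev/null
+++ b/krb5-trunk-pkinit-anchorsign.patch
@@ -0,0 +1,40 @@
+commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Thu Jun 21 17:20:29 2012 -0400
+
+Handle PKINIT DH replies with no certs
+
+If a PKINIT Diffie-Hellman reply contains no certificates in the
+SignedData object, that may be because the signer certificate was a
+trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
+filters client trust anchors out of the returned set of certificates.
+Match against idctx->trustedCAs and idctx->intermediateCAs to handle
+this case. This fix only works with OpenSSL 1.0 or later; when built
+against OpenSSL 0.9.x, the client will still require a cert in the
+reply.
+
+Code changes suggested by nalin@redhat.com.
+
+ticket: 7183
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 0136d4f..7120ecf 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
+X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
+X509_STORE_set_flags(store, vflags);
+
+- /* get the signer's information from the CMS message */
++ /*
++ * Get the signer's information from the CMS message. Match signer ID
++ * against anchors and intermediate CAs in case no certs are present in the
++ * SignedData. If we start sending kdcPkId values in requests, we'll need
++ * to match against the source of that information too.
++ */
+CMS_set1_signers_certs(cms, NULL, 0);
++ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
++ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
+if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
+((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
+/* Not actually signed; anonymous case */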
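Review bot: The two added `CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN)` and `CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN)` calls discard their return value, like the existing NULL-stack call above them, so an internal failure while matching the SignerInfo against the local anchors or intermediates is indistinguishable from "no matching certificate" and only surfaces through whatever the signer-certificate check further down reports. If that later check already fails closed with a clear error this is acceptable, but the new block comment should say so, e.g. `* Return values are ignored here; a signer that stays unmatched is rejected when its certificate is fetched below.`; otherwise each call should be checked and routed to the same error path as an unmatched signer. The call order is also load-bearing and deserves a sentence in the comment: the unflagged call must stay first so certificates carried in the SignedData are preferred, and the CMS_NOINTERN calls appear to fill in only SignerInfos whose signer is still unset (worth confirming against the OpenSSL version the package builds with, since the commit message notes the path is 1.0-only). cms_signeddata_verify begins and ends outside the hunk, so the downstream handling of an unset signer cannot be confirmed from here.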
@ -20,7 +20,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.10.2
|
Version: 1.10.2
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
|
||||||
Source0: krb5-%{version}.tar.gz
|
Source0: krb5-%{version}.tar.gz
|
||||||
@ -68,6 +68,7 @@ Patch102: krb5-trunk-7048.patch
|
|||||||
Patch103: krb5-1.10-gcc47.patch
|
Patch103: krb5-1.10-gcc47.patch
|
||||||
Patch105: krb5-kvno-230379.patch
|
Patch105: krb5-kvno-230379.patch
|
||||||
Patch106: krb5-1.10.2-keytab-etype.patch
|
Patch106: krb5-1.10.2-keytab-etype.patch
|
||||||
|
Patch107: krb5-trunk-pkinit-anchorsign.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -245,6 +246,7 @@ ln -s NOTICE LICENSE
|
|||||||
%patch103 -p0 -b .gcc47
|
%patch103 -p0 -b .gcc47
|
||||||
%patch105 -p1 -b .kvno
|
%patch105 -p1 -b .kvno
|
||||||
%patch106 -p1 -b .keytab-etype
|
%patch106 -p1 -b .keytab-etype
|
||||||
|
%patch107 -p1 -b .pkinit-anchorsign
|
||||||
rm src/lib/krb5/krb/deltat.c
|
rm src/lib/krb5/krb/deltat.c
|
||||||
|
|
||||||
gzip doc/*.ps
|
gzip doc/*.ps
|
||||||
@ -753,6 +755,11 @@ exit 0
|
|||||||
%{_sbindir}/uuserver
|
%{_sbindir}/uuserver
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jun 22 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-3
|
||||||
|
- backport a fix to allow a PKINIT client to handle SignedData from a KDC
|
||||||
|
that's signed with a certificate that isn't in the SignedData, but which
|
||||||
|
is available as an anchor or intermediate on the client (RT#7183)
|
||||||
|
|
||||||
* Tue Jun 5 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-2
|
* Tue Jun 5 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-2
|
||||||
- back out this labeling change (dwalsh):
|
- back out this labeling change (dwalsh):
|
||||||
- when building the new label for a file we're about to create, also mix
|
- when building the new label for a file we're about to create, also mix
|
||||||
|