[27499] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.10]: Handle PKINIT DH replies with no certs
daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Jan 11 16:03:54 2013
Date: Fri, 11 Jan 2013 16:03:51 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201301112103.r0BL3pUg017716@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/9bbf3649867f444674716941b787f6699885c803
commit 9bbf3649867f444674716941b787f6699885c803
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Jun 21 17:20:29 2012 -0400
Handle PKINIT DH replies with no certs
If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case. This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.
Code changes suggested by nalin@redhat.com.
(cherry picked from commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d)
ticket: 7544 (new)
version_fixed: 1.10.4
status: resolved
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 571e309..41847a1 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1397,8 +1397,15 @@ cms_signeddata_verify(krb5_context context,
X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
X509_STORE_set_flags(store, vflags);
- /* get the signer's information from the CMS message */
+ /*
+ * Get the signer's information from the CMS message. Match signer ID
+ * against anchors and intermediate CAs in case no certs are present in the
+ * SignedData. If we start sending kdcPkId values in requests, we'll need
+ * to match against the source of that information too.
+ */
CMS_set1_signers_certs(cms, NULL, 0);
+ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
+ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
/* Not actually signed; anonymous case */
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
