[31248] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit [krb5-1.20]: Fix PKINIT CMS error checking for older

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Tue Jul 11 18:56:33 2023

From: ghudson@mit.edu
To: <cvs-krb5@mit.edu>
Message-ID: <20230711225608.59C3A102D28@krbdev.mit.edu>
Date: Tue, 11 Jul 2023 18:56:08 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/a6971d269577afa68584d6076bd90f84c2099f93
commit a6971d269577afa68584d6076bd90f84c2099f93
Author: Greg Hudson <ghudson@mit.edu>
Date:   Tue Dec 13 13:15:28 2022 -0500

    Fix PKINIT CMS error checking for older OpenSSL
    
    Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
    CMS_verify() error code checks, using two error codes new to OpenSSL
    3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
    This change broke the build for OpenSSL 1.0 and 1.1.
    
    Instead of looking for codes indicating an algorithm issue and
    assuming that everything else is an invalid signature, check for the
    code indicating an invalid signature and assume that everything else
    is an algorithm issue.
    
    (cherry picked from commit e48e2e56a05a47fd932a941ac82c1131ceed47d0)
    
    ticket: 9069
    version_fixed: 1.20.2

 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 4f295109b..a3afbc553 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2102,18 +2102,10 @@ cms_signeddata_verify(krb5_context context,
             goto cleanup;
         out = BIO_new(BIO_s_mem());
         if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
-            unsigned long err = ERR_peek_last_error();
-            switch(ERR_GET_REASON(err)) {
-            case RSA_R_DIGEST_NOT_ALLOWED:
-            case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
-            case CMS_R_NO_MATCHING_DIGEST:
-            case CMS_R_NO_MATCHING_SIGNATURE:
-                retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
-                break;
-            case CMS_R_VERIFICATION_FAILURE:
-            default:
+            if (ERR_peek_last_error() == CMS_R_VERIFICATION_FAILURE)
                 retval = KRB5KDC_ERR_INVALID_SIG;
-            }
+            else
+                retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
             (void)oerr(context, retval, _("Failed to verify CMS message"));
             goto cleanup;
         }
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post