[16886] in Kerberos-V5-bugs


[krbdev.mit.edu #9069] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Tue Jul 11 18:56:23 2023

From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-2254325-1689116175-1962.9069-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9069":;
Date: Tue, 11 Jul 2023 18:56:15 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9069 >


Fix PKINIT CMS error checking for older OpenSSL

Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.

Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.

(cherry picked from commit e48e2e56a05a47fd932a941ac82c1131ceed47d0)

https://github.com/krb5/krb5/commit/a6971d269577afa68584d6076bd90f84c2099f93
Author: Greg Hudson <ghudson@mit.edu>
Commit: a6971d269577afa68584d6076bd90f84c2099f93
Branch: krb5-1.20
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
