[krb5/f16] backport RT#7183

Fri Jun 22 21:12:53 UTC 2012

commit 4c6323b0c574033cbeb6913131c99fa07da9b212
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Fri Jun 22 17:12:23 2012 -0400

    backport RT#7183
    
    - backport a fix to allow a PKINIT client to handle SignedData from a KDC
      that's signed with a certificate that isn't in the SignedData, but which
      is available as an anchor or intermediate on the client (RT#7183)

 krb5-1.9-pkinit-anchorsign.patch |   42 ++++++++++++++++++++++++++++++++++++++
 1 files changed, 42 insertions(+), 0 deletions(-)
---

diff --git a/krb5-1.9-pkinit-anchorsign.patch b/krb5-1.9-pkinit-anchorsign.patch
new file mode 100644
index 0000000..7e81e4d
--- /dev/null
+++ b/krb5-1.9-pkinit-anchorsign.patch
@@ -0,0 +1,42 @@
+
+
+commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Thu Jun 21 17:20:29 2012 -0400
+
+    Handle PKINIT DH replies with no certs
+    
+    If a PKINIT Diffie-Hellman reply contains no certificates in the
+    SignedData object, that may be because the signer certificate was a
+    trust anchor as transmitted to the KDC.  Heimdal's KDC, for instance,
+    filters client trust anchors out of the returned set of certificates.
+    Match against idctx->trustedCAs and idctx->intermediateCAs to handle
+    this case.  This fix only works with OpenSSL 1.0 or later; when built
+    against OpenSSL 0.9.x, the client will still require a cert in the
+    reply.
+    
+    Code changes suggested by nalin at redhat.com.
+    
+    ticket: 7183
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 0136d4f..7120ecf 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
+         X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
+     X509_STORE_set_flags(store, vflags);
+ 
+-    /* get the signer's information from the CMS message */
++    /*
++     * Get the signer's information from the CMS message.  Match signer ID
++     * against anchors and intermediate CAs in case no certs are present in the
++     * SignedData.  If we start sending kdcPkId values in requests, we'll need
++     * to match against the source of that information too.
++     */
+     CMS_set1_signers_certs(cms, NULL, 0);
++    CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
++    CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
+     if ((si_sk = CMS_get0_SignerInfos(cms)) == NULL)
+         goto cleanup;
+     if ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)
