[krb5/f14/master] - fix reading of keyUsage extensions when attempting to select pkinit client certs (part of #62902
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Oct 5 19:30:48 UTC 2010
commit aa6906082a7f5896d3bf5b4b2c513ffd7e8d3a70
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue Oct 5 11:16:37 2010 -0400
- fix reading of keyUsage extensions when attempting to select pkinit client
certs (part of #629022, RT#6775)
- fix selection of pkinit client certs when one or more don't include a
subjectAltName extension (part of #629022, RT#6774)
krb5-trunk-key_usage.patch | 25 +++++++++++++++++++++++++
krb5-trunk-signed.patch | 42 ++++++++++++++++++++++++++++++++++++++++++
krb5.spec | 8 ++++++++
3 files changed, 75 insertions(+), 0 deletions(-)
---
diff --git a/krb5-trunk-key_usage.patch b/krb5-trunk-key_usage.patch
new file mode 100644
index 0000000..f45db69
--- /dev/null
+++ b/krb5-trunk-key_usage.patch
@@ -0,0 +1,25 @@
+Reading the NID_key_usage extension doesn't ensure that the ex_flags and
+ex_kusage fields that the ku_reject() macro checks. It'd probably be
+better to check the usage string directly, but calling X509_check_ca()
+makes the right things happen. RT#6775, part of #629022.
+
+Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+===================================================================
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24312)
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24313)
+@@ -2005,6 +2005,7 @@
+ pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
+
+ /* check that digitalSignature KeyUsage is present */
++ X509_check_ca(reqctx->received_cert);
+ if ((usage = X509_get_ext_d2i(reqctx->received_cert,
+ NID_key_usage, NULL, NULL))) {
+
+@@ -4551,6 +4552,7 @@
+ }
+
+ /* Make sure usage exists before checking bits */
++ X509_check_ca(x);
+ usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
+ if (usage) {
+ if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
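Review bot: The two added `X509_check_ca()` calls (before each `X509_get_ext_d2i(..., NID_key_usage, ...)` lookup) discard their return value, and nothing at either call site says the call exists only for its side effect of populating the cached `ex_flags`/`ex_kusage` fields that `ku_reject()` reads; that rationale lives only in the patch header and will be invisible to whoever next reads pkinit_crypto_openssl.c, who is likely to remove an apparently pointless call. Suggest `(void)X509_check_ca(reqctx->received_cert); /* side effect only: caches ex_kusage for ku_reject() below */` and the equivalent comment at the second site. As the header itself notes, this leans on OpenSSL's extension-caching behaviour rather than checking the keyUsage bit string directly, so the comment should also flag that dependency. Both enclosing functions start and end outside the hunk.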
diff --git a/krb5-trunk-signed.patch b/krb5-trunk-signed.patch
new file mode 100644
index 0000000..c8be88e
--- /dev/null
+++ b/krb5-trunk-signed.patch
@@ -0,0 +1,42 @@
+In crypto_retrieve_X509_sans(), the "i" used to hold the result of
+X509_get_ext_by_NID() is unsigned, so without a cast or changing its
+type, the comparison to -1 will always succeed.
+
+If the attempt to parse the SAN value then fails because the extension
+is not present, then crypto_retrieve_X509_sans(),
+crypto_cert_get_matching_data(), and obtain_all_cert_matching_data()
+will all return EINVAL, pkinit_cert_matching() will fail, and
+pkinit_identity_initialize() will fail. As a result, the presence one
+candidate certificate which doesn't contain any SAN values will cause
+the client to fail to locate its certificate. RT#6774, part of #629022.
+
+Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+===================================================================
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24322)
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24323)
+@@ -1767,7 +1767,7 @@
+ {
+ krb5_error_code retval = EINVAL;
+ char buf[DN_BUF_LEN];
+- int p = 0, u = 0, d = 0;
++ int p = 0, u = 0, d = 0, l;
+ krb5_principal *princs = NULL;
+ krb5_principal *upns = NULL;
+ unsigned char **dnss = NULL;
+@@ -1787,14 +1787,14 @@
+ buf, sizeof(buf));
+ pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
+
+- if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
++ if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
+ X509_EXTENSION *ext = NULL;
+ GENERAL_NAMES *ialt = NULL;
+ GENERAL_NAME *gen = NULL;
+ int ret = 0;
+ unsigned int num_sans = 0;
+
+- if (!(ext = X509_get_ext(cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) {
++ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
+ pkiDebug("%s: found no subject alt name extensions\n",
+ __FUNCTION__);
+ goto cleanup;
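Review bot: The new index variable `l` in `int p = 0, u = 0, d = 0, l;` is a single letter easily misread as `1` or `i`, the very variable it replaces; a descriptive name such as `san_idx` (`int p = 0, u = 0, d = 0, san_idx;`, then `san_idx` in the two uses below) would make the signedness fix self-documenting. With the comparison now signed, a certificate with no subjectAltName skips the block instead of reaching `goto cleanup`, but `retval` is initialized to `EINVAL` at the top of the function, so whether that path returns success as the header describes depends on code past the end of the hunk and is worth confirming. If `i` was used only as this extension index, its `unsigned` declaration (outside the hunk) is now dead and should be removed or re-typed to avoid an unused-variable warning. crypto_retrieve_X509_sans() begins before and continues after the hunk.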
diff --git a/krb5.spec b/krb5.spec
index ba2c49e..389af98 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -51,6 +51,8 @@ Patch72: krb5-1.7.1-24139.patch
Patch73: krb5-1-8-gss-noexp.patch
Patch74: krb5-1.8.2-getoptP.patch
Patch75: krb5-trunk-explife.patch
+Patch76: krb5-trunk-key_usage.patch
+Patch77: krb5-trunk-signed.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -192,6 +194,8 @@ ln -s NOTICE LICENSE
%patch73 -p0 -b .gss-noexp
%patch74 -p1 -b .getoptP
%patch75 -p0 -b .explife
+%patch76 -p0 -b .key_usage
+%patch77 -p0 -b .signed
gzip doc/*.ps
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -644,6 +648,10 @@ exit 0
%changelog
* Tue Oct 5 2010 Nalin Dahyabhai <nalin at redhat.com> 1.8.2-5
+- fix reading of keyUsage extensions when attempting to select pkinit client
+ certs (part of #629022, RT#6775)
+- fix selection of pkinit client certs when one or more don't include a
+ subjectAltName extension (part of #629022, RT#6774)
- also link binaries with -Wl,-z,relro,-z,now (part of #629950)
- build with -fstack-protector-all instead of the default -fstack-protector,
so that we add checking to more functions (i.e., all of them) (#629950)