[krb5/f14/master] - fix reading of keyUsage extensions when attempting to select pkinit client certs (part of #62902

Nalin Dahyabhai nalin at fedoraproject.org
Tue Oct 5 19:30:48 UTC 2010


commit aa6906082a7f5896d3bf5b4b2c513ffd7e8d3a70
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Tue Oct 5 11:16:37 2010 -0400

    - fix reading of keyUsage extensions when attempting to select pkinit client
      certs (part of #629022, RT#6775)
    - fix selection of pkinit client certs when one or more don't include a
      subjectAltName extension (part of #629022, RT#6774)

 krb5-trunk-key_usage.patch |   25 +++++++++++++++++++++++++
 krb5-trunk-signed.patch    |   42 ++++++++++++++++++++++++++++++++++++++++++
 krb5.spec                  |    8 ++++++++
 3 files changed, 75 insertions(+), 0 deletions(-)
---
diff --git a/krb5-trunk-key_usage.patch b/krb5-trunk-key_usage.patch
new file mode 100644
index 0000000..f45db69
--- /dev/null
+++ b/krb5-trunk-key_usage.patch
@@ -0,0 +1,25 @@
+Reading the NID_key_usage extension doesn't ensure that the ex_flags and
+ex_kusage fields that the ku_reject() macro checks.  It'd probably be
+better to check the usage string directly, but calling X509_check_ca()
+makes the right things happen.  RT#6775, part of #629022.
+
+Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+===================================================================
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(revision 24312)
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(revision 24313)
+@@ -2005,6 +2005,7 @@
+             pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__);
+ 
+             /* check that digitalSignature KeyUsage is present */
++            X509_check_ca(reqctx->received_cert);
+             if ((usage = X509_get_ext_d2i(reqctx->received_cert,
+                                           NID_key_usage, NULL, NULL))) {
+ 
+@@ -4551,6 +4552,7 @@
+     }
+ 
+     /* Make sure usage exists before checking bits */
++    X509_check_ca(x);
+     usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL);
+     if (usage) {
+         if (!ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
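Review bot: Both added `X509_check_ca()` calls exist only for their side effect of populating the X509's cached `ex_flags`/`ex_kusage` so that `ku_reject()` has something to read, and their return value is discarded, which the patch header itself concedes is a workaround for not checking the usage string directly. Since `usage` already holds the decoded KeyUsage bit string, the check can be made self-contained and independent of that cache: `if (usage != NULL && !ASN1_BIT_STRING_get_bit(usage, 0)) /* KeyUsage bit 0 = digitalSignature */` in place of the `ku_reject` test. That also removes the reliance on `ku_reject` reading private X509 struct fields, which presumably stops working once the X509 type becomes opaque in later OpenSSL releases. Whether `usage` is released afterwards is not visible here, and both enclosing functions start and end outside the hunk.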
diff --git a/krb5-trunk-signed.patch b/krb5-trunk-signed.patch
new file mode 100644
index 0000000..c8be88e
--- /dev/null
+++ b/krb5-trunk-signed.patch
@@ -0,0 +1,42 @@
+In crypto_retrieve_X509_sans(), the "i" used to hold the result of
+X509_get_ext_by_NID() is unsigned, so without a cast or changing its
+type, the comparison to -1 will always succeed.
+
+If the attempt to parse the SAN value then fails because the extension
+is not present, then crypto_retrieve_X509_sans(),
+crypto_cert_get_matching_data(), and obtain_all_cert_matching_data()
+will all return EINVAL, pkinit_cert_matching() will fail, and
+pkinit_identity_initialize() will fail.  As a result, the presence one
+candidate certificate which doesn't contain any SAN values will cause
+the client to fail to locate its certificate.  RT#6774, part of #629022.
+
+Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+===================================================================
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(revision 24322)
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	(revision 24323)
+@@ -1767,7 +1767,7 @@
+ {
+     krb5_error_code retval = EINVAL;
+     char buf[DN_BUF_LEN];
+-    int p = 0, u = 0, d = 0;
++    int p = 0, u = 0, d = 0, l;
+     krb5_principal *princs = NULL;
+     krb5_principal *upns = NULL;
+     unsigned char **dnss = NULL;
+@@ -1787,14 +1787,14 @@
+                       buf, sizeof(buf));
+     pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
+ 
+-    if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
++    if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
+         X509_EXTENSION *ext = NULL;
+         GENERAL_NAMES *ialt = NULL;
+         GENERAL_NAME *gen = NULL;
+         int ret = 0;
+         unsigned int num_sans = 0;
+ 
+-        if (!(ext = X509_get_ext(cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) {
++        if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
+             pkiDebug("%s: found no subject alt name extensions\n",
+                      __FUNCTION__);
+             goto cleanup;
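Review bot: A certificate whose subjectAltName is present but fails to decode (`X509V3_EXT_d2i` returning NULL) still reaches `goto cleanup` with `retval` left at its initial `EINVAL`, assuming nothing in the lines not shown resets it, so one malformed SAN in the identity store reproduces the same whole-client failure this commit fixes for a missing SAN, and the debug text `found no subject alt name extensions` then misdescribes the cause. Consider treating a decode failure like the absent-extension case, skipping the certificate with its own pkiDebug message and letting the function return success with zero SANs, or at least distinguishing the two in the log. Separately, `l` is easy to misread next to `i` and `1`; a name such as `sanpos` is clearer: `int p = 0, u = 0, d = 0, sanpos;`. crypto_retrieve_X509_sans() starts before and ends after this hunk.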
diff --git a/krb5.spec b/krb5.spec
index ba2c49e..389af98 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -51,6 +51,8 @@ Patch72: krb5-1.7.1-24139.patch
 Patch73: krb5-1-8-gss-noexp.patch
 Patch74: krb5-1.8.2-getoptP.patch
 Patch75: krb5-trunk-explife.patch
+Patch76: krb5-trunk-key_usage.patch
+Patch77: krb5-trunk-signed.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -192,6 +194,8 @@ ln -s NOTICE LICENSE
 %patch73 -p0 -b .gss-noexp
 %patch74 -p1 -b .getoptP
 %patch75 -p0 -b .explife
+%patch76 -p0 -b .key_usage
+%patch77 -p0 -b .signed
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -644,6 +648,10 @@ exit 0
 
 %changelog
 * Tue Oct  5 2010 Nalin Dahyabhai <nalin at redhat.com> 1.8.2-5
+- fix reading of keyUsage extensions when attempting to select pkinit client
+  certs (part of #629022, RT#6775)
+- fix selection of pkinit client certs when one or more don't include a
+  subjectAltName extension (part of #629022, RT#6774)
 - also link binaries with -Wl,-z,relro,-z,now (part of #629950)
 - build with -fstack-protector-all instead of the default -fstack-protector,
   so that we add checking to more functions (i.e., all of them) (#629950)

