[krb5] - fix selection of pkinit client certs when one or more don't include a subjectAltName extension (pa
Nalin Dahyabhai
nalin at fedoraproject.org
Thu Sep 16 23:33:09 UTC 2010
commit 188111911c2a6bdc2c8982c06a59a742450113e7
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Thu Sep 16 19:31:40 2010 -0400
- fix selection of pkinit client certs when one or more don't include a subjectAltName extension (part of #629022, RT#6774)
krb5-trunk-signed.patch | 42 ++++++++++++++++++++++++++++++++++++++++++
1 files changed, 42 insertions(+), 0 deletions(-)
---
diff --git a/krb5-trunk-signed.patch b/krb5-trunk-signed.patch
new file mode 100644
index 0000000..c8be88e
--- /dev/null
+++ b/krb5-trunk-signed.patch
@@ -0,0 +1,42 @@
+In crypto_retrieve_X509_sans(), the "i" used to hold the result of
+X509_get_ext_by_NID() is unsigned, so without a cast or changing its
+type, the comparison to -1 will always succeed.
+
+If the attempt to parse the SAN value then fails because the extension
+is not present, then crypto_retrieve_X509_sans(),
+crypto_cert_get_matching_data(), and obtain_all_cert_matching_data()
+will all return EINVAL, pkinit_cert_matching() will fail, and
+pkinit_identity_initialize() will fail. As a result, the presence one
+candidate certificate which doesn't contain any SAN values will cause
+the client to fail to locate its certificate. RT#6774, part of #629022.
+
+Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+===================================================================
+--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24322)
++++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24323)
+@@ -1767,7 +1767,7 @@
+ {
+ krb5_error_code retval = EINVAL;
+ char buf[DN_BUF_LEN];
+- int p = 0, u = 0, d = 0;
++ int p = 0, u = 0, d = 0, l;
+ krb5_principal *princs = NULL;
+ krb5_principal *upns = NULL;
+ unsigned char **dnss = NULL;
+@@ -1787,14 +1787,14 @@
+ buf, sizeof(buf));
+ pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
+
+- if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
++ if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
+ X509_EXTENSION *ext = NULL;
+ GENERAL_NAMES *ialt = NULL;
+ GENERAL_NAME *gen = NULL;
+ int ret = 0;
+ unsigned int num_sans = 0;
+
+- if (!(ext = X509_get_ext(cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) {
++ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
+ pkiDebug("%s: found no subject alt name extensions\n",
+ __FUNCTION__);
+ goto cleanup;
More information about the scm-commits
mailing list