[krb5] backport RT#7183
Nalin Dahyabhai
nalin at fedoraproject.org
Fri Jun 22 18:08:06 UTC 2012
commit f60e9ef28c1c736e2eed7b815d67029c4857af4c
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Fri Jun 22 14:07:46 2012 -0400
backport RT#7183
- backport a fix to allow a PKINIT client to handle SignedData from a KDC
that's signed with a certificate that isn't in the SignedData, but which
is available as an anchor or intermediate on the client (RT#7183)
krb5-trunk-pkinit-anchorsign.patch | 40 ++++++++++++++++++++++++++++++++++++
krb5.spec | 9 +++++++-
2 files changed, 48 insertions(+), 1 deletions(-)
---
diff --git a/krb5-trunk-pkinit-anchorsign.patch b/krb5-trunk-pkinit-anchorsign.patch
new file mode 100644
index 0000000..508bb5b
--- /dev/null
+++ b/krb5-trunk-pkinit-anchorsign.patch
@@ -0,0 +1,40 @@
+commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d
+Author: Greg Hudson <ghudson at mit.edu>
+Date: Thu Jun 21 17:20:29 2012 -0400
+
+ Handle PKINIT DH replies with no certs
+
+ If a PKINIT Diffie-Hellman reply contains no certificates in the
+ SignedData object, that may be because the signer certificate was a
+ trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
+ filters client trust anchors out of the returned set of certificates.
+ Match against idctx->trustedCAs and idctx->intermediateCAs to handle
+ this case. This fix only works with OpenSSL 1.0 or later; when built
+ against OpenSSL 0.9.x, the client will still require a cert in the
+ reply.
+
+ Code changes suggested by nalin at redhat.com.
+
+ ticket: 7183
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 0136d4f..7120ecf 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
+ X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
+ X509_STORE_set_flags(store, vflags);
+
+- /* get the signer's information from the CMS message */
++ /*
++ * Get the signer's information from the CMS message. Match signer ID
++ * against anchors and intermediate CAs in case no certs are present in the
++ * SignedData. If we start sending kdcPkId values in requests, we'll need
++ * to match against the source of that information too.
++ */
+ CMS_set1_signers_certs(cms, NULL, 0);
++ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
++ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
+ if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
+ ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
+ /* Not actually signed; anonymous case */
diff --git a/krb5.spec b/krb5.spec
index 3da0936..0562792 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -20,7 +20,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.2
-Release: 2%{?dist}
+Release: 3%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -68,6 +68,7 @@ Patch102: krb5-trunk-7048.patch
Patch103: krb5-1.10-gcc47.patch
Patch105: krb5-kvno-230379.patch
Patch106: krb5-1.10.2-keytab-etype.patch
+Patch107: krb5-trunk-pkinit-anchorsign.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -245,6 +246,7 @@ ln -s NOTICE LICENSE
%patch103 -p0 -b .gcc47
%patch105 -p1 -b .kvno
%patch106 -p1 -b .keytab-etype
+%patch107 -p1 -b .pkinit-anchorsign
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -753,6 +755,11 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Fri Jun 22 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.2-3
+- backport a fix to allow a PKINIT client to handle SignedData from a KDC
+ that's signed with a certificate that isn't in the SignedData, but which
+ is available as an anchor or intermediate on the client (RT#7183)
+
* Tue Jun 5 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.2-2
- back out this labeling change (dwalsh):
- when building the new label for a file we're about to create, also mix
More information about the scm-commits
mailing list