1 | commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d |
2 | Author: Greg Hudson <ghudson@mit.edu> | |
3 | Date: Thu Jun 21 17:20:29 2012 -0400 | |
4 | ||
5 | Handle PKINIT DH replies with no certs | |
6 | ||
7 | If a PKINIT Diffie-Hellman reply contains no certificates in the | |
8 | SignedData object, that may be because the signer certificate was a | |
9 | trust anchor as transmitted to the KDC. Heimdal's KDC, for instance, | |
10 | filters client trust anchors out of the returned set of certificates. | |
11 | Match against idctx->trustedCAs and idctx->intermediateCAs to handle | |
12 | this case. This fix only works with OpenSSL 1.0 or later; when built | |
13 | against OpenSSL 0.9.x, the client will still require a cert in the | |
14 | reply. | |
15 | ||
16 | Code changes suggested by nalin@redhat.com. | |
17 | ||
18 | ticket: 7183 | |
19 | ||
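diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 0136d4f..7120ecf 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
 X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
 X509_STORE_set_flags(store, vflags);
 
- /* get the signer's information from the CMS message */
+ /*
+ * Get the signer's information from the CMS message. Match signer ID
+ * against anchors and intermediate CAs in case no certs are present in the
+ * SignedData. If we start sending kdcPkId values in requests, we'll need
+ * to match against the source of that information too.
+ */
 CMS_set1_signers_certs(cms, NULL, 0);
+ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
+ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
 if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
 ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
 /* Not actually signed; anonymous case */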
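Review bot: The three `CMS_set1_signers_certs` calls on the new side discard their return values, so at this point the code does not know whether a signer certificate was matched from the SignedData, `idctx->trustedCAs` or `idctx->intermediateCAs`; the `si_sk`/`si` check that follows only detects a missing SignerInfo, not a SignerInfo whose signer was never resolved. If the verification step that follows (outside this hunk) does not fail cleanly on an unresolved signer, the unmatched case should be rejected here, e.g. by checking that at least one of the three calls reports a match before proceeding. Separately, the new comment reads as if matching against the anchors were itself a trust decision; it only selects a candidate signer certificate by signer identifier, so I would add `* Matching here only picks a candidate signer cert by ID; the signature and chain must still be verified against the store below.` The enclosing function cms_signeddata_verify starts before and continues after this hunk.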