git.ipfire.org Git - thirdparty/krb5.git/commit
Fix certauth built-in module returns
author: Greg Hudson <ghudson@mit.edu>
Thu, 24 Aug 2017 15:11:46 +0000 (11:11 -0400)
committer: Greg Hudson <ghudson@mit.edu>
Tue, 29 Aug 2017 20:41:28 +0000 (16:41 -0400)
commit: 07243f85a760fb37f0622d7ff0177db3f19ab025
tree: 3297b3e3799b27d0d4c24616e574a18f8121f5d6
parent: 33d52a367f7ddaa843eec3a79f36adfbca6033a2
Fix certauth built-in module returns

The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication.  Therefore, pkinit_eku_authorize() should return
KRB5_PLUGIN_NO_HANDLE on success, not 0.

The certauth san module should pass if it does not find any SANs of
the types it can match against; the presence of other types of SANs
should not cause it to explicitly deny a certificate.  Check for an
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
instead of returning ENOENT from crypto_retrieve_cert_sans() when
there are no SANs at all.

ticket: 8561
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
src/plugins/preauth/pkinit/pkinit_srv.c
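To make the return-value semantics in the commit message concrete, here is an added model (not krb5's own code) of the eku and san modules before and after the change, run through a KDC aggregation loop. The loop's rules (any hard error denies, at least one module must return 0, NO_HANDLE from every module is a deny), the `site_accept` third module and the numeric code values are assumptions of this example, not taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-ins for the return codes (placeholder values, not krb5's
 * real numbers): 0 = authoritatively authorize, NO_HANDLE = no opinion,
 * anything else = hard deny. */
#define KRB5_PLUGIN_NO_HANDLE (-1)
#define ERR_DENY              (-2)
/* The facts a certauth module looks at, reduced to what the commit discusses. */
typedef struct {
    bool has_pkinit_eku;   /* cert carries the PKINIT client-auth EKU */
    int  n_sans;           /* SANs of any type */
    int  n_matching_sans;  /* SANs of a type the san module can match to the client */
} cert_t;

typedef int (*authorize_fn)(const cert_t *c);

/* Pre-fix eku module: treated the EKU as sufficient and returned 0. */
static int eku_old(const cert_t *c) { return c->has_pkinit_eku ? 0 : ERR_DENY; }

/* Fixed eku module: the EKU is necessary but proves nothing about the user. */
static int eku_fixed(const cert_t *c)
{ return c->has_pkinit_eku ? KRB5_PLUGIN_NO_HANDLE : ERR_DENY; }

/* Pre-fix san module: a cert with no SANs at all surfaced ENOENT, a deny.
 * (Only that case differs from the fixed module in this model.) */
static int san_old(const cert_t *c)
{
    if (c->n_sans == 0) return ERR_DENY;
    return c->n_matching_sans > 0 ? 0 : KRB5_PLUGIN_NO_HANDLE;
}

/* Fixed san module: nothing it can match against means "pass", not "deny". */
static int san_fixed(const cert_t *c)
{ return c->n_matching_sans > 0 ? 0 : KRB5_PLUGIN_NO_HANDLE; }

/* Hypothetical third module (e.g. a site policy) that authorizes the cert. */
static int site_accept(const cert_t *c) { (void)c; return 0; }

/* KDC-side aggregation as assumed here: any hard deny wins, at least one 0
 * is required to authorize, and NO_HANDLE from every module is a deny. */
int authorize_cert(const cert_t *c, const authorize_fn *mods, size_t n)
{
    bool accepted = false;
    for (size_t i = 0; i < n; i++) {
        int ret = mods[i](c);
        if (ret == 0) accepted = true;
        else if (ret != KRB5_PLUGIN_NO_HANDLE) return ret;
    }
    return accepted ? 0 : ERR_DENY;
}
```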