Update error checking for OpenSSL CMS_verify

author Julien Rische <jrische@redhat.com>

Thu, 28 Jul 2022 13:20:12 +0000 (15:20 +0200)

committer Greg Hudson <ghudson@mit.edu>

Thu, 6 Jul 2023 21:10:06 +0000 (17:10 -0400)
author Julien Rische <jrische@redhat.com>
Thu, 28 Jul 2022 13:20:12 +0000 (15:20 +0200)
committer Greg Hudson <ghudson@mit.edu>
Thu, 6 Jul 2023 21:10:06 +0000 (17:10 -0400)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

index d500455dec79ad3773942a35acae76012fecd83c..4f295109b4d8d71626b68c6d03055bc96283787d 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2102,12 +2102,15 @@ cms_signeddata_verify(krb5_context context,
              goto cleanup;
          out = BIO_new(BIO_s_mem());
          if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
-            unsigned long err = ERR_peek_error();
+            unsigned long err = ERR_peek_last_error();
              switch(ERR_GET_REASON(err)) {
-            case PKCS7_R_DIGEST_FAILURE:
+            case RSA_R_DIGEST_NOT_ALLOWED:
+            case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
+            case CMS_R_NO_MATCHING_DIGEST:
+            case CMS_R_NO_MATCHING_SIGNATURE:
                  retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
                  break;
-            case PKCS7_R_SIGNATURE_FAILURE:
+            case CMS_R_VERIFICATION_FAILURE:
              default:
                  retval = KRB5KDC_ERR_INVALID_SIG;
              }
author	Julien Rische <jrische@redhat.com>
	Thu, 28 Jul 2022 13:20:12 +0000 (15:20 +0200)
committer	Greg Hudson <ghudson@mit.edu>
	Thu, 6 Jul 2023 21:10:06 +0000 (17:10 -0400)