From: Sam Hartman
Date: Wed, 23 Dec 2009 21:10:30 +0000 (+0000)
Subject: pkinit authentication only works for TGT
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e95ea8f8428041134a835890033d1eef8dca2a06;p=thirdparty%2Fkrb5.git

pkinit authentication only works for TGT

Pkinit's verification of the KDC SAN requires that the certificate have a SAN for the server principal. That's not correct according to RFC 4556. The KDC should have a SAN for the TGS principal; that's independent of whether the TGS principal is actually the server. Fix to build the TGS principal explicitly.

ticket: 6605

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23504 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 46ca022b7e..80c55c9447 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -649,6 +649,7 @@ pkinit_as_rep_parse(krb5_context context,
                    krb5_data *encoded_request)
 {
     krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
+    krb5_principal kdc_princ = NULL;
     krb5_pa_pk_as_rep *kdc_reply = NULL;
     krb5_kdc_dh_key_info *kdc_dh = NULL;
     krb5_reply_key_pack *key_pack = NULL;
@@ -709,8 +710,16 @@ pkinit_as_rep_parse(krb5_context context,
         retval = -1;
         goto cleanup;
     }
-
-    retval = verify_kdc_san(context, plgctx, reqctx, request->server,
+    retval = krb5_build_principal_ext(context, &kdc_princ,
+                                      request->server->realm.length,
+                                      request->server->realm.data,
+                                      strlen(KRB5_TGS_NAME), KRB5_TGS_NAME,
+                                      request->server->realm.length,
+                                      request->server->realm.data,
+                                      0);
+    if (retval)
+        goto cleanup;
+    retval = verify_kdc_san(context, plgctx, reqctx, kdc_princ,
                             &valid_san, &need_eku_checking);
     if (retval)
         goto cleanup;
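Review bot: The krb5_build_principal_ext call in the second hunk carries none of the reasoning that the commit message does, and the choice of krbtgt/REALM@REALM over request->server is exactly the kind of thing a later reader will "fix" back. A short why-comment above it would anchor the check: `/* RFC 4556: the KDC certificate's SAN names the realm's TGS principal (krbtgt/REALM@REALM), not whatever server this AS-REQ asks for, so verify against that rather than request->server. */` The realm is taken from request->server twice, which is right for an AS exchange where the request realm is the realm of the KDC being contacted; if that assumption is meant to hold, the comment is also the place to state it. pkinit_as_rep_parse starts and ends outside these hunks, and the SAN result is consumed by code past the hunk, so whether a non-matching SAN is fatal cannot be judged from here.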
@@ -859,6 +868,7 @@ pkinit_as_rep_parse(krb5_context context,
 cleanup:
     free(dh_data.data);
+    krb5_free_principal(context, kdc_princ);
     free(client_key);
     free_krb5_kdc_dh_key_info(&kdc_dh);
     free_krb5_pa_pk_as_rep(&kdc_reply);