rpms / krb5

Clone
Source Code
GIT

Blame SOURCES/0010-Update-error-checking-for-OpenSSL-CMS_verify.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   d1ad9f0e33886c56ed78a784929d353526229cf5
  2.   SOURCES
  3.   0010-Update-error-checking-for-OpenSSL-CMS_verify.patch
Blob History Raw
d1ad9f 
From 75f71ace74449a6e5154314229bfa61960cd326c Mon Sep 17 00:00:00 2001
d1ad9f 
From: Julien Rische <jrische@redhat.com>
d1ad9f 
Date: Thu, 28 Jul 2022 15:20:12 +0200
d1ad9f 
Subject: [PATCH] Update error checking for OpenSSL CMS_verify
d1ad9f
d1ad9f 
The code for CMS data verification was initially written for OpenSSL's
d1ad9f 
PKCS7_verify() function.  It now uses CMS_verify(), but error handling
d1ad9f 
is still done using PKCS7_verify() error identifiers.  Update the
d1ad9f 
recognized error codes so that the KDC generates
d1ad9f 
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
d1ad9f 
Use ERR_peek_last_error() to observe the error generated closest to
d1ad9f 
the API surface.
d1ad9f
d1ad9f 
[ghudson@mit.edu: edited commit message]
d1ad9f
d1ad9f 
ticket: 9069 (new)
d1ad9f 
tags: pullup
d1ad9f 
target_version: 1.20-next
d1ad9f 
---
d1ad9f 
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++---
d1ad9f 
 1 file changed, 6 insertions(+), 3 deletions(-)
d1ad9f
d1ad9f 
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
d1ad9f 
index 1c2aa02827..16edf15cb2 100644
d1ad9f 
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
d1ad9f 
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
d1ad9f 
@@ -2102,12 +2102,15 @@ cms_signeddata_verify(krb5_context context,
d1ad9f 
             goto cleanup;
d1ad9f 
         out = BIO_new(BIO_s_mem());
d1ad9f 
         if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) {
d1ad9f 
-            unsigned long err = ERR_peek_error();
d1ad9f 
+            unsigned long err = ERR_peek_last_error();
d1ad9f 
             switch(ERR_GET_REASON(err)) {
d1ad9f 
-            case PKCS7_R_DIGEST_FAILURE:
d1ad9f 
+            case RSA_R_DIGEST_NOT_ALLOWED:
d1ad9f 
+            case CMS_R_UNKNOWN_DIGEST_ALGORITHM:
d1ad9f 
+            case CMS_R_NO_MATCHING_DIGEST:
d1ad9f 
+            case CMS_R_NO_MATCHING_SIGNATURE:
d1ad9f 
                 retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED;
d1ad9f 
                 break;
d1ad9f 
-            case PKCS7_R_SIGNATURE_FAILURE:
d1ad9f 
+            case CMS_R_VERIFICATION_FAILURE:
d1ad9f 
             default:
d1ad9f 
                 retval = KRB5KDC_ERR_INVALID_SIG;
d1ad9f 
             }
d1ad9f 
--
d1ad9f 
2.38.1
d1ad9f

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation