|
|
749169 |
From 5fbdf62de3883be137ed9a1a2eff3985e4ca05ae Mon Sep 17 00:00:00 2001
|
|
|
e58a44 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
e58a44 |
Date: Thu, 24 Aug 2017 11:11:46 -0400
|
|
|
e58a44 |
Subject: [PATCH] Fix certauth built-in module returns
|
|
|
e58a44 |
|
|
|
e58a44 |
The PKINIT certauth eku module should never authoritatively authorize
|
|
|
e58a44 |
a certificate, because an extended key usage does not establish a
|
|
|
e58a44 |
relationship between the certificate and any specific user; it only
|
|
|
e58a44 |
establishes that the certificate was created for PKINIT client
|
|
|
e58a44 |
authentication. Therefore, pkinit_eku_authorize() should return
|
|
|
e58a44 |
KRB5_PLUGIN_NO_HANDLE on success, not 0.
|
|
|
e58a44 |
|
|
|
e58a44 |
The certauth san module should pass if it does not find any SANs of
|
|
|
e58a44 |
the types it can match against; the presence of other types of SANs
|
|
|
e58a44 |
should not cause it to explicitly deny a certificate. Check for an
|
|
|
e58a44 |
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
|
|
|
e58a44 |
instead of returning ENOENT from crypto_retrieve_cert_sans() when
|
|
|
e58a44 |
there are no SANs at all.
|
|
|
e58a44 |
|
|
|
e58a44 |
ticket: 8561
|
|
|
e58a44 |
(cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025)
|
|
|
e58a44 |
---
|
|
|
665228 |
.../preauth/pkinit/pkinit_crypto_openssl.c | 39 +++++++++----------
|
|
|
665228 |
src/plugins/preauth/pkinit/pkinit_srv.c | 14 ++++---
|
|
|
e58a44 |
2 files changed, 27 insertions(+), 26 deletions(-)
|
|
|
e58a44 |
|
|
|
e58a44 |
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
749169 |
index 792a2f771..85ca8885d 100644
|
|
|
e58a44 |
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
e58a44 |
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
e58a44 |
@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context,
|
|
|
e58a44 |
|
|
|
e58a44 |
if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
|
|
|
e58a44 |
pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
|
|
|
e58a44 |
- retval = ENOENT;
|
|
|
e58a44 |
goto cleanup;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
num_sans = sk_GENERAL_NAME_num(ialt);
|
|
|
e58a44 |
@@ -2240,31 +2239,29 @@ crypto_retrieve_X509_sans(krb5_context context,
|
|
|
e58a44 |
sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
|
|
|
e58a44 |
|
|
|
e58a44 |
retval = 0;
|
|
|
e58a44 |
- if (princs)
|
|
|
e58a44 |
+ if (princs != NULL && *princs != NULL) {
|
|
|
e58a44 |
*princs_ret = princs;
|
|
|
e58a44 |
- if (upns)
|
|
|
e58a44 |
+ princs = NULL;
|
|
|
e58a44 |
+ }
|
|
|
e58a44 |
+ if (upns != NULL && *upns != NULL) {
|
|
|
e58a44 |
*upn_ret = upns;
|
|
|
e58a44 |
- if (dnss)
|
|
|
e58a44 |
+ upns = NULL;
|
|
|
e58a44 |
+ }
|
|
|
e58a44 |
+ if (dnss != NULL && *dnss != NULL) {
|
|
|
e58a44 |
*dns_ret = dnss;
|
|
|
e58a44 |
+ dnss = NULL;
|
|
|
e58a44 |
+ }
|
|
|
e58a44 |
|
|
|
e58a44 |
cleanup:
|
|
|
e58a44 |
- if (retval) {
|
|
|
e58a44 |
- if (princs != NULL) {
|
|
|
e58a44 |
- for (i = 0; princs[i] != NULL; i++)
|
|
|
e58a44 |
- krb5_free_principal(context, princs[i]);
|
|
|
e58a44 |
- free(princs);
|
|
|
e58a44 |
- }
|
|
|
e58a44 |
- if (upns != NULL) {
|
|
|
e58a44 |
- for (i = 0; upns[i] != NULL; i++)
|
|
|
e58a44 |
- krb5_free_principal(context, upns[i]);
|
|
|
e58a44 |
- free(upns);
|
|
|
e58a44 |
- }
|
|
|
e58a44 |
- if (dnss != NULL) {
|
|
|
e58a44 |
- for (i = 0; dnss[i] != NULL; i++)
|
|
|
e58a44 |
- free(dnss[i]);
|
|
|
e58a44 |
- free(dnss);
|
|
|
e58a44 |
- }
|
|
|
e58a44 |
- }
|
|
|
e58a44 |
+ for (i = 0; princs != NULL && princs[i] != NULL; i++)
|
|
|
e58a44 |
+ krb5_free_principal(context, princs[i]);
|
|
|
e58a44 |
+ free(princs);
|
|
|
e58a44 |
+ for (i = 0; upns != NULL && upns[i] != NULL; i++)
|
|
|
e58a44 |
+ krb5_free_principal(context, upns[i]);
|
|
|
e58a44 |
+ free(upns);
|
|
|
e58a44 |
+ for (i = 0; dnss != NULL && dnss[i] != NULL; i++)
|
|
|
e58a44 |
+ free(dnss[i]);
|
|
|
e58a44 |
+ free(dnss);
|
|
|
e58a44 |
return retval;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|
|
|
e58a44 |
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
e58a44 |
index 9c6e96c9e..8e77606f8 100644
|
|
|
e58a44 |
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
e58a44 |
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
|
|
|
e58a44 |
@@ -187,14 +187,18 @@ verify_client_san(krb5_context context,
|
|
|
e58a44 |
&princs,
|
|
|
e58a44 |
plgctx->opts->allow_upn ? &upns : NULL,
|
|
|
e58a44 |
NULL);
|
|
|
e58a44 |
- if (retval == ENOENT) {
|
|
|
e58a44 |
- TRACE_PKINIT_SERVER_NO_SAN(context);
|
|
|
e58a44 |
- goto out;
|
|
|
e58a44 |
- } else if (retval) {
|
|
|
e58a44 |
+ if (retval) {
|
|
|
e58a44 |
pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
|
|
|
e58a44 |
retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
|
|
|
e58a44 |
goto out;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
+
|
|
|
e58a44 |
+ if (princs == NULL && upns == NULL) {
|
|
|
e58a44 |
+ TRACE_PKINIT_SERVER_NO_SAN(context);
|
|
|
e58a44 |
+ retval = ENOENT;
|
|
|
e58a44 |
+ goto out;
|
|
|
e58a44 |
+ }
|
|
|
e58a44 |
+
|
|
|
e58a44 |
/* XXX Verify this is consistent with client side XXX */
|
|
|
e58a44 |
#if 0
|
|
|
e58a44 |
retval = call_san_checking_plugins(context, plgctx, reqctx, princs,
|
|
|
e58a44 |
@@ -1495,7 +1499,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
|
|
|
e58a44 |
return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|
|
|
e58a44 |
- return 0;
|
|
|
e58a44 |
+ return KRB5_PLUGIN_NO_HANDLE;
|
|
|
e58a44 |
}
|
|
|
e58a44 |
|
|
|
e58a44 |
static krb5_error_code
|