Blame SOURCES/Fix-certauth-built-in-module-returns.patch

e58a44
From 41b9111b48e53bf7864ed1f134e0433b070fa900 Mon Sep 17 00:00:00 2001
e58a44
From: Greg Hudson <ghudson@mit.edu>
e58a44
Date: Thu, 24 Aug 2017 11:11:46 -0400
e58a44
Subject: [PATCH] Fix certauth built-in module returns
e58a44
e58a44
The PKINIT certauth eku module should never authoritatively authorize
e58a44
a certificate, because an extended key usage does not establish a
e58a44
relationship between the certificate and any specific user; it only
e58a44
establishes that the certificate was created for PKINIT client
e58a44
authentication.  Therefore, pkinit_eku_authorize() should return
e58a44
KRB5_PLUGIN_NO_HANDLE on success, not 0.
e58a44
e58a44
The certauth san module should pass if it does not find any SANs of
e58a44
the types it can match against; the presence of other types of SANs
e58a44
should not cause it to explicitly deny a certificate.  Check for an
e58a44
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
e58a44
instead of returning ENOENT from crypto_retrieve_cert_sans() when
e58a44
there are no SANs at all.
e58a44
e58a44
ticket: 8561
e58a44
(cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025)
e58a44
---
665228
 .../preauth/pkinit/pkinit_crypto_openssl.c    | 39 +++++++++----------
665228
 src/plugins/preauth/pkinit/pkinit_srv.c       | 14 ++++---
e58a44
 2 files changed, 27 insertions(+), 26 deletions(-)
e58a44
e58a44
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
e58a44
index 70e230ec2..7fa2efd21 100644
e58a44
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
e58a44
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
e58a44
@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context,
e58a44
 
e58a44
     if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
e58a44
         pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
e58a44
-        retval = ENOENT;
e58a44
         goto cleanup;
e58a44
     }
e58a44
     num_sans = sk_GENERAL_NAME_num(ialt);
e58a44
@@ -2240,31 +2239,29 @@ crypto_retrieve_X509_sans(krb5_context context,
e58a44
     sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
e58a44
 
e58a44
     retval = 0;
e58a44
-    if (princs)
e58a44
+    if (princs != NULL && *princs != NULL) {
e58a44
         *princs_ret = princs;
e58a44
-    if (upns)
e58a44
+        princs = NULL;
e58a44
+    }
e58a44
+    if (upns != NULL && *upns != NULL) {
e58a44
         *upn_ret = upns;
e58a44
-    if (dnss)
e58a44
+        upns = NULL;
e58a44
+    }
e58a44
+    if (dnss != NULL && *dnss != NULL) {
e58a44
         *dns_ret = dnss;
e58a44
+        dnss = NULL;
e58a44
+    }
e58a44
 
e58a44
 cleanup:
e58a44
-    if (retval) {
e58a44
-        if (princs != NULL) {
e58a44
-            for (i = 0; princs[i] != NULL; i++)
e58a44
-                krb5_free_principal(context, princs[i]);
e58a44
-            free(princs);
e58a44
-        }
e58a44
-        if (upns != NULL) {
e58a44
-            for (i = 0; upns[i] != NULL; i++)
e58a44
-                krb5_free_principal(context, upns[i]);
e58a44
-            free(upns);
e58a44
-        }
e58a44
-        if (dnss != NULL) {
e58a44
-            for (i = 0; dnss[i] != NULL; i++)
e58a44
-                free(dnss[i]);
e58a44
-            free(dnss);
e58a44
-        }
e58a44
-    }
e58a44
+    for (i = 0; princs != NULL && princs[i] != NULL; i++)
e58a44
+        krb5_free_principal(context, princs[i]);
e58a44
+    free(princs);
e58a44
+    for (i = 0; upns != NULL && upns[i] != NULL; i++)
e58a44
+        krb5_free_principal(context, upns[i]);
e58a44
+    free(upns);
e58a44
+    for (i = 0; dnss != NULL && dnss[i] != NULL; i++)
e58a44
+        free(dnss[i]);
e58a44
+    free(dnss);
e58a44
     return retval;
e58a44
 }
e58a44
 
e58a44
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
e58a44
index 9c6e96c9e..8e77606f8 100644
e58a44
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
e58a44
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
e58a44
@@ -187,14 +187,18 @@ verify_client_san(krb5_context context,
e58a44
                                        &princs,
e58a44
                                        plgctx->opts->allow_upn ? &upns : NULL,
e58a44
                                        NULL);
e58a44
-    if (retval == ENOENT) {
e58a44
-        TRACE_PKINIT_SERVER_NO_SAN(context);
e58a44
-        goto out;
e58a44
-    } else if (retval) {
e58a44
+    if (retval) {
e58a44
         pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
e58a44
         retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
e58a44
         goto out;
e58a44
     }
e58a44
+
e58a44
+    if (princs == NULL && upns == NULL) {
e58a44
+        TRACE_PKINIT_SERVER_NO_SAN(context);
e58a44
+        retval = ENOENT;
e58a44
+        goto out;
e58a44
+    }
e58a44
+
e58a44
     /* XXX Verify this is consistent with client side XXX */
e58a44
 #if 0
e58a44
     retval = call_san_checking_plugins(context, plgctx, reqctx, princs,
e58a44
@@ -1495,7 +1499,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
e58a44
         return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
e58a44
     }
e58a44
 
e58a44
-    return 0;
e58a44
+    return KRB5_PLUGIN_NO_HANDLE;
e58a44
 }
e58a44
 
e58a44
 static krb5_error_code