Blame SOURCES/Save-SANs-separately-and-unparse-them-with-NO_REALM.patch

665228
From 38692624d6e2f23309f6652c98dd04b0af37308c Mon Sep 17 00:00:00 2001
665228
From: Greg Hudson <ghudson@mit.edu>
665228
Date: Thu, 22 Mar 2018 19:46:22 -0400
665228
Subject: [PATCH] Save SANs separately and unparse them with NO_REALM
665228
665228
(cherry picked from commit 23ea8d6a9617d17ae5a529c23174d77adac39055)
665228
---
665228
 src/plugins/preauth/pkinit/pkinit_crypto.h    |  4 +-
665228
 .../preauth/pkinit/pkinit_crypto_openssl.c    | 37 ++-----------------
665228
 src/plugins/preauth/pkinit/pkinit_matching.c  | 30 +++++++++++----
665228
 3 files changed, 28 insertions(+), 43 deletions(-)
665228
665228
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
665228
index a0176acad..c14f4456a 100644
665228
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
665228
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
665228
@@ -100,8 +100,8 @@ typedef struct _pkinit_cert_matching_data {
665228
     char *issuer_dn;	    /* rfc2253-style issuer name string */
665228
     unsigned int ku_bits;   /* key usage information */
665228
     unsigned int eku_bits;  /* extended key usage information */
665228
-    krb5_principal *sans;   /* Null-terminated array of subject alternative
665228
-			       name info (pkinit and ms-upn) */
665228
+    krb5_principal *sans;   /* Null-terminated array of PKINIT SANs */
665228
+    krb5_principal *upns;   /* Null-terimnated array of UPN SANs */
665228
 } pkinit_cert_matching_data;
665228
 
665228
 /*
665228
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
665228
index 1eb273808..a38738f45 100644
665228
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
665228
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
665228
@@ -5110,6 +5110,9 @@ crypto_cert_free_matching_data(krb5_context context,
665228
     for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++)
665228
         krb5_free_principal(context, md->sans[i]);
665228
     free(md->sans);
665228
+    for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++)
665228
+        krb5_free_principal(context, md->upns[i]);
665228
+    free(md->upns);
665228
     free(md);
665228
 }
665228
 
665228
@@ -5138,8 +5141,6 @@ get_matching_data(krb5_context context,
665228
 {
665228
     krb5_error_code ret = ENOMEM;
665228
     pkinit_cert_matching_data *md = NULL;
665228
-    krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
665228
-    size_t i, j;
665228
 
665228
     *md_out = NULL;
665228
 
665228
@@ -5156,40 +5157,10 @@ get_matching_data(krb5_context context,
665228
 
665228
     /* Get the SAN data. */
665228
     ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
665228
-                                    cert, &pkinit_sans, &upn_sans, NULL);
665228
+                                    cert, &md->sans, &md->upns, NULL);
665228
     if (ret)
665228
         goto cleanup;
665228
 
665228
-    j = 0;
665228
-    if (pkinit_sans != NULL) {
665228
-        for (i = 0; pkinit_sans[i] != NULL; i++)
665228
-            j++;
665228
-    }
665228
-    if (upn_sans != NULL) {
665228
-        for (i = 0; upn_sans[i] != NULL; i++)
665228
-            j++;
665228
-    }
665228
-    if (j != 0) {
665228
-        md->sans = calloc((size_t)j+1, sizeof(*md->sans));
665228
-        if (md->sans == NULL) {
665228
-            ret = ENOMEM;
665228
-            goto cleanup;
665228
-        }
665228
-        j = 0;
665228
-        if (pkinit_sans != NULL) {
665228
-            for (i = 0; pkinit_sans[i] != NULL; i++)
665228
-                md->sans[j++] = pkinit_sans[i];
665228
-            free(pkinit_sans);
665228
-        }
665228
-        if (upn_sans != NULL) {
665228
-            for (i = 0; upn_sans[i] != NULL; i++)
665228
-                md->sans[j++] = upn_sans[i];
665228
-            free(upn_sans);
665228
-        }
665228
-        md->sans[j] = NULL;
665228
-    } else
665228
-        md->sans = NULL;
665228
-
665228
     /* Get the KU and EKU data. */
665228
     ret = crypto_retrieve_X509_key_usage(context, plg_cryptoctx,
665228
                                          req_cryptoctx, cert, &md->ku_bits,
665228
diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
665228
index d6775dc4f..fe1e0f386 100644
665228
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
665228
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
665228
@@ -470,7 +470,6 @@ component_match(krb5_context context,
665228
 {
665228
     int match = 0;
665228
     int i;
665228
-    krb5_principal p;
665228
     char *princ_string;
665228
 
665228
     switch (rc->kwval_type) {
665228
@@ -483,10 +482,17 @@ component_match(krb5_context context,
665228
             match = regexp_match(context, rc, md->issuer_dn);
665228
             break;
665228
         case kw_san:
665228
-            if (md->sans == NULL)
665228
-                break;
665228
-            for (i = 0, p = md->sans[i]; p != NULL; p = md->sans[++i]) {
665228
-                krb5_unparse_name(context, p, &princ_string);
665228
+            for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) {
665228
+                krb5_unparse_name(context, md->sans[i], &princ_string);
665228
+                match = regexp_match(context, rc, princ_string);
665228
+                krb5_free_unparsed_name(context, princ_string);
665228
+                if (match)
665228
+                    break;
665228
+            }
665228
+            for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) {
665228
+                krb5_unparse_name_flags(context, md->upns[i],
665228
+                                        KRB5_PRINCIPAL_UNPARSE_NO_REALM,
665228
+                                        &princ_string);
665228
                 match = regexp_match(context, rc, princ_string);
665228
                 krb5_free_unparsed_name(context, princ_string);
665228
                 if (match)
665228
@@ -572,10 +578,18 @@ check_all_certs(krb5_context context,
665228
         pkiDebug("%s: subject: '%s'\n", __FUNCTION__, md->subject_dn);
665228
 #if 0
665228
         pkiDebug("%s: issuer:  '%s'\n", __FUNCTION__, md->subject_dn);
665228
-        for (j = 0, p = md->sans[j]; p != NULL; p = md->sans[++j]) {
665228
+        for (j = 0; md->sans != NULL && md->sans[j] != NULL; j++) {
665228
             char *san_string;
665228
-            krb5_unparse_name(context, p, &san_string);
665228
-            pkiDebug("%s: san: '%s'\n", __FUNCTION__, san_string);
665228
+            krb5_unparse_name(context, md->sans[j], &san_string);
665228
+            pkiDebug("%s: PKINIT san: '%s'\n", __FUNCTION__, san_string);
665228
+            krb5_free_unparsed_name(context, san_string);
665228
+        }
665228
+        for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++) {
665228
+            char *san_string;
665228
+            krb5_unparse_name_flags(context, md->upns[j],
665228
+                                    KRB5_PRINCIPAL_UNPARSE_NO_REALM,
665228
+                                    &san_string);
665228
+            pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, san_string);
665228
             krb5_free_unparsed_name(context, san_string);
665228
         }
665228
 #endif