|
 |
167778 |
From 38692624d6e2f23309f6652c98dd04b0af37308c Mon Sep 17 00:00:00 2001
|
|
|
167778 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
167778 |
Date: Thu, 22 Mar 2018 19:46:22 -0400
|
|
|
167778 |
Subject: [PATCH] Save SANs separately and unparse them with NO_REALM
|
|
|
167778 |
|
|
|
167778 |
(cherry picked from commit 23ea8d6a9617d17ae5a529c23174d77adac39055)
|
|
|
167778 |
---
|
|
|
167778 |
src/plugins/preauth/pkinit/pkinit_crypto.h | 4 +-
|
|
|
167778 |
.../preauth/pkinit/pkinit_crypto_openssl.c | 37 ++-----------------
|
|
|
167778 |
src/plugins/preauth/pkinit/pkinit_matching.c | 30 +++++++++++----
|
|
|
167778 |
3 files changed, 28 insertions(+), 43 deletions(-)
|
|
|
167778 |
|
|
|
167778 |
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
|
|
167778 |
index a0176acad..c14f4456a 100644
|
|
|
167778 |
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
|
|
|
167778 |
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
|
|
|
167778 |
@@ -100,8 +100,8 @@ typedef struct _pkinit_cert_matching_data {
|
|
|
167778 |
char *issuer_dn; /* rfc2253-style issuer name string */
|
|
|
167778 |
unsigned int ku_bits; /* key usage information */
|
|
|
167778 |
unsigned int eku_bits; /* extended key usage information */
|
|
|
167778 |
- krb5_principal *sans; /* Null-terminated array of subject alternative
|
|
|
167778 |
- name info (pkinit and ms-upn) */
|
|
|
167778 |
+ krb5_principal *sans; /* Null-terminated array of PKINIT SANs */
|
|
|
167778 |
+ krb5_principal *upns; /* Null-terimnated array of UPN SANs */
|
|
|
167778 |
} pkinit_cert_matching_data;
|
|
|
167778 |
|
|
|
167778 |
/*
|
|
|
167778 |
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
167778 |
index 1eb273808..a38738f45 100644
|
|
|
167778 |
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
167778 |
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
167778 |
@@ -5110,6 +5110,9 @@ crypto_cert_free_matching_data(krb5_context context,
|
|
|
167778 |
for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++)
|
|
|
167778 |
krb5_free_principal(context, md->sans[i]);
|
|
|
167778 |
free(md->sans);
|
|
|
167778 |
+ for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++)
|
|
|
167778 |
+ krb5_free_principal(context, md->upns[i]);
|
|
|
167778 |
+ free(md->upns);
|
|
|
167778 |
free(md);
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
@@ -5138,8 +5141,6 @@ get_matching_data(krb5_context context,
|
|
|
167778 |
{
|
|
|
167778 |
krb5_error_code ret = ENOMEM;
|
|
|
167778 |
pkinit_cert_matching_data *md = NULL;
|
|
|
167778 |
- krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
|
|
|
167778 |
- size_t i, j;
|
|
|
167778 |
|
|
|
167778 |
*md_out = NULL;
|
|
|
167778 |
|
|
|
167778 |
@@ -5156,40 +5157,10 @@ get_matching_data(krb5_context context,
|
|
|
167778 |
|
|
|
167778 |
/* Get the SAN data. */
|
|
|
167778 |
ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
|
|
|
167778 |
- cert, &pkinit_sans, &upn_sans, NULL);
|
|
|
167778 |
+ cert, &md->sans, &md->upns, NULL);
|
|
|
167778 |
if (ret)
|
|
|
167778 |
goto cleanup;
|
|
|
167778 |
|
|
|
167778 |
- j = 0;
|
|
|
167778 |
- if (pkinit_sans != NULL) {
|
|
|
167778 |
- for (i = 0; pkinit_sans[i] != NULL; i++)
|
|
|
167778 |
- j++;
|
|
|
167778 |
- }
|
|
|
167778 |
- if (upn_sans != NULL) {
|
|
|
167778 |
- for (i = 0; upn_sans[i] != NULL; i++)
|
|
|
167778 |
- j++;
|
|
|
167778 |
- }
|
|
|
167778 |
- if (j != 0) {
|
|
|
167778 |
- md->sans = calloc((size_t)j+1, sizeof(*md->sans));
|
|
|
167778 |
- if (md->sans == NULL) {
|
|
|
167778 |
- ret = ENOMEM;
|
|
|
167778 |
- goto cleanup;
|
|
|
167778 |
- }
|
|
|
167778 |
- j = 0;
|
|
|
167778 |
- if (pkinit_sans != NULL) {
|
|
|
167778 |
- for (i = 0; pkinit_sans[i] != NULL; i++)
|
|
|
167778 |
- md->sans[j++] = pkinit_sans[i];
|
|
|
167778 |
- free(pkinit_sans);
|
|
|
167778 |
- }
|
|
|
167778 |
- if (upn_sans != NULL) {
|
|
|
167778 |
- for (i = 0; upn_sans[i] != NULL; i++)
|
|
|
167778 |
- md->sans[j++] = upn_sans[i];
|
|
|
167778 |
- free(upn_sans);
|
|
|
167778 |
- }
|
|
|
167778 |
- md->sans[j] = NULL;
|
|
|
167778 |
- } else
|
|
|
167778 |
- md->sans = NULL;
|
|
|
167778 |
-
|
|
|
167778 |
/* Get the KU and EKU data. */
|
|
|
167778 |
ret = crypto_retrieve_X509_key_usage(context, plg_cryptoctx,
|
|
|
167778 |
req_cryptoctx, cert, &md->ku_bits,
|
|
|
167778 |
diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
|
|
|
167778 |
index d6775dc4f..fe1e0f386 100644
|
|
|
167778 |
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
|
|
|
167778 |
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
|
|
|
167778 |
@@ -470,7 +470,6 @@ component_match(krb5_context context,
|
|
|
167778 |
{
|
|
|
167778 |
int match = 0;
|
|
|
167778 |
int i;
|
|
|
167778 |
- krb5_principal p;
|
|
|
167778 |
char *princ_string;
|
|
|
167778 |
|
|
|
167778 |
switch (rc->kwval_type) {
|
|
|
167778 |
@@ -483,10 +482,17 @@ component_match(krb5_context context,
|
|
|
167778 |
match = regexp_match(context, rc, md->issuer_dn);
|
|
|
167778 |
break;
|
|
|
167778 |
case kw_san:
|
|
|
167778 |
- if (md->sans == NULL)
|
|
|
167778 |
- break;
|
|
|
167778 |
- for (i = 0, p = md->sans[i]; p != NULL; p = md->sans[++i]) {
|
|
|
167778 |
- krb5_unparse_name(context, p, &princ_string);
|
|
|
167778 |
+ for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) {
|
|
|
167778 |
+ krb5_unparse_name(context, md->sans[i], &princ_string);
|
|
|
167778 |
+ match = regexp_match(context, rc, princ_string);
|
|
|
167778 |
+ krb5_free_unparsed_name(context, princ_string);
|
|
|
167778 |
+ if (match)
|
|
|
167778 |
+ break;
|
|
|
167778 |
+ }
|
|
|
167778 |
+ for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) {
|
|
|
167778 |
+ krb5_unparse_name_flags(context, md->upns[i],
|
|
|
167778 |
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
|
|
|
167778 |
+ &princ_string);
|
|
|
167778 |
match = regexp_match(context, rc, princ_string);
|
|
|
167778 |
krb5_free_unparsed_name(context, princ_string);
|
|
|
167778 |
if (match)
|
|
|
167778 |
@@ -572,10 +578,18 @@ check_all_certs(krb5_context context,
|
|
|
167778 |
pkiDebug("%s: subject: '%s'\n", __FUNCTION__, md->subject_dn);
|
|
|
167778 |
#if 0
|
|
|
167778 |
pkiDebug("%s: issuer: '%s'\n", __FUNCTION__, md->subject_dn);
|
|
|
167778 |
- for (j = 0, p = md->sans[j]; p != NULL; p = md->sans[++j]) {
|
|
|
167778 |
+ for (j = 0; md->sans != NULL && md->sans[j] != NULL; j++) {
|
|
|
167778 |
char *san_string;
|
|
|
167778 |
- krb5_unparse_name(context, p, &san_string);
|
|
|
167778 |
- pkiDebug("%s: san: '%s'\n", __FUNCTION__, san_string);
|
|
|
167778 |
+ krb5_unparse_name(context, md->sans[j], &san_string);
|
|
|
167778 |
+ pkiDebug("%s: PKINIT san: '%s'\n", __FUNCTION__, san_string);
|
|
|
167778 |
+ krb5_free_unparsed_name(context, san_string);
|
|
|
167778 |
+ }
|
|
|
167778 |
+ for (j = 0; md->upns != NULL && md->upns[j] != NULL; j++) {
|
|
|
167778 |
+ char *san_string;
|
|
|
167778 |
+ krb5_unparse_name_flags(context, md->upns[j],
|
|
|
167778 |
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
|
|
|
167778 |
+ &san_string);
|
|
|
167778 |
+ pkiDebug("%s: UPN san: '%s'\n", __FUNCTION__, san_string);
|
|
|
167778 |
krb5_free_unparsed_name(context, san_string);
|
|
|
167778 |
}
|
|
|
167778 |
#endif
|