authorNalin Dahyabhai <nalin@dahyabhai.net>2012-06-22 14:24:31 -0400
committerNalin Dahyabhai <nalin@dahyabhai.net>2012-06-22 14:24:31 -0400
commit96d17196a3b39e351746d229746718bfb617b622 (patch)
tree9877b4da2e166435f3a317989e103520c030190c
parent2598de5d470bfcc4dc85dbf57a1dcc4fc4839cd7 (diff)
parentf60e9ef28c1c736e2eed7b815d67029c4857af4c (diff)
Merge remote-tracking branch 'origin/master' into f17krb5-1.10.2-3.fc17
-rw-r--r--krb5-trunk-pkinit-anchorsign.patch40
-rw-r--r--krb5.spec9
2 files changed, 48 insertions, 1 deletions
diff --git a/krb5-trunk-pkinit-anchorsign.patch b/krb5-trunk-pkinit-anchorsign.patch
new file mode 100644
index 0000000..508bb5b
--- /dev/null
+++ b/krb5-trunk-pkinit-anchorsign.patch
@@ -0,0 +1,40 @@
+commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d
+Author: Greg Hudson <ghudson@mit.edu>
+Date: Thu Jun 21 17:20:29 2012 -0400
+
+ Handle PKINIT DH replies with no certs
+
+ If a PKINIT Diffie-Hellman reply contains no certificates in the
+ SignedData object, that may be because the signer certificate was a
+ trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
+ filters client trust anchors out of the returned set of certificates.
+ Match against idctx->trustedCAs and idctx->intermediateCAs to handle
+ this case. This fix only works with OpenSSL 1.0 or later; when built
+ against OpenSSL 0.9.x, the client will still require a cert in the
+ reply.
+
+ Code changes suggested by nalin@redhat.com.
+
+ ticket: 7183
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 0136d4f..7120ecf 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
+ X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
+ X509_STORE_set_flags(store, vflags);
+
+- /* get the signer's information from the CMS message */
++ /*
++ * Get the signer's information from the CMS message. Match signer ID
++ * against anchors and intermediate CAs in case no certs are present in the
++ * SignedData. If we start sending kdcPkId values in requests, we'll need
++ * to match against the source of that information too.
++ */
+ CMS_set1_signers_certs(cms, NULL, 0);
++ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
++ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
+ if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
+ ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
+ /* Not actually signed; anonymous case */
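Review bot: The two added `CMS_set1_signers_certs` calls against `idctx->trustedCAs` and `idctx->intermediateCAs` only select a candidate signer certificate for each SignerInfo; they confer no trust, and a certificate found in `intermediateCAs` in particular is not an anchor, so the signature must still be verified with that certificate and the certificate chained to an anchor in the `store` configured just above with `vflags` — that verification lies past the end of this hunk (`cms_signeddata_verify` continues outside it) and is worth confirming rather than assuming. Both calls also discard their return value, which is the number of SignerInfos matched, so nothing here records whether a signer was found; if the later code copes with an unmatched signer that is fine, but a comment should say so. If I read the OpenSSL semantics correctly, `CMS_NOINTERN` restricts these two calls to the supplied stack and SignerInfos already matched by the first call (which searched the message's own certificates) are skipped, so message-supplied certificates take precedence over the local anchors — that ordering deserves a line in the comment block, e.g. `/* Certs carried in the message win; anchors/intermediates are consulted only for signers still unmatched. Matching selects the cert, trust comes from chain-building against store below. */`.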
diff --git a/krb5.spec b/krb5.spec
index 3da0936..0562792 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -20,7 +20,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.2
-Release: 2%{?dist}
+Release: 3%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -68,6 +68,7 @@ Patch102: krb5-trunk-7048.patch
Patch103: krb5-1.10-gcc47.patch
Patch105: krb5-kvno-230379.patch
Patch106: krb5-1.10.2-keytab-etype.patch
+Patch107: krb5-trunk-pkinit-anchorsign.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -245,6 +246,7 @@ ln -s NOTICE LICENSE
%patch103 -p0 -b .gcc47
%patch105 -p1 -b .kvno
%patch106 -p1 -b .keytab-etype
+%patch107 -p1 -b .pkinit-anchorsign
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -753,6 +755,11 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Fri Jun 22 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-3
+- backport a fix to allow a PKINIT client to handle SignedData from a KDC
+ that's signed with a certificate that isn't in the SignedData, but which
+ is available as an anchor or intermediate on the client (RT#7183)
+
* Tue Jun 5 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-2
- back out this labeling change (dwalsh):
- when building the new label for a file we're about to create, also mix