diff options
| author | Nalin Dahyabhai <nalin@redhat.com> | 2010-11-05 15:07:40 -0400 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin@redhat.com> | 2010-11-05 15:07:40 -0400 |
| commit | c4fcdebf2560a7fc22b5932a107523b7eee7e2ad (patch) | |
| tree | 57d88fcd483d43810ea4f3e53ea19ba0ea7181b5 | |
| parent | 01711b78ff6ad177243d7aeb0f10b1d92c5eadf8 (diff) | |
- fix included in 1.9
| -rw-r--r-- | krb5-trunk-signed.patch | 42 |
1 files changed, 0 insertions, 42 deletions
diff --git a/krb5-trunk-signed.patch b/krb5-trunk-signed.patch deleted file mode 100644 index c8be88e..0000000 --- a/krb5-trunk-signed.patch +++ /dev/null @@ -1,42 +0,0 @@ -In crypto_retrieve_X509_sans(), the "i" used to hold the result of -X509_get_ext_by_NID() is unsigned, so without a cast or changing its -type, the comparison to -1 will always succeed. - -If the attempt to parse the SAN value then fails because the extension -is not present, then crypto_retrieve_X509_sans(), -crypto_cert_get_matching_data(), and obtain_all_cert_matching_data() -will all return EINVAL, pkinit_cert_matching() will fail, and -pkinit_identity_initialize() will fail. As a result, the presence one -candidate certificate which doesn't contain any SAN values will cause -the client to fail to locate its certificate. RT#6774, part of #629022. - -Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -=================================================================== ---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24322) -+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24323) -@@ -1767,7 +1767,7 @@ - { - krb5_error_code retval = EINVAL; - char buf[DN_BUF_LEN]; -- int p = 0, u = 0, d = 0; -+ int p = 0, u = 0, d = 0, l; - krb5_principal *princs = NULL; - krb5_principal *upns = NULL; - unsigned char **dnss = NULL; -@@ -1787,14 +1787,14 @@ - buf, sizeof(buf)); - pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf); - -- if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) { -+ if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) { - X509_EXTENSION *ext = NULL; - GENERAL_NAMES *ialt = NULL; - GENERAL_NAME *gen = NULL; - int ret = 0; - unsigned int num_sans = 0; - -- if (!(ext = X509_get_ext(cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) { -+ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { - pkiDebug("%s: found no subject alt name extensions\n", - __FUNCTION__); - goto cleanup; |