diff options
author | Robbie Harwood <rharwood@redhat.com> | 2017-04-19 17:39:28 +0000 |
---|---|---|
committer | Robbie Harwood <rharwood@redhat.com> | 2017-04-19 17:49:45 +0000 |
commit | 21848ec3e1a0d4a00ed0f4ff467c3b37ec97d395 (patch) | |
tree | 3b55b87910c4a134b8187da3998092641e17af4a /Add-certauth-pluggable-interface.patch | |
parent | 291b968871e72c24382a700453618ec50abc25b3 (diff) | |
download | krb5-21848ec3e1a0d4a00ed0f4ff467c3b37ec97d395.tar.gz krb5-21848ec3e1a0d4a00ed0f4ff467c3b37ec97d395.tar.xz krb5-21848ec3e1a0d4a00ed0f4ff467c3b37ec97d395.zip |
Update backports of certauth and corresponding test
Diffstat (limited to 'Add-certauth-pluggable-interface.patch')
-rw-r--r-- | Add-certauth-pluggable-interface.patch | 89 |
1 files changed, 46 insertions, 43 deletions
diff --git a/Add-certauth-pluggable-interface.patch b/Add-certauth-pluggable-interface.patch index d946c2f..49450d1 100644 --- a/Add-certauth-pluggable-interface.patch +++ b/Add-certauth-pluggable-interface.patch @@ -1,4 +1,4 @@ -From ee26c1e3f7e98ed656b154c212bd5a335e87f312 Mon Sep 17 00:00:00 2001 +From bb76ee06b88ebfc1a2abc95fc096299bda8946e9 Mon Sep 17 00:00:00 2001 From: Matt Rogers <mrogers@redhat.com> Date: Tue, 28 Feb 2017 15:55:24 -0500 Subject: [PATCH] Add certauth pluggable interface @@ -21,7 +21,7 @@ doc/plugindev/certauth.rst and doc/admin/krb5_conf.rst. [ghudson@mit.edu: simplified code, edited docs] ticket: 8561 (new) -(cherry picked from commit 6a48b95e3ad65605a657020385b34875677e8b75) +(cherry picked from commit b619ce84470519bea65470be3263cd85fba94f57) --- doc/admin/conf_files/krb5_conf.rst | 21 ++ doc/plugindev/certauth.rst | 27 ++ @@ -37,12 +37,12 @@ ticket: 8561 (new) src/plugins/certauth/test/deps | 14 + src/plugins/certauth/test/main.c | 209 +++++++++++++ src/plugins/preauth/pkinit/pkinit_crypto.h | 4 + - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 26 ++ - src/plugins/preauth/pkinit/pkinit_srv.c | 340 ++++++++++++++++++--- + src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 30 ++ + src/plugins/preauth/pkinit/pkinit_srv.c | 335 ++++++++++++++++++--- src/plugins/preauth/pkinit/pkinit_trace.h | 5 + src/tests/Makefile.in | 1 + - src/tests/t_certauth.py | 43 +++ - 19 files changed, 783 insertions(+), 42 deletions(-) + src/tests/t_certauth.py | 47 +++ + 19 files changed, 786 insertions(+), 42 deletions(-) create mode 100644 doc/plugindev/certauth.rst create mode 100644 src/include/krb5/certauth_plugin.h create mode 100644 src/plugins/certauth/test/Makefile.in @@ -52,7 +52,7 @@ ticket: 8561 (new) create mode 100644 src/tests/t_certauth.py diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst -index 653aad613..ac89e3b52 100644 +index 653aad613..c0e4349c0 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -858,6 +858,27 @@ built-in modules exist for this interface: @@ -76,8 +76,8 @@ index 653aad613..ac89e3b52 100644 + is set to true for the realm. + +**pkinit_eku** -+ This module rejects the certificate if it does not contain the -+ PKINIT Extended Key Usage attribute consistent with the ++ This module rejects the certificate if it does not contain an ++ Extended Key Usage attribute consistent with the + **pkinit_eku_checking** value for the realm. + @@ -85,11 +85,11 @@ index 653aad613..ac89e3b52 100644 -------------- diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst new file mode 100644 -index 000000000..8b0360327 +index 000000000..8a7f7c5eb --- /dev/null +++ b/doc/plugindev/certauth.rst @@ -0,0 +1,27 @@ -+.. _certauth: ++.. _certauth_plugin: + +PKINIT certificate authorization interface (certauth) +===================================================== @@ -583,7 +583,7 @@ index b483affed..49b96b8ee 100644 + #endif /* _PKINIT_CRYPTO_H */ diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 8def8c542..c1276521b 100644 +index 8def8c542..a5b010b26 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -2137,6 +2137,7 @@ crypto_retrieve_X509_sans(krb5_context context, @@ -594,7 +594,7 @@ index 8def8c542..c1276521b 100644 goto cleanup; } num_sans = sk_GENERAL_NAME_num(ialt); -@@ -6176,3 +6177,28 @@ crypto_get_deferred_ids(krb5_context context, +@@ -6176,3 +6177,32 @@ crypto_get_deferred_ids(krb5_context context, ret = (const pkinit_deferred_id *)deferred; return ret; } @@ -605,7 +605,7 @@ index 8def8c542..c1276521b 100644 + uint8_t **der_out, size_t *der_len) +{ + int len; -+ unsigned char *p; ++ unsigned char *der, *p; + + *der_out = NULL; + *der_len = 0; @@ -616,15 +616,19 @@ index 8def8c542..c1276521b 100644 + len = i2d_X509(reqctx->received_cert, NULL); + if (len <= 0) + return EINVAL; -+ p = malloc(len); ++ p = der = malloc(len); + if (p == NULL) + return ENOMEM; -+ *der_out = p; ++ if (i2d_X509(reqctx->received_cert, &p) <= 0) { ++ free(p); ++ return EINVAL; ++ } ++ *der_out = der; + *der_len = len; + return 0; +} diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c -index b5638a367..23826c5e8 100644 +index b5638a367..731d14eb8 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -31,6 +31,25 @@ @@ -653,7 +657,7 @@ index b5638a367..23826c5e8 100644 static krb5_error_code pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob); -@@ -51,6 +70,36 @@ pkinit_find_realm_context(krb5_context context, +@@ -51,6 +70,34 @@ pkinit_find_realm_context(krb5_context context, krb5_kdcpreauth_moddata moddata, krb5_principal princ); @@ -674,14 +678,12 @@ index b5638a367..23826c5e8 100644 +free_certauth_handles(krb5_context context, certauth_handle *list) +{ + int i; -+ certauth_handle h; + + if (list == NULL) + return; + for (i = 0; list[i] != NULL; i++) { -+ h = list[i]; -+ if (h->vt.fini != NULL) -+ h->vt.fini(context, h->moddata); ++ if (list[i]->vt.fini != NULL) ++ list[i]->vt.fini(context, list[i]->moddata); + free(list[i]); + } + free(list); @@ -690,7 +692,7 @@ index b5638a367..23826c5e8 100644 static krb5_error_code pkinit_create_edata(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, -@@ -123,7 +172,7 @@ verify_client_san(krb5_context context, +@@ -123,7 +170,7 @@ verify_client_san(krb5_context context, pkinit_kdc_req_context reqctx, krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, @@ -699,7 +701,7 @@ index b5638a367..23826c5e8 100644 int *valid_san) { krb5_error_code retval; -@@ -134,12 +183,15 @@ verify_client_san(krb5_context context, +@@ -134,12 +181,15 @@ verify_client_san(krb5_context context, char *client_string = NULL, *san_string; #endif @@ -716,7 +718,7 @@ index b5638a367..23826c5e8 100644 pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__); retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; goto out; -@@ -273,6 +325,76 @@ out: +@@ -273,6 +323,73 @@ out: return retval; } @@ -730,7 +732,7 @@ index b5638a367..23826c5e8 100644 + krb5_principal client) +{ + krb5_error_code ret; -+ certauth_handle hd; ++ certauth_handle h; + struct certauth_req_opts opts; + krb5_boolean accepted = FALSE; + uint8_t *cert; @@ -739,7 +741,7 @@ index b5638a367..23826c5e8 100644 + char **ais = NULL, **ai = NULL; + + /* Re-encode the received certificate into DER, which is extra work, but -+ * avoids creating a crypto dependency on the interface. */ ++ * avoids creating an X.509 library dependency in the interface. */ + ret = crypto_encode_der_cert(context, reqctx->cryptoctx, &cert, &cert_len); + if (ret) + goto cleanup; @@ -760,12 +762,9 @@ index b5638a367..23826c5e8 100644 + */ + ret = KRB5_PLUGIN_NO_HANDLE; + for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) { -+ hd = certauth_modules[i]; -+ if (hd->vt.authorize == NULL) -+ continue; -+ -+ ret = hd->vt.authorize(context, hd->moddata, cert, cert_len, client, -+ &opts, db_ent, &ais); ++ h = certauth_modules[i]; ++ ret = h->vt.authorize(context, h->moddata, cert, cert_len, client, ++ &opts, db_ent, &ais); + if (ret == 0) + accepted = TRUE; + else if (ret != KRB5_PLUGIN_NO_HANDLE) @@ -778,7 +777,7 @@ index b5638a367..23826c5e8 100644 + if (ret) + goto cleanup; + } -+ hd->vt.free_ind(context, hd->moddata, ais); ++ h->vt.free_ind(context, h->moddata, ais); + ais = NULL; + } + } @@ -793,7 +792,7 @@ index b5638a367..23826c5e8 100644 static void pkinit_server_verify_padata(krb5_context context, krb5_data *req_pkt, -@@ -295,7 +417,6 @@ pkinit_server_verify_padata(krb5_context context, +@@ -295,7 +412,6 @@ pkinit_server_verify_padata(krb5_context context, pkinit_kdc_req_context reqctx = NULL; krb5_checksum cksum = {0, 0, 0, NULL}; krb5_data *der_req = NULL; @@ -801,7 +800,7 @@ index b5638a367..23826c5e8 100644 krb5_data k5data; int is_signed = 1; krb5_pa_data **e_data = NULL; -@@ -388,27 +509,11 @@ pkinit_server_verify_padata(krb5_context context, +@@ -388,27 +504,11 @@ pkinit_server_verify_padata(krb5_context context, goto cleanup; } if (is_signed) { @@ -831,7 +830,7 @@ index b5638a367..23826c5e8 100644 } else { /* !is_signed */ if (!krb5_principal_compare(context, request->client, krb5_anonymous_principal())) { -@@ -1245,11 +1350,15 @@ pkinit_find_realm_context(krb5_context context, +@@ -1245,11 +1345,15 @@ pkinit_find_realm_context(krb5_context context, krb5_principal princ) { int i; @@ -848,7 +847,7 @@ index b5638a367..23826c5e8 100644 for (i = 0; realm_contexts[i] != NULL; i++) { pkinit_kdc_context p = realm_contexts[i]; -@@ -1331,6 +1440,155 @@ errout: +@@ -1331,6 +1435,155 @@ errout: return retval; } @@ -1004,7 +1003,7 @@ index b5638a367..23826c5e8 100644 static int pkinit_server_plugin_init(krb5_context context, krb5_kdcpreauth_moddata *moddata_out, -@@ -1338,6 +1596,8 @@ pkinit_server_plugin_init(krb5_context context, +@@ -1338,6 +1591,8 @@ pkinit_server_plugin_init(krb5_context context, { krb5_error_code retval = ENOMEM; pkinit_kdc_context plgctx, *realm_contexts = NULL; @@ -1013,7 +1012,7 @@ index b5638a367..23826c5e8 100644 size_t i, j; size_t numrealms; -@@ -1368,16 +1628,22 @@ pkinit_server_plugin_init(krb5_context context, +@@ -1368,16 +1623,22 @@ pkinit_server_plugin_init(krb5_context context, goto errout; } @@ -1044,7 +1043,7 @@ index b5638a367..23826c5e8 100644 return retval; } -@@ -1405,17 +1671,11 @@ static void +@@ -1405,17 +1666,11 @@ static void pkinit_server_plugin_fini(krb5_context context, krb5_kdcpreauth_moddata moddata) { @@ -1094,13 +1093,17 @@ index b55469146..0e93d6b59 100644 $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py new file mode 100644 -index 000000000..ca7df2b42 +index 000000000..e64a57b0d --- /dev/null +++ b/src/tests/t_certauth.py -@@ -0,0 +1,43 @@ +@@ -0,0 +1,47 @@ +#!/usr/bin/python +from k5test import * + ++# Skip this test if pkinit wasn't built. ++if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')): ++ skip_rest('certauth tests', 'PKINIT module not built') ++ +certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs') +ca_pem = os.path.join(certs, 'ca.pem') +kdc_pem = os.path.join(certs, 'kdc.pem') |