From 8f0349dc3ebd1e307b37ab0fe0f6e065bfe8291e Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Fri, 25 Aug 2017 16:43:43 +0000
Subject: Backport certauth eku security fix
---
 Make-certauth-eku-module-restrictive-only.patch | 31 +++++++++++++++++++++++++
 krb5.spec | 6 ++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 Make-certauth-eku-module-restrictive-only.patch
diff --git a/Make-certauth-eku-module-restrictive-only.patch b/Make-certauth-eku-module-restrictive-only.patch
new file mode 100644
index 0000000..40c008d
--- /dev/null
+++ b/Make-certauth-eku-module-restrictive-only.patch
@@ -0,0 +1,31 @@
+From 2b1a91087b668ab1021f1ca461b8210e7e015c8a Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Thu, 24 Aug 2017 11:11:46 -0400
+Subject: [PATCH] Make certauth eku module restrictive-only
+
+The PKINIT certauth eku module should never authoritatively authorize
+a certificate, because an extended key usage does not establish a
+relationship between the certificate and any specific user; it only
+establishes that the certificate was created for PKINIT client
+authentication. Therefore, pkinit_eku_authorize() should return
+KRB5_PLUGIN_NO_HANDLE on success, not 0.
+
+ticket: 8561
+(cherry picked from commit aca6fd6bc07934a90a18a70116ea3b620228950a)
+---
+ src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
+index 32ca122f2..d7a604c80 100644
+--- a/src/plugins/preauth/pkinit/pkinit_srv.c
++++ b/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -1495,7 +1495,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
+ return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
+ }
+
+- return 0;
++ return KRB5_PLUGIN_NO_HANDLE;
+ }
+
+ static krb5_error_code
diff --git a/krb5.spec b/krb5.spec
index 8d110be..f990581 100644
--- a/krb5.spec
+++ b/krb5.spec
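Review bot: The new `return KRB5_PLUGIN_NO_HANDLE;` at the end of pkinit_eku_authorize() carries no comment at the return site, so the success path reads like an oversight and could be turned back into `return 0;` by a later cleanup. I would add above it `/* A matching EKU shows the cert was issued for PKINIT, not whose it is; never authorize here, only reject or defer. */`, since the rationale currently lives only in the commit message. The function body starts outside the hunk, so an existing comment further up cannot be ruled out from here. The backported patch touches one file and adds no test; a case asserting that a certificate which passes only the EKU check is refused would pin the fix, assuming the caller treats an all-NO_HANDLE result as a denial, which should be confirmed in the code that invokes the certauth modules.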
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
 # for prerelease, should be e.g., 0.3.beta2%{?dist}
-Release: 24%{?dist}
+Release: 25%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -91,6 +91,7 @@ Patch62: Fix-more-time-manipulations-for-y2038.patch
 Patch63: Use-krb5_timestamp-where-appropriate.patch
 Patch64: Add-KDC-policy-pluggable-interface.patch
 Patch65: Fix-bugs-in-kdcpolicy-commit.patch
+Patch66: Make-certauth-eku-module-restrictive-only.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -742,6 +743,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Fri Aug 25 2017 Robbie Harwood - 1.15.1-25
+- Backport certauth eku security fix
+
 * Mon Aug 21 2017 Robbie Harwood - 1.15.1-24
 - Backport kdc policy plugin, but this time with dependencies
 
-- cgit