svn rev #23504: branches/anonymous/src/plugins/preauth/pkinit/

hartmans@MIT.EDU
Wed Dec 23 16:10:30 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=23504
Commit By: hartmans
Log Message:
Subject: pkinit authentication only works for TGT
ticket: 6605
Pkinit's verification of the KDC SAN requires that the certificate
have a SAN for the server principal.  That's not correct according to
RFC 4556.  The KDC should have a SAN for the TGS principal; that's
independent of whether the TGS principal is actually the server.

Fix to build the TGS principal explicitly.
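
As an added illustration of the rule the commit message cites (not krb5 code, and not part of the original commit mail): RFC 4556 has the KDC certificate carry an id-pkinit-san otherName whose value is a DER-encoded KRB5PrincipalName for krbtgt/REALM@REALM, and the client must compare that SAN with the TGS principal of the realm it sent the AS-REQ to, not with the server principal in the request. The Python below hand-rolls the DER for KRB5PrincipalName so it runs offline, then contrasts the old check (SAN must equal request->server) with the fixed one (SAN must equal krbtgt/REALM@REALM, realm taken from request->server). The function names, the realm EXAMPLE.COM and the sample SAN values are constructed for this example; the comparison ignores name-type, which is an assumption about how principals are compared rather than something this commit shows.

```python
"""Added example, not krb5 code: the RFC 4556 KDC-SAN check that r23504 fixes.

KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
PrincipalName     ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
KerberosString    ::= GeneralString
Kerberos modules tag EXPLICITly, so [n] wraps a complete inner TLV.
"""

NT_SRV_INST = 2            # RFC 4120 name-type conventionally used for krbtgt/REALM
KRB5_TGS_NAME = "krbtgt"
TAG_SEQUENCE, TAG_INTEGER, TAG_GENERAL_STRING = 0x30, 0x02, 0x1B


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _explicit(n, body):
    return _tlv(0xA0 | n, body)          # [n] EXPLICIT, constructed context tag


def _general_string(s):
    return _tlv(TAG_GENERAL_STRING, s.encode("ascii"))


def _integer(n):
    size = max(1, (n.bit_length() + 8) // 8)   # leaves room for the sign bit
    return _tlv(TAG_INTEGER, n.to_bytes(size, "big", signed=True))


def encode_krb5_principal_name(realm, name_type, components):
    """DER for a KRB5PrincipalName (the payload of an id-pkinit-san otherName)."""
    name_string = _tlv(TAG_SEQUENCE, b"".join(_general_string(c) for c in components))
    principal_name = _tlv(TAG_SEQUENCE,
                          _explicit(0, _integer(name_type)) + _explicit(1, name_string))
    return _tlv(TAG_SEQUENCE,
                _explicit(0, _general_string(realm)) + _explicit(1, principal_name))


def _read_tlv(buf, pos, want_tag):
    """Return (contents, position after the TLV); rejects an unexpected tag."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want_tag, tag))
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length


def decode_krb5_principal_name(der):
    """Inverse of encode_krb5_principal_name: (realm, name_type, components)."""
    outer, end = _read_tlv(der, 0, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing data after KRB5PrincipalName")
    realm_wrap, pos = _read_tlv(outer, 0, 0xA0)
    pn_wrap, pos = _read_tlv(outer, pos, 0xA1)
    if pos != len(outer):
        raise ValueError("unexpected extra field in KRB5PrincipalName")
    realm, _ = _read_tlv(realm_wrap, 0, TAG_GENERAL_STRING)
    pn, _ = _read_tlv(pn_wrap, 0, TAG_SEQUENCE)
    nt_wrap, pos = _read_tlv(pn, 0, 0xA0)
    ns_wrap, pos = _read_tlv(pn, pos, 0xA1)
    nt, _ = _read_tlv(nt_wrap, 0, TAG_INTEGER)
    names, _ = _read_tlv(ns_wrap, 0, TAG_SEQUENCE)
    components, pos = [], 0
    while pos < len(names):
        comp, pos = _read_tlv(names, pos, TAG_GENERAL_STRING)
        components.append(comp.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt, "big", signed=True), components


def _san_matches(san_der, realm, components):
    # Assumption for this example: equality on realm and name components only.
    san_realm, _, san_components = decode_krb5_principal_name(san_der)
    return san_realm == realm and san_components == components


def verify_kdc_san_before_r23504(san_values, requested_server):
    """Old behaviour: the SAN had to name request->server itself."""
    realm, components = requested_server
    return any(_san_matches(v, realm, components) for v in san_values)


def verify_kdc_san_after_r23504(san_values, requested_server):
    """Fixed behaviour: the SAN must name krbtgt/REALM@REALM, realm from request->server."""
    realm, _ = requested_server
    return any(_san_matches(v, realm, [KRB5_TGS_NAME, realm]) for v in san_values)


def demo():
    realm = "EXAMPLE.COM"
    # Constructed KDC certificate SAN: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    kdc_san = [encode_krb5_principal_name(realm, NT_SRV_INST, [KRB5_TGS_NAME, realm])]
    tgt_request = (realm, [KRB5_TGS_NAME, realm])           # AS-REQ for a TGT
    service_request = (realm, ["host", "www.example.com"])  # AS-REQ for a service ticket
    return {
        "tgt_old": verify_kdc_san_before_r23504(kdc_san, tgt_request),
        "tgt_new": verify_kdc_san_after_r23504(kdc_san, tgt_request),
        "service_old": verify_kdc_san_before_r23504(kdc_san, service_request),
        "service_new": verify_kdc_san_after_r23504(kdc_san, service_request),
    }
```

demo() shows the ticket's symptom directly: with the same, correct KDC certificate, the old check accepts an AS-REQ for the TGT but rejects one for host/www.example.com, while the fixed check accepts both because it only ever looks for krbtgt/EXAMPLE.COM@EXAMPLE.COM. A SAN for a different realm still fails both checks.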


Changed Files:
U   branches/anonymous/src/plugins/preauth/pkinit/pkinit_clnt.c
Modified: branches/anonymous/src/plugins/preauth/pkinit/pkinit_clnt.c
===================================================================
--- branches/anonymous/src/plugins/preauth/pkinit/pkinit_clnt.c	2009-12-23 21:10:26 UTC (rev 23503)
+++ branches/anonymous/src/plugins/preauth/pkinit/pkinit_clnt.c	2009-12-23 21:10:30 UTC (rev 23504)
@@ -649,6 +649,7 @@
                     krb5_data *encoded_request)
 {
     krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
+    krb5_principal kdc_princ = NULL;
     krb5_pa_pk_as_rep *kdc_reply = NULL;
     krb5_kdc_dh_key_info *kdc_dh = NULL;
     krb5_reply_key_pack *key_pack = NULL;
@@ -709,8 +710,16 @@
         retval = -1;
         goto cleanup;
     }
-
-    retval = verify_kdc_san(context, plgctx, reqctx, request->server,
+    retval = krb5_build_principal_ext(context, &kdc_princ,
+                                      request->server->realm.length,
+                                      request->server->realm.data,
+                                      strlen(KRB5_TGS_NAME), KRB5_TGS_NAME,
+                                      request->server->realm.length,
+                                      request->server->realm.data,
+                                      0);
+    if (retval)
+        goto cleanup;
+    retval = verify_kdc_san(context, plgctx, reqctx, kdc_princ,
                             &valid_san, &need_eku_checking);
     if (retval)
         goto cleanup;
@@ -859,6 +868,7 @@
 
 cleanup:
     free(dh_data.data);
+    krb5_free_principal(context, kdc_princ);
     free(client_key);
     free_krb5_kdc_dh_key_info(&kdc_dh);
     free_krb5_pa_pk_as_rep(&kdc_reply);
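Review bot: the unconditional krb5_free_principal(context, kdc_princ) in cleanup is reached from the goto cleanup paths that precede the krb5_build_principal_ext call (for example the retval = -1 path earlier in the function), so it relies on the NULL initialiser in the declaration hunk and on krb5_free_principal accepting NULL; both hold in this patch, but the declaration and the free are far apart, so the initialiser should not be dropped in a later cleanup of the declarations. Placing the free before free(client_key) and the other frees is fine since nothing between them references kdc_princ.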
More information about the cvs-krb5 mailing list