[krbdev.mit.edu #7544] SVN Commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Fri Jan 11 16:03:53 EST 2013
Handle PKINIT DH replies with no certs
If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case. This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.
Code changes suggested by nalin at redhat.com.
(cherry picked from commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d)
https://github.com/krb5/krb5/commit/9bbf3649867f444674716941b787f6699885c803
Author: Greg Hudson <ghudson at mit.edu>
Committer: Tom Yu <tlyu at mit.edu>
Commit: 9bbf3649867f444674716941b787f6699885c803
Branch: krb5-1.10
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
More information about the krb5-bugs
mailing list