[krbdev.mit.edu #8561] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue Aug 29 19:36:32 EDT 2017
Fix certauth built-in module returns
The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication. Therefore, pkinit_eku_authorize() should return
KRB5_PLUGIN_NO_HANDLE on success, not 0.
The certauth san module should pass if it does not find any SANs of
the types it can match against; the presence of other types of SANs
should not cause it to explicitly deny a certificate. Check for an
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
instead of returning ENOENT from crypto_retrieve_cert_sans() when
there are no SANs at all.
https://github.com/krb5/krb5/commit/07243f85a760fb37f0622d7ff0177db3f19ab025
Author: Greg Hudson <ghudson at mit.edu>
Commit: 07243f85a760fb37f0622d7ff0177db3f19ab025
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 +++++++++-----------
src/plugins/preauth/pkinit/pkinit_srv.c | 14 +++++---
2 files changed, 27 insertions(+), 26 deletions(-)
More information about the krb5-bugs
mailing list