base/SOURCES/Fix-certauth-built-in-modul...

From 41b9111b48e53bf7864ed1f134e0433b070fa900 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 24 Aug 2017 11:11:46 -0400
Subject: [PATCH] Fix certauth built-in module returns

The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication.  Therefore, pkinit_eku_authorize() should return
KRB5_PLUGIN_NO_HANDLE on success, not 0.

The certauth san module should pass if it does not find any SANs of
the types it can match against; the presence of other types of SANs
should not cause it to explicitly deny a certificate.  Check for an
empty result from crypto_retrieve_cert_sans() in verify_client_san(),
instead of returning ENOENT from crypto_retrieve_cert_sans() when
there are no SANs at all.

ticket: 8561
(cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025)
---
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 ++++++++++------------
 src/plugins/preauth/pkinit/pkinit_srv.c            | 14 +++++---
 2 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 70e230ec2..7fa2efd21 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context,

     if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
         pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
-        retval = ENOENT;
         goto cleanup;
     }
     num_sans = sk_GENERAL_NAME_num(ialt);
@@ -2240,31 +2239,29 @@ crypto_retrieve_X509_sans(krb5_context context,
     sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);

     retval = 0;
-    if (princs)
+    if (princs != NULL && *princs != NULL) {
         *princs_ret = princs;
-    if (upns)
+        princs = NULL;
+    }
+    if (upns != NULL && *upns != NULL) {
         *upn_ret = upns;
-    if (dnss)
+        upns = NULL;
+    }
+    if (dnss != NULL && *dnss != NULL) {
         *dns_ret = dnss;
+        dnss = NULL;
+    }

 cleanup:
-    if (retval) {
-        if (princs != NULL) {
-            for (i = 0; princs[i] != NULL; i++)
-                krb5_free_principal(context, princs[i]);
-            free(princs);
-        }
-        if (upns != NULL) {
-            for (i = 0; upns[i] != NULL; i++)
-                krb5_free_principal(context, upns[i]);
-            free(upns);
-        }
-        if (dnss != NULL) {
-            for (i = 0; dnss[i] != NULL; i++)
-                free(dnss[i]);
-            free(dnss);
-        }
-    }
+    for (i = 0; princs != NULL && princs[i] != NULL; i++)
+        krb5_free_principal(context, princs[i]);
+    free(princs);
+    for (i = 0; upns != NULL && upns[i] != NULL; i++)
+        krb5_free_principal(context, upns[i]);
+    free(upns);
+    for (i = 0; dnss != NULL && dnss[i] != NULL; i++)
+        free(dnss[i]);
+    free(dnss);
     return retval;
 }

diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 9c6e96c9e..8e77606f8 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -187,14 +187,18 @@ verify_client_san(krb5_context context,
                                        &princs,
                                        plgctx->opts->allow_upn ? &upns : NULL,
                                        NULL);
-    if (retval == ENOENT) {
-        TRACE_PKINIT_SERVER_NO_SAN(context);
-        goto out;
-    } else if (retval) {
+    if (retval) {
         pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);
         retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
         goto out;
     }
+
+    if (princs == NULL && upns == NULL) {
+        TRACE_PKINIT_SERVER_NO_SAN(context);
+        retval = ENOENT;
+        goto out;
+    }
+
     /* XXX Verify this is consistent with client side XXX */
 #if 0
     retval = call_san_checking_plugins(context, plgctx, reqctx, princs,
@@ -1495,7 +1499,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,
         return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;
     }

-    return 0;
+    return KRB5_PLUGIN_NO_HANDLE;
 }

 static krb5_error_code
krb5 package update Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org> 7 years ago			`From 41b9111b48e53bf7864ed1f134e0433b070fa900 Mon Sep 17 00:00:00 2001`
			`From: Greg Hudson <ghudson@mit.edu>`
			`Date: Thu, 24 Aug 2017 11:11:46 -0400`
			`Subject: [PATCH] Fix certauth built-in module returns`

			`The PKINIT certauth eku module should never authoritatively authorize`
			`a certificate, because an extended key usage does not establish a`
			`relationship between the certificate and any specific user; it only`
			`establishes that the certificate was created for PKINIT client`
			`authentication. Therefore, pkinit_eku_authorize() should return`
			`KRB5_PLUGIN_NO_HANDLE on success, not 0.`

			`The certauth san module should pass if it does not find any SANs of`
			`the types it can match against; the presence of other types of SANs`
			`should not cause it to explicitly deny a certificate. Check for an`
			`empty result from crypto_retrieve_cert_sans() in verify_client_san(),`
			`instead of returning ENOENT from crypto_retrieve_cert_sans() when`
			`there are no SANs at all.`

			`ticket: 8561`
			`(cherry picked from commit 07243f85a760fb37f0622d7ff0177db3f19ab025)`
			`---`
			`src/plugins/preauth/pkinit/pkinit_crypto_openssl.c \| 39 ++++++++++------------`
			`src/plugins/preauth/pkinit/pkinit_srv.c \| 14 +++++---`
			`2 files changed, 27 insertions(+), 26 deletions(-)`

			`diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
			`index 70e230ec2..7fa2efd21 100644`
			`--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
			`+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
			`@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context,`

			`if (!(ext = X509_get_ext(cert, l)) \|\| !(ialt = X509V3_EXT_d2i(ext))) {`
			`pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);`
			`- retval = ENOENT;`
			`goto cleanup;`
			`}`
			`num_sans = sk_GENERAL_NAME_num(ialt);`
			`@@ -2240,31 +2239,29 @@ crypto_retrieve_X509_sans(krb5_context context,`
			`sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);`

			`retval = 0;`
			`- if (princs)`
			`+ if (princs != NULL && *princs != NULL) {`
			`*princs_ret = princs;`
			`- if (upns)`
			`+ princs = NULL;`
			`+ }`
			`+ if (upns != NULL && *upns != NULL) {`
			`*upn_ret = upns;`
			`- if (dnss)`
			`+ upns = NULL;`
			`+ }`
			`+ if (dnss != NULL && *dnss != NULL) {`
			`*dns_ret = dnss;`
			`+ dnss = NULL;`
			`+ }`

			`cleanup:`
			`- if (retval) {`
			`- if (princs != NULL) {`
			`- for (i = 0; princs[i] != NULL; i++)`
			`- krb5_free_principal(context, princs[i]);`
			`- free(princs);`
			`- }`
			`- if (upns != NULL) {`
			`- for (i = 0; upns[i] != NULL; i++)`
			`- krb5_free_principal(context, upns[i]);`
			`- free(upns);`
			`- }`
			`- if (dnss != NULL) {`
			`- for (i = 0; dnss[i] != NULL; i++)`
			`- free(dnss[i]);`
			`- free(dnss);`
			`- }`
			`- }`
			`+ for (i = 0; princs != NULL && princs[i] != NULL; i++)`
			`+ krb5_free_principal(context, princs[i]);`
			`+ free(princs);`
			`+ for (i = 0; upns != NULL && upns[i] != NULL; i++)`
			`+ krb5_free_principal(context, upns[i]);`
			`+ free(upns);`
			`+ for (i = 0; dnss != NULL && dnss[i] != NULL; i++)`
			`+ free(dnss[i]);`
			`+ free(dnss);`
			`return retval;`
			`}`

			`diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c`
			`index 9c6e96c9e..8e77606f8 100644`
			`--- a/src/plugins/preauth/pkinit/pkinit_srv.c`
			`+++ b/src/plugins/preauth/pkinit/pkinit_srv.c`
			`@@ -187,14 +187,18 @@ verify_client_san(krb5_context context,`
			`&princs,`
			`plgctx->opts->allow_upn ? &upns : NULL,`
			`NULL);`
			`- if (retval == ENOENT) {`
			`- TRACE_PKINIT_SERVER_NO_SAN(context);`
			`- goto out;`
			`- } else if (retval) {`
			`+ if (retval) {`
			`pkiDebug("%s: error from retrieve_certificate_sans()\n", __FUNCTION__);`
			`retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;`
			`goto out;`
			`}`
			`+`
			`+ if (princs == NULL && upns == NULL) {`
			`+ TRACE_PKINIT_SERVER_NO_SAN(context);`
			`+ retval = ENOENT;`
			`+ goto out;`
			`+ }`
			`+`
			`/* XXX Verify this is consistent with client side XXX */`
			`#if 0`
			`retval = call_san_checking_plugins(context, plgctx, reqctx, princs,`
			`@@ -1495,7 +1499,7 @@ pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata,`
			`return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE;`
			`}`

			`- return 0;`
			`+ return KRB5_PLUGIN_NO_HANDLE;`
			`}`

			`static krb5_error_code`