[prev in list] [next in list] [prev in thread] [next in thread]
List: krb5-bugs
Subject: [krbdev.mit.edu #6774] pkinit client cert matching can be disrupted
From: "The RT System itself via RT" <rt-comment () krbdev ! mit ! edu>
Date: 2010-09-14 18:58:51
Message-ID: rt-6774-33136.7.20215339290256 () krbdev ! mit ! edu
[Download RAW message or body]
> From krb5-bugs-incoming-bounces@PCH.mit.edu Tue Sep 14 14:58:50 2010
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id D71DF3E64C;
Tue, 14 Sep 2010 14:58:50 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o8EIwoce022064;
Tue, 14 Sep 2010 14:58:50 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o8DHdY0S025917
for <krb5-bugs-incoming@PCH.mit.edu>; Mon, 13 Sep 2010 13:39:34 -0400
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU
[18.7.68.36])
by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id o8DHbuND027308
for <krb5-bugs@mit.edu>; Mon, 13 Sep 2010 13:39:34 -0400
X-AuditID: 12074424-b7b2bae000005b3f-85-4c8e61bb7009
Received: from mx1.redhat.com ( [209.132.183.28])
by dmz-mailsec-scanner-7.mit.edu (Symantec Brightmail Gateway) with
SMTP id 42.ED.23359.BB16E8C4; Mon, 13 Sep 2010 13:39:07 -0400 (EDT)
Received: from int-mx03.intmail.prod.int.phx2.redhat.com
(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.16])
by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o8DHdWpi028647
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Mon, 13 Sep 2010 13:39:33 -0400
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
by int-mx03.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id o8DHdV1O031600
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Mon, 13 Sep 2010 13:39:32 -0400
Received: from blade.bos.redhat.com (localhost.localdomain [127.0.0.1])
by blade.bos.redhat.com (8.14.4/8.14.3) with ESMTP id o8DHdV1D028016
for <krb5-bugs@mit.edu>; Mon, 13 Sep 2010 13:39:31 -0400
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.4/8.14.4/Submit) id o8DHdV3c028015;
Mon, 13 Sep 2010 13:39:31 -0400
Date: Mon, 13 Sep 2010 13:39:31 -0400
Message-Id: <201009131739.o8DHdV3c028015@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: pkinit client cert matching can be disrupted by one of the candidate
certs
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.16
X-Brightmail-Tracker: AAAAAA==
X-Mailman-Approved-At: Tue, 14 Sep 2010 14:58:48 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
> Submitter-Id: net
> Originator:
> Organization:
> Confidential: no
> Synopsis: pkinit client cert matching can be disrupted by one of the candidate \
> certs
> Severity: non-critical
> Priority: medium
> Category: krb5-libs
> Class: sw-bug
> Release: 1.8.2
> Environment:
System: Linux blade.bos.redhat.com 2.6.34-43.fc14.x86_64 #1 SMP Thu Jun 17 10:32:12 \
UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
> Description:
In crypto_retrieve_X509_sans(), the "i" used to hold the result of
X509_get_ext_by_NID() is unsigned, so without a cast or changing its
type, the comparison to -1 will always succeed.
If the attempt to parse the SAN value then fails because the extension
is not present, then crypto_retrieve_X509_sans(),
crypto_cert_get_matching_data(), and obtain_all_cert_matching_data()
will all return EINVAL, pkinit_cert_matching() will fail, and
pkinit_identity_initialize() will fail. As a result, the presence one
candidate certificate which doesn't contain any SAN values will cause
the client to fail to locate its certificate.
> How-To-Repeat:
We're testing with a PKCS11 smart card here, but I expect it can be
reproduced using multiple certificates in files, so long as at least one
of the certificates being considered is lacking a subjectAltName
extension.
> Fix:
Here's one possible patch:
Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24305)
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (working copy)
@@ -1787,7 +1787,7 @@
buf, sizeof(buf));
pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
- if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
+ if (((int)(i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1))) >= 0) {
X509_EXTENSION *ext = NULL;
GENERAL_NAMES *ialt = NULL;
GENERAL_NAME *gen = NULL;
@@ -1896,6 +1896,8 @@
}
}
sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
+ } else {
+ pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
}
retval = 0;
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic