From: ghudson@mit.edu
Subject: git commit

Fix certauth built-in module returns

The PKINIT certauth eku module should never authoritatively authorize a certificate, because an extended key usage does not establish a relationship between the certificate and any specific user; it only establishes that the certificate was created for PKINIT client authentication. Therefore, pkinit_eku_authorize() should return KRB5_PLUGIN_NO_HANDLE on success, not 0.

The certauth san module should pass if it does not find any SANs of the types it can match against; the presence of other types of SANs should not cause it to explicitly deny a certificate. Check for an empty result from crypto_retrieve_cert_sans() in verify_client_san(), instead of returning ENOENT from crypto_retrieve_cert_sans() when there are no SANs at all.

https://github.com/krb5/krb5/commit/07243f85a760fb37f0622d7ff0177db3f19ab025
Author: Greg Hudson
Commit: 07243f85a760fb37f0622d7ff0177db3f19ab025
Branch: master

 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 39 +++++++++-----------
 src/plugins/preauth/pkinit/pkinit_srv.c            | 14 +++++--
 2 files changed, 27 insertions(+), 26 deletions(-)
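The following is an added illustration of the return-value semantics the commit message describes; it is not code from the krb5 project or from this commit. It models the certauth module chain with a small dispatcher and shows both the pre-fix and post-fix behaviour of the eku and san modules side by side. The dispatcher convention (0 from any module accepts authoritatively, KRB5_PLUGIN_NO_HANDLE defers, any other code denies, and a certificate no module vouches for is rejected), the numeric values of the error constants, the struct cert layout, the retrieve_cert_sans() stand-in and the dbmatch-like third module are all constructed assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the krb5 return codes; the values are illustrative,
 * not the real library constants. 0 means "authoritatively accept". */
#define KRB5_PLUGIN_NO_HANDLE            1  /* no opinion; defer to other modules */
#define KRB5KDC_ERR_CLIENT_NAME_MISMATCH 2  /* deny */
#define ENOENT_LIKE                      3  /* models ENOENT from the pre-fix retrieval */

/* Minimal model of the parts of a client certificate the modules inspect (assumption). */
struct cert {
    bool        pkinit_client_eku; /* id-pkinit-KPClientAuth present */
    const char *pkinit_san;        /* Kerberos principal SAN, or NULL */
    const char *upn_san;           /* Microsoft UPN SAN, or NULL */
    const char *dns_san;           /* a SAN type the san module cannot match, or NULL */
    const char *fingerprint;       /* used only by the constructed dbmatch-like module */
};

typedef int (*certauth_fn)(const struct cert *c, const char *princ, bool fixed);

/* eku module: looks only at the extended key usage. Pre-fix it returned 0 (accept)
 * on success; post-fix it returns KRB5_PLUGIN_NO_HANDLE, because an EKU says
 * nothing about which principal the certificate belongs to. */
static int eku_authorize(const struct cert *c, const char *princ, bool fixed)
{
    (void)princ;
    if (!c->pkinit_client_eku)
        return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
    return fixed ? KRB5_PLUGIN_NO_HANDLE : 0;
}

/* Model of crypto_retrieve_cert_sans(): collects the SAN types the san module can
 * match. Pre-fix it returned ENOENT when the cert had no SANs at all, but 0 with an
 * empty result when only unmatchable SAN types (e.g. dNSName) were present. */
static int retrieve_cert_sans(const struct cert *c, const char **out, size_t *n, bool fixed)
{
    *n = 0;
    if (c->pkinit_san) out[(*n)++] = c->pkinit_san;
    if (c->upn_san)    out[(*n)++] = c->upn_san;
    if (!fixed && *n == 0 && c->dns_san == NULL)
        return ENOENT_LIKE;
    return 0;
}

/* san module (verify_client_san): pass when nothing matchable is present, accept
 * when a SAN names the requesting principal, deny on a real mismatch. */
static int san_authorize(const struct cert *c, const char *princ, bool fixed)
{
    const char *sans[2];
    size_t n, i;
    int ret = retrieve_cert_sans(c, sans, &n, fixed);

    if (ret == ENOENT_LIKE)
        return KRB5_PLUGIN_NO_HANDLE;        /* pre-fix "no SANs at all" path */
    if (ret != 0)
        return ret;
    if (fixed && n == 0)
        return KRB5_PLUGIN_NO_HANDLE;        /* post-fix: an empty result also passes */
    for (i = 0; i < n; i++)
        if (strcmp(sans[i], princ) == 0)
            return 0;
    return KRB5KDC_ERR_CLIENT_NAME_MISMATCH; /* pre-fix: an empty result lands here */
}

/* Constructed dbmatch-like module (not part of the commit): accepts when the
 * certificate fingerprint is the one registered for the principal. */
static int dbmatch_authorize(const struct cert *c, const char *princ, bool fixed)
{
    (void)fixed;
    if (strcmp(princ, "alice@EXAMPLE.COM") == 0 && c->fingerprint != NULL &&
        strcmp(c->fingerprint, "fp-alice") == 0)
        return 0;
    return KRB5_PLUGIN_NO_HANDLE;
}

/* Dispatcher modelled on the certauth convention assumed above. */
static int authorize_cert(const struct cert *c, const char *princ, bool fixed)
{
    static const certauth_fn modules[] = { eku_authorize, san_authorize, dbmatch_authorize };
    bool accepted = false;
    size_t i;
    for (i = 0; i < sizeof(modules) / sizeof(modules[0]); i++) {
        int ret = modules[i](c, princ, fixed);
        if (ret == 0)
            accepted = true;
        else if (ret != KRB5_PLUGIN_NO_HANDLE)
            return ret;                      /* explicit deny wins immediately */
    }
    return accepted ? 0 : KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
}

/* Constructed certificates for the situations the commit message describes. */
static const struct cert eku_only     = { true, NULL, NULL, NULL, NULL };
static const struct cert dns_san_only = { true, NULL, NULL, "host.example.com", "fp-alice" };
static const struct cert named_san    = { true, "alice@EXAMPLE.COM", NULL, NULL, NULL };

int main(void)
{
    const char *princ = "alice@EXAMPLE.COM";
    printf("eku only:     pre-fix %d, post-fix %d\n",
           authorize_cert(&eku_only, princ, false), authorize_cert(&eku_only, princ, true));
    printf("dNSName only: pre-fix %d, post-fix %d\n",
           authorize_cert(&dns_san_only, princ, false), authorize_cert(&dns_san_only, princ, true));
    printf("principal SAN: pre-fix %d, post-fix %d\n",
           authorize_cert(&named_san, princ, false), authorize_cert(&named_san, princ, true));
    return 0;
}
```

The first constructed case is the one the commit is guarding against: a certificate whose only PKINIT-relevant property is the client-authentication EKU is accepted for any principal pre-fix, and rejected post-fix unless some module actually ties it to the principal. The second shows the san module's change in the other direction: pre-fix a certificate carrying only a dNSName is explicitly denied before any later module can vouch for it; post-fix the san module defers and the chain continues.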