From krb5-bugs-incoming-bounces@PCH.mit.edu Tue Sep 14 14:58:50 2010
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id D71DF3E64C;
Tue, 14 Sep 2010 14:58:50 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o8EIwoce022064;
Tue, 14 Sep 2010 14:58:50 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o8DHdY0S025917
for <krb5-bugs-incoming@PCH.mit.edu>; Mon, 13 Sep 2010 13:39:34 -0400
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU
[18.7.68.36])
by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id o8DHbuND027308
for <krb5-bugs@mit.edu>; Mon, 13 Sep 2010 13:39:34 -0400
X-AuditID: 12074424-b7b2bae000005b3f-85-4c8e61bb7009
Received: from mx1.redhat.com ( [209.132.183.28])
by dmz-mailsec-scanner-7.mit.edu (Symantec Brightmail Gateway) with
SMTP id 42.ED.23359.BB16E8C4; Mon, 13 Sep 2010 13:39:07 -0400 (EDT)
Received: from int-mx03.intmail.prod.int.phx2.redhat.com
(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.16])
by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o8DHdWpi028647
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Mon, 13 Sep 2010 13:39:33 -0400
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
by int-mx03.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id o8DHdV1O031600
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Mon, 13 Sep 2010 13:39:32 -0400
Received: from blade.bos.redhat.com (localhost.localdomain [127.0.0.1])
by blade.bos.redhat.com (8.14.4/8.14.3) with ESMTP id o8DHdV1D028016
for <krb5-bugs@mit.edu>; Mon, 13 Sep 2010 13:39:31 -0400
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.4/8.14.4/Submit) id o8DHdV3c028015;
Mon, 13 Sep 2010 13:39:31 -0400
Date: Mon, 13 Sep 2010 13:39:31 -0400
Message-Id: <201009131739.o8DHdV3c028015@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: pkinit client cert matching can be disrupted by one of the candidate
certs
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.16
X-Brightmail-Tracker: AAAAAA==
X-Mailman-Approved-At: Tue, 14 Sep 2010 14:58:48 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: pkinit client cert matching can be disrupted by one of the candidate certs
>Severity: non-critical
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.8.2
>Environment:
System: Linux blade.bos.redhat.com 2.6.34-43.fc14.x86_64 #1 SMP Thu Jun 17 10:32:12 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
In crypto_retrieve_X509_sans(), the "i" used to hold the result of
X509_get_ext_by_NID() is unsigned, so without a cast or changing its
type, the comparison to -1 will always succeed.
If the attempt to parse the SAN value then fails because the extension
is not present, then crypto_retrieve_X509_sans(),
crypto_cert_get_matching_data(), and obtain_all_cert_matching_data()
will all return EINVAL, pkinit_cert_matching() will fail, and
pkinit_identity_initialize() will fail. As a result, the presence of one
candidate certificate which doesn't contain any SAN values will cause
the client to fail to locate its certificate.
>How-To-Repeat:
We're testing with a PKCS11 smart card here, but I expect it can be
reproduced using multiple certificates in files, so long as at least one
of the certificates being considered is lacking a subjectAltName
extension.
>Fix:
Here's one possible patch:

Index: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (revision 24305)
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c (working copy)
@@ -1787,7 +1787,7 @@
buf, sizeof(buf));
pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
- if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
+ if (((int)(i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1))) >= 0) {
X509_EXTENSION *ext = NULL;
GENERAL_NAMES *ialt = NULL;
GENERAL_NAME *gen = NULL;
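Review bot: On the changed "if" line, the (int) cast corrects the test but leaves "i" unsigned, so the -1 "not found" result is still stored as a large positive value and every later use of "i" has to account for that. X509_get_ext_by_NID() returns int; declaring the variable that receives it as int, or using a separate int for the extension index, makes the ">= 0" check read naturally and lets a compiler's always-true comparison warning stay meaningful for this function.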
@@ -1896,6 +1896,8 @@
}
}
sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
+ } else {
+ pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
}
retval = 0;
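Review bot: The new else branch only emits a pkiDebug() message, so handling of the missing-extension case rests entirely on falling through to "retval = 0". A short comment there stating that a certificate without subjectAltName is a valid candidate with zero SANs would keep a later edit from turning it back into an error, and a test with a candidate set in which one certificate lacks the extension would cover the case from the report.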
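The failure chain from the Description, reduced to a self-contained model. This is an added example, not code from the report or from krb5: struct cert, find_san_ext(), parse_san() and match_all() are hypothetical stand-ins for the OpenSSL lookup and the pkinit matching loop, and the fixed variant changes the variable's type rather than adding the cast used in the patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: san_index stands in for what X509_get_ext_by_NID()
 * returns, the extension's index or -1 when the cert has no SAN. */
struct cert { int san_index; };
static int find_san_ext(const struct cert *c) { return c->san_index; }

/* Stand-in for decoding the extension at idx; fails for a bogus index. */
static int parse_san(const struct cert *c, unsigned int idx)
{
    return (c->san_index >= 0 && idx == (unsigned int)c->san_index) ? 0 : EINVAL;
}

/* Pre-patch shape: i is unsigned, so -1 becomes UINT_MAX and ">= 0" holds. */
int retrieve_sans_buggy(const struct cert *c)
{
    unsigned int i;
    if ((i = (unsigned int)find_san_ext(c)) >= 0)
        return parse_san(c, i);
    return 0;
}

/* Signed index: a missing extension means zero SANs, not an error. */
int retrieve_sans_fixed(const struct cert *c)
{
    int i = find_san_ext(c);
    return (i >= 0) ? parse_san(c, (unsigned int)i) : 0;
}

/* Candidate loop: the first error aborts matching for every certificate. */
int match_all(const struct cert *certs, size_t n, int (*retrieve)(const struct cert *))
{
    for (size_t k = 0; k < n; k++) {
        int ret = retrieve(&certs[k]);
        if (ret != 0)
            return ret;
    }
    return 0;
}

/* Constructed candidates: the second one has no subjectAltName. */
static const struct cert candidates[] = { {2}, {-1}, {0} };
int run_buggy(void) { return match_all(candidates, 3, retrieve_sans_buggy); }
int run_fixed(void) { return match_all(candidates, 3, retrieve_sans_fixed); }

int main(void) { printf("buggy=%d fixed=%d\n", run_buggy(), run_fixed()); return 0; }
```

Building with a warning set that flags always-true unsigned comparisons (for example gcc's -Wtype-limits) points at the line in retrieve_sans_buggy() at compile time.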