Ticket History #9069: Update error checking for OpenSSL CMS

# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 840B

Update error checking for OpenSSL CMS_verify

The code for CMS data verification was initially written for OpenSSL's
PKCS7_verify() function. It now uses CMS_verify(), but error handling
is still done using PKCS7_verify() error identifiers. Update the
recognized error codes so that the KDC generates
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
Use ERR_peek_last_error() to observe the error generated closest to
the API surface.

[ghudson@mit.edu: edited commit message]

https://github.com/krb5/krb5/commit/70f61d417261ca17efe3d60d180033bea2da60b0
Author: Julien Rische <jrische@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 70f61d417261ca17efe3d60d180033bea2da60b0
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added

# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'resolved'

# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Target_Version 1.20-next added

# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Fri Jan 13 16:50:46 2023 ghudson@mit.edu (Greg Hudson) - Correspondence added

Subject:	git commit
From:	ghudson@mit.edu

Download (untitled) / with headers
text/plain 826B

Fix PKINIT CMS error checking for older OpenSSL

Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.

Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.

https://github.com/krb5/krb5/commit/e48e2e56a05a47fd932a941ac82c1131ceed47d0
Author: Greg Hudson <ghudson@mit.edu>
Commit: e48e2e56a05a47fd932a941ac82c1131ceed47d0
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)

Ticket History #9069: Update error checking for OpenSSL CMS_verify