Skip Menu |
 

From: ghudson@mit.edu
Subject: git commit

Update error checking for OpenSSL CMS_verify

The code for CMS data verification was initially written for OpenSSL's
PKCS7_verify() function. It now uses CMS_verify(), but error handling
is still done using PKCS7_verify() error identifiers. Update the
recognized error codes so that the KDC generates
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
Use ERR_peek_last_error() to observe the error generated closest to
the API surface.

[ghudson@mit.edu: edited commit message]

https://github.com/krb5/krb5/commit/70f61d417261ca17efe3d60d180033bea2da60b0
Author: Julien Rische <jrische@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 70f61d417261ca17efe3d60d180033bea2da60b0
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
Subject: git commit
From: ghudson@mit.edu

Fix PKINIT CMS error checking for older OpenSSL

Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.

Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.

https://github.com/krb5/krb5/commit/e48e2e56a05a47fd932a941ac82c1131ceed47d0
Author: Greg Hudson <ghudson@mit.edu>
Commit: e48e2e56a05a47fd932a941ac82c1131ceed47d0
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
Subject: git commit
From: ghudson@mit.edu

Update error checking for OpenSSL CMS_verify

The code for CMS data verification was initially written for OpenSSL's
PKCS7_verify() function. It now uses CMS_verify(), but error handling
is still done using PKCS7_verify() error identifiers. Update the
recognized error codes so that the KDC generates
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
Use ERR_peek_last_error() to observe the error generated closest to
the API surface.

[ghudson@mit.edu: edited commit message]

(cherry picked from commit 70f61d417261ca17efe3d60d180033bea2da60b0)

https://github.com/krb5/krb5/commit/9a2051998c9446f56ba40a29e56c625b83e38467
Author: Julien Rische <jrische@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 9a2051998c9446f56ba40a29e56c625b83e38467
Branch: krb5-1.20
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix PKINIT CMS error checking for older OpenSSL

Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.

Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.

(cherry picked from commit e48e2e56a05a47fd932a941ac82c1131ceed47d0)

https://github.com/krb5/krb5/commit/a6971d269577afa68584d6076bd90f84c2099f93
Author: Greg Hudson <ghudson@mit.edu>
Commit: a6971d269577afa68584d6076bd90f84c2099f93
Branch: krb5-1.20
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)