Skip Menu |
 

History Show all quoted textShow full headers
# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Ticket created
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 840B

Update error checking for OpenSSL CMS_verify

The code for CMS data verification was initially written for OpenSSL's
PKCS7_verify() function. It now uses CMS_verify(), but error handling
is still done using PKCS7_verify() error identifiers. Update the
recognized error codes so that the KDC generates
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
Use ERR_peek_last_error() to observe the error generated closest to
the API surface.

[ghudson@mit.edu: edited commit message]

https://github.com/krb5/krb5/commit/70f61d417261ca17efe3d60d180033bea2da60b0
Author: Julien Rische <jrische@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 70f61d417261ca17efe3d60d180033bea2da60b0
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added
# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'resolved'
# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Target_Version 1.20-next added
# Thu Aug 18 19:14:08 2022 ghudson@mit.edu (Greg Hudson) - Tags pullup added
# Fri Jan 13 16:50:46 2023 ghudson@mit.edu (Greg Hudson) - Correspondence added
Subject: git commit
From: ghudson@mit.edu
Download (untitled) / with headers
text/plain 826B

Fix PKINIT CMS error checking for older OpenSSL

Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.

Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.

https://github.com/krb5/krb5/commit/e48e2e56a05a47fd932a941ac82c1131ceed47d0
Author: Greg Hudson <ghudson@mit.edu>
Commit: e48e2e56a05a47fd932a941ac82c1131ceed47d0
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
# Wed Apr 12 16:55:40 2023 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.21 added
# Tue Jul 11 18:56:07 2023 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.20.2 added
# Tue Jul 11 18:56:07 2023 ghudson@mit.edu (Greg Hudson) - Correspondence added
Subject: git commit
From: ghudson@mit.edu
Download (untitled) / with headers
text/plain 913B

Update error checking for OpenSSL CMS_verify

The code for CMS data verification was initially written for OpenSSL's
PKCS7_verify() function. It now uses CMS_verify(), but error handling
is still done using PKCS7_verify() error identifiers. Update the
recognized error codes so that the KDC generates
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED errors when appropriate.
Use ERR_peek_last_error() to observe the error generated closest to
the API surface.

[ghudson@mit.edu: edited commit message]

(cherry picked from commit 70f61d417261ca17efe3d60d180033bea2da60b0)

https://github.com/krb5/krb5/commit/9a2051998c9446f56ba40a29e56c625b83e38467
Author: Julien Rische <jrische@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 9a2051998c9446f56ba40a29e56c625b83e38467
Branch: krb5-1.20
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
# Tue Jul 11 18:56:15 2023 ghudson@mit.edu (Greg Hudson) - Correspondence added
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 899B

Fix PKINIT CMS error checking for older OpenSSL

Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.

Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.

(cherry picked from commit e48e2e56a05a47fd932a941ac82c1131ceed47d0)

https://github.com/krb5/krb5/commit/a6971d269577afa68584d6076bd90f84c2099f93
Author: Greg Hudson <ghudson@mit.edu>
Commit: a6971d269577afa68584d6076bd90f84c2099f93
Branch: krb5-1.20
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
# Tue Jul 11 19:10:31 2023 ghudson@mit.edu (Greg Hudson) - Tags pullup deleted