diff --git a/krb5-trunk-pkinit-anchorsign.patch b/krb5-trunk-pkinit-anchorsign.patch
deleted file mode 100644
index 508bb5b..0000000
--- a/krb5-trunk-pkinit-anchorsign.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d
-Author: Greg Hudson
-Date: Thu Jun 21 17:20:29 2012 -0400
-
- Handle PKINIT DH replies with no certs
-
- If a PKINIT Diffie-Hellman reply contains no certificates in the
- SignedData object, that may be because the signer certificate was a
- trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
- filters client trust anchors out of the returned set of certificates.
- Match against idctx->trustedCAs and idctx->intermediateCAs to handle
- this case. This fix only works with OpenSSL 1.0 or later; when built
- against OpenSSL 0.9.x, the client will still require a cert in the
- reply.
-
- Code changes suggested by nalin@redhat.com.
-
- ticket: 7183
-
-diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 0136d4f..7120ecf 100644
---- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
- X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
- X509_STORE_set_flags(store, vflags);
-
-- /* get the signer's information from the CMS message */
-+ /*
-+ * Get the signer's information from the CMS message. Match signer ID
-+ * against anchors and intermediate CAs in case no certs are present in the
-+ * SignedData. If we start sending kdcPkId values in requests, we'll need
-+ * to match against the source of that information too.
-+ */
- CMS_set1_signers_certs(cms, NULL, 0);
-+ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
-+ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
- if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
- ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
- /* Not actually signed; anonymous case */
diff --git a/krb5.spec b/krb5.spec
index b7503d5..ee4036f 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -72,7 +72,6 @@ Patch75: krb5-pkinit-debug.patch
 Patch86: krb5-1.9-debuginfo.patch
 Patch105: krb5-kvno-230379.patch
 Patch106: krb5-1.10.2-keytab-etype.patch
-Patch107: krb5-trunk-pkinit-anchorsign.patch
 Patch109: krb5-1.10.3-as_rep_skew.patch
 Patch110: krb5-1.10.3-keytab-etype-corners-prep.patch
 Patch111: krb5-1.10.3-keytab-etype-corners.patch
@@ -265,7 +264,6 @@ ln -s NOTICE LICENSE
 %patch86 -p0 -b .debuginfo
 %patch105 -p1 -b .kvno
 %patch106 -p1 -b .keytab-etype
-%patch107 -p1 -b .pkinit-anchorsign
 %patch109 -p1 -b .as_rep_skew
 %patch110 -p1 -b .keytab-etype-corners-prep
 %patch111 -p1 -b .keytab-etype-corners
@@ -830,6 +828,10 @@ exit 0 warning flags and the current gcc - drop backported fix for disabling use of a replay cache when verifying initial credentials + - drop backported fix for teaching PKINIT clients which trust the KDC's + certificate directly to verify signed-data messages that are signed with + the KDC's certificate, when the blobs don't include a copy of the KDC's + certificate * Wed Oct 17 2012 Nalin Dahyabhai 1.10.3-7 - tag a couple of other patches which we still need to be applied during
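Review bot: Dropping Patch107 from the patch list and from %prep removes the anchor/intermediate matching in cms_signeddata_verify (the two CMS_set1_signers_certs(..., CMS_NOINTERN) calls in the deleted patch) with no replacement visible in this diff, and the changelog entry in the last hunk does not say why. Per the deleted patch's own description, the effect is that a client which trusts the KDC certificate directly will again require a copy of that certificate inside the SignedData, so PKINIT against a KDC that omits it (the Heimdal behaviour cited there) fails closed rather than open; that is a functional regression, not a weakening, but it is the kind of behaviour change a packager reading the spec needs to be able to trace. The entry should state the reason, e.g. appending `(superseded by the base release)` or `(reverted pending rework)` to the new changelog lines, whichever is actually the case, and cite upstream ticket 7183 so the dropped fix can be found.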