diff options
author | Greg Hudson <ghudson@mit.edu> | 2022-12-13 13:15:28 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2023-01-13 13:23:27 -0500 |
commit | e48e2e56a05a47fd932a941ac82c1131ceed47d0 (patch) | |
tree | b6af8d00853490c16ac610f79693786eb8537420 | |
parent | 650fe8423a47c52b4b347b47cb41259e04e90092 (diff) | |
download | krb5-e48e2e56a05a47fd932a941ac82c1131ceed47d0.tar.gz |
Fix PKINIT CMS error checking for older OpenSSL
Commit 70f61d417261ca17efe3d60d180033bea2da60b0 updated the
CMS_verify() error code checks, using two error codes new to OpenSSL
3.0 (RSA_R_DIGEST_NOT_ALLOWED and CMS_R_UNKNOWN_DIGEST_ALGORITHM).
This change broke the build for OpenSSL 1.0 and 1.1.
Instead of looking for codes indicating an algorithm issue and
assuming that everything else is an invalid signature, check for the
code indicating an invalid signature and assume that everything else
is an algorithm issue.
ticket: 9069
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 14 |
1 files changed, 3 insertions, 11 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 461135940..6ae6425d8 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -2061,18 +2061,10 @@ cms_signeddata_verify(krb5_context context, goto cleanup; out = BIO_new(BIO_s_mem()); if (CMS_verify(cms, NULL, store, NULL, out, flags) == 0) { - unsigned long err = ERR_peek_last_error(); - switch(ERR_GET_REASON(err)) { - case RSA_R_DIGEST_NOT_ALLOWED: - case CMS_R_UNKNOWN_DIGEST_ALGORITHM: - case CMS_R_NO_MATCHING_DIGEST: - case CMS_R_NO_MATCHING_SIGNATURE: - retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED; - break; - case CMS_R_VERIFICATION_FAILURE: - default: + if (ERR_peek_last_error() == CMS_R_VERIFICATION_FAILURE) retval = KRB5KDC_ERR_INVALID_SIG; - } + else + retval = KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED; (void)oerr(context, retval, _("Failed to verify CMS message")); goto cleanup; } |