krb5/Fix-PKINIT-cert-matching-data-construction.patch

From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 24 Oct 2017 15:09:57 -0400
Subject: [PATCH] Fix PKINIT cert matching data construction

Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.

(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1)
---
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 61 +++++++---------------
 1 file changed, 19 insertions(+), 42 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index f7640baf1..9fa20a8b2 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5002,33 +5002,23 @@ out:
     return retval;
 }
 
-/*
- * Return a string format of an X509_NAME in buf where
- * size is an in/out parameter.  On input it is the size
- * of the buffer, and on output it is the actual length
- * of the name.
- * If buf is NULL, returns the length req'd to hold name
- */
-static char *
-X509_NAME_oneline_ex(X509_NAME * a,
-                     char *buf,
-                     unsigned int *size,
-                     unsigned long flag)
+static krb5_error_code
+rfc2253_name(X509_NAME *name, char **str_out)
 {
-    BIO *out = NULL;
+    BIO *b = NULL;
+    char *str;
 
-    out = BIO_new(BIO_s_mem ());
-    if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
-        if (buf != NULL && (*size) >  (unsigned int) BIO_number_written(out)) {
-            memset(buf, 0, *size);
-            BIO_read(out, buf, (int) BIO_number_written(out));
-        }
-        else {
-            *size = BIO_number_written(out);
-        }
-    }
-    BIO_free(out);
-    return (buf);
+    *str_out = NULL;
+    b = BIO_new(BIO_s_mem());
+    if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
+        return ENOMEM;
+    str = calloc(BIO_number_written(b) + 1, 1);
+    if (str == NULL)
+        return ENOMEM;
+    BIO_read(b, str, BIO_number_written(b));
+    BIO_free(b);
+    *str_out = str;
+    return 0;
 }
 
 /*
@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context,
     pkinit_cert_matching_data *md = NULL;
     krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
     size_t i, j;
-    char buf[DN_BUF_LEN];
-    unsigned int bufsize = sizeof(buf);
 
     *md_out = NULL;
 
@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context,
     if (md == NULL)
         goto cleanup;
 
-    /* Get the subject name (in rfc2253 format). */
-    X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,
-                         XN_FLAG_SEP_COMMA_PLUS);
-    md->subject_dn = strdup(buf);
-    if (md->subject_dn == NULL) {
-        ret = ENOMEM;
+    ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
+    if (ret)
         goto cleanup;
-    }
-
-    /* Get the issuer name (in rfc2253 format). */
-    X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,
-                         XN_FLAG_SEP_COMMA_PLUS);
-    md->issuer_dn = strdup(buf);
-    if (md->issuer_dn == NULL) {
-        ret = ENOMEM;
+    ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
+    if (ret)
         goto cleanup;
-    }
 
     /* Get the SAN data. */
     ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
Fix CVE-2017-15088 (Buffer overflow in get_matching_data()) 2017-10-24 19:18:59 +00:00			`From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001`
			`From: Greg Hudson <ghudson@mit.edu>`
			`Date: Tue, 24 Oct 2017 15:09:57 -0400`
			`Subject: [PATCH] Fix PKINIT cert matching data construction`

			`Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic`
			`allocation and to perform proper error checking.`

			`(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1)`
			`---`
			`src/plugins/preauth/pkinit/pkinit_crypto_openssl.c \| 61 +++++++---------------`
			`1 file changed, 19 insertions(+), 42 deletions(-)`

			`diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
			`index f7640baf1..9fa20a8b2 100644`
			`--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
			`+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c`
			`@@ -5002,33 +5002,23 @@ out:`
			`return retval;`
			`}`

			`-/*`
			`- * Return a string format of an X509_NAME in buf where`
			`- * size is an in/out parameter. On input it is the size`
			`- * of the buffer, and on output it is the actual length`
			`- * of the name.`
			`- * If buf is NULL, returns the length req'd to hold name`
			`- */`
			`-static char *`
			`-X509_NAME_oneline_ex(X509_NAME * a,`
			`- char *buf,`
			`- unsigned int *size,`
			`- unsigned long flag)`
			`+static krb5_error_code`
			`+rfc2253_name(X509_NAME name, char *str_out)`
			`{`
			`- BIO *out = NULL;`
			`+ BIO *b = NULL;`
			`+ char *str;`

			`- out = BIO_new(BIO_s_mem ());`
			`- if (X509_NAME_print_ex(out, a, 0, flag) > 0) {`
			`- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) {`
			`- memset(buf, 0, *size);`
			`- BIO_read(out, buf, (int) BIO_number_written(out));`
			`- }`
			`- else {`
			`- *size = BIO_number_written(out);`
			`- }`
			`- }`
			`- BIO_free(out);`
			`- return (buf);`
			`+ *str_out = NULL;`
			`+ b = BIO_new(BIO_s_mem());`
			`+ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)`
			`+ return ENOMEM;`
			`+ str = calloc(BIO_number_written(b) + 1, 1);`
			`+ if (str == NULL)`
			`+ return ENOMEM;`
			`+ BIO_read(b, str, BIO_number_written(b));`
			`+ BIO_free(b);`
			`+ *str_out = str;`
			`+ return 0;`
			`}`

			`/*`
			`@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context,`
			`pkinit_cert_matching_data *md = NULL;`
			`krb5_principal pkinit_sans = NULL, upn_sans = NULL;`
			`size_t i, j;`
			`- char buf[DN_BUF_LEN];`
			`- unsigned int bufsize = sizeof(buf);`

			`*md_out = NULL;`

			`@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context,`
			`if (md == NULL)`
			`goto cleanup;`

			`- /* Get the subject name (in rfc2253 format). */`
			`- X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,`
			`- XN_FLAG_SEP_COMMA_PLUS);`
			`- md->subject_dn = strdup(buf);`
			`- if (md->subject_dn == NULL) {`
			`- ret = ENOMEM;`
			`+ ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);`
			`+ if (ret)`
			`goto cleanup;`
			`- }`
			`-`
			`- /* Get the issuer name (in rfc2253 format). */`
			`- X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,`
			`- XN_FLAG_SEP_COMMA_PLUS);`
			`- md->issuer_dn = strdup(buf);`
			`- if (md->issuer_dn == NULL) {`
			`- ret = ENOMEM;`
			`+ ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);`
			`+ if (ret)`
			`goto cleanup;`
			`- }`

			`/* Get the SAN data. */`
			`ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,`