diff --git a/Fix-hex-conversion-of-PKINIT-certid-strings.patch b/Fix-hex-conversion-of-PKINIT-certid-strings.patch
new file mode 100644
index 0000000..6acb007
--- /dev/null
+++ b/Fix-hex-conversion-of-PKINIT-certid-strings.patch
@@ -0,0 +1,92 @@
+From 46fada3b8a7ad21adf6831cf86c38a822a38748e Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 26 Jan 2018 11:47:50 -0500
+Subject: [PATCH] Fix hex conversion of PKINIT certid strings
+
+When parsing a PKCS11 token specification, correctly convert from hex
+to binary instead of using OpenSSL bignum functions (which would strip
+leading zeros).
+
+[ghudson@mit.edu: made hex_string_to_bin() a bit less verbose; wrote
+commit message]
+
+ticket: 8636
+(cherry picked from commit 63e8b8142fd7b3931a7bf2d6448978ca536bafc0)
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 55 +++++++++++++++++-----
+ 1 file changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index ac107c2c1..4f21f90d2 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -4623,6 +4623,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts)
+ return ret;
+ }
+
++static int
++hex_string_to_bin(const char *str, int *bin_len_out, CK_BYTE **bin_out)
++{
++ size_t str_len, i;
++ CK_BYTE *bin;
++ char *endptr, tmp[3] = { '\0', '\0', '\0' };
++ long val;
++
++ *bin_len_out = 0;
++ *bin_out = NULL;
++
++ str_len = strlen(str);
++ if (str_len % 2 != 0)
++ return EINVAL;
++ bin = malloc(str_len / 2);
++ if (bin == NULL)
++ return ENOMEM;
++
++ errno = 0;
++ for (i = 0; i < str_len / 2; i++) {
++ tmp[0] = str[i * 2];
++ tmp[1] = str[i * 2 + 1];
++
++ val = strtol(tmp, &endptr, 16);
++ if (val < 0 || val > 255 || errno != 0 || endptr != &tmp[2]) {
++ free(bin);
++ return EINVAL;
++ }
++
++ bin[i] = (CK_BYTE)val;
++ }
++
++ *bin_len_out = str_len / 2;
++ *bin_out = bin;
++ return 0;
++}
++
+ static krb5_error_code
+ pkinit_get_certs_pkcs11(krb5_context context,
+ pkinit_plg_crypto_context plg_cryptoctx,
+@@ -4665,18 +4702,14 @@ pkinit_get_certs_pkcs11(krb5_context context,
+ }
+ /* Convert the ascii cert_id string into a binary blob */
+ if (idopts->cert_id_string != NULL) {
+- BIGNUM *bn = NULL;
+- BN_hex2bn(&bn, idopts->cert_id_string);
+- if (bn == NULL)
+- return ENOMEM;
+- id_cryptoctx->cert_id_len = BN_num_bytes(bn);
+- id_cryptoctx->cert_id = malloc((size_t) id_cryptoctx->cert_id_len);
+- if (id_cryptoctx->cert_id == NULL) {
+- BN_free(bn);
+- return ENOMEM;
++ r = hex_string_to_bin(idopts->cert_id_string,
++ &id_cryptoctx->cert_id_len,
++ &id_cryptoctx->cert_id);
++ if (r != 0) {
++ pkiDebug("Failed to convert certid string [%s]\n",
++ idopts->cert_id_string);
++ return r;
+ }
+- BN_bn2bin(bn, id_cryptoctx->cert_id);
+- BN_free(bn);
+ }
+ id_cryptoctx->slotid = idopts->slotid;
+ id_cryptoctx->pkcs11_method = 1;
diff --git a/krb5.spec b/krb5.spec
index 293caff..ea4bbfc 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.16
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 8%{?dist}
+Release: 9%{?dist}
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@@ -63,6 +63,7 @@ Patch36: krb5-1.11-kpasswdtest.patch
 Patch37: Process-included-directories-in-alphabetical-order.patch
 Patch38: Fix-flaws-in-LDAP-DN-checking.patch
 Patch39: Fix-capaths-.-values-on-client.patch
+Patch40: Fix-hex-conversion-of-PKINIT-certid-strings.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -712,6 +713,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Tue Mar 13 2018 Robbie Harwood - 1.16-9
+- Fix hex conversion of PKINIT certid strings
+ + * Wed Mar 07 2018 Robbie Harwood - 1.16-8
 - Fix capaths "." values on client
 - Resolves: 1551099
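Review bot: hex_string_to_bin in the new patch accepts two-character pairs that are not two hex digits, because strtol skips leading whitespace and a sign: `" f"`, `"+f"` and `"-0"` all satisfy the `val < 0 || val > 255 || errno != 0 || endptr != &tmp[2]` check and are stored as bytes, so a certid string is parsed more leniently than the hex-pair syntax the function is meant to enforce. A strict guard before the strtol call closes this: `if (!isxdigit((unsigned char)tmp[0]) || !isxdigit((unsigned char)tmp[1])) { free(bin); return EINVAL; }` (this needs <ctype.h>, which the patch does not show being included in pkinit_crypto_openssl.c). Separately, an empty certid string reaches `malloc(0)`, whose return may be NULL on some allocators and would then be reported as ENOMEM rather than as a malformed identifier; rejecting `str_len == 0` up front with EINVAL makes that failure explicit and keeps cert_id from being a zero-length allocation. hex_string_to_bin is complete within the hunk; the pkinit_get_certs_pkcs11 body that calls it starts and ends outside the hunk.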