Fix hex conversion of PKINIT certid strings

This commit is contained in:
Robbie Harwood 2018-03-13 17:45:47 -04:00
parent 4b5cd8c1f8
commit 5f3f6ef19b
2 changed files with 97 additions and 1 deletions

View File

@ -0,0 +1,92 @@
From 46fada3b8a7ad21adf6831cf86c38a822a38748e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 26 Jan 2018 11:47:50 -0500
Subject: [PATCH] Fix hex conversion of PKINIT certid strings
When parsing a PKCS11 token specification, correctly convert from hex
to binary instead of using OpenSSL bignum functions (which would strip
leading zeros).
[ghudson@mit.edu: made hex_string_to_bin() a bit less verbose; wrote
commit message]
ticket: 8636
(cherry picked from commit 63e8b8142fd7b3931a7bf2d6448978ca536bafc0)
---
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 55 +++++++++++++++++-----
1 file changed, 44 insertions(+), 11 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index ac107c2c1..4f21f90d2 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -4623,6 +4623,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts)
return ret;
}
+static int
+hex_string_to_bin(const char *str, int *bin_len_out, CK_BYTE **bin_out)
+{
+ size_t str_len, i;
+ CK_BYTE *bin;
+ char *endptr, tmp[3] = { '\0', '\0', '\0' };
+ long val;
+
+ *bin_len_out = 0;
+ *bin_out = NULL;
+
+ str_len = strlen(str);
+ if (str_len % 2 != 0)
+ return EINVAL;
+ bin = malloc(str_len / 2);
+ if (bin == NULL)
+ return ENOMEM;
+
+ errno = 0;
+ for (i = 0; i < str_len / 2; i++) {
+ tmp[0] = str[i * 2];
+ tmp[1] = str[i * 2 + 1];
+
+ val = strtol(tmp, &endptr, 16);
+ if (val < 0 || val > 255 || errno != 0 || endptr != &tmp[2]) {
+ free(bin);
+ return EINVAL;
+ }
+
+ bin[i] = (CK_BYTE)val;
+ }
+
+ *bin_len_out = str_len / 2;
+ *bin_out = bin;
+ return 0;
+}
+
static krb5_error_code
pkinit_get_certs_pkcs11(krb5_context context,
pkinit_plg_crypto_context plg_cryptoctx,
@@ -4665,18 +4702,14 @@ pkinit_get_certs_pkcs11(krb5_context context,
}
/* Convert the ascii cert_id string into a binary blob */
if (idopts->cert_id_string != NULL) {
- BIGNUM *bn = NULL;
- BN_hex2bn(&bn, idopts->cert_id_string);
- if (bn == NULL)
- return ENOMEM;
- id_cryptoctx->cert_id_len = BN_num_bytes(bn);
- id_cryptoctx->cert_id = malloc((size_t) id_cryptoctx->cert_id_len);
- if (id_cryptoctx->cert_id == NULL) {
- BN_free(bn);
- return ENOMEM;
+ r = hex_string_to_bin(idopts->cert_id_string,
+ &id_cryptoctx->cert_id_len,
+ &id_cryptoctx->cert_id);
+ if (r != 0) {
+ pkiDebug("Failed to convert certid string [%s]\n",
+ idopts->cert_id_string);
+ return r;
}
- BN_bn2bin(bn, id_cryptoctx->cert_id);
- BN_free(bn);
}
id_cryptoctx->slotid = idopts->slotid;
id_cryptoctx->pkcs11_method = 1;

View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.16 Version: 1.16
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 8%{?dist} Release: 9%{?dist}
# lookaside-cached sources; two downloads and a build artifact # lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -63,6 +63,7 @@ Patch36: krb5-1.11-kpasswdtest.patch
Patch37: Process-included-directories-in-alphabetical-order.patch Patch37: Process-included-directories-in-alphabetical-order.patch
Patch38: Fix-flaws-in-LDAP-DN-checking.patch Patch38: Fix-flaws-in-LDAP-DN-checking.patch
Patch39: Fix-capaths-.-values-on-client.patch Patch39: Fix-capaths-.-values-on-client.patch
Patch40: Fix-hex-conversion-of-PKINIT-certid-strings.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -712,6 +713,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Tue Mar 13 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-9
- Fix hex conversion of PKINIT certid strings
* Wed Mar 07 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-8 * Wed Mar 07 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-8
- Fix capaths "." values on client - Fix capaths "." values on client
- Resolves: 1551099 - Resolves: 1551099