|
 |
fab64b |
From 54c5bec8deb2d4e972795e37273ad17a0b1e2f4f Mon Sep 17 00:00:00 2001
|
|
|
fab64b |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
fab64b |
Date: Wed, 4 Jan 2017 11:33:57 -0500
|
|
|
fab64b |
Subject: [PATCH] Deindent crypto_retrieve_X509_sans()
|
|
|
fab64b |
|
|
|
fab64b |
Fix some long lines in crypto_retrieve_X509_sans() by returning early
|
|
|
fab64b |
if X509_get_ext_by_NID() returns a negative result. Also ensure that
|
|
|
fab64b |
return parameters are always initialized.
|
|
|
fab64b |
|
|
|
fab64b |
(cherry picked from commit c6b772523db9d7791ee1c56eb512c4626556a4e7)
|
|
|
fab64b |
(cherry picked from commit 23086ac768a32db1e40a9b63684dbcfd76aba033)
|
|
|
fab64b |
---
|
|
|
665228 |
.../preauth/pkinit/pkinit_crypto_openssl.c | 224 +++++++++---------
|
|
|
fab64b |
1 file changed, 114 insertions(+), 110 deletions(-)
|
|
|
fab64b |
|
|
|
fab64b |
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
fab64b |
index bc6e7662e..8def8c542 100644
|
|
|
fab64b |
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
fab64b |
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
fab64b |
@@ -2101,11 +2101,21 @@ crypto_retrieve_X509_sans(krb5_context context,
|
|
|
fab64b |
{
|
|
|
fab64b |
krb5_error_code retval = EINVAL;
|
|
|
fab64b |
char buf[DN_BUF_LEN];
|
|
|
fab64b |
- int p = 0, u = 0, d = 0, l;
|
|
|
fab64b |
+ int p = 0, u = 0, d = 0, ret = 0, l;
|
|
|
fab64b |
krb5_principal *princs = NULL;
|
|
|
fab64b |
krb5_principal *upns = NULL;
|
|
|
fab64b |
unsigned char **dnss = NULL;
|
|
|
fab64b |
- unsigned int i, num_found = 0;
|
|
|
fab64b |
+ unsigned int i, num_found = 0, num_sans = 0;
|
|
|
fab64b |
+ X509_EXTENSION *ext = NULL;
|
|
|
fab64b |
+ GENERAL_NAMES *ialt = NULL;
|
|
|
fab64b |
+ GENERAL_NAME *gen = NULL;
|
|
|
fab64b |
+
|
|
|
fab64b |
+ if (princs_ret != NULL)
|
|
|
fab64b |
+ *princs_ret = NULL;
|
|
|
fab64b |
+ if (upn_ret != NULL)
|
|
|
fab64b |
+ *upn_ret = NULL;
|
|
|
fab64b |
+ if (dns_ret != NULL)
|
|
|
fab64b |
+ *dns_ret = NULL;
|
|
|
fab64b |
|
|
|
fab64b |
if (princs_ret == NULL && upn_ret == NULL && dns_ret == NULL) {
|
|
|
fab64b |
pkiDebug("%s: nowhere to return any values!\n", __FUNCTION__);
|
|
|
fab64b |
@@ -2121,118 +2131,112 @@ crypto_retrieve_X509_sans(krb5_context context,
|
|
|
fab64b |
buf, sizeof(buf));
|
|
|
fab64b |
pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
|
|
|
fab64b |
|
|
|
fab64b |
- if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
|
|
|
fab64b |
- X509_EXTENSION *ext = NULL;
|
|
|
fab64b |
- GENERAL_NAMES *ialt = NULL;
|
|
|
fab64b |
- GENERAL_NAME *gen = NULL;
|
|
|
fab64b |
- int ret = 0;
|
|
|
fab64b |
- unsigned int num_sans = 0;
|
|
|
fab64b |
+ l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
|
|
|
fab64b |
+ if (l < 0)
|
|
|
fab64b |
+ return 0;
|
|
|
fab64b |
|
|
|
fab64b |
- if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
|
|
|
fab64b |
- pkiDebug("%s: found no subject alt name extensions\n",
|
|
|
fab64b |
- __FUNCTION__);
|
|
|
fab64b |
+ if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
|
|
|
fab64b |
+ pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__);
|
|
|
fab64b |
+ goto cleanup;
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ num_sans = sk_GENERAL_NAME_num(ialt);
|
|
|
fab64b |
+
|
|
|
fab64b |
+ pkiDebug("%s: found %d subject alt name extension(s)\n", __FUNCTION__,
|
|
|
fab64b |
+ num_sans);
|
|
|
fab64b |
+
|
|
|
fab64b |
+ /* OK, we're likely returning something. Allocate return values */
|
|
|
fab64b |
+ if (princs_ret != NULL) {
|
|
|
fab64b |
+ princs = calloc(num_sans + 1, sizeof(krb5_principal));
|
|
|
fab64b |
+ if (princs == NULL) {
|
|
|
fab64b |
+ retval = ENOMEM;
|
|
|
fab64b |
goto cleanup;
|
|
|
fab64b |
}
|
|
|
fab64b |
- num_sans = sk_GENERAL_NAME_num(ialt);
|
|
|
fab64b |
-
|
|
|
fab64b |
- pkiDebug("%s: found %d subject alt name extension(s)\n",
|
|
|
fab64b |
- __FUNCTION__, num_sans);
|
|
|
fab64b |
-
|
|
|
fab64b |
- /* OK, we're likely returning something. Allocate return values */
|
|
|
fab64b |
- if (princs_ret != NULL) {
|
|
|
fab64b |
- princs = calloc(num_sans + 1, sizeof(krb5_principal));
|
|
|
fab64b |
- if (princs == NULL) {
|
|
|
fab64b |
- retval = ENOMEM;
|
|
|
fab64b |
- goto cleanup;
|
|
|
fab64b |
- }
|
|
|
fab64b |
- }
|
|
|
fab64b |
- if (upn_ret != NULL) {
|
|
|
fab64b |
- upns = calloc(num_sans + 1, sizeof(krb5_principal));
|
|
|
fab64b |
- if (upns == NULL) {
|
|
|
fab64b |
- retval = ENOMEM;
|
|
|
fab64b |
- goto cleanup;
|
|
|
fab64b |
- }
|
|
|
fab64b |
- }
|
|
|
fab64b |
- if (dns_ret != NULL) {
|
|
|
fab64b |
- dnss = calloc(num_sans + 1, sizeof(*dnss));
|
|
|
fab64b |
- if (dnss == NULL) {
|
|
|
fab64b |
- retval = ENOMEM;
|
|
|
fab64b |
- goto cleanup;
|
|
|
fab64b |
- }
|
|
|
fab64b |
- }
|
|
|
fab64b |
-
|
|
|
fab64b |
- for (i = 0; i < num_sans; i++) {
|
|
|
fab64b |
- krb5_data name = { 0, 0, NULL };
|
|
|
fab64b |
-
|
|
|
fab64b |
- gen = sk_GENERAL_NAME_value(ialt, i);
|
|
|
fab64b |
- switch (gen->type) {
|
|
|
fab64b |
- case GEN_OTHERNAME:
|
|
|
fab64b |
- name.length = gen->d.otherName->value->value.sequence->length;
|
|
|
fab64b |
- name.data = (char *)gen->d.otherName->value->value.sequence->data;
|
|
|
fab64b |
- if (princs != NULL
|
|
|
fab64b |
- && OBJ_cmp(plgctx->id_pkinit_san,
|
|
|
fab64b |
- gen->d.otherName->type_id) == 0) {
|
|
|
fab64b |
-#ifdef DEBUG_ASN1
|
|
|
fab64b |
- print_buffer_bin((unsigned char *)name.data, name.length,
|
|
|
fab64b |
- "/tmp/pkinit_san");
|
|
|
fab64b |
-#endif
|
|
|
fab64b |
- ret = k5int_decode_krb5_principal_name(&name, &princs[p]);
|
|
|
fab64b |
- if (ret) {
|
|
|
fab64b |
- pkiDebug("%s: failed decoding pkinit san value\n",
|
|
|
fab64b |
- __FUNCTION__);
|
|
|
fab64b |
- } else {
|
|
|
fab64b |
- p++;
|
|
|
fab64b |
- num_found++;
|
|
|
fab64b |
- }
|
|
|
fab64b |
- } else if (upns != NULL
|
|
|
fab64b |
- && OBJ_cmp(plgctx->id_ms_san_upn,
|
|
|
fab64b |
- gen->d.otherName->type_id) == 0) {
|
|
|
fab64b |
- /* Prevent abuse of embedded null characters. */
|
|
|
fab64b |
- if (memchr(name.data, '\0', name.length))
|
|
|
fab64b |
- break;
|
|
|
fab64b |
- ret = krb5_parse_name_flags(context, name.data,
|
|
|
fab64b |
- KRB5_PRINCIPAL_PARSE_ENTERPRISE,
|
|
|
fab64b |
- &upns[u]);
|
|
|
fab64b |
- if (ret) {
|
|
|
fab64b |
- pkiDebug("%s: failed parsing ms-upn san value\n",
|
|
|
fab64b |
- __FUNCTION__);
|
|
|
fab64b |
- } else {
|
|
|
fab64b |
- u++;
|
|
|
fab64b |
- num_found++;
|
|
|
fab64b |
- }
|
|
|
fab64b |
- } else {
|
|
|
fab64b |
- pkiDebug("%s: unrecognized othername oid in SAN\n",
|
|
|
fab64b |
- __FUNCTION__);
|
|
|
fab64b |
- continue;
|
|
|
fab64b |
- }
|
|
|
fab64b |
-
|
|
|
fab64b |
- break;
|
|
|
fab64b |
- case GEN_DNS:
|
|
|
fab64b |
- if (dnss != NULL) {
|
|
|
fab64b |
- /* Prevent abuse of embedded null characters. */
|
|
|
fab64b |
- if (memchr(gen->d.dNSName->data, '\0',
|
|
|
fab64b |
- gen->d.dNSName->length))
|
|
|
fab64b |
- break;
|
|
|
fab64b |
- pkiDebug("%s: found dns name = %s\n",
|
|
|
fab64b |
- __FUNCTION__, gen->d.dNSName->data);
|
|
|
fab64b |
- dnss[d] = (unsigned char *)
|
|
|
fab64b |
- strdup((char *)gen->d.dNSName->data);
|
|
|
fab64b |
- if (dnss[d] == NULL) {
|
|
|
fab64b |
- pkiDebug("%s: failed to duplicate dns name\n",
|
|
|
fab64b |
- __FUNCTION__);
|
|
|
fab64b |
- } else {
|
|
|
fab64b |
- d++;
|
|
|
fab64b |
- num_found++;
|
|
|
fab64b |
- }
|
|
|
fab64b |
- }
|
|
|
fab64b |
- break;
|
|
|
fab64b |
- default:
|
|
|
fab64b |
- pkiDebug("%s: SAN type = %d expecting %d\n",
|
|
|
fab64b |
- __FUNCTION__, gen->type, GEN_OTHERNAME);
|
|
|
fab64b |
- }
|
|
|
fab64b |
- }
|
|
|
fab64b |
- sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
|
|
|
fab64b |
}
|
|
|
fab64b |
+ if (upn_ret != NULL) {
|
|
|
fab64b |
+ upns = calloc(num_sans + 1, sizeof(krb5_principal));
|
|
|
fab64b |
+ if (upns == NULL) {
|
|
|
fab64b |
+ retval = ENOMEM;
|
|
|
fab64b |
+ goto cleanup;
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ if (dns_ret != NULL) {
|
|
|
fab64b |
+ dnss = calloc(num_sans + 1, sizeof(*dnss));
|
|
|
fab64b |
+ if (dnss == NULL) {
|
|
|
fab64b |
+ retval = ENOMEM;
|
|
|
fab64b |
+ goto cleanup;
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+
|
|
|
fab64b |
+ for (i = 0; i < num_sans; i++) {
|
|
|
fab64b |
+ krb5_data name = { 0, 0, NULL };
|
|
|
fab64b |
+
|
|
|
fab64b |
+ gen = sk_GENERAL_NAME_value(ialt, i);
|
|
|
fab64b |
+ switch (gen->type) {
|
|
|
fab64b |
+ case GEN_OTHERNAME:
|
|
|
fab64b |
+ name.length = gen->d.otherName->value->value.sequence->length;
|
|
|
fab64b |
+ name.data = (char *)gen->d.otherName->value->value.sequence->data;
|
|
|
fab64b |
+ if (princs != NULL &&
|
|
|
fab64b |
+ OBJ_cmp(plgctx->id_pkinit_san,
|
|
|
fab64b |
+ gen->d.otherName->type_id) == 0) {
|
|
|
fab64b |
+#ifdef DEBUG_ASN1
|
|
|
fab64b |
+ print_buffer_bin((unsigned char *)name.data, name.length,
|
|
|
fab64b |
+ "/tmp/pkinit_san");
|
|
|
fab64b |
+#endif
|
|
|
fab64b |
+ ret = k5int_decode_krb5_principal_name(&name, &princs[p]);
|
|
|
fab64b |
+ if (ret) {
|
|
|
fab64b |
+ pkiDebug("%s: failed decoding pkinit san value\n",
|
|
|
fab64b |
+ __FUNCTION__);
|
|
|
fab64b |
+ } else {
|
|
|
fab64b |
+ p++;
|
|
|
fab64b |
+ num_found++;
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ } else if (upns != NULL &&
|
|
|
fab64b |
+ OBJ_cmp(plgctx->id_ms_san_upn,
|
|
|
fab64b |
+ gen->d.otherName->type_id) == 0) {
|
|
|
fab64b |
+ /* Prevent abuse of embedded null characters. */
|
|
|
fab64b |
+ if (memchr(name.data, '\0', name.length))
|
|
|
fab64b |
+ break;
|
|
|
fab64b |
+ ret = krb5_parse_name_flags(context, name.data,
|
|
|
fab64b |
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE,
|
|
|
fab64b |
+ &upns[u]);
|
|
|
fab64b |
+ if (ret) {
|
|
|
fab64b |
+ pkiDebug("%s: failed parsing ms-upn san value\n",
|
|
|
fab64b |
+ __FUNCTION__);
|
|
|
fab64b |
+ } else {
|
|
|
fab64b |
+ u++;
|
|
|
fab64b |
+ num_found++;
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ } else {
|
|
|
fab64b |
+ pkiDebug("%s: unrecognized othername oid in SAN\n",
|
|
|
fab64b |
+ __FUNCTION__);
|
|
|
fab64b |
+ continue;
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+
|
|
|
fab64b |
+ break;
|
|
|
fab64b |
+ case GEN_DNS:
|
|
|
fab64b |
+ if (dnss != NULL) {
|
|
|
fab64b |
+ /* Prevent abuse of embedded null characters. */
|
|
|
fab64b |
+ if (memchr(gen->d.dNSName->data, '\0', gen->d.dNSName->length))
|
|
|
fab64b |
+ break;
|
|
|
fab64b |
+ pkiDebug("%s: found dns name = %s\n", __FUNCTION__,
|
|
|
fab64b |
+ gen->d.dNSName->data);
|
|
|
fab64b |
+ dnss[d] = (unsigned char *)
|
|
|
fab64b |
+ strdup((char *)gen->d.dNSName->data);
|
|
|
fab64b |
+ if (dnss[d] == NULL) {
|
|
|
fab64b |
+ pkiDebug("%s: failed to duplicate dns name\n",
|
|
|
fab64b |
+ __FUNCTION__);
|
|
|
fab64b |
+ } else {
|
|
|
fab64b |
+ d++;
|
|
|
fab64b |
+ num_found++;
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ break;
|
|
|
fab64b |
+ default:
|
|
|
fab64b |
+ pkiDebug("%s: SAN type = %d expecting %d\n", __FUNCTION__,
|
|
|
fab64b |
+ gen->type, GEN_OTHERNAME);
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ }
|
|
|
fab64b |
+ sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free);
|
|
|
fab64b |
|
|
|
fab64b |
retval = 0;
|
|
|
fab64b |
if (princs)
|