From 1bde0be47ab0c6f94b474c0a3b1d03ec32db1293 Mon Sep 17 00:00:00 2001

From: Greg Hudson <ghudson@mit.edu>

Date: Tue, 17 Oct 2017 18:50:15 -0400

Subject: [PATCH] Fix PKINIT cert matching data construction

Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic

allocation and to perform proper error checking.

ticket: 8617

target_version: 1.16

target_version: 1.15-next

target_version: 1.14-next

tags: pullup

(cherry picked from commit fbb687db1088ddd894d975996e5f6a4252b9a2b4)

---

 .../preauth/pkinit/pkinit_crypto_openssl.c    | 67 +++++++------------

 1 file changed, 25 insertions(+), 42 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

index b243dca30..1eb273808 100644

--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

@@ -5052,33 +5052,29 @@ out:

     return retval;

 }

-/*

- * Return a string format of an X509_NAME in buf where

- * size is an in/out parameter.  On input it is the size

- * of the buffer, and on output it is the actual length

- * of the name.

- * If buf is NULL, returns the length req'd to hold name

- */

-static char *

-X509_NAME_oneline_ex(X509_NAME * a,

-                     char *buf,

-                     unsigned int *size,

-                     unsigned long flag)

+static krb5_error_code

+rfc2253_name(X509_NAME *name, char **str_out)

 {

-    BIO *out = NULL;

+    BIO *b = NULL;

+    char *str;

-    out = BIO_new(BIO_s_mem ());

-    if (X509_NAME_print_ex(out, a, 0, flag) > 0) {

-        if (buf != NULL && (*size) >  (unsigned int) BIO_number_written(out)) {

-            memset(buf, 0, *size);

-            BIO_read(out, buf, (int) BIO_number_written(out));

-        }

-        else {

-            *size = BIO_number_written(out);

-        }

-    }

-    BIO_free(out);

-    return (buf);

+    *str_out = NULL;

+    b = BIO_new(BIO_s_mem());

+    if (b == NULL)

+        return ENOMEM;

+    if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)

+        goto error;

+    str = calloc(BIO_number_written(b) + 1, 1);

+    if (str == NULL)

+        goto error;

+    BIO_read(b, str, BIO_number_written(b));

+    BIO_free(b);

+    *str_out = str;

+    return 0;

+

+error:

+    BIO_free(b);

+    return ENOMEM;

 }

 /*

@@ -5144,8 +5140,6 @@ get_matching_data(krb5_context context,

     pkinit_cert_matching_data *md = NULL;

     krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;

     size_t i, j;

-    char buf[DN_BUF_LEN];

-    unsigned int bufsize = sizeof(buf);

     *md_out = NULL;

@@ -5153,23 +5147,12 @@ get_matching_data(krb5_context context,

     if (md == NULL)

         goto cleanup;

-    /* Get the subject name (in rfc2253 format). */

-    X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,

-                         XN_FLAG_SEP_COMMA_PLUS);

-    md->subject_dn = strdup(buf);

-    if (md->subject_dn == NULL) {

-        ret = ENOMEM;

+    ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);

+    if (ret)

         goto cleanup;

-    }

-

-    /* Get the issuer name (in rfc2253 format). */

-    X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,

-                         XN_FLAG_SEP_COMMA_PLUS);

-    md->issuer_dn = strdup(buf);

-    if (md->issuer_dn == NULL) {

-        ret = ENOMEM;

+    ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);

+    if (ret)

         goto cleanup;

-    }

     /* Get the SAN data. */

     ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,