|
|
665228 |
From e427a9c2027446f1d0883ced077caf3515116b10 Mon Sep 17 00:00:00 2001
|
|
|
665228 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
665228 |
Date: Fri, 26 Jan 2018 11:47:50 -0500
|
|
|
665228 |
Subject: [PATCH] Fix hex conversion of PKINIT certid strings
|
|
|
665228 |
|
|
|
665228 |
When parsing a PKCS11 token specification, correctly convert from hex
|
|
|
665228 |
to binary instead of using OpenSSL bignum functions (which would strip
|
|
|
665228 |
leading zeros).
|
|
|
665228 |
|
|
|
665228 |
[ghudson@mit.edu: made hex_string_to_bin() a bit less verbose; wrote
|
|
|
665228 |
commit message]
|
|
|
665228 |
|
|
|
665228 |
ticket: 8636
|
|
|
665228 |
(cherry picked from commit 63e8b8142fd7b3931a7bf2d6448978ca536bafc0)
|
|
|
665228 |
---
|
|
|
665228 |
.../preauth/pkinit/pkinit_crypto_openssl.c | 55 +++++++++++++++----
|
|
|
665228 |
1 file changed, 44 insertions(+), 11 deletions(-)
|
|
|
665228 |
|
|
|
665228 |
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
665228 |
index 7fa2efd21..6a95f8035 100644
|
|
|
665228 |
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
665228 |
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
|
665228 |
@@ -4640,6 +4640,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts)
|
|
|
665228 |
return ret;
|
|
|
665228 |
}
|
|
|
665228 |
|
|
|
665228 |
+static int
|
|
|
665228 |
+hex_string_to_bin(const char *str, int *bin_len_out, CK_BYTE **bin_out)
|
|
|
665228 |
+{
|
|
|
665228 |
+ size_t str_len, i;
|
|
|
665228 |
+ CK_BYTE *bin;
|
|
|
665228 |
+ char *endptr, tmp[3] = { '\0', '\0', '\0' };
|
|
|
665228 |
+ long val;
|
|
|
665228 |
+
|
|
|
665228 |
+ *bin_len_out = 0;
|
|
|
665228 |
+ *bin_out = NULL;
|
|
|
665228 |
+
|
|
|
665228 |
+ str_len = strlen(str);
|
|
|
665228 |
+ if (str_len % 2 != 0)
|
|
|
665228 |
+ return EINVAL;
|
|
|
665228 |
+ bin = malloc(str_len / 2);
|
|
|
665228 |
+ if (bin == NULL)
|
|
|
665228 |
+ return ENOMEM;
|
|
|
665228 |
+
|
|
|
665228 |
+ errno = 0;
|
|
|
665228 |
+ for (i = 0; i < str_len / 2; i++) {
|
|
|
665228 |
+ tmp[0] = str[i * 2];
|
|
|
665228 |
+ tmp[1] = str[i * 2 + 1];
|
|
|
665228 |
+
|
|
|
665228 |
+ val = strtol(tmp, &endptr, 16);
|
|
|
665228 |
+ if (val < 0 || val > 255 || errno != 0 || endptr != &tmp[2]) {
|
|
|
665228 |
+ free(bin);
|
|
|
665228 |
+ return EINVAL;
|
|
|
665228 |
+ }
|
|
|
665228 |
+
|
|
|
665228 |
+ bin[i] = (CK_BYTE)val;
|
|
|
665228 |
+ }
|
|
|
665228 |
+
|
|
|
665228 |
+ *bin_len_out = str_len / 2;
|
|
|
665228 |
+ *bin_out = bin;
|
|
|
665228 |
+ return 0;
|
|
|
665228 |
+}
|
|
|
665228 |
+
|
|
|
665228 |
static krb5_error_code
|
|
|
665228 |
pkinit_get_certs_pkcs11(krb5_context context,
|
|
|
665228 |
pkinit_plg_crypto_context plg_cryptoctx,
|
|
|
665228 |
@@ -4682,18 +4719,14 @@ pkinit_get_certs_pkcs11(krb5_context context,
|
|
|
665228 |
}
|
|
|
665228 |
/* Convert the ascii cert_id string into a binary blob */
|
|
|
665228 |
if (idopts->cert_id_string != NULL) {
|
|
|
665228 |
- BIGNUM *bn = NULL;
|
|
|
665228 |
- BN_hex2bn(&bn, idopts->cert_id_string);
|
|
|
665228 |
- if (bn == NULL)
|
|
|
665228 |
- return ENOMEM;
|
|
|
665228 |
- id_cryptoctx->cert_id_len = BN_num_bytes(bn);
|
|
|
665228 |
- id_cryptoctx->cert_id = malloc((size_t) id_cryptoctx->cert_id_len);
|
|
|
665228 |
- if (id_cryptoctx->cert_id == NULL) {
|
|
|
665228 |
- BN_free(bn);
|
|
|
665228 |
- return ENOMEM;
|
|
|
665228 |
+ r = hex_string_to_bin(idopts->cert_id_string,
|
|
|
665228 |
+ &id_cryptoctx->cert_id_len,
|
|
|
665228 |
+ &id_cryptoctx->cert_id);
|
|
|
665228 |
+ if (r != 0) {
|
|
|
665228 |
+ pkiDebug("Failed to convert certid string [%s]\n",
|
|
|
665228 |
+ idopts->cert_id_string);
|
|
|
665228 |
+ return r;
|
|
|
665228 |
}
|
|
|
665228 |
- BN_bn2bin(bn, id_cryptoctx->cert_id);
|
|
|
665228 |
- BN_free(bn);
|
|
|
665228 |
}
|
|
|
665228 |
id_cryptoctx->slotid = idopts->slotid;
|
|
|
665228 |
id_cryptoctx->pkcs11_method = 1;
|