From 1bde0be47ab0c6f94b474c0a3b1d03ec32db1293 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 17 Oct 2017 18:50:15 -0400 Subject: [PATCH] Fix PKINIT cert matching data construction Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic allocation and to perform proper error checking. ticket: 8617 target_version: 1.16 target_version: 1.15-next target_version: 1.14-next tags: pullup (cherry picked from commit fbb687db1088ddd894d975996e5f6a4252b9a2b4) --- .../preauth/pkinit/pkinit_crypto_openssl.c | 67 +++++++------------ 1 file changed, 25 insertions(+), 42 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index b243dca30..1eb273808 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -5052,33 +5052,29 @@ out: return retval; } -/* - * Return a string format of an X509_NAME in buf where - * size is an in/out parameter. On input it is the size - * of the buffer, and on output it is the actual length - * of the name. - * If buf is NULL, returns the length req'd to hold name - */ -static char * -X509_NAME_oneline_ex(X509_NAME * a, - char *buf, - unsigned int *size, - unsigned long flag) +static krb5_error_code +rfc2253_name(X509_NAME *name, char **str_out) { - BIO *out = NULL; + BIO *b = NULL; + char *str; - out = BIO_new(BIO_s_mem ()); - if (X509_NAME_print_ex(out, a, 0, flag) > 0) { - if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) { - memset(buf, 0, *size); - BIO_read(out, buf, (int) BIO_number_written(out)); - } - else { - *size = BIO_number_written(out); - } - } - BIO_free(out); - return (buf); + *str_out = NULL; + b = BIO_new(BIO_s_mem()); + if (b == NULL) + return ENOMEM; + if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0) + goto error; + str = calloc(BIO_number_written(b) + 1, 1); + if (str == NULL) + goto error; + BIO_read(b, str, BIO_number_written(b)); + BIO_free(b); + *str_out = str; + return 0; + +error: + BIO_free(b); + return ENOMEM; } /* @@ -5144,8 +5140,6 @@ get_matching_data(krb5_context context, pkinit_cert_matching_data *md = NULL; krb5_principal *pkinit_sans = NULL, *upn_sans = NULL; size_t i, j; - char buf[DN_BUF_LEN]; - unsigned int bufsize = sizeof(buf); *md_out = NULL; @@ -5153,23 +5147,12 @@ get_matching_data(krb5_context context, if (md == NULL) goto cleanup; - /* Get the subject name (in rfc2253 format). */ - X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize, - XN_FLAG_SEP_COMMA_PLUS); - md->subject_dn = strdup(buf); - if (md->subject_dn == NULL) { - ret = ENOMEM; + ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn); + if (ret) goto cleanup; - } - - /* Get the issuer name (in rfc2253 format). */ - X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize, - XN_FLAG_SEP_COMMA_PLUS); - md->issuer_dn = strdup(buf); - if (md->issuer_dn == NULL) { - ret = ENOMEM; + ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn); + if (ret) goto cleanup; - } /* Get the SAN data. */ ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,