authorGreg Hudson <ghudson@mit.edu>2009-08-10 19:12:47 +0000
committerGreg Hudson <ghudson@mit.edu>2009-08-10 19:12:47 +0000
commit903d94c7056e01baf37cf0db6ec0ef36c5d9b753 (patch)
treeb2709efcc9dd1e1fe33bf4c64d484d028d699746 /src/plugins
parentecb4fbba7c4ca5f76c69f10c45c442bcad35e1cd (diff)
Check for null characters in pkinit cert fields
When processing DNS names or MS UPNs in pkinit certs, disallow embedded null characters. ticket: 6542 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22516 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/preauth/pkinit/pkinit_crypto_openssl.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index c402e2ee10..6e1a4b87a7 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1761,6 +1761,9 @@ crypto_retrieve_X509_sans(krb5_context context,
} else if (upns != NULL
&& OBJ_cmp(plgctx->id_ms_san_upn,
gen->d.otherName->type_id) == 0) {
+ /* Prevent abuse of embedded null characters. */
+ if (memchr(name.data, '\0', name.length))
+ break;
ret = krb5_parse_name(context, name.data, &upns[u]);
if (ret) {
pkiDebug("%s: failed parsing ms-upn san value\n",
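Review bot: The new `break` in the ms-upn branch drops the SAN without leaving any trace, so a certificate that carries an embedded null in this field produces nothing an operator could later find; the GEN_DNS hunk below has the same silent `break`. Bracing the check and adding a debug line before the break, e.g. `pkiDebug("%s: ignoring ms-upn san with embedded null\n", __FUNCTION__);`, would make the rejection visible with the logging this function already uses. The comment could also say that only this entry is skipped and the rest of the certificate is still processed, if that is the intent; what the `break` exits is decided by code outside this hunk.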
@@ -1778,6 +1781,10 @@ crypto_retrieve_X509_sans(krb5_context context,
break;
case GEN_DNS:
if (dnss != NULL) {
+ /* Prevent abuse of embedded null characters. */
+ if (memchr(gen->d.dNSName->data, '\0',
+ gen->d.dNSName->length))
+ break;
pkiDebug("%s: found dns name = %s\n",
__FUNCTION__, gen->d.dNSName->data);
dnss[d] = (unsigned char *)
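Review bot: The `memchr` guard is bounded by `gen->d.dNSName->length`, but the `pkiDebug` call right after it prints `gen->d.dNSName->data` with `%s`, which depends on a terminator being present just past `length`. OpenSSL normally stores one, but nothing in the hunk checks it; a length-bounded format, `pkiDebug("%s: found dns name = %.*s\n", __FUNCTION__, gen->d.dNSName->length, gen->d.dNSName->data);`, removes that assumption. The assignment to `dnss[d]` that starts on the last line continues outside the hunk, so whether the copy is bounded by `length` as well cannot be judged from here.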