diff options
author | David Kupka <dkupka@redhat.com> | 2017-03-31 21:31:23 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-04-03 10:43:07 +0200 |
commit | 5231ba679402eeb0705a3ecd41f97fdd67d42a69 (patch) | |
tree | 70ddc3d7a20a6800b52e2988d9b8b34684342c67 /src/util | |
parent | dc186bfe90665c13d589b3b4efd9009293e62c46 (diff) | |
download | sssd-5231ba679402eeb0705a3ecd41f97fdd67d42a69.tar.gz sssd-5231ba679402eeb0705a3ecd41f97fdd67d42a69.tar.xz sssd-5231ba679402eeb0705a3ecd41f97fdd67d42a69.zip |
libsss_certmap: Accept certificate with data before header
According to RFC 7468 parser must not fail when some data are present
before the encapsulation boundary. sss_cert_pem_to_der didn't respect
this and refused valid input. Changing it's code to first locate
the certificate header fixes the issue.
Resolves:
https://pagure.io/SSSD/sssd/issue/3354
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
Diffstat (limited to 'src/util')
-rw-r--r-- | src/util/cert/nss/cert.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/src/util/cert/nss/cert.c b/src/util/cert/nss/cert.c index 9d31cfe9b..93d4e0422 100644 --- a/src/util/cert/nss/cert.c +++ b/src/util/cert/nss/cert.c @@ -147,16 +147,17 @@ errno_t sss_cert_pem_to_der(TALLOC_CTX *mem_ctx, const char *pem, return EINVAL; } + if ((pem = strstr(pem, NS_CERT_HEADER)) == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing PEM header."); + return EINVAL; + } + pem_len = strlen(pem); if (pem_len <= NS_CERT_HEADER_LEN + NS_CERT_TRAILER_LEN) { DEBUG(SSSDBG_CRIT_FAILURE, "PEM data too short.\n"); return EINVAL; } - if (strncmp(pem, NS_CERT_HEADER, NS_CERT_HEADER_LEN) != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Wrong PEM header.\n"); - return EINVAL; - } if (pem[NS_CERT_HEADER_LEN] != '\n') { DEBUG(SSSDBG_CRIT_FAILURE, "Missing newline in PEM data.\n"); return EINVAL; |