diff options
| author | Greg Hudson <ghudson@mit.edu> | 2014-05-22 19:18:34 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2014-05-24 11:18:30 -0400 |
| commit | ac406bac3d73a7e4efcc74adbb90c722457da969 (patch) | |
| tree | f63f7f11c0fb736a23e81cc748e7ad4aec485063 /src/plugins/preauth | |
| parent | 0bf18fd4363f9f1244688daac224bd456bf52e7f (diff) | |
| download | krb5-ac406bac3d73a7e4efcc74adbb90c722457da969.tar.gz krb5-ac406bac3d73a7e4efcc74adbb90c722457da969.tar.xz krb5-ac406bac3d73a7e4efcc74adbb90c722457da969.zip | |
Don't blindly use PKCS11 slot IDs in PKINIT
Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.
ticket: 7916
target_version: 1.12.2
tags: pullup
Diffstat (limited to 'src/plugins/preauth')
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 27 |
1 files changed, 13 insertions, 14 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 6133f093e..109de23f9 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -3760,23 +3760,22 @@ pkinit_open_session(krb5_context context, } /* Get the list of available slots */ - if (cctx->slotid != PK_NOSLOT) { - /* A slot was specified, so that's the only one in the list */ - count = 1; - slotlist = malloc(sizeof(CK_SLOT_ID)); - slotlist[0] = cctx->slotid; - } else { - if (cctx->p11->C_GetSlotList(TRUE, NULL, &count) != CKR_OK) - return KRB5KDC_ERR_PREAUTH_FAILED; - if (count == 0) - return KRB5KDC_ERR_PREAUTH_FAILED; - slotlist = malloc(count * sizeof (CK_SLOT_ID)); - if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK) - return KRB5KDC_ERR_PREAUTH_FAILED; - } + if (cctx->p11->C_GetSlotList(TRUE, NULL, &count) != CKR_OK) + return KRB5KDC_ERR_PREAUTH_FAILED; + if (count == 0) + return KRB5KDC_ERR_PREAUTH_FAILED; + slotlist = calloc(count, sizeof(CK_SLOT_ID)); + if (slotlist == NULL) + return ENOMEM; + if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK) + return KRB5KDC_ERR_PREAUTH_FAILED; /* Look for the given token label, or if none given take the first one */ for (i = 0; i < count; i++) { + /* Skip slots that don't match the specified slotid, if given. */ + if (cctx->slotid != PK_NOSLOT && cctx->slotid != slotlist[i]) + continue; + /* Open session */ if ((r = cctx->p11->C_OpenSession(slotlist[i], CKF_SERIAL_SESSION, NULL, NULL, &cctx->session)) != CKR_OK) { |