1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
From 82854302309e2a513908cf85ed9321113ef26a08 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 24 Oct 2017 15:09:57 -0400
Subject: [PATCH] Fix PKINIT cert matching data construction
Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.
(cherry picked from commit 5a2faf2802480548ff6a7261552ee17efaed7be1)
---
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 61 +++++++---------------
1 file changed, 19 insertions(+), 42 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index f7640baf1..9fa20a8b2 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5002,33 +5002,23 @@ out:
return retval;
}
-/*
- * Return a string format of an X509_NAME in buf where
- * size is an in/out parameter. On input it is the size
- * of the buffer, and on output it is the actual length
- * of the name.
- * If buf is NULL, returns the length req'd to hold name
- */
-static char *
-X509_NAME_oneline_ex(X509_NAME * a,
- char *buf,
- unsigned int *size,
- unsigned long flag)
+static krb5_error_code
+rfc2253_name(X509_NAME *name, char **str_out)
{
- BIO *out = NULL;
+ BIO *b = NULL;
+ char *str;
- out = BIO_new(BIO_s_mem ());
- if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
- if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) {
- memset(buf, 0, *size);
- BIO_read(out, buf, (int) BIO_number_written(out));
- }
- else {
- *size = BIO_number_written(out);
- }
- }
- BIO_free(out);
- return (buf);
+ *str_out = NULL;
+ b = BIO_new(BIO_s_mem());
+ if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
+ return ENOMEM;
+ str = calloc(BIO_number_written(b) + 1, 1);
+ if (str == NULL)
+ return ENOMEM;
+ BIO_read(b, str, BIO_number_written(b));
+ BIO_free(b);
+ *str_out = str;
+ return 0;
}
/*
@@ -5094,8 +5084,6 @@ get_matching_data(krb5_context context,
pkinit_cert_matching_data *md = NULL;
krb5_principal *pkinit_sans = NULL, *upn_sans = NULL;
size_t i, j;
- char buf[DN_BUF_LEN];
- unsigned int bufsize = sizeof(buf);
*md_out = NULL;
@@ -5103,23 +5091,12 @@ get_matching_data(krb5_context context,
if (md == NULL)
goto cleanup;
- /* Get the subject name (in rfc2253 format). */
- X509_NAME_oneline_ex(X509_get_subject_name(cert), buf, &bufsize,
- XN_FLAG_SEP_COMMA_PLUS);
- md->subject_dn = strdup(buf);
- if (md->subject_dn == NULL) {
- ret = ENOMEM;
+ ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn);
+ if (ret)
goto cleanup;
- }
-
- /* Get the issuer name (in rfc2253 format). */
- X509_NAME_oneline_ex(X509_get_issuer_name(cert), buf, &bufsize,
- XN_FLAG_SEP_COMMA_PLUS);
- md->issuer_dn = strdup(buf);
- if (md->issuer_dn == NULL) {
- ret = ENOMEM;
+ ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn);
+ if (ret)
goto cleanup;
- }
/* Get the SAN data. */
ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx,
|
