[37143] in Kerberos
Bug in pkinit_clnt.c?
daemon@ATHENA.MIT.EDU (=?UTF-8?B?RGFuaWVsIERlcHR1xYJh?=)
Fri Jul 3 12:43:54 2015
Message-ID: <5596BB9E.2060409@gmail.com>
Date: Fri, 03 Jul 2015 18:43:10 +0200
From: =?UTF-8?B?RGFuaWVsIERlcHR1xYJh?= <daniel.deptula@gmail.com>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi,
I compiled version 1.13.2 with pkinit with NSS crypto implementation and
configured it to use an external PKCS11 library for smart card
authentication. It is segfaulting during kinit. The problem is at line
499 in pkinit_clnt.c. I figured out that the "princs" is not initialized
by the NSS version of function "crypto_retrieve_cert_sans". When OpenSSL
crypto implementation is used, "princs" is initialized and its first
element points to NULL so it is properly handled by the loop (segfault
doesn't happen). I'm wondering if something in
"crypto_retrieve_cert_sans" in pkinit_crypto_nss.c should be amended or
if the simple patch which works fine for me is enough:
--- pkinit_clnt.c-org 2015-05-09 01:27:02.000000000 +0200
+++ pkinit_clnt.c 2015-07-03 18:33:44.040593720 +0200
@@ -496,8 +496,10 @@
retval = KRB5KDC_ERR_KDC_NAME_MISMATCH;
goto out;
}
- for (princptr = princs; *princptr != NULL; princptr++)
- TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(context, *princptr);
+ if (princs != NULL) {
+ for (princptr = princs; *princptr != NULL; princptr++)
+ TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(context, *princptr);
+ }
if (certhosts != NULL) {
for (hostptr = certhosts; *hostptr != NULL; hostptr++)
TRACE_PKINIT_CLIENT_SAN_KDCCERT_DNSNAME(context, *hostptr);
Could you please review and comment?
Daniel
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
