[28343] in CVS-changelog-for-Kerberos-V5
krb5 commit: Don't blindly use PKCS11 slot IDs in PKINIT
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat May 24 11:19:11 2014
Date: Sat, 24 May 2014 11:19:07 -0400
From: Greg Hudson <ghudson@MIT.EDU>
Message-Id: <201405241519.s4OFJ73t021502@drugstore.mit.edu>
To: cvs-krb5@MIT.EDU
Reply-To: krbdev@MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@MIT.EDU
https://github.com/krb5/krb5/commit/ac406bac3d73a7e4efcc74adbb90c722457da969
commit ac406bac3d73a7e4efcc74adbb90c722457da969
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu May 22 19:18:34 2014 -0400
Don't blindly use PKCS11 slot IDs in PKINIT
Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.
ticket: 7916
target_version: 1.12.2
tags: pullup
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 27 +++++++++----------
1 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 6133f09..109de23 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3760,23 +3760,22 @@ pkinit_open_session(krb5_context context,
}
/* Get the list of available slots */
- if (cctx->slotid != PK_NOSLOT) {
- /* A slot was specified, so that's the only one in the list */
- count = 1;
- slotlist = malloc(sizeof(CK_SLOT_ID));
- slotlist[0] = cctx->slotid;
- } else {
- if (cctx->p11->C_GetSlotList(TRUE, NULL, &count) != CKR_OK)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- if (count == 0)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- slotlist = malloc(count * sizeof (CK_SLOT_ID));
- if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- }
+ if (cctx->p11->C_GetSlotList(TRUE, NULL, &count) != CKR_OK)
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ if (count == 0)
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ slotlist = calloc(count, sizeof(CK_SLOT_ID));
+ if (slotlist == NULL)
+ return ENOMEM;
+ if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK)
+ return KRB5KDC_ERR_PREAUTH_FAILED;
/* Look for the given token label, or if none given take the first one */
for (i = 0; i < count; i++) {
+ /* Skip slots that don't match the specified slotid, if given. */
+ if (cctx->slotid != PK_NOSLOT && cctx->slotid != slotlist[i])
+ continue;
+
/* Open session */
if ((r = cctx->p11->C_OpenSession(slotlist[i], CKF_SERIAL_SESSION,
NULL, NULL, &cctx->session)) != CKR_OK) {
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
