krb5 commit [krb5-1.12]: Don't blindly use PKCS11 slot IDs in PKINIT
Tom Yu
tlyu at MIT.EDU
Fri Jun 27 12:34:54 EDT 2014
https://github.com/krb5/krb5/commit/2e56aa65e8d362b2ffe90c61e377594c822e893d
commit 2e56aa65e8d362b2ffe90c61e377594c822e893d
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu May 22 19:18:34 2014 -0400
Don't blindly use PKCS11 slot IDs in PKINIT
Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.
(cherry picked from commit ac406bac3d73a7e4efcc74adbb90c722457da969)
ticket: 7916
version_fixed: 1.12.2
status: resolved
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 27 +++++++++----------
1 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index b661320..651d5e8 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3801,23 +3801,22 @@ pkinit_open_session(krb5_context context,
}
/* Get the list of available slots */
- if (cctx->slotid != PK_NOSLOT) {
- /* A slot was specified, so that's the only one in the list */
- count = 1;
- slotlist = malloc(sizeof(CK_SLOT_ID));
- slotlist[0] = cctx->slotid;
- } else {
- if (cctx->p11->C_GetSlotList(TRUE, NULL, &count) != CKR_OK)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- if (count == 0)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- slotlist = malloc(count * sizeof (CK_SLOT_ID));
- if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- }
+ if (cctx->p11->C_GetSlotList(TRUE, NULL, &count) != CKR_OK)
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ if (count == 0)
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ slotlist = calloc(count, sizeof(CK_SLOT_ID));
+ if (slotlist == NULL)
+ return ENOMEM;
+ if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK)
+ return KRB5KDC_ERR_PREAUTH_FAILED;
/* Look for the given token label, or if none given take the first one */
for (i = 0; i < count; i++) {
+ /* Skip slots that don't match the specified slotid, if given. */
+ if (cctx->slotid != PK_NOSLOT && cctx->slotid != slotlist[i])
+ continue;
+
/* Open session */
if ((r = cctx->p11->C_OpenSession(slotlist[i], CKF_SERIAL_SESSION,
NULL, NULL, &cctx->session)) != CKR_OK) {
More information about the cvs-krb5
mailing list