krb5 commit [krb5-1.12]: Properly handle PKCS11 label in PKINIT

Fri Jun 27 12:34:55 EDT 2014

https://github.com/krb5/krb5/commit/acb07eae351434ca1058634270e5a9674ea064c5
commit acb07eae351434ca1058634270e5a9674ea064c5
Author: Greg Hudson <ghudson at mit.edu>
Date:   Thu May 22 22:31:26 2014 -0400

    Properly handle PKCS11 label in PKINIT
    
    The CK_TOKEN_INFO label field is defined to be zero-filled, but it may
    not be zero-terminated if all bytes of the field are used.  Use only
    length-counted operations to process it.  Also avoid underrunning the
    buffer pointer if the label is empty or contains only whitespace.
    
    (cherry picked from commit f8b42ef541a463f56720ec9358dd07716b04c5e2)
    
    ticket: 7917
    version_fixed: 1.12.2
    status: resolved

 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |   28 ++++++++++++-------
 1 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 651d5e8..e00bd73 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3779,6 +3779,7 @@ pkinit_open_session(krb5_context context,
 {
     CK_ULONG i, r;
     unsigned char *cp;
+    size_t label_len;
     CK_ULONG count = 0;
     CK_SLOT_ID_PTR slotlist;
     CK_TOKEN_INFO tinfo;
@@ -3829,13 +3830,20 @@ pkinit_open_session(krb5_context context,
             pkiDebug("C_GetTokenInfo: %s\n", pkinit_pkcs11_code_to_text(r));
             return KRB5KDC_ERR_PREAUTH_FAILED;
         }
-        for (cp = tinfo.label + sizeof (tinfo.label) - 1;
-             *cp == '\0' || *cp == ' '; cp--)
-            *cp = '\0';
-        pkiDebug("open_session: slotid %d token \"%s\"\n",
-                 (int) slotlist[i], tinfo.label);
+
+        /* tinfo.label is zero-filled but not necessarily zero-terminated.
+         * Find the length, ignoring any trailing spaces. */
+        for (cp = tinfo.label + sizeof(tinfo.label); cp > tinfo.label; cp--) {
+            if (cp[-1] != '\0' && cp[-1] != ' ')
+                break;
+        }
+        label_len = cp - tinfo.label;
+
+        pkiDebug("open_session: slotid %d token \"%.*s\"\n",
+                 (int)slotlist[i], (int)label_len, tinfo.label);
         if (cctx->token_label == NULL ||
-            !strcmp((char *) cctx->token_label, (char *) tinfo.label))
+            (strlen(cctx->token_label) == label_len &&
+             memcmp(cctx->token_label, tinfo.label, label_len) == 0))
             break;
         cctx->p11->C_CloseSession(cctx->session);
     }
@@ -3854,15 +3862,15 @@ pkinit_open_session(krb5_context context,
         if (cctx->p11_module_name != NULL) {
             if (cctx->slotid != PK_NOSLOT) {
                 if (asprintf(&p11name,
-                             "PKCS11:module_name=%s:slotid=%ld:token=%s",
+                             "PKCS11:module_name=%s:slotid=%ld:token=%.*s",
                              cctx->p11_module_name, (long)cctx->slotid,
-                             tinfo.label) < 0)
+                             (int)label_len, tinfo.label) < 0)
                     p11name = NULL;
             } else {
                 if (asprintf(&p11name,
-                             "PKCS11:module_name=%s,token=%s",
+                             "PKCS11:module_name=%s,token=%.*s",
                              cctx->p11_module_name,
-                             tinfo.label) < 0)
+                             (int)label_len, tinfo.label) < 0)
                     p11name = NULL;
             }
         } else {
