krb5 commit: Use anonymous OIDs in pkinit_crypto_openssl.c
Greg Hudson
ghudson at MIT.EDU
Tue Mar 25 18:06:53 EDT 2014
https://github.com/krb5/krb5/commit/6b9e570a7e98470b806a26c5119e53b2145e2586
commit 6b9e570a7e98470b806a26c5119e53b2145e2586
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Mar 24 22:42:02 2014 -0400
Use anonymous OIDs in pkinit_crypto_openssl.c
Stop adding OIDs to the global OpenSSL table. It isn't thread-safe
(even with locking callbacks registered), and calling OBJ_cleanup
could break other uses of OpenSSL. Instead, use anonymous OIDs
created with OBJ_txt2oid. Anonymous OIDs need to be managed more
careful to avoid double-freeing, so create a copy before calling
PKCS7_add_signed_attribute, and don't free the result of
pkinit_pkcs7type2oid in cms_contentinfo_create.
ticket: 7889
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 96 +++++++++-----------
1 files changed, 43 insertions(+), 53 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 5732064..0237813 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -423,8 +423,6 @@ unsigned char pkinit_4096_dhprime[4096/8] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};
-static int pkinit_oids_refs = 0;
-
krb5_error_code
pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx)
{
@@ -561,57 +559,43 @@ pkinit_fini_req_crypto(pkinit_req_crypto_context req_cryptoctx)
static krb5_error_code
pkinit_init_pkinit_oids(pkinit_plg_crypto_context ctx)
{
- krb5_error_code retval = ENOMEM;
- int nid = 0;
-
- /*
- * If OpenSSL already knows about the OID, use the
- * existing definition. Otherwise, create an OID object.
- */
-#define CREATE_OBJ_IF_NEEDED(oid, vn, sn, ln) \
- nid = OBJ_txt2nid(oid); \
- if (nid == NID_undef) { \
- nid = OBJ_create(oid, sn, ln); \
- if (nid == NID_undef) { \
- pkiDebug("Error creating oid object for '%s'\n", oid); \
- goto out; \
- } \
- } \
- ctx->vn = OBJ_nid2obj(nid);
-
- CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.2", id_pkinit_san,
- "id-pkinit-san", "KRB5PrincipalName");
-
- CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.1", id_pkinit_authData,
- "id-pkinit-authdata", "PKINIT signedAuthPack");
+ ctx->id_pkinit_san = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
+ if (ctx->id_pkinit_san == NULL)
+ return ENOMEM;
- CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.2", id_pkinit_DHKeyData,
- "id-pkinit-DHKeyData", "PKINIT dhSignedData");
+ ctx->id_pkinit_authData = OBJ_txt2obj("1.3.6.1.5.2.3.1", 1);
+ if (ctx->id_pkinit_authData == NULL)
+ return ENOMEM;
- CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.3", id_pkinit_rkeyData,
- "id-pkinit-rkeyData", "PKINIT encKeyPack");
+ ctx->id_pkinit_DHKeyData = OBJ_txt2obj("1.3.6.1.5.2.3.2", 1);
+ if (ctx->id_pkinit_DHKeyData == NULL)
+ return ENOMEM;
- CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.4", id_pkinit_KPClientAuth,
- "id-pkinit-KPClientAuth", "PKINIT Client EKU");
+ ctx->id_pkinit_rkeyData = OBJ_txt2obj("1.3.6.1.5.2.3.3", 1);
+ if (ctx->id_pkinit_rkeyData == NULL)
+ return ENOMEM;
- CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.5", id_pkinit_KPKdc,
- "id-pkinit-KPKdc", "KDC EKU");
+ ctx->id_pkinit_KPClientAuth = OBJ_txt2obj("1.3.6.1.5.2.3.4", 1);
+ if (ctx->id_pkinit_KPClientAuth == NULL)
+ return ENOMEM;
- CREATE_OBJ_IF_NEEDED("1.3.6.1.4.1.311.20.2.2", id_ms_kp_sc_logon,
- "id-ms-kp-sc-logon EKU", "Microsoft SmartCard Login EKU");
+ ctx->id_pkinit_KPKdc = OBJ_txt2obj("1.3.6.1.5.2.3.5", 1);
+ if (ctx->id_pkinit_KPKdc == NULL)
+ return ENOMEM;
- CREATE_OBJ_IF_NEEDED("1.3.6.1.4.1.311.20.2.3", id_ms_san_upn,
- "id-ms-san-upn", "Microsoft Universal Principal Name");
+ ctx->id_ms_kp_sc_logon = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.2", 1);
+ if (ctx->id_ms_kp_sc_logon == NULL)
+ return ENOMEM;
- CREATE_OBJ_IF_NEEDED("1.3.6.1.5.5.7.3.1", id_kp_serverAuth,
- "id-kp-serverAuth EKU", "Server Authentication EKU");
+ ctx->id_ms_san_upn = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1);
+ if (ctx->id_ms_san_upn == NULL)
+ return ENOMEM;
- /* Success */
- retval = 0;
- pkinit_oids_refs++;
+ ctx->id_kp_serverAuth = OBJ_txt2obj("1.3.6.1.5.5.7.3.1", 1);
+ if (ctx->id_kp_serverAuth == NULL)
+ return ENOMEM;
-out:
- return retval;
+ return 0;
}
static krb5_error_code
@@ -757,10 +741,15 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx)
{
if (ctx == NULL)
return;
-
- /* Only call OBJ_cleanup once! */
- if (--pkinit_oids_refs == 0)
- OBJ_cleanup();
+ ASN1_OBJECT_free(ctx->id_pkinit_san);
+ ASN1_OBJECT_free(ctx->id_pkinit_authData);
+ ASN1_OBJECT_free(ctx->id_pkinit_DHKeyData);
+ ASN1_OBJECT_free(ctx->id_pkinit_rkeyData);
+ ASN1_OBJECT_free(ctx->id_pkinit_KPClientAuth);
+ ASN1_OBJECT_free(ctx->id_pkinit_KPKdc);
+ ASN1_OBJECT_free(ctx->id_ms_kp_sc_logon);
+ ASN1_OBJECT_free(ctx->id_ms_san_upn);
+ ASN1_OBJECT_free(ctx->id_kp_serverAuth);
}
static krb5_error_code
@@ -979,7 +968,7 @@ cms_contentinfo_create(krb5_context context, /* IN */
unsigned char **out_data, unsigned int *out_data_len)
{
krb5_error_code retval = ENOMEM;
- ASN1_OBJECT *oid = NULL;
+ ASN1_OBJECT *oid;
PKCS7 *p7 = NULL;
unsigned char *p;
@@ -1017,8 +1006,6 @@ cms_contentinfo_create(krb5_context context, /* IN */
cleanup:
if (p7)
PKCS7_free(p7);
- if (oid)
- ASN1_OBJECT_free(oid);
return retval;
}
@@ -1056,7 +1043,7 @@ cms_signeddata_create(krb5_context context,
unsigned int alg_len = 0, digest_len = 0;
unsigned char *y = NULL, *alg_buf = NULL, *digest_buf = NULL;
X509 *cert = NULL;
- ASN1_OBJECT *oid = NULL;
+ ASN1_OBJECT *oid = NULL, *oid_copy;
/* Start creating PKCS7 data. */
if ((p7 = PKCS7_new()) == NULL)
@@ -1178,8 +1165,11 @@ cms_signeddata_create(krb5_context context,
V_ASN1_OCTET_STRING, (char *) digest_attr);
/* create a content-type attr */
+ oid_copy = OBJ_dup(oid);
+ if (oid_copy == NULL)
+ goto cleanup2;
PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType,
- V_ASN1_OBJECT, oid);
+ V_ASN1_OBJECT, oid_copy);
/* create the signature over signed attributes. get DER encoded value */
/* This is the place where smartcard signature needs to be calculated */
More information about the cvs-krb5
mailing list