krb5 commit: Use libkrb5support hex decoder in PKINIT

Greg Hudson ghudson at mit.edu
Wed Mar 7 11:12:11 EST 2018


https://github.com/krb5/krb5/commit/ec58ba020721844c7070f22c1e5da56a9812da85
commit ec58ba020721844c7070f22c1e5da56a9812da85
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Mar 6 00:14:49 2018 -0500

    Use libkrb5support hex decoder in PKINIT
    
    In pkinit_crypto_openssl.c, remove hex_string_to_bin() (recently added
    for ease of backporting) and instead use k5_hex_decode() in
    pkinit_get_certs_pkcs11().  Change the type of cert_id and cert_id_len
    in pkinit_identity_crypto_context to avoid needing type conversion
    intermediates.

 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |   43 +------------------
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.h |    4 +-
 2 files changed, 5 insertions(+), 42 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 3a1180d..b4bfd63 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -31,6 +31,7 @@
 
 #include "pkinit_crypto_openssl.h"
 #include "k5-buf.h"
+#include "k5-hex.h"
 #include <dlfcn.h>
 #include <unistd.h>
 #include <dirent.h>
@@ -4636,43 +4637,6 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts)
     return ret;
 }
 
-static int
-hex_string_to_bin(const char *str, int *bin_len_out, CK_BYTE **bin_out)
-{
-    size_t str_len, i;
-    CK_BYTE *bin;
-    char *endptr, tmp[3] = { '\0', '\0', '\0' };
-    long val;
-
-    *bin_len_out = 0;
-    *bin_out = NULL;
-
-    str_len = strlen(str);
-    if (str_len % 2 != 0)
-        return EINVAL;
-    bin = malloc(str_len / 2);
-    if (bin == NULL)
-        return ENOMEM;
-
-    errno = 0;
-    for (i = 0; i < str_len / 2; i++) {
-        tmp[0] = str[i * 2];
-        tmp[1] = str[i * 2 + 1];
-
-        val = strtol(tmp, &endptr, 16);
-        if (val < 0 || val > 255 || errno != 0 || endptr != &tmp[2]) {
-            free(bin);
-            return EINVAL;
-        }
-
-        bin[i] = (CK_BYTE)val;
-    }
-
-    *bin_len_out = str_len / 2;
-    *bin_out = bin;
-    return 0;
-}
-
 static krb5_error_code
 pkinit_get_certs_pkcs11(krb5_context context,
                         pkinit_plg_crypto_context plg_cryptoctx,
@@ -4715,9 +4679,8 @@ pkinit_get_certs_pkcs11(krb5_context context,
     }
     /* Convert the ascii cert_id string into a binary blob */
     if (idopts->cert_id_string != NULL) {
-        r = hex_string_to_bin(idopts->cert_id_string,
-                              &id_cryptoctx->cert_id_len,
-                              &id_cryptoctx->cert_id);
+        r = k5_hex_decode(idopts->cert_id_string,
+                          &id_cryptoctx->cert_id, &id_cryptoctx->cert_id_len);
         if (r != 0) {
             pkiDebug("Failed to convert certid string [%s]\n",
                      idopts->cert_id_string);
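Review bot: The error branch at the end of the hunk relies on k5_hex_decode() leaving `id_cryptoctx->cert_id` NULL and `id_cryptoctx->cert_id_len` zero when it fails, whereas the removed hex_string_to_bin() explicitly zeroed both outputs on entry before any parsing. If k5_hex_decode() does not guarantee that on every failure path, the context can reach the plugin's cleanup with an uninitialised or dangling `cert_id`; a defensive `id_cryptoctx->cert_id = NULL; id_cryptoctx->cert_id_len = 0;` in the `if (r != 0)` branch, or a one-line comment stating the guarantee, would make the invariant explicit. The remainder of the error branch and the body of pkinit_get_certs_pkcs11() lie outside the hunk, so what is done with `r` after the pkiDebug() call cannot be checked here.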
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
index 7411348..957c3de 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
@@ -87,8 +87,8 @@ struct _pkinit_identity_crypto_context {
     void *p11_module;
     CK_SESSION_HANDLE session;
     CK_FUNCTION_LIST_PTR p11;
-    CK_BYTE_PTR cert_id;
-    int cert_id_len;
+    uint8_t *cert_id;
+    size_t cert_id_len;
     CK_MECHANISM_TYPE mech;
 #endif
     krb5_boolean defer_id_prompt;
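Review bot: Changing `cert_id_len` from `int` to `size_t` silently alters every other reader of the field, and the diffstat shows this commit changes only the decode call in pkinit_crypto_openssl.c, so those readers are not updated here. Any site that prints `cert_id_len` with `%d`, compares it against a signed loop counter, or passes it to an `int` parameter now has a signed/unsigned mismatch or a format-string type mismatch and should be audited (`%zu`, or an explicit cast where a `CK_ULONG` is expected). The `CK_BYTE_PTR` to `uint8_t *` change is presumably harmless because the PKCS#11 headers define `CK_BYTE` as `unsigned char`, but the field would benefit from a comment on its origin and ownership, e.g. `/* Decoded from cert_id_string by k5_hex_decode(); owned and freed by this context. */`.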

