Bug in pkinit_clnt.c?
Daniel Deptuła
daniel.deptula at gmail.com
Fri Jul 3 12:43:10 EDT 2015
Hi,
I compiled version 1.13.2 with pkinit with NSS crypto implementation and
configured it to use an external PKCS11 library for smart card
authentication. It is segfaulting during kinit. The problem is at line
499 in pkinit_clnt.c. I figured out that the "princs" is not initialized
by the NSS version of function "crypto_retrieve_cert_sans". When OpenSSL
crypto implementation is used, "princs" is initialized and its first
element points to NULL so it is properly handled by the loop (segfault
doesn't happen). I'm wondering if something in
"crypto_retrieve_cert_sans" in pkinit_crypto_nss.c should be amended or
if the simple patch which works fine for me is enough:
--- pkinit_clnt.c-org 2015-05-09 01:27:02.000000000 +0200
+++ pkinit_clnt.c 2015-07-03 18:33:44.040593720 +0200
@@ -496,8 +496,10 @@
retval = KRB5KDC_ERR_KDC_NAME_MISMATCH;
goto out;
}
- for (princptr = princs; *princptr != NULL; princptr++)
- TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(context, *princptr);
+ if (princs != NULL) {
+ for (princptr = princs; *princptr != NULL; princptr++)
+ TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(context, *princptr);
+ }
if (certhosts != NULL) {
for (hostptr = certhosts; *hostptr != NULL; hostptr++)
TRACE_PKINIT_CLIENT_SAN_KDCCERT_DNSNAME(context, *hostptr);
Could you please review and comment?
Daniel
More information about the Kerberos
mailing list