[krbdev.mit.edu #7889] PKINIT use of OpenSSL OID table is not thread-safe or application-friendly
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Mar 24 17:09:36 EDT 2014
It appears that PKINIT is shadowing NID_pkcs7_data so that
create_contentinfo can call PKCS7_set0_type_other regardless of whether
the type is NID_pkcs7_data or an "other" type.

If we eliminate the shadowing and don't change anything else,
create_contentinfo creates an inconsistent PKCS7 object, with type set to
id-pkcs7-data but with the data in d.other instead of d.data. When this
inconsistent PKCS7 is ASN.1 encoded, it contains four bytes of garbage
instead of the intended data.

This is easy enough to fix; create_contentinfo just needs to special-case
the id-pkcs7-data OID and set up the PKCS7 object correctly. This can be
done using PKCS7_set_type or by filling in d.data by hand.
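
A regression check for the failure mode described above, as an added example that is not part of the original message or of the krb5 code base: it parses the encoded output and confirms that a ContentInfo typed id-pkcs7-data really carries the intended bytes as an OCTET STRING. The function names and sample bytes are constructed for illustration, and the check works on the encoding only, independent of OpenSSL.

```python
# Added example (not krb5 code): consistency check for an encoded id-data ContentInfo.
ID_DATA = bytes.fromhex("2a864886f70d010701")  # OID 1.2.840.113549.1.7.1 (id-pkcs7-data)

def der(tag, value):  # encode one definite-length TLV
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; raise ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def build_data_contentinfo(payload):  # SEQUENCE { id-data, [0] EXPLICIT OCTET STRING }
    return der(0x30, der(0x06, ID_DATA) + der(0xA0, der(0x04, payload)))

def check_data_contentinfo(blob, expected):
    """Return None if blob is an id-data ContentInfo carrying expected, else a reason."""
    try:
        tag, seq, end = read_tlv(blob, 0)
        if tag != 0x30 or end != len(blob):
            return "not a single SEQUENCE"
        tag, oid, pos = read_tlv(seq, 0)
        if tag != 0x06 or oid != ID_DATA:
            return "contentType is not id-data"
        tag, wrapped, end = read_tlv(seq, pos)
        if tag != 0xA0 or end != len(seq):
            return "missing [0] EXPLICIT content"
        tag, octets, end = read_tlv(wrapped, 0)
        if tag != 0x04 or end != len(wrapped):
            return "content is not a single OCTET STRING"
    except ValueError as exc:
        return str(exc)
    return None if octets == expected else "content differs from the intended data"

# Constructed sample: id-data ContentInfo whose content is four arbitrary bytes.
BAD_SAMPLE = der(0x30, der(0x06, ID_DATA) + der(0xA0, der(0x04, b"\xde\xad\xbe\xef")))
```

Feeding the bytes produced by the encoder under test to `check_data_contentinfo`, together with the payload that was meant to be wrapped, turns the inconsistency into a test failure instead of a silently malformed message.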