author | Greg Hudson <ghudson@mit.edu> | 2014-05-22 19:18:34 -0400 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2015-02-06 17:46:16 -0500 |
commit | 1bc131a069dfe31d2a78f8c1f84e43027a3da967 (patch) | |
tree | 048a18dbd3e171bbfe04e3ecc400553d3a5bc8ac | |
parent | a6dde5302783a59d958e1fdafd53b22fa627b158 (diff) | |
Don't blindly use PKCS11 slot IDs in PKINIT
Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.
(cherry picked from commit ac406bac3d73a7e4efcc74adbb90c722457da969)
ticket: 8100 (new)
version_fixed: 1.11.6
status: resolved
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 27 |
1 files changed, 13 insertions, 14 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 6363303..9ed3781 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3744,23 +3744,22 @@ pkinit_open_session(krb5_context context,
 }
 /* Get the list of available slots */
- if (cctx->slotid != PK_NOSLOT) {
- /* A slot was specified, so that's the only one in the list */
- count = 1;
- slotlist = malloc(sizeof(CK_SLOT_ID));
- slotlist[0] = cctx->slotid;
- } else {
- if (cctx->p11->C_GetSlotList(TRUE, NULL, &count) != CKR_OK)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- if (count == 0)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- slotlist = malloc(count * sizeof (CK_SLOT_ID));
- if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK)
- return KRB5KDC_ERR_PREAUTH_FAILED;
- }
+ if (cctx->p11->C_GetSlotList(TRUE, NULL, &count) != CKR_OK)
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ if (count == 0)
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ slotlist = calloc(count, sizeof(CK_SLOT_ID));
+ if (slotlist == NULL)
+ return ENOMEM;
+ if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK)
+ return KRB5KDC_ERR_PREAUTH_FAILED;
 /* Look for the given token label, or if none given take the first one */
 for (i = 0; i < count; i++) {
+ /* Skip slots that don't match the specified slotid, if given. */
+ if (cctx->slotid != PK_NOSLOT && cctx->slotid != slotlist[i])
+ continue;
+
 /* Open session */
 if ((r = cctx->p11->C_OpenSession(slotlist[i], CKF_SERIAL_SESSION, NULL, NULL, &cctx->session)) != CKR_OK) { |
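Review bot: The second `C_GetSlotList` call still returns `KRB5KDC_ERR_PREAUTH_FAILED` without releasing `slotlist`, so the buffer just obtained from `calloc` leaks whenever the module fails on that call (for example, if the slot count changes between the two calls). The new NULL check makes the allocation path explicit, and the failure path should match it: `if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK) { free(slotlist); return KRB5KDC_ERR_PREAUTH_FAILED; }`. The body of pkinit_open_session continues past the hunk, so two things cannot be checked from here: whether `slotlist` is freed after the loop, and what is returned when a configured slotid matches no listed slot.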