Fix PKINIT cert matching data construction

Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.

(cherry picked from commit fbb687db1088ddd894d975996e5f6a4252b9a2b4)

ticket: 8617
version_fixed: 1.15.3

1 files changed, 27 insertions, 42 deletions

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 74fffbf..4b86a6f 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5145,33 +5145,29 @@ out:
     return retval;
 }
 
-/*
- * Return a string format of an X509_NAME in buf where
- * size is an in/out parameter.  On input it is the size
- * of the buffer, and on output it is the actual length
- * of the name.
- * If buf is NULL, returns the length req'd to hold name
- */
-static char *
-X509_NAME_oneline_ex(X509_NAME * a,
-                     char *buf,
-                     unsigned int *size,
-                     unsigned long flag)
+static krb5_error_code
+rfc2253_name(X509_NAME *name, char **str_out)
 {
-    BIO *out = NULL;
+    BIO *b = NULL;
+    char *str;
 
-    out = BIO_new(BIO_s_mem ());
-    if (X509_NAME_print_ex(out, a, 0, flag) > 0) {
-        if (buf != NULL && (*size) >  (unsigned int) BIO_number_written(out)) {
-            memset(buf, 0, *size);
-            BIO_read(out, buf, (int) BIO_number_written(out));
-        }
-        else {
-            *size = BIO_number_written(out);
-        }
-    }
-    BIO_free(out);
-    return (buf);
+    *str_out = NULL;
+    b = BIO_new(BIO_s_mem());
+    if (b == NULL)
+        return ENOMEM;
+    if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0)
+        goto error;
+    str = calloc(BIO_number_written(b) + 1, 1);
+    if (str == NULL)
+        goto error;
+    BIO_read(b, str, BIO_number_written(b));
+    BIO_free(b);
+    *str_out = str;
+    return 0;
+
+error:
+    BIO_free(b);
+    return ENOMEM;
 }
 
 /*
@@ -5187,8 +5183,6 @@ crypto_cert_get_matching_data(krb5_context context,
     krb5_principal *pkinit_sans =NULL, *upn_sans = NULL;
     struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch;
     unsigned int i, j;
-    char buf[DN_BUF_LEN];
-    unsigned int bufsize = sizeof(buf);
 
     if (cd == NULL || cd->magic != CERT_MAGIC)
         return EINVAL;
@@ -5201,23 +5195,14 @@ crypto_cert_get_matching_data(krb5_context context,
 
     md->ch = ch;
 
-    /* get the subject name (in rfc2253 format) */
-    X509_NAME_oneline_ex(X509_get_subject_name(cd->cred->cert),
-                         buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
-    md->subject_dn = strdup(buf);
-    if (md->subject_dn == NULL) {
-        retval = ENOMEM;
+    retval = rfc2253_name(X509_get_subject_name(cd->cred->cert),
+                          &md->subject_dn);
+    if (retval)
         goto cleanup;
-    }
-
-    /* get the issuer name (in rfc2253 format) */
-    X509_NAME_oneline_ex(X509_get_issuer_name(cd->cred->cert),
-                         buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS);
-    md->issuer_dn = strdup(buf);
-    if (md->issuer_dn == NULL) {
-        retval = ENOMEM;
+    retval = rfc2253_name(X509_get_issuer_name(cd->cred->cert),
+                          &md->issuer_dn);
+    if (retval)
         goto cleanup;
-    }
 
     /* get the san data */
     retval = crypto_retrieve_X509_sans(context, cd->plgctx, cd->reqctx,