From 6b8f7371e49c3aa636871bb4e2ea2d2e86c743de Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 26 Jan 2018 11:47:50 -0500 Subject: [PATCH] Fix hex conversion of PKINIT certid strings When parsing a PKCS11 token specification, correctly convert from hex to binary instead of using OpenSSL bignum functions (which would strip leading zeros). [ghudson@mit.edu: made hex_string_to_bin() a bit less verbose; wrote commit message] ticket: 8636 (cherry picked from commit 63e8b8142fd7b3931a7bf2d6448978ca536bafc0) --- .../preauth/pkinit/pkinit_crypto_openssl.c | 55 +++++++++++++++---- 1 file changed, 44 insertions(+), 11 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 2064eb7bd..eb2953fe1 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -4616,6 +4616,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts) return ret; } +static int +hex_string_to_bin(const char *str, int *bin_len_out, CK_BYTE **bin_out) +{ + size_t str_len, i; + CK_BYTE *bin; + char *endptr, tmp[3] = { '\0', '\0', '\0' }; + long val; + + *bin_len_out = 0; + *bin_out = NULL; + + str_len = strlen(str); + if (str_len % 2 != 0) + return EINVAL; + bin = malloc(str_len / 2); + if (bin == NULL) + return ENOMEM; + + errno = 0; + for (i = 0; i < str_len / 2; i++) { + tmp[0] = str[i * 2]; + tmp[1] = str[i * 2 + 1]; + + val = strtol(tmp, &endptr, 16); + if (val < 0 || val > 255 || errno != 0 || endptr != &tmp[2]) { + free(bin); + return EINVAL; + } + + bin[i] = (CK_BYTE)val; + } + + *bin_len_out = str_len / 2; + *bin_out = bin; + return 0; +} + static krb5_error_code pkinit_get_certs_pkcs11(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx,