From 41347471a42f263427b0f3cc2f59f773fc9181e4 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 25 Jan 2018 17:50:29 +0100
Subject: [PATCH 1/2] fix certid conversion
---
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 65 ++++++++++++++++++----
 1 file changed, 54 insertions(+), 11 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index ac107c2c1..7915876b1 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -4623,6 +4623,53 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts)
 return ret;
 }
 
+int hex_string_to_bin(const char *str, int *bin_len_out, CK_BYTE **bin_out)
+{
+ size_t str_len;
+ size_t bin_len;
+ CK_BYTE *bin;
+ size_t b;
+ size_t s;
+ char tmp[3] = { '\0', '\0', '\0' };
+ char *endptr;
+ long val;
+
+ if (str == NULL) {
+ return EINVAL;
+ }
+
+ str_len = strlen(str);
+
+ if (str_len % 2 != 0) {
+ return EINVAL;
+ }
+
+ bin_len = str_len / 2;
+ bin = malloc(sizeof(char) * bin_len);
+ if (bin == NULL) {
+ return ENOMEM;
+ }
+
+ errno = 0;
+ for (b = 0, s = 0; b < bin_len; b++, s += 2) {
+ tmp[0] = str[s];
+ tmp[1] = str[s + 1];
+
+ val = strtol(tmp, &endptr, 16);
+ if (val < 0 || val > 255 || errno != 0 || endptr != &tmp[2]) {
+ free(bin);
+ return EINVAL;
+ }
+
+ bin[b] = (CK_BYTE) val;
+ }
+
+ *bin_len_out = bin_len;
+ *bin_out = bin;
+
+ return 0;
+}
+
 static krb5_error_code
 pkinit_get_certs_pkcs11(krb5_context context,
 pkinit_plg_crypto_context plg_cryptoctx,
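Review bot: The per-byte check in `hex_string_to_bin` (`val < 0 || val > 255 || errno != 0 || endptr != &tmp[2]`) still lets non-hex pairs through, because `strtol` skips leading whitespace and accepts a sign: the two-character groups `" f"`, `"+f"` and `"-0"` all satisfy it and are converted to 0x0f, 0x0f and 0x00 instead of being rejected as a malformed cert_id. Testing both characters with `isxdigit()` before building `tmp` closes that gap (it needs `<ctype.h>`, which I cannot confirm this file already includes). The function is also defined with external linkage and no prototype, while the neighbouring `pkinit_get_certs_pkcs11` is `static`; this helper should be `static int hex_string_to_bin(...)` as well. Two smaller edges worth a line each: `*bin_len_out = bin_len;` narrows `size_t` into `int` without a bound check, and an empty string reaches `malloc(0)`, which may legitimately return NULL and then be reported as ENOMEM.
```c
static int hex_string_to_bin(const char *str, int *bin_len_out, CK_BYTE **bin_out)
/* … unchanged: declarations, NULL/odd-length checks, allocation … */
    for (b = 0, s = 0; b < bin_len; b++, s += 2) {
        /* strtol() would also accept "+f", " f" or "-0"; insist on two hex digits */
        if (!isxdigit((unsigned char)str[s]) || !isxdigit((unsigned char)str[s + 1])) {
            free(bin);
            return EINVAL;
        }
        tmp[0] = str[s];
        tmp[1] = str[s + 1];
        /* … unchanged: strtol conversion, range/endptr check, store into bin[b] … */
    }
```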
@@ -4665,18 +4712,14 @@ pkinit_get_certs_pkcs11(krb5_context context,
 }
 /* Convert the ascii cert_id string into a binary blob */
 if (idopts->cert_id_string != NULL) {
- BIGNUM *bn = NULL;
- BN_hex2bn(&bn, idopts->cert_id_string);
- if (bn == NULL)
- return ENOMEM;
- id_cryptoctx->cert_id_len = BN_num_bytes(bn);
- id_cryptoctx->cert_id = malloc((size_t) id_cryptoctx->cert_id_len);
- if (id_cryptoctx->cert_id == NULL) {
- BN_free(bn);
- return ENOMEM;
+ r = hex_string_to_bin(idopts->cert_id_string,
+ &id_cryptoctx->cert_id_len,
+ &id_cryptoctx->cert_id);
+ if (r != 0) {
+ pkiDebug("Failed to convert certid string [%s]\n",
+ idopts->cert_id_string);
+ return r;
 }
- BN_bn2bin(bn, id_cryptoctx->cert_id);
- BN_free(bn);
 }
 id_cryptoctx->slotid = idopts->slotid;
 id_cryptoctx->pkcs11_method = 1;
-- 
2.14.3
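Review bot: In the new error path a malformed `cert_id` produces only `return r;` plus a `pkiDebug` line, and pkiDebug is, as far as I know, compiled to nothing unless DEBUG is defined, so an operator with an odd-length or non-hex `cert_id=` in their pkinit identity string just sees an unexplained EINVAL with no hint which setting is wrong. Adding `krb5_set_error_message(context, r, "Invalid PKCS#11 cert_id string [%s]", idopts->cert_id_string);` before the `return r;` surfaces the reason; I am assuming that helper is already used in this file as it is elsewhere in the pkinit plugin. `r` is declared above the hunk, and `pkinit_get_certs_pkcs11` both starts and ends outside it.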