| Subject: | pkinit doesn't handle slotid parameter properly |
I've found a couple issues with the way the pkinit plugin interacts with
PKCS11. The first is that way the "slotid" in krb5.conf is handled. It
should be used as a filter to choose one or more slots from the list of
slots returned by C_GetSlotList() Instead it is being directly assigned
to the slotlist[] arg which is passed to C_OpenSession() and if the
value is invalid can cause C_OpenSession() to segfault. Here is the
broken code in
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:pkinit_open_session():
if (cctx->slotid != PK_NOSLOT) {
/* A slot was specified, so that's the only one in the list */
count = 1;
slotlist = malloc(sizeof(CK_SLOT_ID));
slotlist[0] = cctx->slotid;
^^^^^^^^^^^^^^^^^^^^^^^^^^ wrong
Instead this should be something like:
if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK) {
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
gettext("Error trying to get PKCS11 slot list: %s"),
pkinit_pkcs11_code_to_text(r));
pkiDebug("C_GetSlotList: %s\n", pkinit_pkcs11_code_to_text(r));
r = KRB5KDC_ERR_PREAUTH_FAILED;
goto out;
}
/* examine all the tokens */
for (i = 0; i < count; i++) {
/*
* If a slotid was specified skip slots that don't match.
*/
if (cctx->slotid != PK_NOSLOT && cctx->slotid != slotlist[i])
continue;
/* Open session */
if ((r = cctx->p11->C_OpenSession(slotlist[i], CKF_SERIAL_SESSION,
NULL, NULL, &tmpsession)) != CKR_OK) {
pkiDebug("C_OpenSession: %s\n", pkinit_pkcs11_code_to_text(r));
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
gettext("Error trying to open PKCS11 session: %s"),
pkinit_pkcs11_code_to_text(r));
r = KRB5KDC_ERR_PREAUTH_FAILED;
goto out;
}
...
PKCS11. The first is that way the "slotid" in krb5.conf is handled. It
should be used as a filter to choose one or more slots from the list of
slots returned by C_GetSlotList() Instead it is being directly assigned
to the slotlist[] arg which is passed to C_OpenSession() and if the
value is invalid can cause C_OpenSession() to segfault. Here is the
broken code in
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:pkinit_open_session():
if (cctx->slotid != PK_NOSLOT) {
/* A slot was specified, so that's the only one in the list */
count = 1;
slotlist = malloc(sizeof(CK_SLOT_ID));
slotlist[0] = cctx->slotid;
^^^^^^^^^^^^^^^^^^^^^^^^^^ wrong
Instead this should be something like:
if (cctx->p11->C_GetSlotList(TRUE, slotlist, &count) != CKR_OK) {
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
gettext("Error trying to get PKCS11 slot list: %s"),
pkinit_pkcs11_code_to_text(r));
pkiDebug("C_GetSlotList: %s\n", pkinit_pkcs11_code_to_text(r));
r = KRB5KDC_ERR_PREAUTH_FAILED;
goto out;
}
/* examine all the tokens */
for (i = 0; i < count; i++) {
/*
* If a slotid was specified skip slots that don't match.
*/
if (cctx->slotid != PK_NOSLOT && cctx->slotid != slotlist[i])
continue;
/* Open session */
if ((r = cctx->p11->C_OpenSession(slotlist[i], CKF_SERIAL_SESSION,
NULL, NULL, &tmpsession)) != CKR_OK) {
pkiDebug("C_OpenSession: %s\n", pkinit_pkcs11_code_to_text(r));
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
gettext("Error trying to open PKCS11 session: %s"),
pkinit_pkcs11_code_to_text(r));
r = KRB5KDC_ERR_PREAUTH_FAILED;
goto out;
}
...