Subject: pkinit doesn't handle slotid parameter properly
I've found a couple issues with the way the pkinit plugin interacts with
PKCS11. The first is the way the "slotid" in krb5.conf is handled. It
should be used as a filter to choose one or more slots from the list of
slots returned by C_GetSlotList(). Instead it is being directly assigned
to the slotlist[] arg which is passed to C_OpenSession(), and if the
value is invalid it can cause C_OpenSession() to segfault. Here is the
broken code in
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:pkinit_open_session():

    if (cctx->slotid != PK_NOSLOT) {
        /* A slot was specified, so that's the only one in the list */
        count = 1;
        slotlist = malloc(sizeof(CK_SLOT_ID));
        slotlist[0] = cctx->slotid;
        ^^^^^^^^^^^^^^^^^^^^^^^^^^ wrong

Instead this should be something like:

    /* Keep the return code in r so the error message reports it */
    if ((r = cctx->p11->C_GetSlotList(TRUE, slotlist, &count)) != CKR_OK) {
        krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
                               gettext("Error trying to get PKCS11 slot list: %s"),
                               pkinit_pkcs11_code_to_text(r));
        pkiDebug("C_GetSlotList: %s\n", pkinit_pkcs11_code_to_text(r));
        r = KRB5KDC_ERR_PREAUTH_FAILED;
        goto out;
    }

    /* examine all the tokens */
    for (i = 0; i < count; i++) {
        /*
         * If a slotid was specified skip slots that don't match.
         */
        if (cctx->slotid != PK_NOSLOT && cctx->slotid != slotlist[i])
            continue;

        /* Open session */
        if ((r = cctx->p11->C_OpenSession(slotlist[i], CKF_SERIAL_SESSION,
                                          NULL, NULL, &tmpsession)) != CKR_OK) {
            pkiDebug("C_OpenSession: %s\n", pkinit_pkcs11_code_to_text(r));
            krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
                                   gettext("Error trying to open PKCS11 session: %s"),
                                   pkinit_pkcs11_code_to_text(r));
            r = KRB5KDC_ERR_PREAUTH_FAILED;
            goto out;
        }
        ...
From: ghudson@mit.edu
Subject: git commit

Don't blindly use PKCS11 slot IDs in PKINIT

Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.

https://github.com/krb5/krb5/commit/ac406bac3d73a7e4efcc74adbb90c722457da969
Author: Greg Hudson <ghudson@mit.edu>
Commit: ac406bac3d73a7e4efcc74adbb90c722457da969
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 27 +++++++++----------
1 files changed, 13 insertions(+), 14 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Don't blindly use PKCS11 slot IDs in PKINIT

Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.

(cherry picked from commit ac406bac3d73a7e4efcc74adbb90c722457da969)

https://github.com/krb5/krb5/commit/2e56aa65e8d362b2ffe90c61e377594c822e893d
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 2e56aa65e8d362b2ffe90c61e377594c822e893d
Branch: krb5-1.12
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 27 +++++++++----------
1 files changed, 13 insertions(+), 14 deletions(-)
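
The filtering described in the report and the commit message, as an added C example that is not the krb5 code: it sizes the slot list with the usual two-call C_GetSlotList pattern and lets a configured slot ID reach the open call only if the module listed it. mock_GetSlotList, mock_OpenSession, NO_SLOT and open_filtered are hypothetical stand-ins, and the slot numbers are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for PKCS #11 types and codes (constructed; real code uses pkcs11.h). */
typedef unsigned long CK_SLOT_ID, CK_ULONG, CK_RV;
enum { CKR_OK = 0, CKR_SLOT_ID_INVALID = 3 };
#define NO_SLOT ((CK_SLOT_ID)-1)  /* hypothetical "no slotid configured" marker */

static const CK_SLOT_ID present[] = { 1, 4 };  /* constructed token slots */
#define NPRESENT (sizeof(present) / sizeof(present[0]))
static int unlisted_opens;  /* opens with an ID the module never listed */

static CK_RV mock_GetSlotList(CK_SLOT_ID *list, CK_ULONG *count)
{
    if (list != NULL)  /* second call: caller sized the buffer from the first */
        memcpy(list, present, sizeof(present));
    *count = NPRESENT;
    return CKR_OK;
}

static CK_RV mock_OpenSession(CK_SLOT_ID id)
{
    for (CK_ULONG i = 0; i < NPRESENT; i++)
        if (present[i] == id)
            return CKR_OK;
    unlisted_opens++;  /* a fragile module may crash here instead */
    return CKR_SLOT_ID_INVALID;
}

/* Open the first listed slot matching wanted (any if NO_SLOT); NO_SLOT if none. */
CK_SLOT_ID open_filtered(CK_SLOT_ID wanted)
{
    CK_ULONG count = 0;
    CK_SLOT_ID *list, found = NO_SLOT;
    if (mock_GetSlotList(NULL, &count) != CKR_OK || count == 0)
        return NO_SLOT;
    list = malloc(count * sizeof(*list));
    if (list == NULL || mock_GetSlotList(list, &count) != CKR_OK)
        count = 0;  /* nothing to examine */
    for (CK_ULONG i = 0; i < count && found == NO_SLOT; i++) {
        if (wanted != NO_SLOT && wanted != list[i])
            continue;  /* slotid is only a filter over the module's list */
        if (mock_OpenSession(list[i]) == CKR_OK)
            found = list[i];
    }
    free(list);
    return found;
}

int main(void) { return open_filtered(4) == 4 ? 0 : 1; }
```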