Ticket History #8617: PKINIT matching can crash for certs with long issuer and subject

# Tue Oct 24 18:45:39 2017 ÐÐ°Ð²ÐµÐ» ÐÑÐ°Ð¹Ð½Ð¾Ð² <kraynopp@gmail.com> - Ticket created

From:	ÐÐ°Ð²ÐµÐ» ÐÑÐ°Ð¹Ð½Ð¾Ð² <kraynopp@gmail.com>
Date:	Thu, 12 Oct 2017 21:00:17 +0300
Subject:	Bug in PKINIT
To:	krb5-bugs@mit.edu

Download (untitled) / with headers
text/plain 408B

Download (untitled) / with headers
text/html 827B

Hi,

In file \src\plugins\preauth\pkinit\pkinit_crypto_openssl.h I have found constant:

#define DN_BUF_LEN 256

So, the size of DN is limited by 256 bytes. It is very small and can be easily overflowed, especially if DN contains utf8-encoded CN/O/OU.
In this case PKINIT failed with error 'stack smashing detected'.

Please, consider to increase DN_BUF_LEN or use dynamic memory allocation for DN buffer.

# Thu Oct 26 15:54:38 2017 ghudson@mit.edu (Greg Hudson) - Given to ghudson@mit.edu (Greg Hudson)

# Thu Oct 26 15:54:38 2017 ghudson@mit.edu (Greg Hudson) - Target_Version 1.16 added

# Thu Oct 26 15:54:38 2017 ghudson@mit.edu (Greg Hudson) - Target_Version 1.15-next added

# Thu Oct 26 15:54:38 2017 ghudson@mit.edu (Greg Hudson) - Target_Version 1.14-next added

# Thu Oct 26 15:54:38 2017 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'resolved'

# Thu Oct 26 15:54:38 2017 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Thu Oct 26 15:54:38 2017 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 470B

Fix PKINIT cert matching data construction

Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.

https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4
Author: Greg Hudson <ghudson@mit.edu>
Commit: fbb687db1088ddd894d975996e5f6a4252b9a2b4
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 67 +++++++------------
1 files changed, 25 insertions(+), 42 deletions(-)

# Fri Oct 27 00:50:04 2017 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.15.3 added

# Fri Oct 27 00:50:04 2017 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 544B

Fix PKINIT cert matching data construction

Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.

(cherry picked from commit fbb687db1088ddd894d975996e5f6a4252b9a2b4)

https://github.com/krb5/krb5/commit/f36ae41714f669e971e9334fe471f8a924386cc6
Author: Greg Hudson <ghudson@mit.edu>
Commit: f36ae41714f669e971e9334fe471f8a924386cc6
Branch: krb5-1.15
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 69 ++++++++------------
1 files changed, 27 insertions(+), 42 deletions(-)

# Fri Oct 27 00:50:32 2017 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.14.7 added

# Fri Oct 27 00:50:32 2017 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 544B

Fix PKINIT cert matching data construction

Rewrite X509_NAME_oneline_ex() and its call sites to use dynamic
allocation and to perform proper error checking.

(cherry picked from commit fbb687db1088ddd894d975996e5f6a4252b9a2b4)

https://github.com/krb5/krb5/commit/5bae4fe119e22accab3d9045a9524530995596e9
Author: Greg Hudson <ghudson@mit.edu>
Commit: 5bae4fe119e22accab3d9045a9524530995596e9
Branch: krb5-1.14
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 69 ++++++++------------
1 files changed, 27 insertions(+), 42 deletions(-)

# Fri Oct 27 01:10:08 2017 ghudson@mit.edu (Greg Hudson) - CustomField pullup deleted

# Fri Oct 27 01:10:08 2017 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.16 added

# Mon Nov 27 11:19:15 2017 ghudson@mit.edu (Greg Hudson) - Subject changed from 'Bug in PKINIT' to 'PKINIT matching can crash for certs with long issuer and subject'