Hi, I compiled version 1.13.2 with pkinit with NSS crypto implementation and configured it to use an external PKCS11 library for smart card authentication. It is segfaulting during kinit. The problem is at line 499 in pkinit_clnt.c. I figured out that the "princs" is not initialized by the NSS version of function "crypto_retrieve_cert_sans". When OpenSSL crypto implementation is used, "princs" is initialized and its first element points to NULL so it is properly handled by the loop (segfault doesn't happen). I'm wondering if something in "crypto_retrieve_cert_sans" in pkinit_crypto_nss.c should be amended or if the simple patch which works fine for me is enough:
--- pkinit_clnt.c-org 2015-05-09 01:27:02.000000000 +0200 +++ pkinit_clnt.c 2015-07-03 18:33:44.040593720 +0200 @@ -496,8 +496,10 @@ retval = KRB5KDC_ERR_KDC_NAME_MISMATCH; goto out; } - for (princptr = princs; *princptr != NULL; princptr++) - TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(context, *princptr); + if (princs != NULL) { + for (princptr = princs; *princptr != NULL; princptr++) + TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(context, *princptr); + } if (certhosts != NULL) { for (hostptr = certhosts; *hostptr != NULL; hostptr++) TRACE_PKINIT_CLIENT_SAN_KDCCERT_DNSNAME(context, *hostptr); Could you please review and comment? Daniel ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos