Hi,
I compiled version 1.13.2 with pkinit with NSS crypto implementation and
configured it to use an external PKCS11 library for smart card
authentication. It is segfaulting during kinit. The problem is at line
499 in pkinit_clnt.c. I figured out that the "princs" is not initialized
by the NSS version of function "crypto_retrieve_cert_sans". When OpenSSL
crypto implementation is used, "princs" is initialized and its first
element points to NULL so it is properly handled by the loop (segfault
doesn't happen). I'm wondering if something in
"crypto_retrieve_cert_sans" in pkinit_crypto_nss.c should be amended or
if the simple patch which works fine for me is enough:
--- pkinit_clnt.c-org 2015-05-09 01:27:02.000000000 +0200
+++ pkinit_clnt.c 2015-07-03 18:33:44.040593720 +0200
@@ -496,8 +496,10 @@
retval = KRB5KDC_ERR_KDC_NAME_MISMATCH;
goto out;
}
- for (princptr = princs; *princptr != NULL; princptr++)
- TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(context, *princptr);
+ if (princs != NULL) {
+ for (princptr = princs; *princptr != NULL; princptr++)
+ TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(context, *princptr);
+ }
if (certhosts != NULL) {
for (hostptr = certhosts; *hostptr != NULL; hostptr++)
TRACE_PKINIT_CLIENT_SAN_KDCCERT_DNSNAME(context, *hostptr);
Could you please review and comment?
Daniel
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
