fixed CRL check return value on revoked certificates
authorMartin Willi <martin@strongswan.org>
Wed, 19 Mar 2008 09:44:47 +0000 (09:44 -0000)
committerMartin Willi <martin@strongswan.org>
Wed, 19 Mar 2008 09:44:47 +0000 (09:44 -0000)
fixed possible refcounting bugs
generic return_null() implementation

src/charon/credentials/credential_manager.c
src/charon/plugins/med_db/med_db_creds.c
src/charon/plugins/sql/sql_cred.c
src/charon/plugins/stroke/stroke.c
src/libstrongswan/utils.c
src/libstrongswan/utils.h

index 71a06e9..6642c19 100644 (file)
@@ -298,13 +298,6 @@ static shared_key_t *get_shared(private_credential_manager_t *this,
 static certificate_t *get_trusted_cert(private_credential_manager_t *this,
                                                                           key_type_t type, identification_t *id,
                                                                           auth_info_t *auth, bool crl, bool ocsp);
-/**
- * return null ;-)
- */
-static void *return_null()
-{
-       return NULL;
-}
 
 /**
  * credential_set_t implementation around an OCSP response
@@ -492,22 +485,20 @@ static cert_validation_t check_ocsp(private_credential_manager_t *this,
 {
        certificate_t *sub = (certificate_t*)subject;
        certificate_t *best_cert = NULL;
+       certificate_t *cert;
+       public_key_t *public;
        cert_validation_t valid = VALIDATION_SKIPPED;
        identification_t *keyid = NULL;
        bool stale = TRUE;
        
        /* derive the authorityKeyIdentifier from the issuer's public key */
+       cert = &issuer->interface;
+       public = cert->get_public_key(cert);
+       if (public)
        {
-               certificate_t *cert = &issuer->interface;
-               public_key_t *public = cert->get_public_key(cert);
-
-               if (public)
-               {
-                       keyid = public->get_id(public, ID_PUBKEY_SHA1);
-                       public->destroy(public);
-               }
+               keyid = public->get_id(public, ID_PUBKEY_SHA1);
        }
-
+       
        /* find a cached ocsp response by authorityKeyIdentifier */     
        if (keyid)
        {
@@ -612,6 +603,7 @@ static cert_validation_t check_ocsp(private_credential_manager_t *this,
                }
                enumerator->destroy(enumerator);
        }
+       DESTROY_IF(public);
 
        /* if we have an ocsp response, check the revocation status */
        if (best_cert)
@@ -638,7 +630,7 @@ static cert_validation_t check_ocsp(private_credential_manager_t *this,
                }
                best_cert->destroy(best_cert);
        }
-
+       
        if (auth)
        {
                auth->add_item(auth, AUTHZ_OCSP_VALIDATION, &valid);
@@ -707,19 +699,17 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
 {
        identification_t *keyid = NULL;
        certificate_t *best_cert = NULL;
+       certificate_t *cert;
+       public_key_t *public;
        cert_validation_t valid = VALIDATION_SKIPPED;
        bool stale = TRUE;
        
        /* derive the authorityKeyIdentifier from the issuer's public key */
+       cert = &issuer->interface;
+       public = cert->get_public_key(cert);
+       if (public)
        {
-               certificate_t *cert = &issuer->interface;
-               public_key_t *public = cert->get_public_key(cert);
-
-               if (public)
-               {
-                       keyid = public->get_id(public, ID_PUBKEY_SHA1);
-                       public->destroy(public);
-               }
+               keyid = public->get_id(public, ID_PUBKEY_SHA1);
        }
        
        /* find a cached crl by authorityKeyIdentifier */
@@ -820,6 +810,7 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
                }
                enumerator->destroy(enumerator);
        }
+       DESTROY_IF(public);
 
        /* if we have a crl, check the revocation status */
        if (best_cert)
@@ -884,8 +875,7 @@ static bool check_certificate(private_credential_manager_t *this,
                        switch (check_ocsp(this, (x509_t*)subject, (x509_t*)issuer, auth))
                        {
                                case VALIDATION_GOOD:
-                                       DBG1(DBG_CFG, "certificate status is good",
-                                                subject->get_subject(subject));
+                                       DBG1(DBG_CFG, "certificate status is good");
                                        return TRUE;
                                case VALIDATION_REVOKED:
                                        /* has already been logged */                   
@@ -905,10 +895,10 @@ static bool check_certificate(private_credential_manager_t *this,
                        {
                                case VALIDATION_GOOD:
                                        DBG1(DBG_CFG, "certificate status is good");
-                                       break;
+                                       return TRUE;
                                case VALIDATION_REVOKED:                
                                        /* has already been logged */                   
-                                       break;
+                                       return FALSE;
                                case VALIDATION_UNKNOWN:
                                        DBG1(DBG_CFG, "certificate status is unknown");
                                        break;
index f8aed25..cd1058a 100644 (file)
@@ -173,14 +173,6 @@ static enumerator_t* create_shared_enumerator(private_med_db_creds_t *this,
        }
        return NULL;
 }
-
-/**
- * returns null
- */
-static void *return_null()
-{
-       return NULL;
-}
        
 /**
  * Implementation of backend_t.destroy.
index 73a6a9c..a504b23 100644 (file)
@@ -332,14 +332,6 @@ static enumerator_t* create_shared_enumerator(private_sql_cred_t *this,
 }
 
 /**
- * return null
- */
-static void *return_null()
-{
-       return NULL;
-}
-
-/**
  * Implementation of sql_cred_t.destroy.
  */
 static void destroy(private_sql_cred_t *this)
index 6af5ebe..401cb22 100755 (executable)
@@ -282,14 +282,6 @@ static void ca_section_destroy(ca_section_t *this)
 }
 
 /**
- * another return NULL 
- */
-static void* return_null()
-{
-       return NULL;
-}
-
-/**
  * data to pass to create_inner_cdp
  */
 typedef struct {
index d6920cf..953ef50 100644 (file)
@@ -64,6 +64,14 @@ void memxor(u_int8_t dest[], u_int8_t src[], size_t n)
 }
 
 /**
+ * return null
+ */
+void *return_null()
+{
+       return NULL;
+}
+
+/**
  * We use a single mutex for all refcount variables. This
  * is not optimal for performance, but the critical section
  * is not that long...
index 2624c31..aae368a 100644 (file)
@@ -210,6 +210,11 @@ void *clalloc(void *pointer, size_t size);
 void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
 
 /**
+ * returns null
+ */
+void *return_null();
+
+/**
  * Special type to count references
  */
 typedef volatile u_int refcount_t;