Avoid enumerating certificates with non-matching key type
author: SophieK <35367649+suishixingkong@users.noreply.github.com>
Tue, 21 May 2019 01:28:21 +0000 (09:28 +0800)
committer: Tobias Brunner <tobias@strongswan.org>
Tue, 21 May 2019 08:22:30 +0000 (10:22 +0200)
If the key type was specified but the ID was NULL or matched a subject, it
was possible that a certificate was returned that didn't actually match
the requested key type.

Closes strongswan/strongswan#141.

src/libcharon/plugins/stroke/stroke_ca.c
src/libstrongswan/credentials/sets/mem_cred.c

index 0432ee5..2c0df8f 100644 (file)
@@ -208,6 +208,11 @@ CALLBACK(certs_filter, bool,
                                        return TRUE;
                                }
                        }
+                       else
+                       {
+                               public->destroy(public);
+                               continue;
+                       }
                        public->destroy(public);
                }
                else if (data->key != KEY_ANY)
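Review bot: the new `else` branch calls `public->destroy(public)` and then `continue`s, while the pre-existing `public->destroy(public)` immediately below still handles the fall-through case, so the key is now released on two separate paths; it would be cleaner to destroy `public` once before branching and keep only the `continue` in the `else`, which also removes the risk of a future edit adding a third path that forgets the release. The condition this `else` pairs with lies outside the hunk, so the reviewer should confirm it is the key-type comparison the commit message refers to and that the `continue` skips nothing else the loop body needs to do for this certificate.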
index b0f77be..86b232a 100644 (file)
@@ -108,6 +108,11 @@ CALLBACK(certs_filter, bool,
                                        return TRUE;
                                }
                        }
+                       else
+                       {
+                               public->destroy(public);
+                               continue;
+                       }
                        public->destroy(public);
                }
                else if (data->key != KEY_ANY)
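Review bot: this hunk is byte-for-byte the same change as the one in stroke_ca.c, which shows that the two `certs_filter` callbacks carry duplicated matching logic; consider factoring the key-type and ID check into a shared helper so a fix of this kind does not have to be applied twice and cannot drift between the two sets. A regression test that enumerates with a specific key type and asserts that no certificate of another type is returned (both with a NULL ID and with an ID that matches a subject, the two cases named in the commit message) would lock this behaviour in.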