(_krb5_pk_rd_pa_reply): on non asn1 decoding errors, fail. Make sure

we free memory on error.
(pk_verify_chain_standard): make sure we provide good errors.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15190 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2005-05-19 18:49:05 +00:00
parent b4d451a234
commit 2d1b36a743


@@ -1048,7 +1048,7 @@ pk_verify_chain_standard(krb5_context context,
ret = KRB5_KDC_ERROR_CANT_VERIFY_CERTIFICATE; ret = KRB5_KDC_ERROR_CANT_VERIFY_CERTIFICATE;
krb5_set_error_string(context, "PKINIT: failed to verify " krb5_set_error_string(context, "PKINIT: failed to verify "
"certificate: %s ", "certificate: %s ",
ERR_error_string(ERR_get_error(), NULL)); X509_verify_cert_error_string(store_ctx->error));
break; break;
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
case X509_V_ERR_CERT_SIGNATURE_FAILURE: case X509_V_ERR_CERT_SIGNATURE_FAILURE:
@@ -1058,7 +1058,7 @@ pk_verify_chain_standard(krb5_context context,
case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_CERT_HAS_EXPIRED:
ret = KRB5_KDC_ERROR_INVALID_CERTIFICATE; ret = KRB5_KDC_ERROR_INVALID_CERTIFICATE;
krb5_set_error_string(context, "PKINIT: invalid certificate: %s ", krb5_set_error_string(context, "PKINIT: invalid certificate: %s ",
ERR_error_string(ERR_get_error(), NULL)); X509_verify_cert_error_string(store_ctx->error));
break; break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
@@ -1069,13 +1069,13 @@ pk_verify_chain_standard(krb5_context context,
ret = KRB5_KDC_ERROR_INVALID_CERTIFICATE; ret = KRB5_KDC_ERROR_INVALID_CERTIFICATE;
krb5_set_error_string(context, "PKINIT: unknown CA or can't " krb5_set_error_string(context, "PKINIT: unknown CA or can't "
"verify certificate: %s", "verify certificate: %s",
ERR_error_string(ERR_get_error(), NULL)); X509_verify_cert_error_string(store_ctx->error));
break; break;
default: default:
ret = KRB5_KDC_ERROR_INVALID_CERTIFICATE; /* XXX */ ret = KRB5_KDC_ERROR_INVALID_CERTIFICATE; /* XXX */
krb5_set_error_string(context, "PKINIT: failed to verify " krb5_set_error_string(context, "PKINIT: failed to verify "
"certificate: %s (%ld) ", "certificate: %s (%ld) ",
ERR_error_string(ERR_get_error(), NULL), X509_verify_cert_error_string(store_ctx->error),
(long)store_ctx->error); (long)store_ctx->error);
break; break;
} }
@@ -1748,7 +1748,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
size_t size; size_t size;
/* Check for PK-INIT -25 */ /* Check for PK-INIT -25 */
{ if (pa->padata_type == KRB5_PADATA_PK_AS_REP) {
PA_PK_AS_REP rep; PA_PK_AS_REP rep;
memset(&rep, 0, sizeof(rep)); memset(&rep, 0, sizeof(rep));
@@ -1757,34 +1757,32 @@ _krb5_pk_rd_pa_reply(krb5_context context,
pa->padata_value.length, pa->padata_value.length,
&rep, &rep,
&size); &size);
if (ret == 0) { if (ret)
return ret;
switch (rep.element) {
case choice_PA_PK_AS_REP_encKeyPack: switch (rep.element) {
ret = decode_ContentInfo(rep.u.encKeyPack.data, case choice_PA_PK_AS_REP_encKeyPack:
rep.u.encKeyPack.length, ret = decode_ContentInfo(rep.u.encKeyPack.data,
&ci, rep.u.encKeyPack.length,
&size); &ci,
if (ret) { &size);
krb5_set_error_string(context, free_PA_PK_AS_REP(&rep);
"PKINIT: -25 decoding failed " if (ret) {
"ContentInfo: %d", ret); krb5_set_error_string(context,
return ret; "PKINIT: -25 decoding failed "
} "ContentInfo: %d", ret);
ret = pk_rd_pa_reply_enckey(context, 0, &ci, ctx,
etype, nonce, pa, key);
free_ContentInfo(&ci);
break;
default:
krb5_set_error_string(context, "PKINIT: -25 reply "
"invalid content type");
ret = EINVAL;
break; break;
} }
} ret = pk_rd_pa_reply_enckey(context, 0, &ci, ctx,
free_PA_PK_AS_REP(&rep); etype, nonce, pa, key);
if (ret == 0) free_ContentInfo(&ci);
return 0; return ret;
default:
free_PA_PK_AS_REP(&rep);
krb5_set_error_string(context, "PKINIT: -25 reply "
"invalid content type");
break;
}
} }
/* Check for PK-INIT -19 */ /* Check for PK-INIT -19 */
@@ -1815,7 +1813,6 @@ _krb5_pk_rd_pa_reply(krb5_context context,
break; break;
} }
free_PA_PK_AS_REP_19(&rep19); free_PA_PK_AS_REP_19(&rep19);
if (ret == 0) if (ret == 0)
return 0; return 0;
} }
@@ -1843,6 +1840,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
w2krep.u.encKeyPack.length, w2krep.u.encKeyPack.length,
&ci, &ci,
&size); &size);
free_PA_PK_AS_REP_Win2k(&w2krep);
if (ret) { if (ret) {
krb5_set_error_string(context, krb5_set_error_string(context,
"PKINIT: decoding failed " "PKINIT: decoding failed "
@@ -1855,13 +1853,13 @@ _krb5_pk_rd_pa_reply(krb5_context context,
free_ContentInfo(&ci); free_ContentInfo(&ci);
break; break;
default: default:
free_PA_PK_AS_REP_Win2k(&w2krep);
krb5_set_error_string(context, "PKINIT: win2k reply invalid " krb5_set_error_string(context, "PKINIT: win2k reply invalid "
"content type"); "content type");
ret = EINVAL; ret = EINVAL;
break; break;
} }
free_PA_PK_AS_REP_Win2k(&w2krep);
} }
return ret; return ret;
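Review bot: The new `default:` arm of `switch (rep.element)` in the PK-INIT -25 block of `_krb5_pk_rd_pa_reply` no longer sets an error code: the old side had `ret = EINVAL;` before its `break`, while the new side frees `rep`, sets the error string and breaks with `ret` still 0 from the successful `decode_PA_PK_AS_REP`. Unless a later block overwrites `ret`, the final `return ret;` could report success for a reply whose CHOICE element was not recognised and for which no key was processed; the code between this block and the return is only partly visible here, so that outcome is inferred. Keeping `ret = EINVAL;` after `free_PA_PK_AS_REP(&rep);` in that arm would make the failure explicit, matching the Win2k `default:` arm, which still sets it. The function body starts and ends outside the hunks shown.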