Merge branch 'multi-certificates'

author: Benjamin Dauvergne <bdauvergne@entrouvert.com> 2011-11-29 12:36:47 +0100
committer: Benjamin Dauvergne <bdauvergne@entrouvert.com> 2011-11-29 12:36:47 +0100
commit: 29800377a38349c04e3744aa736fc9e70c2bf16a (patch)
tree: ab00fde9b27760febeeeda86ff6b348a58803d90 /lasso
parent: 92ebef91f584d3afd72ded1747c09981b4476c14 (diff)
parent: b785881e531116da7250190e632bd205212a9bdf (diff)
download: lasso-29800377a38349c04e3744aa736fc9e70c2bf16a.tar.gz
lasso-29800377a38349c04e3744aa736fc9e70c2bf16a.tar.xz
lasso-29800377a38349c04e3744aa736fc9e70c2bf16a.zip
14 files changed, 118 insertions, 67 deletions
diff --git a/lasso/errors.c b/lasso/errors.c
index af772c14..2a38f3dd 100644
--- a/lasso/errors.c
+++ b/lasso/errors.c
@@ -359,6 +359,8 @@ lasso_strerror(int error_code)
 			return "The known password does not match the UsernameToken";
 		case LASSO_WSSEC_ERROR_MISSING_SECURITY_TOKEN:
 			return "The request miss a WS-Security token.";
+		case LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA:
+			return "The EncryptedData node is invalid, look at the logs.";
 		case LASSO_XML_ERROR_ATTR_NOT_FOUND:
 			return "Unable to get attribute of element.";
 		case LASSO_XML_ERROR_ATTR_VALUE_NOT_FOUND:
diff --git a/lasso/errors.h b/lasso/errors.h
index 8cc114fb..10d91818 100644
--- a/lasso/errors.h
+++ b/lasso/errors.h
@@ -1076,3 +1076,10 @@ LASSO_EXPORT const char* lasso_strerror(int error_code);
  * The current assertion query does not contain an attribute query.
  */
 #define LASSO_ASSERTION_QUERY_ERROR_NOT_AN_ATTRIBUTE_QUERY 1902
+
+/**
+ * LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA
+ *
+ * The EncryptedData node is invalid, look at the logs.
+ */
+#define LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA -2001
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
index 9e914002..31cb94bc 100644
--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
@@ -384,12 +384,13 @@ lasso_login_build_assertion(LassoLogin *login,
 	/* Encrypt NameID */
 	provider = lasso_server_get_provider(profile->server, profile->remote_providerID);
 	ss = LASSO_SAML_SUBJECT_STATEMENT_ABSTRACT(as);
-	if (provider && provider->private_data->encryption_mode & LASSO_ENCRYPTION_MODE_NAMEID
-			&& lasso_provider_get_encryption_public_key(provider) != NULL) {
+	if (provider
+			&& (lasso_provider_get_encryption_mode(provider) & LASSO_ENCRYPTION_MODE_NAMEID)) {
 		encrypted_element = LASSO_SAML2_ENCRYPTED_ELEMENT(lasso_node_encrypt(
-			LASSO_NODE(ss->Subject->NameIdentifier),
-			lasso_provider_get_encryption_public_key(provider),
-			provider->private_data->encryption_sym_key_type, provider->ProviderID));
+					LASSO_NODE(ss->Subject->NameIdentifier),
+					lasso_provider_get_encryption_public_key(provider),
+					lasso_provider_get_encryption_sym_key_type(provider),
+					provider->ProviderID));
 		if (encrypted_element != NULL) {
 			lasso_assign_new_gobject(ss->Subject->EncryptedNameIdentifier, encrypted_element);
 			lasso_release_gobject(ss->Subject->NameIdentifier);
diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
index 8df653de..c90819a3 100644
--- a/lasso/id-ff/provider.c
+++ b/lasso/id-ff/provider.c
@@ -548,16 +548,16 @@ xmlSecKey*
 lasso_provider_get_encryption_public_key(const LassoProvider *provider)
 {
 	g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL);
-	GList *public_keys;
+	GList *keys;
 
-	if (provider->private_data->encryption_public_keys) {
-		return provider->private_data->encryption_public_keys->data;
+	keys = provider->private_data->encryption_public_keys;
+	/* encrypt using the first given key, multiple encryption key in the metadata is generally
+	 * useless. roll-over of the encryption key is done mainly at the receiving side, by trying
+	 * to decipher using the two private keys, the old and the new. */
+	if (keys && keys->data) {
+		return (xmlSecKey*)keys->data;
 	}
-	public_keys = lasso_provider_get_public_keys(provider);
-	if (! public_keys) {
-		return NULL;
-	}
-	return (xmlSecKey*)public_keys->data;
+	return NULL;
 }
 
 static void
@@ -859,9 +859,7 @@ dispose(GObject *object)
 		provider->private_data->encryption_public_key_str = NULL;
 	}
 
-	if (provider->private_data->encryption_public_keys) {
-		lasso_release_list_of_sec_key(provider->private_data->encryption_public_keys);
-	}
+	lasso_release_list_of_sec_key(provider->private_data->encryption_public_keys);
 
 	lasso_release(provider->private_data->affiliation_id);
 	provider->private_data->affiliation_id = NULL;
@@ -1289,8 +1287,8 @@ lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType publi
 						list_of_sec_key);
 				break;
 			case LASSO_PUBLIC_KEY_ENCRYPTION:
-				lasso_transfer_full(provider->private_data->encryption_public_keys,
-						keys, list_of_sec_key);
+				lasso_transfer_full(provider->private_data->encryption_public_keys, keys,
+						list_of_sec_key);
 				break;
 			default:
 				lasso_release_list_of_sec_key(keys);
diff --git a/lasso/id-ff/server.c b/lasso/id-ff/server.c
index 882a50b0..9d3b7365 100644
--- a/lasso/id-ff/server.c
+++ b/lasso/id-ff/server.c
@@ -182,10 +182,7 @@ lasso_server_set_encryption_private_key_with_password(LassoServer *server,
 		if (! key || ! (xmlSecKeyGetType(key) & xmlSecKeyDataTypePrivate)) {
 			return LASSO_SERVER_ERROR_SET_ENCRYPTION_PRIVATE_KEY_FAILED;
 		}
-		lasso_release_sec_key(server->private_data->encryption_private_key);
-		server->private_data->encryption_private_key = key;
-	} else {
-		lasso_release_sec_key(server->private_data->encryption_private_key);
+		lasso_list_add_new_sec_key(server->private_data->encryption_private_keys, key);
 	}
 
 	return 0;
@@ -289,8 +286,8 @@ init_from_xml(LassoNode *node, xmlNode *xmlnode)
 	rc = parent_class->init_from_xml(node, xmlnode);
 
 	if (server->private_key) {
-		server->private_data->encryption_private_key =
-			lasso_xmlsec_load_private_key(server->private_key, server->private_key_password);
+		lasso_server_set_encryption_private_key_with_password(server, server->private_key,
+				server->private_key_password);
 	}
 	if (rc)
 		return rc;
@@ -481,7 +478,7 @@ dispose(GObject *object)
 	}
 	server->private_data->dispose_has_run = TRUE;
 
-	lasso_release_sec_key(server->private_data->encryption_private_key);
+	lasso_release_list_of_sec_key(server->private_data->encryption_private_keys);
 
 	lasso_release_list_of_gobjects(server->private_data->svc_metadatas);
 
@@ -523,7 +520,7 @@ instance_init(LassoServer *server)
 {
 	server->private_data = g_new0(LassoServerPrivate, 1);
 	server->private_data->dispose_has_run = FALSE;
-	server->private_data->encryption_private_key = NULL;
+	server->private_data->encryption_private_keys = NULL;
 	server->private_data->svc_metadatas = NULL;
 
 	server->providers = g_hash_table_new_full(
@@ -610,7 +607,7 @@ lasso_server_new(const gchar *metadata,
 		if (lasso_provider_load_metadata(LASSO_PROVIDER(server), metadata) == FALSE) {
 			message(G_LOG_LEVEL_CRITICAL,
 					"Failed to load metadata from %s.", metadata);
-			lasso_node_destroy(LASSO_NODE(server));
+			lasso_release_gobject(server);
 			return NULL;
 		}
 	}
@@ -619,11 +616,11 @@ lasso_server_new(const gchar *metadata,
 	if (private_key) {
 		lasso_assign_string(server->private_key, private_key);
 		lasso_assign_string(server->private_key_password, private_key_password);
-		server->private_data->encryption_private_key = lasso_xmlsec_load_private_key(private_key,
-				private_key_password);
-		if (! server->private_data->encryption_private_key) {
+		if (lasso_server_set_encryption_private_key_with_password(server, private_key,
+				private_key_password) != 0) {
 			message(G_LOG_LEVEL_WARNING, "Cannot load the private key");
 			lasso_release_gobject(server);
+			return NULL;
 		}
 	}
 	lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_SIGNING);
@@ -657,7 +654,7 @@ lasso_server_new_from_buffers(const char *metadata, const char *private_key_cont
 		if (lasso_provider_load_metadata_from_buffer(LASSO_PROVIDER(server), metadata) == FALSE) {
 			message(G_LOG_LEVEL_CRITICAL,
 					"Failed to load metadata from preloaded buffer");
-			lasso_node_destroy(LASSO_NODE(server));
+			lasso_release_gobject(server);
 			return NULL;
 		}
 	}
@@ -665,12 +662,12 @@ lasso_server_new_from_buffers(const char *metadata, const char *private_key_cont
 	if (private_key_content) {
 		lasso_assign_string(server->private_key, private_key_content);
 		lasso_assign_string(server->private_key_password, private_key_password);
-		server->private_data->encryption_private_key =
-			lasso_xmlsec_load_private_key_from_buffer(private_key_content,
-					strlen(private_key_content), private_key_password);
-		if (! server->private_data->encryption_private_key) {
+
+		if (lasso_server_set_encryption_private_key_with_password(server, private_key_content,
+				private_key_password) != 0) {
 			message(G_LOG_LEVEL_WARNING, "Cannot load the private key");
 			lasso_release_gobject(server);
+			return NULL;
 		}
 	}
 	lasso_provider_load_public_key(&server->parent, LASSO_PUBLIC_KEY_SIGNING);
@@ -731,14 +728,14 @@ lasso_server_get_private_key(LassoServer *server)
 }
 
 /**
- * lasso_server_get_encryption_private_key:
+ * lasso_server_get_encryption_private_keys:
  * @server: a #LassoServer object
  *
- * Return:(transfer none): a xmlSecKey object, it is owned by the #LassoServer object, so do not
+ * Return:(transfer none)(element-type xmlSecKeyPtr): a GList of xmlSecKey object, it is owned by the #LassoServer object, so do not
  * free it.
  */
-xmlSecKey*
-lasso_server_get_encryption_private_key(LassoServer *server)
+GList*
+lasso_server_get_encryption_private_keys(LassoServer *server)
 {
 	if (! LASSO_IS_SERVER(server))
 		return NULL;
@@ -746,7 +743,7 @@ lasso_server_get_encryption_private_key(LassoServer *server)
 	if (! server->private_data)
 		return NULL;
 
-	return server->private_data->encryption_private_key;
+	return server->private_data->encryption_private_keys;
 }
 
 /**
diff --git a/lasso/id-ff/serverprivate.h b/lasso/id-ff/serverprivate.h
index 8375fc2e..c800edc2 100644
--- a/lasso/id-ff/serverprivate.h
+++ b/lasso/id-ff/serverprivate.h
@@ -32,7 +32,7 @@ extern "C" {
 struct _LassoServerPrivate
 {
 	gboolean dispose_has_run;
-	xmlSecKey *encryption_private_key;
+	GList *encryption_private_keys;
 	GList *svc_metadatas;
 };
 
@@ -40,7 +40,7 @@ gchar* lasso_server_get_first_providerID(LassoServer *server);
 gchar* lasso_server_get_first_providerID_by_role(const LassoServer *server, LassoProviderRole role);
 gchar* lasso_server_get_providerID_from_hash(LassoServer *server, gchar *b64_hash);
 xmlSecKey* lasso_server_get_private_key(LassoServer *server);
-xmlSecKey* lasso_server_get_encryption_private_key(LassoServer *server);
+GList* lasso_server_get_encryption_private_keys(LassoServer *server);
 
 #ifdef __cplusplus
 }
diff --git a/lasso/id-wsf-2.0/saml2_login.c b/lasso/id-wsf-2.0/saml2_login.c
index fc0f074b..6f86ff8e 100644
--- a/lasso/id-wsf-2.0/saml2_login.c
+++ b/lasso/id-wsf-2.0/saml2_login.c
@@ -91,7 +91,7 @@ lasso_server_create_assertion_as_idwsf2_security_token(LassoServer *server,
 			lasso_release_gobject(assertion);
 			goto cleanup;
 		}
-		lasso_assign_gobject(assertion->Subject->EncryptedID, encrypted_id);
+		lasso_assign_new_gobject(assertion->Subject->EncryptedID, encrypted_id);
 	} else {
 		lasso_assign_new_gobject(assertion->Subject->NameID, name_id);
 	}
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index 3955b62c..acc9125a 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -1160,16 +1160,16 @@ _lasso_check_assertion_issuer(LassoSaml2Assertion *assertion, const gchar *provi
 static gint
 _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *samlp2_response)
 {
-	xmlSecKey *encryption_private_key;
-	GList *it;
+	GList *encryption_private_keys = NULL;
+	GList *it = NULL;
 	gboolean at_least_one_decryption_failture = FALSE;
 	gboolean at_least_one_malformed_element = FALSE;
 
 	if (! samlp2_response->EncryptedAssertion)
 		return 0; /* nothing to do */
 
-	encryption_private_key = lasso_server_get_encryption_private_key(login->parent.server);
-	if (! encryption_private_key) {
+	encryption_private_keys = lasso_server_get_encryption_private_keys(login->parent.server);
+	if (! encryption_private_keys) {
 			message(G_LOG_LEVEL_WARNING, "Missing private encryption key, cannot decrypt assertions.");
 			return LASSO_DS_ERROR_DECRYPTION_FAILED_MISSING_PRIVATE_KEY;
 	}
@@ -1185,9 +1185,19 @@ _lasso_saml20_login_decrypt_assertion(LassoLogin *login, LassoSamlp2Response *sa
 			continue;
 		}
 		encrypted_assertion = (LassoSaml2EncryptedElement*)it->data;
-		rc1 = lasso_saml2_encrypted_element_decrypt(encrypted_assertion, encryption_private_key, (LassoNode**)&assertion);
-
-		if (rc1) {
+		lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+				encryption_private_keys)
+		{
+			rc1 = lasso_saml2_encrypted_element_decrypt(encrypted_assertion, encryption_private_key, (LassoNode**)&assertion);
+			if (rc1 == 0)
+				break;
+		}
+		lasso_foreach_full_end();
+		if (rc1 == LASSO_DS_ERROR_DECRYPTION_FAILED) {
+			message(G_LOG_LEVEL_WARNING, "Could not decrypt the EncryptedKey");
+			at_least_one_decryption_failture |= TRUE;
+			continue;
+		} else if (rc1) {
 			message(G_LOG_LEVEL_WARNING, "Could not decrypt an assertion: %s", lasso_strerror(rc1));
 			at_least_one_decryption_failture |= TRUE;
 			continue;
@@ -1429,6 +1439,7 @@ lasso_saml20_login_build_authn_response_msg(LassoLogin *login)
 	lasso_check_good_rc(lasso_saml20_profile_build_response_msg(profile, NULL, http_method, url));
 
 cleanup:
+	lasso_release_string(url);
 	return rc;
 }
 
@@ -1486,7 +1497,7 @@ lasso_saml20_login_init_idp_initiated_authn_request(LassoLogin *login,
 		return LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND;
 
 	lasso_assign_string(profile->remote_providerID, remote_providerID);
-	lasso_assign_gobject(profile->request, lasso_samlp2_authn_request_new());
+	lasso_assign_new_gobject(profile->request, lasso_samlp2_authn_request_new());
 	lasso_assign_new_gobject(LASSO_SAMLP2_AUTHN_REQUEST(profile->request)->NameIDPolicy,
 			lasso_samlp2_name_id_policy_new());
 	lasso_assign_new_gobject(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer,
diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c
index 7921e04a..97b5ac69 100644
--- a/lasso/saml-2.0/profile.c
+++ b/lasso/saml-2.0/profile.c
@@ -506,10 +506,23 @@ lasso_saml20_profile_set_session_from_dump_decrypt(
 				assertion->Subject->EncryptedID->original_data);
 		lasso_release_gobject(assertion->Subject->EncryptedID);
 		} else { /* decrypt */
-			int rc = 0;
-			rc = lasso_saml2_encrypted_element_decrypt(assertion->Subject->EncryptedID,
-					lasso_server_get_encryption_private_key(profile->server),
-					(LassoNode**) &assertion->Subject->NameID);
+			int rc;
+			GList *encryption_private_keys =
+				lasso_server_get_encryption_private_keys(profile->server);
+
+			rc = LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+			lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+					encryption_private_keys);
+			{
+				rc = lasso_saml2_encrypted_element_decrypt(
+						assertion->Subject->EncryptedID,
+						encryption_private_key,
+						(LassoNode**)&assertion->Subject->NameID);
+				if (rc == 0)
+					break;
+			}
+			lasso_foreach_full_end();
+
 			if (rc == 0) {
 				lasso_release_gobject(assertion->Subject->EncryptedID);
 			} else {
@@ -560,7 +573,6 @@ lasso_saml20_profile_process_name_identifier_decryption(LassoProfile *profile,
 		LassoSaml2NameID **name_id,
 		LassoSaml2EncryptedElement **encrypted_id)
 {
-	xmlSecKey *encryption_private_key = NULL;
 	int rc = 0;
 
 	lasso_bad_param(PROFILE, profile);
@@ -568,15 +580,20 @@ lasso_saml20_profile_process_name_identifier_decryption(LassoProfile *profile,
 	lasso_null_param(encrypted_id);
 
 	if (*name_id == NULL && *encrypted_id != NULL) {
-		encryption_private_key = profile->server->private_data->encryption_private_key;
 		if (! LASSO_IS_SAML2_ENCRYPTED_ELEMENT(*encrypted_id)) {
 			return LASSO_PROFILE_ERROR_MISSING_NAME_IDENTIFIER;
 		}
-		if (encrypted_id != NULL && encryption_private_key == NULL) {
-			return LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+		rc = LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+		lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it,
+				lasso_server_get_encryption_private_keys(profile->server));
+		{
+			rc = lasso_saml2_encrypted_element_decrypt(*encrypted_id, encryption_private_key,
+					&profile->nameIdentifier);
+			if (rc == 0)
+				break;
 		}
-		rc = lasso_saml2_encrypted_element_decrypt(*encrypted_id, encryption_private_key,
-				&profile->nameIdentifier);
+		lasso_foreach_full_end();
+
 		if (rc)
 			goto cleanup;
 		if (! LASSO_IS_SAML2_NAME_ID(profile->nameIdentifier)) {
diff --git a/lasso/saml-2.0/provider.c b/lasso/saml-2.0/provider.c
index 747ca2e5..66293c3f 100644
--- a/lasso/saml-2.0/provider.c
+++ b/lasso/saml-2.0/provider.c
@@ -287,7 +287,6 @@ load_endpoint_type(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole
 	} else {
 		name = g_strdup_printf("%s %s", xmlnode->name, binding_s);
 	}
-	lasso_release_xml_string(binding);
 
 	/* Response endpoint ? */
 	response_value = getSaml2MdProp(xmlnode, LASSO_SAML2_METADATA_ATTRIBUTE_RESPONSE_LOCATION);
@@ -301,6 +300,7 @@ load_endpoint_type(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole
 	_lasso_provider_add_metadata_value_for_role(provider, role, name, (char*)value);
 
 cleanup:
+	lasso_release_xml_string(binding);
 	lasso_release_xml_string(value);
 	lasso_release_xml_string(response_value);
 	lasso_release_string(name);
diff --git a/lasso/saml-2.0/saml2_helper.c b/lasso/saml-2.0/saml2_helper.c
index 3d835962..4151a7b4 100644
--- a/lasso/saml-2.0/saml2_helper.c
+++ b/lasso/saml-2.0/saml2_helper.c
@@ -776,8 +776,22 @@ int
 lasso_saml2_encrypted_element_server_decrypt(LassoSaml2EncryptedElement* encrypted_element, LassoServer *server, LassoNode** decrypted_node)
 {
 	lasso_bad_param(SERVER, server);
+	int rc = 0;
+	GList *encryption_private_keys;
 
-	return lasso_saml2_encrypted_element_decrypt(encrypted_element, lasso_server_get_encryption_private_key(server), decrypted_node);
+	encryption_private_keys = lasso_server_get_encryption_private_keys(server);
+	if (! encryption_private_keys) {
+		return LASSO_PROFILE_ERROR_MISSING_ENCRYPTION_PRIVATE_KEY;
+	}
+	lasso_foreach_full_begin(xmlSecKey*, encryption_private_key, it, encryption_private_keys)
+	{
+		rc = lasso_saml2_encrypted_element_decrypt(encrypted_element,
+				encryption_private_key, decrypted_node);
+		if (rc == 0)
+			break;
+	}
+	lasso_foreach_full_end();
+	return rc;
 }
 
 /**
diff --git a/lasso/saml-2.0/server.c b/lasso/saml-2.0/server.c
index f2dc8879..cac2d89b 100644
--- a/lasso/saml-2.0/server.c
+++ b/lasso/saml-2.0/server.c
@@ -139,7 +139,7 @@ lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole
 
 	provider = lasso_provider_new_from_xmlnode(role, entity);
 	if (provider) {
-		char *name = g_strdup(provider->ProviderID);
+		char *name = provider->ProviderID;
 
 		if (g_list_find_custom(blacklisted_entity_ids, name,
 					(GCompareFunc) g_strcmp0)) {
@@ -153,7 +153,7 @@ lasso_saml20_server_load_metadata_entity(LassoServer *server, LassoProviderRole
 			l->next->data = g_strdup(name);
 			*loaded_end = l->next;
 		}
-		g_hash_table_insert(server->providers, name, provider);
+		g_hash_table_insert(server->providers, g_strdup(name), provider);
 		return 0;
 	} else {
 		return LASSO_SERVER_ERROR_NO_PROVIDER_LOADED;
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index 0eeb8d2f..b4afba91 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -1574,7 +1574,7 @@ lasso_node_decrypt_xmlnode(xmlNode* encrypted_element,
 	xmlChar *algorithm = NULL;
 	xmlSecKeyDataId key_type;
 	GList *i = NULL;
-	int rc = LASSO_DS_ERROR_DECRYPTION_FAILED;
+	int rc = LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA;
 
 	if (encryption_private_key == NULL || !xmlSecKeyIsValid(encryption_private_key)) {
 		message(G_LOG_LEVEL_WARNING, "Invalid decryption key");
@@ -1582,6 +1582,8 @@ lasso_node_decrypt_xmlnode(xmlNode* encrypted_element,
 		goto cleanup;
 	}
 
+	xmlSetGenericErrorFunc(NULL, lasso_xml_generic_error_func);
+
 	/* Need to duplicate it because xmlSecEncCtxDestroy(encCtx); will destroy it */
 	encryption_private_key = xmlSecKeyDuplicate(encryption_private_key);
 
@@ -1655,8 +1657,8 @@ lasso_node_decrypt_xmlnode(xmlNode* encrypted_element,
 	if (key_buffer != NULL) {
 		sym_key = xmlSecKeyReadBuffer(key_type, key_buffer);
 	}
+	rc = LASSO_DS_ERROR_ENCRYPTION_FAILED;
 	if (sym_key == NULL) {
-		message(G_LOG_LEVEL_WARNING, "EncryptedKey decryption failed");
 		goto cleanup;
 	}
 
@@ -1673,6 +1675,7 @@ lasso_node_decrypt_xmlnode(xmlNode* encrypted_element,
 
 	/* decrypt the EncryptedData */
 	if ((xmlSecEncCtxDecrypt(encCtx, encrypted_data_node) < 0) || (encCtx->result == NULL)) {
+		rc = LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA;
 		message(G_LOG_LEVEL_WARNING, "EncryptedData decryption failed");
 		goto cleanup;
 	}
diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c
index 465a6992..9ce3f245 100644
--- a/lasso/xml/xml.c
+++ b/lasso/xml/xml.c
@@ -916,6 +916,7 @@ _lasso_node_free_custom_element(struct _CustomElement *custom_element)
 		lasso_release_string(custom_element->private_key);
 		lasso_release_string(custom_element->private_key_password);
 		lasso_release_string(custom_element->certificate);
+		lasso_release_sec_key(custom_element->encryption_public_key);
 	}
 	lasso_release(custom_element);
 }
author	Benjamin Dauvergne <bdauvergne@entrouvert.com>	2011-11-29 12:36:47 +0100
committer	Benjamin Dauvergne <bdauvergne@entrouvert.com>	2011-11-29 12:36:47 +0100
commit	29800377a38349c04e3744aa736fc9e70c2bf16a (patch)
tree	ab00fde9b27760febeeeda86ff6b348a58803d90 /lasso
parent	92ebef91f584d3afd72ded1747c09981b4476c14 (diff)
parent	b785881e531116da7250190e632bd205212a9bdf (diff)
download	lasso-29800377a38349c04e3744aa736fc9e70c2bf16a.tar.gz lasso-29800377a38349c04e3744aa736fc9e70c2bf16a.tar.xz lasso-29800377a38349c04e3744aa736fc9e70c2bf16a.zip