From 701b6952a3c223bebf9baed48eebbbf7fda00c6b Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Mon, 1 Nov 2010 15:32:37 -0400 Subject: [PATCH 092/150] - note the error when we fail to load a key or cert from a file - don't leak non-self, non-ca cert refs - don't break on certs without EKU extensions --- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 14 +++++++++++++- 1 files changed, 13 insertions(+), 1 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c index d624047..6a0bc83 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c @@ -2117,6 +2117,8 @@ crypto_load_files(krb5_context context, permanent = PR_FALSE; obj = PK11_CreateGenericObject(slot, attrs, n_attrs, permanent); if (obj == NULL) { + pkiDebug("%s: error loading key \"%s\"\n", + __FUNCTION__, keyfile); status = SECFailure; } else { pkiDebug("%s: loaded key \"%s\"\n", @@ -2163,6 +2165,10 @@ crypto_load_files(krb5_context context, permanent = PR_FALSE; obj = PK11_CreateGenericObject(slot, attrs, n_attrs, permanent); if (obj == NULL) { + pkiDebug("%s: error loading %scertificate \"%s\"\n", + __FUNCTION__, + cert_mark_trusted ? "CA " : "", + certfile); status = SECFailure; } else { pkiDebug("%s: loaded %scertificate \"%s\"\n", @@ -2229,12 +2235,15 @@ crypto_load_files(krb5_context context, if (cert_maybe_add_to_list(id_cryptoctx->id_certs, cert) != SECSuccess) { status = SECFailure; } - } + } else if (cert_mark_trusted) { /* Add to the CA list. */ if (cert_maybe_add_to_list(id_cryptoctx->ca_certs, cert) != SECSuccess) { status = SECFailure; } + } else { + /* Don't lose the ref. */ + CERT_DestroyCertificate(cert); } } } @@ -2639,6 +2648,9 @@ cert_get_eku_bits(krb5_context context, CERTCertificate *cert, int kdc) /* Pull out the extension. */ ext = cert_get_ext_by_tag(cert, SEC_OID_X509_EXT_KEY_USAGE); + if (ext == NULL) { + return 0; + } /* Look up the well-known OIDs. */ clientauth = SECOID_FindOIDByTag(SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH); -- 1.7.6.4