tomh / rpms / bip

Forked from rpms/bip 4 years ago
Clone
Source Code
GIT

Files

el5 el6 epel7 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f9 fix-auth fix-patch master
  1.   f27
  2.   0001-Check-value-returned-by-X509_OBJECT_new.patch
Blob Blame History Raw 
From 2e81cca480ed74abf8559d7e1bbe52f6be273786 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
Date: Sat, 12 Nov 2016 00:52:50 +0100
Subject: [PATCH] Check value returned by X509_OBJECT_new()

Reported by Alexander Couzens, thanks to him !
---
 src/connection.c | 45 ++++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/src/connection.c b/src/connection.c
index a10a686..86377a9 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1374,30 +1374,33 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 			 err == X509_V_ERR_CERT_HAS_EXPIRED ||
 			 err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)) {
 
-		xobj = X509_OBJECT_new();
-		if (X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509,
-				X509_get_subject_name(err_cert), xobj) > 0 &&
-				!X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
-			if (err == X509_V_ERR_CERT_HAS_EXPIRED)
-				mylog(LOG_INFO, "Basic mode; Accepting "
-						"*expired* peer certificate "
-						"found in store.");
-			else
-				mylog(LOG_INFO, "Basic mode; Accepting peer "
-					"certificate found in store.");
-
-			result = 1;
-			err = X509_V_OK;
-			X509_STORE_CTX_set_error(ctx, err);
+		if (!(xobj = X509_OBJECT_new())) {
+			result = 0;
 		} else {
-			mylog(LOG_INFO, "Basic mode; peer certificate NOT "
-					"in store, rejecting it!");
-			err = X509_V_ERR_CERT_REJECTED;
-			X509_STORE_CTX_set_error(ctx, err);
+			if (X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509,
+					X509_get_subject_name(err_cert), xobj) > 0 &&
+					!X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
+				if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+					mylog(LOG_INFO, "Basic mode; Accepting "
+							"*expired* peer certificate "
+							"found in store.");
+				else
+					mylog(LOG_INFO, "Basic mode; Accepting peer "
+						"certificate found in store.");
+
+				result = 1;
+				err = X509_V_OK;
+				X509_STORE_CTX_set_error(ctx, err);
+			} else {
+				mylog(LOG_INFO, "Basic mode; peer certificate NOT "
+						"in store, rejecting it!");
+				err = X509_V_ERR_CERT_REJECTED;
+				X509_STORE_CTX_set_error(ctx, err);
 
-			link_add_untrusted(c->user_data, X509_dup(err_cert));
+				link_add_untrusted(c->user_data, X509_dup(err_cert));
+			}
+			X509_OBJECT_free(xobj);
 		}
-		X509_OBJECT_free(xobj);
 	}
 
 	if (!result) {
-- 
2.13.3
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.