From 8afa0ce578ecd5cc3a397707fdb163cc169b9bd1 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 13 Dec 2019 08:25:01 -0500
Subject: [PATCH 8/8] Fix client-cert issues found by CI tests
Resolves: rhbz#1720667
Better error message for client certs without public key file
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Fix memory leak in sscg_sign_x509_csr()
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Address clang-analyzer warning
clang-analyzer determined that it was possible for the GET_BIO()
return value to have changed between conditional creation of the
client certificate and writing it out. This patch stores the result
of the lookup so it's certain to be consistent.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/io_utils.c | 4 ++--
src/sscg.c | 8 +++++---
src/x509.c | 1 +
3 files changed, 8 insertions(+), 5 deletions(-)
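--- a/src/io_utils.c
+++ b/src/io_utils.c
@@ -363,8 +363,8 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
 
     case IO_UTILS_CLIENT_UNMATCHED:
       SSCG_ERROR (
-        "The client certificate must have both public and private key "
-        "locations specified.\n");
+        "The client certificate must have the public key location "
+        "specified.\n");
       ret = EINVAL;
       goto done;
 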
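--- a/src/sscg.c
+++ b/src/sscg.c
@@ -300,6 +300,7 @@ main (int argc, const char **argv)
   char *cert_key_password = NULL;
   char *cert_key_passfile = NULL;
 
+  bool build_client_cert = false;
   int client_mode = SSCG_CERT_DEFAULT_MODE;
   int client_key_mode = SSCG_KEY_DEFAULT_MODE;
   char *client_key_password = NULL;
@@ -1118,7 +1119,8 @@ main (int argc, const char **argv)
   /* If requested, generate the client auth certificate and sign it with the
    * private CA.
    */
-  if (GET_BIO (SSCG_FILE_TYPE_CLIENT))
+  build_client_cert = !!(GET_BIO (SSCG_FILE_TYPE_CLIENT));
+  if (build_client_cert)
     {
       ret = create_cert (main_ctx,
                          options,
@@ -1136,7 +1138,7 @@ main (int argc, const char **argv)
 
   /* Write private keys first */
 
-  if (GET_BIO (SSCG_FILE_TYPE_CLIENT_KEY))
+  if (build_client_cert)
     {
       /* This function has a default mechanism for prompting for the
        * password if it is passed a cipher and gets a NULL password.
@@ -1201,7 +1203,7 @@ main (int argc, const char **argv)
   /* Public keys come next, in chain order */
 
   /* Start with the client certificate */
-  if (GET_BIO (SSCG_FILE_TYPE_CLIENT))
+  if (build_client_cert)
     {
       sret = PEM_write_bio_X509 (GET_BIO (SSCG_FILE_TYPE_CLIENT),
                                 client_cert->certificate);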
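Review bot: The private-key write in the `-1136,7 +1138,7` hunk is now gated on `build_client_cert`, which is derived from `GET_BIO (SSCG_FILE_TYPE_CLIENT)`, whereas the old condition checked `GET_BIO (SSCG_FILE_TYPE_CLIENT_KEY)`; since the io_utils.c hunk in this same patch now requires only the public key location, a client certificate stream with no key stream seems possible, and the write inside that block (which lies outside the hunk) would presumably receive a NULL key BIO unless it falls back to the certificate stream — worth confirming against that body. The last hunk still calls `GET_BIO (SSCG_FILE_TYPE_CLIENT)` a second time inside `PEM_write_bio_X509`, so the stored flag is not the single source of truth the commit message describes; storing the pointer once, `BIO *client_bio = GET_BIO (SSCG_FILE_TYPE_CLIENT);`, and using `client_bio` in both the condition and the write would remove the repeated lookup. `main` starts and ends outside these hunks.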
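--- a/src/x509.c
+++ b/src/x509.c
@@ -482,5 +482,6 @@ done:
       *_cert = talloc_steal (mem_ctx, scert);
     }
   X509_NAME_free (subject);
+  talloc_free(tmp_ctx);
   return ret;
 }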
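Review bot: `talloc_free(tmp_ctx);` drops the space before the parenthesis that the adjacent `X509_NAME_free (subject);` and the other calls in these hunks use; `talloc_free (tmp_ctx);` keeps the file's call style consistent. The free is placed after the success branch that `talloc_steal`s `scert` onto `mem_ctx`, so the returned certificate survives the context teardown, while on the error path anything still parented to `tmp_ctx` is released with it, which is the leak fix the commit describes. The enclosing function, including where `tmp_ctx` is allocated and whether `scert` is created under it, starts outside the hunk, so that ownership assumption should be confirmed there.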
--
2.23.0