From 8afa0ce578ecd5cc3a397707fdb163cc169b9bd1 Mon Sep 17 00:00:00 2001

From: Stephen Gallagher <sgallagh@redhat.com>

Date: Fri, 13 Dec 2019 08:25:01 -0500

Subject: [PATCH 8/8] Fix client-cert issues found by CI tests

Resolves: rhbz#1720667

Better error message for client certs without public key file

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Fix memory leak in sscg_sign_x509_csr()

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Address clang-analyzer warning

clang-analyzer determined that it was possible for the GET_BIO()

return value to have changed between conditional creation of the

client certificate and writing it out. This patch stores the result

of the lookup so it's certain to be consistent.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

---

 src/io_utils.c | 4 ++--

 src/sscg.c     | 8 +++++---

 src/x509.c     | 1 +

 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/io_utils.c b/src/io_utils.c

index 809a1da0e455afa0dba0796a5f7ac406742328a1..a2502afb20f4bcb536428f3528900c2bb06997f5 100644

--- a/src/io_utils.c

+++ b/src/io_utils.c

@@ -363,8 +363,8 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)

     case IO_UTILS_CLIENT_UNMATCHED:

       SSCG_ERROR (

-        "The client certificate must have both public and private key "

-        "locations specified.\n");

+        "The client certificate must have the public key location "

+        "specified.\n");

       ret = EINVAL;

       goto done;

diff --git a/src/sscg.c b/src/sscg.c

index 470af815d91f5170a1e8fe00006dbaee4d07b209..f34a43b83e562d0bd7da9a77e25911762db83693 100644

--- a/src/sscg.c

+++ b/src/sscg.c

@@ -300,6 +300,7 @@ main (int argc, const char **argv)

   char *cert_key_password = NULL;

   char *cert_key_passfile = NULL;

+  bool build_client_cert = false;

   int client_mode = SSCG_CERT_DEFAULT_MODE;

   int client_key_mode = SSCG_KEY_DEFAULT_MODE;

   char *client_key_password = NULL;

@@ -1118,7 +1119,8 @@ main (int argc, const char **argv)

   /* If requested, generate the client auth certificate and sign it with the

    * private CA.

    */

-  if (GET_BIO (SSCG_FILE_TYPE_CLIENT))

+  build_client_cert = !!(GET_BIO (SSCG_FILE_TYPE_CLIENT));

+  if (build_client_cert)

     {

       ret = create_cert (main_ctx,

                          options,

@@ -1136,7 +1138,7 @@ main (int argc, const char **argv)

   /* Write private keys first */

-  if (GET_BIO (SSCG_FILE_TYPE_CLIENT_KEY))

+  if (build_client_cert)

     {

       /* This function has a default mechanism for prompting for the

        * password if it is passed a cipher and gets a NULL password.

@@ -1201,7 +1203,7 @@ main (int argc, const char **argv)

   /* Public keys come next, in chain order */

   /* Start with the client certificate */

-  if (GET_BIO (SSCG_FILE_TYPE_CLIENT))

+  if (build_client_cert)

     {

       sret = PEM_write_bio_X509 (GET_BIO (SSCG_FILE_TYPE_CLIENT),

                                  client_cert->certificate);

diff --git a/src/x509.c b/src/x509.c

index 18f0627bc64e7cb503a9e81c36dbe726186d1144..c173f539791fbbc51e52e6b121e587dca43924d4 100644

--- a/src/x509.c

+++ b/src/x509.c

@@ -482,5 +482,6 @@ done:

       *_cert = talloc_steal (mem_ctx, scert);

     }

   X509_NAME_free (subject);

+  talloc_free(tmp_ctx);

   return ret;

 }

-- 

2.23.0