URL: https://github.com/SSSD/sssd/pull/634 Author: jhrozek Title: #634: P11: Don't return int failure from a bool function Action: opened
PR body: """ The functions return bool as per their prototype, but returning EINVAL on failure meant that EINVAL (typically 22) was converted to 'true', so a certificate that was not processable was considered valid. Luckily this code only converts certificates into SSH public keys, so there are no security implications. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/634/head:pr634 git checkout pr634
From c15555b32d91aabaa93168661505749fcafca2c4 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Wed, 1 Aug 2018 10:26:28 +0200 Subject: [PATCH] P11: Don't return int failure from a bool function The functions return bool as per their prototype, but returning EINVAL on failure meant that EINVAL (typically 22) was converted to 'true', so a certificate that was not processable was considered valid. Luckily this code only converts certificates into SSH public keys, so there are no security implications. --- src/p11_child/p11_child_nss.c | 2 +- src/p11_child/p11_child_openssl.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c index 717c7a4cf..d6a0b804a 100644 --- a/src/p11_child/p11_child_nss.c +++ b/src/p11_child/p11_child_nss.c @@ -220,7 +220,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64) ret = b64_to_cert(p11_ctx, cert_b64, &cert); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Failed to convert certificate.\n"); - return EINVAL; + return false; } res = do_verification(p11_ctx, cert); diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c index 953cd3cc8..be5872626 100644 --- a/src/p11_child/p11_child_openssl.c +++ b/src/p11_child/p11_child_openssl.c @@ -209,7 +209,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64) ret = b64_to_cert(cert_b64, &cert); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Failed to convert certificate.\n"); - return EINVAL; + return false; } res = do_verification(p11_ctx, cert);
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/2WAAGMJCS6T4MDZD6ED3WUBMNMRTFIMP/