URL: https://github.com/SSSD/sssd/pull/634
Author: jhrozek
Title: #634: P11: Don't return int failure from a bool function
Action: opened

PR body:
"""
The functions return bool as per their prototype, but returning EINVAL on
failure meant that EINVAL (typically 22) was converted to 'true', so a
certificate that was not processable was considered valid.

Luckily this code only converts certificates into SSH public keys, so there
are no security implications.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/634/head:pr634
git checkout pr634
From c15555b32d91aabaa93168661505749fcafca2c4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 1 Aug 2018 10:26:28 +0200
Subject: [PATCH] P11: Don't return int failure from a bool function

The functions return bool as per their prototype, but returning EINVAL
on failure meant that EINVAL (typically 22) was converted to 'true', so
a certificate that was not processable was considered valid.

Luckily this code only converts certificates into SSH public keys, so
there are no security implications.
---
 src/p11_child/p11_child_nss.c     | 2 +-
 src/p11_child/p11_child_openssl.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 717c7a4cf..d6a0b804a 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -220,7 +220,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64)
     ret = b64_to_cert(p11_ctx, cert_b64, &cert);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "Failed to convert certificate.\n");
-        return EINVAL;
+        return false;
     }
 
     res = do_verification(p11_ctx, cert);
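Review bot: The corrected `return false;` in the `ret != EOK` branch of the NSS do_verification_b64() comes with no test, and the diffstat shows only the two source files changed. A unit test that passes a cert_b64 string which b64_to_cert() rejects and asserts that the function returns false would pin the behaviour down, since the original `return EINVAL;` compiled cleanly and was indistinguishable from success at the call site. Because the function's name says it is a verification step, the test is worth having even if the current caller only derives SSH public keys from the result.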
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
index 953cd3cc8..be5872626 100644
--- a/src/p11_child/p11_child_openssl.c
+++ b/src/p11_child/p11_child_openssl.c
@@ -209,7 +209,7 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64)
     ret = b64_to_cert(cert_b64, &cert);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "Failed to convert certificate.\n");
-        return EINVAL;
+        return false;
     }
 
     res = do_verification(p11_ctx, cert);
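Review bot: In the OpenSSL do_verification_b64(), the failure branch logs "Failed to convert certificate." without the `ret` value from b64_to_cert(), and with `return false;` the error code no longer reaches the caller in any form. Adding ret to the DEBUG message would keep the reason for the rejection visible in the logs. Since the same `return EINVAL;` appeared in both backends, it is also worth checking the other bool-returning functions in these two files for errno-style returns, including how the `res` assigned from do_verification() on the last context line is handed back.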