From: SophieK <35367649+suishixingkong@users.noreply.github.com>
Date: Tue, 21 May 2019 01:28:21 +0000 (+0800)
Subject: Avoid enumerating certificates with non-matching key type
X-Git-Tag: 5.8.1dr1~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3aa7b2dc3a39b85a371acc133427b26570dbc69d;p=thirdparty%2Fstrongswan.git

Avoid enumerating certificates with non-matching key type

If the key type was specified but the ID was NULL or matched a subject, it was possible that a certificate was returned that didn't actually match the requested key type.

Closes strongswan/strongswan#141.
---
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index 0432ee573e..2c0df8fb2b 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -208,6 +208,11 @@ CALLBACK(certs_filter, bool,
 return TRUE;
 }
 }
+ else
+ {
+ public->destroy(public);
+ continue;
+ }
 public->destroy(public);
 }
 else if (data->key != KEY_ANY)
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index b0f77be984..86b232a3ed 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -108,6 +108,11 @@ CALLBACK(certs_filter, bool,
 return TRUE;
 }
 }
+ else
+ {
+ public->destroy(public);
+ continue;
+ }
 public->destroy(public);
 }
 else if (data->key != KEY_ANY)
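Review bot: The added `else` branch in `certs_filter` (stroke_ca.c) has no comment saying why a key-type mismatch must `continue` instead of falling through, and the same uncommented branch is added to the copy of `certs_filter` in mem_cred.c. I would put `/* requested key type does not match: skip this certificate rather than fall through to the ID/subject match */` above the `else` in both files. That later match is outside both hunks, as are the start and end of `certs_filter`, so what the fall-through used to reach is inferred from the commit message. Because this filter decides which certificate a credential lookup returns, the commit would also benefit from a regression test that requests a specific key type with a NULL ID and asserts that no certificate of another key type is enumerated; none is part of this diff, and the two copies can otherwise drift apart again unnoticed.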